The government has woken up belatedly to provide legal protection to its citizens' privacy, circulating an approach paper on need to guarantee it without compromising the country's balance of interests and concern.
Most Western countries have strict privacy laws that India lacked so far because the public dissemination of personal information has over time become a way of demonstrating 'the transparent functioning of the government.'
How soon the law will be enacted for the purpose is, however, not certain as it is all still at the conceptual level. The draft approach paper was circulated on Monday and a short time of one week is given for the public views by October 25; that itself may trigger an outcry to allow more time.
The approach paper says the privacy for the purpose should be defined as the expectation that confidential personal information disclosed by any individual to government or non-government entity should not be disclosed to third parties without his consent and sufficient safeguards be adopted in processing and storing such information.
"In essence, disclosure of data which can be used to identify a physical person without following the due process could be construed as breach of privacy," says the document while pointing out that the country does not have any protection statute.
Though the judiciary has derived "right to privacy" from the rights available under Article 19(1)(a) that defines fundamental right to freedom of speech and expression and Article 21 that gives the right to life and personal liberty, all cases were decided in the context of government action resulting in denial of right of privacy to private citizens.
No privacy judgment has so far granted citizens a right of action against the breach of privacy by another citizen and as such the personal privacy jurisprudence in the country is not yet fully developed, says the approach paper.
It says the legislation to ensure privacy should really be in the form of framework rather than detailed prescriptions, making it applicable equally to private as well as public entities to protect citizens and individuals against the misuse of their personal data by anybody.
Such a law will ensure protection to all forms of personal data, imposing a greater responsibility on those processing and collecting the information "whose disclosure can result in significant financial, reputational or other associated loss to the person concerned."
The legislation is recommended to be limited to personal information relating to real persons on the ground that there are other legislations that deal with information in the context of legal persons such as corporations.
Besides, there is a greater risk of personal injury in the context of real persons as opposed to legal persons.
The document recommends creation of an appropriate list of items that would constitute sensitive information and goes on to list out what they can be. These are:
- racial or ethnic origin or castes;
- political affiliations or opinions;
- religious affiliations and beliefs or other beliefs of a similar nature;
- membership of a trade union;
- physical or mental health or condition;
- sexual life;
- criminal record;
- genetic information about an individual that is not otherwise health information;
- information or an opinion about an individual;
- financial or proprietary confidential corporate data;
- data on a person's personality;
- private family relations;
- biometric data;
- social welfare needs of a person or the benefits, support or other social welfare assistance received by the person; and
- data collected on a person during the process of taxation (except data concerning tax arrears).
The approach paper also takes note of the biometric data collected by the government under its Unique Identity project called 'Aadhar' which can be misused causing immense harm to the individuals as it says it should be also defined as personal sensitive data.
It also stressed that the personal data be collected only after written consent and the individuals should have the right to correct any wrong data about them and the data controller must be made responsible for faults of the data processor to fulfil the data protection obligations.
Also the data should be stored only till the time the purpose for which it is collected is achieved.
The document discusses the possible conflict of the privacy law with various other laws like the Right to Information Act and says the act itself directly or indirectly lays down that private information relating to an individual is to be prevented from authorised disclosure.
It also stressed that the legislation must provide for exceptions like in the interests of national security as on many occasions the government may need to gain access.
What about the credit verification done by banks and financial institutions to access personal information about the prospective borrowers? The document says there will be no bar on collection of data but provide a regulation regime on how it is processed for only verifying the credit worthiness of a person.
As regards the possibility of the proposed law infringing upon freedom to trade of the detective agencies, the approach paper refers to the European laws dealing with the use of surveillance for security and private investigation purposes and suggests that the private detective agencies must be regulated as they can potentially wreak considerable havoc on the personal information of a citizen if allowed to operate without regulations.
