The draft data access and use policy does not specify the norms, rules and mechanisms to achieve its vision
The draft data access and use policy does not specify the norms, rules and mechanisms to achieve its vision
In February 2022, the Ministry of Electronics and Information Technology (MEITY) published the draft India Data Accessibility and Use Policy 2022 (or Draft Policy) for public consultation. The draft policy aims to provide a robust framework for using public sector data for informed decision-making, citizen-centric public service delivery and economy-wide digital innovation. In particular, it aims to maximize access to and use of high-quality non-personally identifiable data (NPD) available in the public sector and to overcome a number of historical bottlenecks: slow progress on the Open Government Data (OGD) platform , fragmentation of datasets in departmental silos, lack of data anonymization tools, insufficient attention to developing data stewardship models; and lack of data quality standards, licensing and assessment frameworks to support data sharing.
Incomplete norms
This GovTech 3.0 approach – to unlocking the valuable resource of public sector data – updates the OGD vision of the 2012 National Data Sharing and Accessibility Policy (NDSAP). It seeks to leverage data-based intelligence for governance and economic development. However, the draft directive’s silence on the norms, rules and mechanisms to realize its vision of data-driven social transformation deserves attention.
Ensuring greater citizen awareness, participation and engagement in open data is identified as a core objective of the draft directive. In the spirit of such openness, the draft limits the transparency of public data to non-personal data sets. Any attempt to encourage meaningful citizen engagement with data cannot afford to ignore the canons of the Right to Information (RTI) and hence the need for certain citizen records containing personally identifiable information to be publicly available in order to make proactive disclosure meaningful . This raises ethical and procedural dilemmas to balance privacy/risk of data misuse with transparency and accountability considerations. The NDSAP’s unfinished task of establishing coherence between restrictions on the availability of sensitive personal information in the public sphere and India’s RTI has therefore been lost sight of.
Similarly, in relation to government-to-government data sharing for citizen-centric service delivery, the draft policy highlights that approved data inventories will be aggregated into a government-wide, searchable database. Since citizen records generated during service delivery contain personal identifiers, the assumption here seems to be that compliance with anonymization standards is a sufficient safeguard against privacy risks. But even with anonymized citizen records (which are no longer personal data), downstream processing can pose serious risks to the privacy of the group. Given that India has no law on the protection of personal data, the converged data processing proposed in the draft directive becomes particularly problematic.
The draft policy adheres to the NDSAP paradigm of treating government agencies as “owners” of the records they collect and compile, rather than moving to the trusteeship paradigm recommended in the MEITY Expert Committee’s 2020 Report on Management of Non-Personally Identifiable Information. When government agencies are considered owners of public sector datasets, it means they have carte blanche to determine how to classify their datasets as “open, restricted, or non-shareable,” without mechanisms for public consultation and civic accountability. The lack of a data stewardship framework gives government agencies unilateral privileges to set the terms of data licensing. As such, legacy directives ignore obligations to regularly update public records. Taking a fiduciary approach into account, the proposed draft directive must pay attention to data quality and ensure that licensing frameworks and all associated costs do not constitute an obstacle to the accessibility of data for non-commercial purposes, while protecting public sector data from large firms, particularly transnational ones Big Techs to be conquered for economic innovations.
In the current context, where the most valuable data resources are owned by the private sector, it is becoming increasingly clear to policymakers that socio-economic innovation depends on the state’s ability to catalyze a wide-ranging data exchange of public and private sector actors in different sectors. For example, the European Union has focused on creating common, interoperable data spaces to encourage voluntary data sharing in specific areas such as health, energy and agriculture. These shared data spaces provide the governance framework for secure and trust-based access and use in full compliance with personal data protection and updated consumer protection and competition laws.
Creating the right conditions for voluntary data sharing is a necessary but not a sufficient condition for democratizing data innovation. Competition law regulation is proving to be inadequate in the platform economy, in which first movers get stuck due to their intelligence advantage. And mandatory public access in exceptional cases, such as public emergencies, proposed in the proposed EU Data Law (2022) generally fails to release the data locked up by leading companies for public value creation.
In this regard, the data stewardship model for high-quality datasets proposed by the MEITY expert committee in its report on the management of non-personal data (2020) is instructive. In this model, a government/non-profit organization can request the Non-Personal Data Authority or NPDA (an independent institutional mechanism) to produce a high-quality data set (non-personal data only) in a specific sector that serves the specific purpose of public interest for which such data is sought and demonstrate community endorsement based on an appropriate public consultation process. Once such a request has been approved by the NPDA, the Data Trustee has the right to request data sharing from all major custodians of datasets that correspond to the relevant high-value dataset category—both public and private. Private sector custodians are required to comply with such requests for certain raw data fields. You can only claim trade secret protection in derivative data. In the event that a data custodian denies a data trustee request, the NPDA will have the final say in resolving the dispute.
While the detailed controls and trade-offs for such mandatory data-sharing arrangements have yet to develop, the radical idea of high-quality datasets as social knowledge commons, to which private data collectors are de facto unentitled, is crucial to enhancing public use and private Use to reconcile innovation.
What we need
What we need is a new social contract for data in which: a) the societal commons of data are governed as inappropriate commons that belong to all citizens; b) the government is the steward or trustee with fiduciary responsibility for promoting the use of data for the public good; and c) the democratization of data value is ensured through accountable institutional mechanisms for data governance. The draft policy needs to be revised from this perspective to seize the data opportunity before it’s too late.
Anita Gurumurthy and Nandini Chami work at IT for Change, an NGO working on digital technologies and social justice
