Written by Tulika Avni Sinha
The Government of India recently notified the Digital Personal Data Protection Act 2023 (DPDPA). Albeit with debated shortfalls, this is a step in the right direction and aims to empower citizens with the right to know and hold authority over their data. It limits possibilities of corporate and government surveillance and citizen profiling with exceptions built in for national security and interests. While there can be debate over whether these exceptions run too far in allowing the government to use and/or misuse personal data for its purposes, the overall intention and enforcement law is expected to serve the people of India well. It is important to note, however, that it covers in its ambit, all data presently held and managed by state governments and its agencies as well — an area that requires urgent attention and effort before the enforcement can show intended and effective results. The state data ecosystem is the elephant in the room embarrassingly overlooked amid the “more important issues of every day”. It poses unfavourable challenges in terms of capacity, infrastructure, knowledge and implementation.
States hold massive data sets under various schemes, programmes and surveys implemented. These data sets are scattered across departments and agencies, and sometimes districts, with minimal standardisation, interoperability, or integration between them. Very few data managers hold and update metadata (explanatory details about the underlying data sets) for data sets in their purview. There is some focus on data quality, but lack of capacity and standardised infrastructure often lead to inconsistencies, duplicity, and errors in data making it much more difficult than imagined for any useful analysis and use at higher levels of hierarchy. While dashboards with performance indicators are often prepared and presented with glamour, the backend processes are mostly manual, riddled with ad hoc checks for consistency, accuracy and quality. Sadly, once the dashboards are presentable and accepted, the processes and underlying issues are not resolved and stay “as is” for most efforts, if not all.
Many states have adopted data policies or strategies over the last couple of decades. Examples include Karnataka, Odisha, Punjab, Sikkim, Tamil Nadu, Telangana, among others. While some fall short of important themes such as data retention, continuity, cybersecurity, standardisation, capacity, etc., some lack a strong implementation framework that sets milestones and accountability, while building a clearly structured plan for the timely, successful and effective execution of the policy. These policies are well-intentioned and can serve as good action plans towards successful enforcement of the DPDPA but unfortunately, most of them are yet to be implemented, in part or full, across these state governments. What adds to the hurdle is that, unlike most policies and laws where the enforcement is the responsibility of a particular department, the DPDPA 2023 and data policies need to be enforced across every department and agency wherever there is public data. This makes the effort much more complex and cumbersome in the convoluted and hierarchical bureaucracies our governments operate with.
With the DPDPA now passed, it has become urgent for states to act. The existing policies or strategies need to be revised in alignment with the DPDPA or a new one designed to serve as an action plan for the entire state government. The policy now needs to put down guidelines for data collection, standardisation, anonymisation, integration, infrastructure, security, retention, continuity, processing, and use. They need to elaborately build a plan for the capacity development of all government officials involved at any stage of the data lifecycle to understand the DPDPA, other relevant laws in India (such as the Aadhaar Act 2016, the Right to Information Act 2005, the IT Act 2000 and others), and their personal roles and responsibilities. The importance of cybersecurity needs to be explained and reflected in measures and investments at all levels of the bureaucracy to ensure public data is safe and cyber threats can be minimised. Since the DPDPA sets in a detailed process for registering and addressing public grievances, states need to establish their processes for citizens and institutions to raise grievances, queries, requests, and suggestions related to personal and non-personal data.
While a well-designed policy is the beginning, sustained and unfaltering implementation as priority should be non-negotiable if the intended benefits are to be realised. There is a need for a commitment to a prolonged allocation of resources, a rigorous process to monitor and track policy implementation, and a culture where data is understood as an asset, a responsibility, and the key to an inclusive and secure future.
The DPDPA is an opportunity for governments to improve their data ecosystem and enable evidence-driven decision-making, transparency, and renewed accountability. The DPDPA is also an opportunity for the people to demand these values and benefits from the administration. New and revised policies from the states can empower a collaborative environment allowing civil society organisations, research and academic institutions, and other experts to support governments with modern technologies for data analysis, interpretation, and use. It can also facilitate participatory governance for the people. The benefits of adopting and implementing a comprehensive data policy outweigh the associated costs in all measures and with the DPDPA in place, its urgency and imperativeness have rightly escalated.
The process has not been made easier though. State governments shall need sufficient support from external organisations, guidance from the central government, and camaraderie from each other. Issues of legacy data that are yet to be digitised, legacy formats, present resource availability, manpower requirements, existing IT systems and others shall need severe planning and tradeoffs. But with the advent of modern technologies such as artificial intelligence (AI) making its way as an ally and a threat, it is now that the states need to hold the reins of their data ecosystem and drive change. Without resolving the data chaos that exists, it would be immensely difficult for the states to enforce the DPDPA, contribute to the AI revolution, or even keep pace with the technological and legal advances of the modern world.
The writer is working with Harvard University on research related to data privacy and ethics
