Non-Personal Data Governance

Report by the Committee of Experts on Non-Personal Data Governance Framework

Ministry of Electronics and Information Technology formed the Committee of Experts on Non-Personal Data Governance Framework headed by former Infosys Vice-Chairman Kris Gopalakrishnan. Following recommendation are suggested in the report

  • Definition of Non-Personal Data– Committee has defined Non-Personal Data as kind of data that doesn’t contain any personally identifiable information of a user. This simply means that no individual can be identified with the help of this data. They have further classified Non-Personal Data into three categories
  1. Public Non-Personal Data: This includes all the data collected by the government agencies-census, tax receipts, the information sought during the execution of public-funded works, etc.
  2. Community Non-Personal Data: This includes all data identifiers about a set of people who have either the same geographic location, religion, job, or other common social interests.
  3. Private Non-Personal Data: This data includes the data which is produced by the individuals themselves and can be derived from the application.
  • Sensitivity of Non-Personal Data- The Committee has also defined a new concept of ‘sensitivity of Non-Personal Data,’ as even Non- Personal Data could be sensitive from the following perspectives:
  1. It relates to national security or strategic interests
  2. It is business sensitive or confidential information
  3. It is anonymized data, that bears a risk of re-identification
  • Key Non-Personal Data Roles- The report identifies three key roles related to non-personal data and an institutional form of data infrastructures, a data trust.
  1. The data principal will be the corresponding entities (individuals, companies, communities) to whom the data relates.
  2. The data custodian undertakes collection, storage, processing, use, etc. of data in a manner that is in the best interest of the data principal.
  3. The data principal group/community will exercise its data rights through an appropriate data trustee.
  • Data Business- The report talks about a Data Business, a new kind of entity that significantly deals with data in a large measure. This would perhaps include existing businesses that are increasingly dealing with data, or new kinds of businesses that are data-driven.