With developing technology, data protection has become a burning issue. This also comes in light of incidents like US election rigging, which showed how data can be misused. In this regard, a bill was introduced in the Lok Sabha in December 2019, called the Personal Data Protection Bill. This aims to form a ‘Data Protection Authority’ and gives rules on the protection of different kinds of data. Even though the bill hasn’t become a law yet, it is very significant due to the growing importance of data. It is primarily based on the Srikrishna Committee report. However, it is inspired by other data protection laws, primarily GDPR (General Data Protection Regulation). For this purpose, data has been classified into certain categories, so as to ensure different levels of protection under the bill. The word ‘data’ is defined as representing information, facts, concepts, opinions, or instructions in a way that can be communicated or processed by humans.
Financial data relates to a person’s finances, which includes any account or payment instrument issued by a financial institution. It may reflect financial status or credit history. It also comes under sensitive personal data, as a person’s finances are deeply personal and should not be inspected without consent.
Biometric, Genetic and Health Data
Biometric Data includes facial images, fingerprints, iris scans, etc. These are all kinds of personal data, but they can only be obtained by measurement or some other technical process. Biometric data is a physical, physiological or behavioural characteristic of the person, and is mostly used to uniquely identify that person. It comes under sensitive personal data and so receives the same level of protection. Additionally, section 106 restricts the processing of certain forms of it. Which ‘forms’ these are is to be notified by the Central Government; processing them is restricted unless it is permitted by law.
Genetic Data refers to data related to the inherited and acquired genetic characteristics of a human being. It includes the gene structure of a person, which gives unique information about their behaviour, physiology or health. It is obtained by analysing a biological sample of a person. The most common example is DNA analysis, which can reveal illnesses, hereditary traits and much more. Although they are related, there is a subtle difference between genetic and biometric data. Biometric data focuses on the external distinguishing features of a person, while genetic data focuses on the internal makeup which shows the behavioural characteristics of the person.
Health data includes all records of the past, present and future health of a person. It mainly includes data collected during health check-ups. In technical terms, it has to reflect the association of the person with the provision of health services. It also comes under sensitive personal data. These concepts have been borrowed from the General Data Protection Regulation (GDPR).
Personal Data and Sensitive Personal Data
Personal Data is a wide term that, in the simplest terms, means information about a specific person. It may be related to any characteristic or trait of that person. Sensitive Personal Data is a subset of personal data, covering special categories of personal data that require additional protection. The bill lists the categories that come under this heading: passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, and religious or political belief or affiliation. The bill keeps one end open by allowing the Data Protection Authority to add new categories when required. Such small steps help laws stay updated without repeated amendments. It also gives the relevant authority (here, the proposed Data Protection Authority) the power to make decisions on laws rather than leaving them to Parliament.
While the whole bill regulates the processing of personal data, one part deals specifically with the processing of sensitive personal data: Chapter 4 of the bill is devoted exclusively to it. In general, sensitive personal data can be processed only with explicit consent. However, there are exceptions. Firstly, it can be processed if strictly necessary for a function of the legislatures or the state. Secondly, it can be processed if a law or an order of a tribunal asks for it. Certain kinds of sensitive personal data may also be needed for ‘prompt action’. This refers to emergency situations such as a medical emergency, a threat to life, safety during a disaster and the like.
Children’s Personal and Sensitive Personal Data
Chapter 5 of the bill provides special safeguards for the processing of children’s data. Such data should be processed in a manner that protects the rights of the child and is in the child’s best interests. The bill calls for establishing appropriate mechanisms for age verification and parental consent. The guardian needs to be informed. However, guardian data fiduciaries (the persons who decide how that data is to be processed) are barred from profiling, tracking, behavioural monitoring or targeting of children, or undertaking any other processing that can harm the child.