Indian Personal Data Protection Bill 2019: Data Types

In the last two series of these articles on the Indian Personal Data Protection Bill 2019, we have touched on the concept of Privacy and how it relates with Data and Data Protection.

In this third series, let us try to understand the concept of Data and how it maybe be classified and treated, along with its relevance to the PDPB 2019.

Just to reiterate, Privacy, in its overall sense, is the right of individuals, groups, or organizations to control and manage who can approach, observe, process or even perceive personal information related to their bodies, property, ideas, data, or other general and specific information.

The exponential growth of a global information economy, driven by new technologies and disruptive business models, means that an ever-increasing amount of personal data is being collected, used, exchanged, analysed, retained, and sometimes used for commercial purposes. It also means there is an ever-increasing number of accidental or intentional data breaches, incorrect or lost data records, and data misuse incidents.

As a result, the demand for data privacy — the right to control how personal information is collected, with whom it is shared, and how it is used, processes, or erased— has grown, as has the demand for data security. Balancing the individual’s right to data privacy and an organization’s desire to use personal data for its own purposes is challenging, but not impossible.

Personal Information (PI) is information that can be used to uniquely identify, contact, or locate a single person. From an organisation and legal point of view, Personal Information (PI) is a legal term pertaining to information security environments. Amongst its other formal definitions, it is information that can be used by organizations on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. PI may be accessed only on a strictly need-to-know basis and managed, processed and controlled with utmost caution.

Personal information that is “de-identified” (maintained in a way that does not allow association with a specific person) is not considered sensitive.

Non-sensitive PII can be transmitted in the unsecured form without causing harm to an individual. Sensitive PI must be transmitted and stored in the secure form, for example, using encryption, because it could cause harm to an individual if misused.

Organizations use the concept of PI to understand which data they store, process and manage that identifies people and may carry additional responsibility, security requirements, and in some cases legal or compliance requirements.

Similarly, “Data” includes a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means.

According to this definition, data includes that which is meant for processing by humans. Hence this law also covers data in paper form.

Personal data" means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling.

Additionally, sensitive Personal Data means such personal data, which may, reveal, be related to, or constitute any component such as: full name (maybe alias), face, home address, email, ID number, passport number, vehicle plate number, driver’s license, fingerprints or handwriting, credit card number, digital identity, date of birth, birthplace, medical information, genetic information, phone number, login name or screen name, caste & tribe, religious beliefs, historical data and many more such components.

According to experts, these items definitely qualify as Sensitive, because they can be used to clearly and precisely identify a particular human being.

By Sameer Mathur, Founder and CEO, SM Consulting

President, Delhi-NCR Chapter of the Foundation of Data Protection Professionals in India

With inputs from Vijayashankar Nagaraj Rao