In view of the imminent Personal Data Protection Bill, Post 1 of PSA’s data protection law series aims at providing an overview of what is personal data and what it means for organizations processing such data.
• Existing framework: The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data) Rules (IT Rules) define “personal information” as any information processed by computer (system/network) standalone or combined with others that leads to identification of a natural person. Additionally, the IT Rules categorise some personal information as “sensitive”. These include passwords, financial information (like account, card or other payment instrument details), physical, physiological and mental health condition, sexual orientation, medical records and biometric information. Further, it has been customary for organizations processing personal information to regard anonymized pseudonymised data as outside IT Rules’ purview, even though there is no express provision.
• Personal Data under the Bill: The PDP Bill defines “personal data” as any data, alone or in combination with others that results in direct or indirect identification of a natural person. However, the Bill does not provide an illustrative list, and some examples are:
- direct => name, phone number, e-mail ID, government ID, bank account numbers, address
- indirect => location, purchase history, physical traits, IP address, postal code, cookie identifiers
Thus, the concept is not entirely new and a wide variety of data can be personal data if they reveal identity of a person. Further, the scope is similar to personal data/information under other global laws such as EU General Data Protection Regulations, Australian Privacy Act and the California Consumer Protection Act.
But it is important to understand how the Bill defines “data” to fully appraise the ambit of personal data. Data is defined broadly and includes representation of information, facts, concept, opinions, and instructions suitable for processing by humans or automated means. Consequently, the Bill will make processing of personal data technology agnostic. It is also likely that any oral communication and opinion that reveals individual’s identity will be treated as personal data.
• Sensitive personal data: Similar to the IT Rules, the Bill classifies some personal data as “sensitive personal data”; these are those which reveal, relate to, or constitute any of the following categories:
- official identifiers => PAN, voter ID, passport
- sex life, sexual orientation, transgender status, intersex status
- caste or tribe, religious or political belief/affiliation
- financial => data used to identify accounts, payment instruments, credit history, financial status or relationship with financial institutions like cards, cheques, bank account number, payment history, income statement, credit score, tax or bankruptcy cases
- health => data about past, present or future physical or mental health such as medical reports, prescriptions, data collected during health camps or surveys
- biometric => data resulting from processing of physical, physiological, or behavioural characteristics like fingerprints, iris scan, facial images
- genetic => data about genetic characteristics providing information regarding behavioural, physiological or health such as chromosomal, DNA or RNA analysis
In addition to the above, the Bill empowers the proposed regulator, Data Protection Authority to notify further categories.
Similar concept exists in other jurisdictions, although there are some differences. For instance, the Australian Privacy Act’s “sensitive information” does not include financial information, as its processing is regulated under separate legal requirements and not under the general privacy law.
• What happens to anonymized and pseudonymised data? The Bill specifically excludes processing of “anonymised data”. Anonymisation is the irreversible process of transforming or converting personal data into such form that it cannot lead to identification of a person. Acceptable anonymization standards will be notified once the Bill is enacted.
While the Bill carves out anonymised data, there is no specific exclusion for pseudonymised or de-identified data. De-identified data are those where identifiers are removed/masked/replaced with fictitious name/code and which cannot on its own reveal identity. Essentially, this means that when combined with identifiers, de-identified data can lead to identification. As a result, de-identified data also is treated as personal data under the Bill.
When compared with law in other jurisdictions like European Union and Australia, there is no categorical exemption for these categories. Rather, anonymization and pseudonymisation processes are viewed as efficient data protection processes. The underlying rationale appears to stem from the fact that no anonymization technique is fool-proof. It is possible that anonymized or pseudonymised data can be clubbed with identifiers to result in personal data and identification of natural person. Thus, while the Bill recognizes the existing custom of disregarding anonymized data, it appears to disregard the situation where anonymised data is processed to result in personal data.
• Analysis: In light of the foregoing discussion, our view is:
- The scope of PD is extremely wide. This is primarily because the scope of data per se is wide to include any data that can be processed manually or digitally. Personal information under the IT Rules is limited in the context of processing by computers.
- Opinions revealing identity can be personal data. Even a false opinion that reveals identity is covered and while this is in line with other international laws, the IT Rules do not include opinions.
- Large pool of personal data processed by businesses may be sensitive, requiring them to comply with associated stricter processing requirements. Most categories of sensitive personal data are open to factual interpretation. For instance, financial data includes “financial status or relationship with financial institutions”. Thus, it is a possibility that many organizations may find themselves dealing with sensitive data once the Bill is enacted.
- Upon enactment, organizations must as part of their compliance processes, conduct detailed data inventory and continue doing so periodically to keep stock of what data is personal and sensitive. In certain cases, data inventory will be needed for different departments within the organization. This will facilitate their adherence with PDP’s requirements, but at the same time will necessarily mean incurring added costs.