New Delhi: A draft document listing guidelines for the anonymisation of data was unexpectedly removed from the information technology (IT) ministry’s website Tuesday, about a week after it had been put up for public feedback. The removal has led to criticism from civil society groups about the government’s apparent “disregard” for the consultation process.
Sources within the IT ministry said, however, that the guidelines were taken down “since we wanted to send it for further ministerial evaluation. This is not new since such processes existed in the past as well. We will put it back again once the due process is followed. We are following the process of consultation as well, but it is only after a thorough ministerial evaluation that we can put it forward for wider discussions.”
Titled ‘Guidelines for Anonymisation of Data (AoD)’, the document was released on 30 August and was supposed to remain open for comments until 21 September.
Anonymisation refers to the removal or modification of data, such as Aadhaar numbers and addresses, so that individuals cannot be identified from it.
The draft identified some of the main reasons as to why a blueprint for data anonymisation must exist. “Unauthorised access, disproportionate surveillance, identity theft, financial frauds, blackmail and extortion using personal information, 360-degree profiling are some of the emerging challenges for society at large. In addition, large-scale data breaches are rampant and present a significant challenge that requires attention from all stakeholders,” it read.
However, several civil society and advocacy groups have questioned the idea of having such guidelines without data protection laws in place. Such a law would enable criminal penalties to be applicable to major breaches.
Last month, the government withdrew the Personal Data Protection Bill 2019, which aimed to regulate how companies and the government could use the digital data of citizens.
Responding to the criticism, the ministry sources said, “These guidelines are a part of a larger data privacy ecosystem. Every aspect of this is important to us and this is not a first step towards the legislation. The legislation is independent of these guidelines and has no relation.”
The AoD guidelines were put together by a 14-member working group headed by Avinash Agarwal, deputy director general (convergence & broadcasting) of the Department of Telecommunications in the national capital. The group was formed by the Centre for Development of Advanced Computing in Pune, which works under the IT ministry and conducts research in technological domains.
With the guidelines no longer available, some internet activists are crying foul.
“This is the third time that the government has openly disregarded the consultation process,” said Prateek Waghre, director of policy at Internet Freedom Foundation.
He was referring to similar issues around the proposed draft amendment to the IT Rules, 2021 and the draft India Data Accessibility & Use Policy, 2022. The former was withdrawn and then re-released this June, and the latter was reportedly updated without a notification.
Also read: Why Modi govt withdrew the Personal Data Protection Bill
What is data anonymisation?
Data anonymisation is a process of protecting the data of citizens by hiding personal identifiers like phone numbers, Aadhaar numbers, home or office addresses etc.
With huge volumes of data within platforms like CoWIN & Ayushman Bharat, the draft guidelines document spoke about how to process this information and reduce the chances of privacy risks.
There are different ways of anonymising data, according to the draft.
These include “data masking”, where essential personal details may be obscured with an “x” or an “*”. Another technique is “generalisation”, where data is made less specific. For example, instead of writing an exact age, one may just mention an age range. “Data swapping” is a third method. It involves the shuffling of data by using permutation techniques to keep original data safe.
What critics have said
Questions have been raised regarding the foundations of data anonymisation in India.
According to Amit Dubey, a cyber expert from the Delhi NCR region, data anonymisation is “much needed” but does not address issues around how internet usage patterns can be tracked and personal data breached.
Waghre, quoted earlier, also reinforced the need for a data protection law and need to research data anonymisation ahead of anything else. “Without penalties, guidelines may not work and we have seen policies remaining in limbo because of that,” he added.
The AoD draft is just the first step and was not meant to be a “silver bullet”, according to Rahul Sharma, one of the working group members who formed the guidelines and is also the founder of The Perspective, an advisory firm that focuses on cyber policy and data privacy.
“These guidelines are independent of the data protection legislation,” Sharma told ThePrint.
“These guidelines are voluntary in nature…It is the organisations’ prerogative to anonymise data…The longer purpose is to build a voluntary culture and as a norm so that there are lesser data privacy risks,” he added.
(Edited by Asavari Singh)
Also read: Don’t spread fake news on state institutions — Pakistan watchdog warns in diktat to media