A comparison of state-level data policies

tl;dr

This blog post aims to compare and contrast the data policy for seven Indian states, namely, Punjab, Odisha, Karnataka, Tamil Nadu, Sikkim, Telangana and Chandigarh. While India still lacks a national-level data protection or governance framework, many states have come up with a state-level data policy which largely deals with accessibility, use, sharing and exchange of data. In this post, we attempt to analyse these policies through a lens of data protection and privacy.

Why should you care?

The digital age today has led to an explosion of information and data, which makes the task of achieving compliance with data privacy standards very daunting. This task can be tackled head-on if states proactively draft their own data policy, while accounting for and addressing the various privacy concerns arising out of such data sharing policies. Since data privacy and security has so far and will continue to play a pivotal role in our lives, the time is ripe for the states to take such a step. Unfortunately, only a few states have come out with a state-level policy akin to the National Data Sharing and Accessibility Policy (NDSAP), 2012. Furthermore, much like the latter, the existing state level data policies are also, to some extent, riddled with privacy related concerns, which could have a damaging impact on the privacy and security of individuals’ data.

Background

On May 27, 2022, we wrote to the Tamil Nadu e-Governance Agency for providing our inputs on the Tamil Nadu Data Policy, 2022. Through our comments, we commended the objective of the Tamil Nadu Government to utilise data to improve the quality of governance and service delivery as well as to promote innovation. At the same time, we stressed that these objectives can also be achieved through a rights-centric framework, in a way that the policy truly works for the benefit of all stakeholders. This is broadly our stance for all the other six state level data policies that are listed below:

  1. Punjab State Data Policy, 2020 (“PSDP”)
  2. Odisha State Data Policy, 2015 (“OSDP”)
  3. Karnataka Open Data Policy (“KODP”)
  4. Tamil Nadu Data Policy, 2022 (“TNDP”)
  5. Sikkim Open Data Acquisition and Accessibility Policy 2014 (“SODAAP”)
  6. Telangana Open Data Policy, 2016 (“TODP”)
  7. Data Sharing And Accessibility Policy For Chandigarh Smart City Limited (“DSAP”)

Comparison

Definition: In efforts of strengthening transparency, legal certainty, consistency and clarity, terms in the state-level policies must use pre-existing legal definitions. Doing so will reduce the scope of ambiguity once the policy has been implemented. Most of the state-level data policies define various terms that have already been defined in NDSAP. A step further would be to take inspiration from some of these existing legislations, policies or judgements while drafting the state-level policy. PSDP has, for instance, explicitly mentioned that the RTI Act and 2017 right to privacy judgement must be taken into consideration while making the non-shareable list. But TODP and DSAP have, on the other hand, not relied on the pre-existing definitions. DSAP defines a “negative list” as that including non-sharable data as declared by Chandigarh Smart City Limited (“CSCL”). This is opposed to the general practice applied by NDSAP as well as most state governments, wherein each department/ organisation declares their own negative list. Restricting the right to declare non-shareable data to a single entity is not a move towards encouraging transparency as it will make CSCL the sole entity with an unrestricted power to include/exclude items from the list. Similarly, while the TODP defines “negative list”, it doesn’t follow the NDSAP definition, and thus doesn’t specify who will be declaring the list of non-shareable data. Furthermore, many state data policies have omitted important definitions. For instance, PSDP and SODAAP have not defined “restricted data'', while TODP and OSDP have not defined “open data''. Only KODP and TNDP have defined “anonymisation”, while only KODP, PSDP, TODP and TNDP have defined “personal data''. These inconsistencies and inadequacies may lead to damaging consequences on individual privacy and security of data.

Preamble- an introduction to privacy?: Some positive steps have been taken by these data policies (Punjab, Karnataka and Tamil Nadu), especially in their efforts to recognise and acknowledge the need to protect individual privacy. At the same time, a few state policies (Odisha and Sikkim) make no mention, in letter or spirit, of privacy and security of citizens’ data. The preamble is often termed as the “soul of the document”, and the following quotes from the policies we compared reflect this conscious recognition (or absence) of privacy concerns:

  1. Punjab: “PSDP seeks to define the rules of engagement with regards to all aspects of data management while remaining committed to protecting the privacy of citizens and making optimal use of data for evidence based decision-making.
  2. Odisha: Government of Odisha is embarking upon establishment of “Odisha Spatial Data Infrastructure (OSDI)”,in the line of National Spatial Data Infrastructure(NSDI)”. OSDP is adopted  to facilitate easy access and sharing of such Government owned data, in open format.
  3. Karnataka: “It shall simultaneously define the processes for handling data in department and outside with external stakeholders. It will also encompass the data privacy aspect and will help the State of Karnataka in leveraging data for better decision making, research and innovation.
  4. Tamil Nadu:Share the available data in the repositories in a secure manner ensuring data privacy and protection of sensitive personal data.…The open data could be leveraged by the private sector to develop value added services as well. The Policy intends to achieve this in a non-discriminatory manner while safeguarding the privacy of individuals and institutions.
  5. Sikkim: “The policy will be a driver for economic growth in the building of a knowledge society as envisaged by the Chief Minister.
  6. Telangana: “TODP lays out the broad framework for proactive data sharing while addressing all security and privacy concerns.
  7. Chandigarh: DSAP for CSCL will allow appropriate and responsible sharing of Company’s data to the public for enhancing public well-being. Approach to the data sharing must be responsible and must recognise legal, regulatory, ethical and commercial constraints.

Privacy and security of citizens’ data: The common vision and motivation behind drafting a state-level data policy was to create a shared digital infrastructure that has the potential to improve governance and encourage innovation. While this vision is essential, especially due to the push towards digitisation, it must be achieved while facilitating stronger data protection and privacy measures. In this regard, focusing on the digital rights of citizens while drafting data-related policies is vital.

  1. Punjab: In a commendable move, the PSDP’s data governance framework specifies that the data collection and storage shall be compliant with data privacy and security laws as well as best practices. Furthermore, it includes a separate section on security & protection as well as a section on data privacy, where it recognises it as a fundamental right. However, data has been made the property of the respective state government department. This seriously undermines the rights of the data principal such as the rights to confirmation and access, correction and erasure, data portability and the right to be forgotten.
  2. Odisha: The data policy enjoins upon mandatory sharing of all shareable data by the Government departments. It states, “Pricing of data, mostly arising out of value addition to the existing data, if any, will be decided by the respective data owner department in a rational manner and as per Government of Odisha/Government of India policies” (Section 9). This will lead to datasets being priced arbitrarily as no clear and standard guidelines for pricing of datasets has been prescribed under the Policy itself. Moreover, as the purpose of the policy is to enable inter-departmental access of data, it is unclear how the final dataset which has gone through various levels of processing and analysis will be priced. The final dataset may include information provided by several government departments, and hence; it remains unclear how final valuation will be done. Finally, by deciding how much data must be shared with other departments and for how much, it is essentially making personal data of citizens a saleable commodity. Such perverse commercial incentives to monetise data may set a dangerous precedent.
  3. Karnataka: The KODP shares open data both within the governmental departments and outside it, with external stakeholders. While encompassing the data privacy aspect, it aims to leverage data for better decision making, research and innovation. It claims that well-managed and governed data will be more secure and less vulnerable to cyber-attacks. The need for respecting and protecting the privacy of citizens’ personal data is repeatedly echoed throughout the policy. The flip side is that the policy allows external stakeholders, including private agencies, to access and monetise anonymised data. While the policy disallows the processing of shared data for any purpose, other than the stated purpose, without the prior consent of the respected department(s), it is not enough as a safeguard. The concerns here are twofold. Firstly, the policy fails to adequately account for the possibility that anonymised data can be re-identified or de-anonymised. Secondly, the profit motive and commercial interests may thus create a perverse incentive to collect more granular personal details through greater capture of data and retain it beyond the purpose consented by users.
  4. Tamil Nadu: While elaborating on the economic potential of sharing and utilising data residing among the entities of the government, the policy has repeatedly underlined the need to safeguard the privacy of individuals and institutions in the process. The TNDP has further taken a praiseworthy step by including “privacy” as one of its guiding principles. While these steps are commendable, the policy retains certain issues, right from inception to conclusion. The policy was drafted without holding free, open and public consultations, failing to garner perspectives from a wide range of stakeholders. It also allows private institutions to easily access government data, which gives them a financial incentive to collect more data than necessary and monetise it. This goes against the principle of data minimisation. Secondly, though the Policy has defined the terms “anonymisation”, “aggregation” and “de-identification or pseudo-anonymisation'', it is concerning that it fails to acknowledge the possibility of de-anonymisation.
  5. Sikkim: The SODAAP makes no mention of the terms “privacy” and “security” anywhere in the document. The disregard towards citizens’ privacy and security of data is further made evident in the preamble, wherein the policy is cited as a “driver for economic growth”. While the intention of increasing the ease of living of citizens through the collection of standardised data is commendable, the policy includes inadequate safeguards towards ensuring the protection of the privacy of citizens. Furthermore, SODAAP mandates that all shareable non-sensitive data will become open data, which can also be used to “attract talented entrepreneurs and skilled employees''. The default open and shareable nature of data violates internationally recognised best practices of consent and purpose limitation for processing of personal data.
  6. Telangana: The TODP allows the use of non-classified, non-sensitive data for “scientific, economic and developmental purposes''. It proceeds from an incorrect economic understanding, treating personal data of citizens as a resource to be processed for financial gains. This economic incentive of the policy may thus result in excessive data collection. Moreover, the objective of the policy only mentions “proactive disclosure of Government data”, not clarifying the external stakeholders who may have access to the data, for how long and for what purposes they will have access to the data. Lastly, the policy aims to facilitate interdepartmental sharing of all existing data assets by creating departmental data inventories. In addition to violating the principles of consent and purpose limitation, creation of such databases can lead to the formation of 360° profiles of citizens. This could result in illegal state sponsored mass surveillance.
  7. Chandigarh: In a commendable move, the Policy supports the idea of an alliance which will undertake education and awareness about data in the community as well as address concerns on data privacy and security. On the other hand, it is upsetting to see that the same alliance will be used to further create data collaborations between various government and private agencies. This may lead to unrestrained collection of information, which will risk the government records of Chandigarh residents being sold and profiled by the private sector. Furthermore, the CSCL is the sole entity which has been given the responsibility of pricing the datasets. This makes it difficult for stakeholders to assess the rationale behind the pricing, thereby hampering transparency and accountability. The pricing of datasets will also limit the ability to access data to the wealthy, further strengthening data monopolies and posing a risk to open and fair competition.

The thin line between personal and non-personal data

When drafting a state-level data policy, states must exercise extra caution while classifying and defining the type of data. While non-personal data (“NPD”) has been advocated as having immense economic value and potential to facilitate innovation, personal data has formed the basis of the discourse around privacy. NPD is usually defined as data that does not originate from persons (such as weather data, industrial machinery data), or personal data that has been anonymised. However, there has been a growing collapse of confidence in the ability of anonymised data to alleviate privacy concerns. The urgent need to fill this technical, regulatory and privacy gap has led to calls for criminal penalties for the wrongful re-identification of “anonymized” data. The Draft Report by the Committee of Experts on Non-Personal Data Governance Framework also noted the grave threat posed by de-anonymization, against which adequate barriers must be maintained. The state-level data policies must thus be accompanied with a proactive approach in which robust guidelines for anonymisation procedures are mandated and enforced (in addition to any retroactive procedures) to deal with the emerging threats posed by de-anonymisation.

The myth that is “open” data

Almost all state data policies refer to “open data” as a principle on which data sharing and governance need to be based. We acknowledge that open data provides significant value to the economy. Governments and public authorities across the world are launching open data initiatives, realising the value and benefits of opening up data. It is equally important that  governments view open data not just as an enabler of economic growth and a driver of innovation, but also as an opportunity to bring in transparency and accountability in their functioning. Unfortunately, in practice, all policies fall short of correctly applying the concept of open data. While most policies list the various benefits of opening data, they rarely acknowledge the inherent risks to individual privacy of sharing data. The core principle and objective of the concept of open data is government transparency. However, the mention of transparency appears to be purely for ornamental purposes. Moreover, there is almost no mention of how data sharing, as envisaged under the respective policies, will help fulfil demands for accountability and redressal. Instead, the policy incentive behind making data open seems to be maximising revenue generation. It is thus critical that effective approaches to balance the benefits and risks of open data are developed, to ensure that opening data doesn’t unduly compromise sensitive data.

Conclusion

Considering that these policies contemplate large scale data sharing that will be borne from public funds, it is unfortunate that the state governments have bypassed legislatures to introduce these policies. Furthermore, the constitution of offices, prescription of duties, roles and responsibilities of officers, prescription of standards that may be applicable to the state governments them require legislative deliberation. Thus, the lack of an anchoring legislation to support the various state data policies significantly dilutes their legal standing. Moreover, framing it in the absence of an oversight mechanism and a data protection law, especially considering that the pending version has its own limitations, also dilutes the respective governments’ efforts of working towards data privacy and protection rights of users. Further, these policies would lead to serious privacy concerns due to the interdepartmental data sharing structure envisaged under them as well as result in arbitrary application due to inherent vagueness. The primacy of privacy and consent over any other objectives of data collection must thus be maintained to ensure that the collection and processing of data does not result in harm.

Table summarising the comparison of state-level data policies

State

Name and link

Privacy and Consent as reflected in the Preamble

Position on Privacy; sharing of anonymised data; purpose limitation

Ownership of Data; commercial or profit motives leading to risks of data monetisation; pricing of datasets

Definition of Negative List / non- shareable list

Punjab

Punjab State Data Policy, 2020 (link)

PSDP seeks to remain committed to protecting the privacy of citizens and making optimal use of data for evidence-based decision-making

It specifies compliance of data collection and storage with data privacy and security laws as well as best practices. 


It includes a separate section on security & protection as well as on data privacy, where it recognises it as a fundamental right. 

Data has been made the property of the respective state government department, undermining the rights of the data principal.


PSDP mentions that the RTI Act and right to privacy judgement must be considered while making the non- shareable list. While PSDP has defined “personal data”, it has not defined “restricted data''.  

Odisha

Odisha State Data Policy, 2015 (link)

Government of Odisha plans to establish “Odisha Spatial Data Infrastructure. Thus, OSDP was adopted  to facilitate easy access and sharing of such Government owned data, in open format.

It states that all government owned open data shall be stored and maintained with adequate data management / security. It seeks to ensure implementation of proper data types, standards and sharing by developing guidelines for security and safety of such data sets. 

The policy makes personal data of citizens a saleable commodity. Such perverse commercial incentives to monetise data may set a dangerous precedent. 


Pricing as per value addition to the existing data will lead to arbitrary pricing as no clear and standard guidelines have been prescribed.

OSDP has not defined “open data'' or “personal data”. 


Karnataka

Karnataka Open Data Policy (link)

KODP will define the processes for handling data in department and outside with external stakeholders, while also encompassing the data privacy aspect.

While encompassing the data privacy aspect, the policy allows external stakeholders, including private agencies, to access and monetise anonymised data. 

The policy fails to adequately account for the possibility that anonymised data can be de-anonymised. 


The profit motive and commercial interests created by sharing data with private entities may create a perverse incentive to collect more granular personal details and retain it beyond the purpose consented by users.


The annexure of the policy includes a MoU form which states, “The Parties mutually agree that there exist no commercial considerations in respect of this

MoU.”

KODP has defined “anonymisation”. Although the policy has classified data into 3 types/ levels - shareable, sensitive & restricted - it has not explained the reasoning behind doing so. 


Tamil Nadu

Tamil Nadu Data Policy, 2022 (link)

On the one hand, the TNDP aims to share the available data in a secure manner ensuring data privacy and protection of sensitive personal data. On the other hand, it discusses how the open data could be leveraged by the private sector.

The policy repeatedly underlined the need to safeguard the privacy of individuals and institutions. It also includes “privacy” as one of its guiding principles. 


The policy fails to acknowledge the possibility with which de- anonymisation of data can be conducted.

It allows private institutions to easily access government data, giving them a financial incentive to collect more data than necessary and monetise it. 

TNDP has defined “anonymisation” as well as “personal data”.


Sikkim

Sikkim Open Data Acquisition and Accessibility Policy 2014 (link)

SODAAP intends to be a driver for economic growth in the building of a knowledge society, as envisaged by the Chief Minister.

The SODAAP makes no mention of the terms “privacy” and “security” anywhere in the document. Furthermore, SODAAP mandates that all shareable non-sensitive data will become open data. The default open and shareable nature of data violates internationally recognised best practices of consent and purpose limitation for processing of personal data.

The disregard towards citizens’ privacy and security of data is further made evident in the preamble, wherein the policy is cited as a “driver for economic growth”. Furthermore, the policy states that the open data can also be used to “attract talented entrepreneurs and skilled employees''.


SODAAP has not defined “restricted data''.



Telengana

Telangana Open Data Policy, 2016 (link)

TODP lays out the broad framework for proactive data sharing while addressing all security and privacy concerns

The TODP allows the use of non-classified, non-sensitive data for “scientific, economic and developmental purposes''.


Additionally, the creation of inter- departmental databases can lead to the formation of 360° profiles of citizens. 

The policy proceeds from an incorrect economic understanding, treating personal data of citizens as a resource to be processed for financial gains. This economic incentive of the policy may thus result in excessive data collection.

TODP has not relied on pre-existing definitions to define certain terms in the policy. While the TODP defines “negative list”, it doesn’t follow the NDSAP definition, and thus doesn’t specify who will be declaring the list of non-shareable data. While TODP has defined “personal data”, it has not defined “open data''.

Chandigarh

Data Sharing And

Accessibility Policy

For Chandigarh Smart City Limited

(CSCL) (link)

DSAP aims to allow appropriate and responsible sharing of Company’s data to the public for enhancing public well-being. It recognises that the approach to data sharing must be responsible and must recognize legal, regulatory, ethical and commercial constraints.

The Policy supports the idea of an alliance which will undertake education and awareness about data in the community as well as address concerns on data privacy and security. 


Sharing of data with private entities will risk the government records of Chandigarh residents being sold and profiled by the private sector.

The Smart City Alliance will be used to further create data collaborations between various government and private agencies. This may lead to unrestrained collection of information. Furthermore, the CSCL is the sole entity which has been given the responsibility of pricing the datasets,  hampering transparency and accountability. 


DSAP has not relied on the pre-existing definitions to define certain terms. It defines a “negative list” as that including non- sharable data as declared by CSCL, restricting that right to a single entity is not a move towards encouraging transparency as it will give it unrestricted power to include/exclude items from the list. 

This blogpost was primarily drafted by Tejasi Panjiar, Associate Policy Counsel, and reviewed by Prateek Waghre, Policy Director.

Important Documents

  1. Punjab State Data Policy, 2020
  2. Odisha State Data Policy, 2015
  3. Karnataka Open Data Policy
  4. Tamil Nadu Data Policy, 2022
  5. Sikkim Open Data Acquisition and Accessibility Policy 2014
  6. Telangana Open Data Policy, 2016
  7. Data Sharing And Accessibility Policy For Chandigarh Smart City Limited
  8. National Data Sharing and Accessibility Policy (NDSAP), 2012
  9. Draft Report by the Committee of Experts on Non-Personal Data Governance Framework
  10. Our letter to the TNeGA on the Tamil Nadu Data Policy, 2022