The government has issued a notice confirming the final DPDP rules and the implementation timeline for the Digital Personal Data Protection Act, which was passed in 2023.
Among the notified rules, Rule 5 specifies the state's powers to process users' personal data. It is set to come into force 18 months after the publication of the final rules, which means this rule, along with Rules 3, 16, 22 and 23, will come into effect in May 2027. The remaining rules are already in force, except Rule 4, which deals with the appointment and obligations of a consent manager.
Section 7(b) of the Act and Rule 5 of the draft DPDP Rules give the government the authority to process personal data when such processing is necessary to deliver public services. Additionally, while the final DPDP Rules do not differ significantly from the January draft, they remove the phrase “issued under law or policy or using public funds” from clause (d). It now reads
When can the government process personal data?
The government can process citizens' personal data for legitimate uses, such as providing or issuing the following:
- subsidies,
- benefits,
- certificates,
- licences, and
- “other permits”.
Additionally, under Section 7 of the Act, the government can process the data for the following purposes as well:
- To perform legal functions under Indian law, including those by the state or its agencies.
- To protect “national security, sovereignty, integrity, and public order.”
- To meet legal or judicial requirements, including court orders and judgements.
- To address medical emergencies or threats to public health, including epidemics.
- To ensure safety or provide aid during disasters or public order breakdowns.
What data can the government access?
The government can also process records that are already available in digitised or non-digitised formats. However, to enable the government to process the data, the data principal (user) must have previously given their consent. Non-digitised data can subsequently be digitised for processing. The government can process records maintained by the government or its instrumentalities (agencies). These agencies will be notified by the government.
Additionally, the government and its agencies can also process the personal data for the “performance of any function under any law in force.” This means – as mentioned above – that the government can process personal data if it is necessary to fulfil legal functions or obligations.
This also includes the “interest of sovereignty and integrity of India or security of the State.” Additionally, Section 7(d) allows the processing of personal data of any person for “fulfilling any obligation under any law” to share the information with states and their instrumentalities. The section also notes that such disclosure of information must be in accordance with other applicable laws.
What Data Standards Does the Government Have to Follow?
While the final DPDP rules do not differ significantly from the previous draft, the government made one notable change to the Second Schedule, which sets the standards for processing personal data by the state and its instrumentalities. Clause 7(d) now expands the requirement for “reasonable efforts” to include ensuring the “completeness, accuracy and consistency of personal data”. The earlier draft required reasonable efforts only to ensure “accuracy”.
Except for this minor expansion, the Second Schedule remains unchanged. Its key points are:
- Data Principals must be informed about the data processing.
- Must publish the business contact information of the Data Protection Officer, to answer the questions of Data Principals.
- Must retain the personal data only as long as necessary to achieve the goal, like delivering the services.
- Must process the data only to achieve the specified goal, and not for other purposes.
- It is essential to ensure that the data being collected and processed is accurate, complete, and consistent.
- Must ensure that the required safeguards are in place to protect the data from data breaches.

