Right to Privacy: Nine Principles of Data Privacy in AP Shah Report
A woman goes through the process of eye scanning for Aadhaar. (REUTERS)
New Delhi: In 2012, the Planning Commission and the Group of Experts on Privacy Issues held meetings on the question of the Right to Privacy. The meetings were chaired by Justice (retd.) AP Shah.
The Justice AP Shah Committee report outlined nine principles that were central to and defined the Right to Privacy.
Principle of Notice: This principle requires a data controller to notify all individuals of its information practices before collecting information from them.
Principle of Choice and Consent: Individuals divulging information must have a choice in the matter, according to this principle. There are two methods of getting the consent of an individual – the opt-in method and the opt-out method. No collection or processing of personal data should take place without consent, with the exception of authorized agencies.
Principle of Collection Limitation: A data controller should collect only as much information as is directly necessary for the purposes identified. The controller should also notify the person giving the information (data subject) through ‘lawful’ and ‘fair’ means.
Principle of Purpose Limitation: It requires that the collection or processing of information be restricted to only as much information as is adequate and relevant. It further states that the collection, procession, disclosure, usage of personal information by a data controller should be limited to the purpose notified and consented to the individual by the data controller, and that any change in this purpose must be notified to the individual.
Principle of Access and Correction: This principle requires that data subjects have access to the data held about them, the ability to seek corrections, amendment, or deletion of such data in case of inaccuracy, and the ability to confirm if a data controller is holding any information on them.
Principle of Disclosure of Information: According to this principle, the data subject (person whose information is taken) has the right to privacy in case their personal information is disclosed to a third party.
Principle of Security: This principle requires that a data controller ensure the security of the collected personal information by ‘reasonable security standards’ to protect from reasonably foreseeable risks. It specifically mentions the following possible dangers: loss, unauthorized access, destruction, use, processing, storage, modification, deanonymization (a strategy in which anonymous data is cross-referenced to identify the source) and unauthorized disclosure, either accidental or incidental.
Principle of Openness: This principle requires a data controller to make public all the information it can about the practices, procedures, policies and systems that it implements in order to comply with the National Privacy principles.
Principle of Accountability: This principle pins accountability on the data controller to comply with measures that fulfil the other eight principles. It states that such measures should include mechanisms to implement privacy policies. It specifically mentions the following: training and education, external and internal audits, and requiring organizations or overseeing bodies extend all necessary support to the Privacy Commissioner and comply with the Commissioner’s orders.