Classification of Your Data

Pallavi Modi
Published in Rear Window
Oct 7, 2020

In the big, all-encompassing world of digital data, have you ever wondered how your data may be categorised? With the upcoming data privacy law in the country, new codified categorisations will be created, and each of these types of data will be subject to different rules. Before understanding the classification, it is imperative to know what data means. The currently existing legislation concerning data privacy, the Information Technology Act, 2000 (“IT Act”), defines data in section 2(1)(o) as:

“A representation of information, knowledge, facts, concepts or instructions prepared/to be prepared in a formalised manner and processed/to be processed in a computer system or computer network and it can be in tangible or soft form”.

The Personal Data Protection Bill, 2019 (“PDP Bill”) provides a similar but wider definition of data under section 2(11), stating that data “includes a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means.” By virtue of being an inclusive definition, the bill seeks to remove any scope of conflict as to what can constitute data.

Data can be broadly classified as personal and non-personal. The IT Act does not seek to regulate these broader categories. Its provisions seek to regulate a subcategory of personal data, namely sensitive personal data. Personal data, in simple terms, can be understood as data through which an individual can be identified. The PDP Bill defines it as “data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling.” This definition may have been influenced by the General Data Protection Regulations (GDPR) of Europe, because they provide a similar definition.

Non-personal information is not regulated by any existing law in India. However, in July 2020, an Expert Committee chaired by Mr. Kris Gopalakrishnan was constituted to prepare the first draft of regulations governing it. As per the Expert Committee, non-personal data is any data which is not personal data (data pertaining to characteristics, traits or attributes of identity, which can be used to identify an individual). It can be classified into three subcategories. Firstly, public non-personal data, which is data collected or generated by the government in the course of publicly funded works. Secondly, community non-personal data, which is raw or factual data (without any processing) sourced from a community of natural persons. Thirdly, private non-personal data, which is data collected or generated by private entities through privately owned processes (derived insights, algorithms or proprietary knowledge).

Personal data, although not clearly classified by the present IT Act or the upcoming PDP Bill, can be said to be categorised under their aegis into sensitive personal data and critical personal data. The IT Act seeks to protect only the subcategory of sensitive personal data and defines it through the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“SPDI Rules”). These rules, framed under the powers conferred by section 87(2)(ob) read with section 43A of the IT Act, define sensitive personal data under Rule 3 as:

“Data or information of a person means such personal information which consists of information relating to; — (i) password; (ii) financial information such as Bank account or credit card or debit card or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) Biometric information; (vii) any detail relating to the above clauses as provided to body corporate for providing service; and (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise: provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.”

The PDP Bill defines sensitive personal data under as:

“Such personal data, which may, reveal, be related to, or constitute — (i) financial data; (ii) health data; (iii) official identifier; (iv) sex life; (v) sexual orientation; (vi) biometric data; (vii) genetic data; (viii) transgender status; (ix) intersex status; (x) caste or tribe; (xi) religious or political belief or affiliation; or (xii) any other data categorised as sensitive personal data under section 15.”

Here, section 15 gives the Central government the power to classify any personal data as sensitive personal data, with consultation and under certain conditions. A similar power has been given to the Central government by section 43A(iii), which was inserted by amendment in 2009. However, this power under the existing law is more specific: it can be utilised only for the purpose of addressing the issue of compensation in case of failure to protect data.

The PDP Bill further proposes a new category of personal data called critical personal data. The explanation to section 33(2) provides for the difference between sensitive and critical personal data. Critical personal data is also an open-ended category which the government can define from time to time; the difference is that critical personal data can never leave the country, for storage or processing, whereas sensitive personal data can be transferred but not be stored outside India.

Lastly, another new category which shall be introduced by the PDP Bill is anonymised data, defined under section 3(2) as “data which has undergone irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified”.

Thus, with the upcoming and much-anticipated data privacy reforms, many new categories of data and many new concerns shall arise.
