The National Data Sharing and Accessibility Policy (NDSAP) which facilitates easy access and sharing of government owned, publicly funded data, was released in 2012. Soon after its enforcement, multiple States unveiled their respective State data policies (Data Policies). States such as Odisha and Telangana formulated their policies early on in 2015 and 2016, respectively. While Punjab, Karnataka and Tamil Nadu, among others, adopted data policies state-wide, almost a decade from the NDSAP.

Notably, conscious efforts are being made in these States to integrate emerging tech across sectors. Telangana has announced its intentions to establish an exclusive AI city and to make internet a basic right. Karnataka is partnering with World Economic Forum to institute a centre for AI. It is also looking to deploy AI in operational functions such as law enforcement. Odisha on the other hand is utilising AI in disease detection and in education for exam monitoring.

These efforts are in alignment with the National Strategy for AI which encourages State actors to embody the promise of tech to optimise its operations better. In parallel, such States are also crafting IT/ITeS and start-up policies to attract private investment. Despite having comparable formal IT and start-up policies in place, States such as Uttar Pradesh and Kerala lack cohesive strategies to manage data effectively. Such discrepancy is particularly flagrant, given their self-proclaimed objectives to found AI city and AI hub, respectively, within their borders.

Naturally, for States looking to spur industrial and technological advancement, a robust data governance framework becomes a prerequisite. Since the data policies are largely based on the NDSAP, they possess certain key issues which are typically characteristic of the parent policy.

Secondary literature suggests that the preambles to certain data policies do not envisage privacy and security of citizens’ data as a key objective. Given how certain public data may also be of critical nature, the data policy falls short of prioritising the fundamental right to privacy of citizens.

Data pricing is underlined as another sore point. For example, under some data policies, pricing of data is the mandate of the respective data-owner department in terms of policies of the State government concerned. In light of negligible parameters on data pricing, such an expansive provision in the data policy begets arbitrariness and contradiction at the administrative and quasi-judicial levels in the State’s machinery. Separately, majority of the data policies of States do not explicitly provide for anonymising non-personal data which has the potential of being reverse engineered into sensitive data depending upon its use. This compounds the security risks that the mandatory data-sharing of non-personal data, may pose.

Other shortcomings

Incremental to the above, data policies are also characterised by other shortcomings which may induce privacy-centric ramifications. There may be personal data implications in respect of metadata (which includes information on Aadhaar, National Population Register, etc.) hosted on: (a) the portal of the implementing agency of a given data policy in a concerned State; and/or (b) the digital public infrastructure of the concerned State. Given the nature of information being made accessible to public at large, there could emerge issues relating to privacy and compliance with the Digital Personal Data Protection Act 2023 (DPDP Act).

Moreover, some data policies provide for data categorisation based on the personal and non-personal nature thereof. Such policies may synonymise the chief data officer so identified as the owner of the data gathered and published by the concerned State’s departments. Other data policies may even contain explicit language affirming that the data and information collected will remain the property of the State department/agency/body which collected them. Provisions like the above, could engender questions regarding consent vis-à-vis both sharing and ownership of data (including personal data).

The vulnerabilities in the data policies may prove critical in the context of the tech-driven overhauls in such States. The data policies, therefore, need to be scrutinised and modified to reflect the contemporary data governance related requirements in respect of public data. Reviewing and updating the data policies will hence help ensure the interests of different stakeholders are duly captured by an up-to-date data management regime. It will also help create a conducive environment for commercial and public activities to thrive. Through this enterprise, such States will become capable of espousing the virtues of a data economy.

Subsequent to the NDSAP, the Ministry of Electronics & Information Technology (MeitY) released the National Data Governance Framework Policy on non-personal data. MeitY also made public the India Accessibility and Use Policy, inviting stakeholders’ comments thereon. While such measures signal the intention to create strategic solutions with regard to data management, they remain ad-hoc at best. In this backdrop, State-wide data policies attuned to the regulatory changes in the tech space are sine-qua-non. AI strategies as a complement to such data policies would also be beneficial.

The writer is Research Fellow, Applied Law & Technology Research and Fintech, Vidhi Centre for Legal Policy

comment COMMENT NOW