The Personal Data Protection Bill is reportedly doing the rounds and moving towards becoming a law. While the need for such a Bill is appreciated, I found it to be long, vague, and subject to interpretations.

The current Bill appears to be the result of “mistrust” amongst the key stakeholders involved — the person or “data principal”, the company or “data fiduciary” as they call them, and the government who seems to be a superuser of data. And this begs the question: Why the mistrust?

Governments are elected for a short period of time and key personnel change; similarly with bureaucrats, who are often transferred. It is important to ensure that our lawmakers and law enforcers are subject to laws that allow them to use data for very specific purposes and not have an overreach on data from private and public data fiduciaries. Perhaps a system of “distributed privacy” can be implemented for specific cases of lawmaking or law enforcement.

There are sentences in the Bill that allow the government and possibly the private parties they collaborate with on large projects to get access to anonymised data — for instance, “Government can have access to anonymised data for better targeting of service delivery or to aid evidence-based policymaking”. Such sentences are vague and can be used for anything, thereby nullifying the privacy of the individual for whom the Bill was intended for in the first place.

As we move towards a more globalised and digital economy, it is important to protect the privacy of an individual; else, he/she may be subject to discrimination or unfair treatment or, in general, be identified with data that has been acquired by the data fiduciaries. One feels that using blockchain technology would give our consumers more control over their data.

Genetic data

While genetic data is classified as personal, it is unclear how much of this data can be considered personal. For instance, a single SNP (single-nucleotide polymorphism) or a gene may be called genetic data but it cannot identify an individual with just that piece of data. Also, when data is properly anonymised, it is not possible to trace back to the individual, so it is unclear if any “genetic data” will then be considered “personal” as not all genetic data is identifiable.

It is important to look at the positive and negative aspects of collecting large volumes of genomic data with accompanying phenotype information. The positive aspects, of course, being that precision medicine revolves around the use of good quality data and algorithms. These data sets will be useful for making medicines more precise, improving nutrition, and much more.

On the negative side, especially from a privacy perspective, a consumer may be worried about two things. First, of being discriminated against for employment and for insurance premiums. These are handled well with laws that prevent discrimination — like the GINA in the US. And, second, using databases for potentially catching criminals using these databases. We find a clampdown on these by genetic testing companies in the US where companies would only give this data for a specific legal case during a grand jury or a trial.

Privacy is, therefore, ultimately for the consumers or the data principals to consent if they believe that the value of research on their anonymised data outweighs the threats they see. As long as data is properly anonymised, most people prefer to go with the greater good, for healthcare in particular. But I worry for researchers who collaborate internationally on specific conditions with samples that come from many countries. By the time they can comply with all regulations, it is possible that the technology becomes outdated.

The other challenge, of course, will be compliance, especially for larger companies which did not collect appropriate consent in the first place and for others who are likely to have data from offshore activities or are multinational in structure. At a time when the industry is growing not so rapidly, it may not be wise to impose such strict restriction, as it will result in the need to allocate more capital for a non-revenue-generating activity.

As an entrepreneur in India for two decades, one of the words we dread is “retroactive”. Any law that is brought in should allow the data fiduciaries to comply from a certain date, else this would add to the pile of tax notices they already face. The lawmakers do need to be applauded for introducing a Bill on personal data protection and reaching out to everyone for comments. One hopes that in this age of technology, there are solutions that protect an individual while encouraging anonymised solutions using artificial intelligence.

The writer is CEO, Mapmygenome

comment COMMENT NOW