white_paper_on_data_protection_in_india_171127_final_v2
3. Reasonable exceptions to the right to access and rectification exist in all jurisdictions. Such exceptions must also be carved out to ensure that organisations are not overburdened by requests which are not feasible to respond to. 8.5 Questions 1. What are your views in relation to the above? 2. Should there be a restriction on the categories of information that an individual should be entitled to when exercising their right to access? 3. What should be the scope of the right to rectification? Should it only extend to having inaccurate date rectified or should it include the right to move court to get an order to rectify, block, erase or destroy inaccurate data as is the case with the UK? 4. Should there be a fee imposed on exercising the right to access and rectify one‘s personal data? Alternatives: a. There should be no fee imposed. b. The data controller should be allowed to impose a reasonable fee. c. The data protection authority/sectoral regulators may prescribe a reasonable fee. 5. Should there be a fixed time period within which organisations must respond to such requests? If so, what should these be? 6. Is guaranteeing a right to access the logic behind automated decisions technically feasible? How should India approach this issue given the challenges associated with it? 7. What should be the exceptions to individual participation rights? [For instance, in the UK, a right to access can be refused if compliance with such a request will be impossible or involve a disproportionate effort. In case of South Africa and Australia, the exceptions vary depending on whether the organisation is a private body or a public body.] 8. Are there any other views on this, which have not been considered above? 128
CHAPTER 9: INDIVIDUAL PARTICIPATION RIGHTS-2 Rights: Right to Object to Processing, Right to Object to processing for purpose of Direct Marketing, Right to not be subject to a decision based solely on automated processing, Right to Data Portability, and, Right to restrict processing. 9.1 Introduction In addition to confirmation, access and rectification, certain other individual participation rights have been recognised. 594 While their recognition is primarily in the EU and countries which follow a similar model for regulation, the rationale for their inclusion in this
- Page 87 and 88: Distribution of Insurance Products)
- Page 89 and 90: Another advantage of relying on con
- Page 91 and 92: individuals may find it impossible
- Page 93 and 94: that the collection is reasonably n
- Page 95 and 96: CHAPTER 2: CHILD’S CONSENT 2.1 In
- Page 97 and 98: the cloud service provider as to st
- Page 99 and 100: The PIPEDA does not specifically de
- Page 101 and 102: 7. How can the requirement for pare
- Page 103 and 104: mechanism still continues to play a
- Page 105 and 106: 3.3 International Practices Despite
- Page 107 and 108: (CALOPPA) 466 and the GLB Act requi
- Page 109 and 110: CHAPTER 4: OTHER GROUNDS OF PROCESS
- Page 111 and 112: This ground covers two types of sce
- Page 113 and 114: that there may be certain situation
- Page 115 and 116: CHAPTER 5: PURPOSE SPECIFICATION AN
- Page 117 and 118: collected for more than one purpose
- Page 119 and 120: enable data controllers to understa
- Page 121 and 122: CHAPTER 6: PROCESSING OF SENSITIVE
- Page 123 and 124: may instrumentally be caused if the
- Page 125 and 126: PIPEDA does not specifically deal w
- Page 127 and 128: CHAPTER 7: STORAGE LIMITATION AND D
- Page 129 and 130: solely for archiving purposes in th
- Page 131 and 132: 2. Data Quality: The principle of d
- Page 133 and 134: data protection laws across jurisdi
- Page 135 and 136: The requirement to be provided the
- Page 137: Information Act, 1982 or other appr
- Page 141 and 142: . the processing is unlawful and th
- Page 143 and 144: such a right may be unsuitable in t
- Page 145 and 146: from being taken solely on the basi
- Page 147 and 148: CHAPTER 10: INDIVIDUAL PARTICIPATIO
- Page 149 and 150: emove data for ―the processing of
- Page 151 and 152: South Africa Section 24 of the POPI
- Page 153 and 154: PART IV REGULATION AND ENFORCEMENT
- Page 155 and 156: they form core, substantive element
- Page 157 and 158: CHAPTER 2: ACCOUNTABILITY AND ENFOR
- Page 159 and 160: have been taken or that the data su
- Page 161 and 162: The EU GDPR focuses on a ―risk ba
- Page 163 and 164: person who processes personal infor
- Page 165 and 166: with developing certain baseline ac
- Page 167 and 168: ENFORCEMENT TOOLS 2.6 Introduction
- Page 169 and 170: Australia The Privacy Act makes ext
- Page 171 and 172: B. PERSONAL DATA BREACH NOTIFICATIO
- Page 173 and 174: eputation, and loss of confidential
- Page 175 and 176: There is a need to put in place a n
- Page 177 and 178: C. CATEGORISATION OF DATA CONTROLLE
- Page 179 and 180: The Treasury Board of Canada Secret
- Page 181 and 182: Under the EU GDPR, only certain dat
- Page 183 and 184: 5. What range of additional obligat
- Page 185 and 186: D. DATA PROTECTION AUTHORITY 2.18 I
- Page 187 and 188: and approval of the appointment by
3. Reas<strong>on</strong>able excepti<strong>on</strong>s to the right to access and rectificati<strong>on</strong> exist <strong>in</strong> all jurisdicti<strong>on</strong>s.<br />
Such excepti<strong>on</strong>s must also be carved out to ensure that organisati<strong>on</strong>s are not<br />
overburdened by requests which are not feasible to resp<strong>on</strong>d to.<br />
8.5 Questi<strong>on</strong>s<br />
1. What are your views <strong>in</strong> relati<strong>on</strong> to the above?<br />
2. Should there be a restricti<strong>on</strong> <strong>on</strong> the categories of <strong>in</strong>formati<strong>on</strong> that an <strong>in</strong>dividual should<br />
be entitled to when exercis<strong>in</strong>g their right to access?<br />
3. What should be the scope of the right to rectificati<strong>on</strong>? Should it <strong>on</strong>ly extend to hav<strong>in</strong>g<br />
<strong>in</strong>accurate date rectified or should it <strong>in</strong>clude the right to move court to get an order to<br />
rectify, block, erase or destroy <strong>in</strong>accurate <strong>data</strong> as is the case with the UK?<br />
4. Should there be a fee imposed <strong>on</strong> exercis<strong>in</strong>g the right to access and rectify <strong>on</strong>e‘s<br />
pers<strong>on</strong>al <strong>data</strong>?<br />
Alternatives:<br />
a. There should be no fee imposed.<br />
b. The <strong>data</strong> c<strong>on</strong>troller should be allowed to impose a reas<strong>on</strong>able fee.<br />
c. The <strong>data</strong> protecti<strong>on</strong> authority/sectoral regulators may prescribe a reas<strong>on</strong>able fee.<br />
5. Should there be a fixed time period with<strong>in</strong> which organisati<strong>on</strong>s must resp<strong>on</strong>d to such<br />
requests? If so, what should these be?<br />
6. Is guarantee<strong>in</strong>g a right to access the logic beh<strong>in</strong>d automated decisi<strong>on</strong>s technically<br />
feasible? How should India approach this issue given the challenges associated with it?<br />
7. What should be the excepti<strong>on</strong>s to <strong>in</strong>dividual participati<strong>on</strong> rights?<br />
[For <strong>in</strong>stance, <strong>in</strong> the UK, a right to access can be refused if compliance with such a<br />
request will be impossible or <strong>in</strong>volve a disproporti<strong>on</strong>ate effort. In case of South Africa<br />
and Australia, the excepti<strong>on</strong>s vary depend<strong>in</strong>g <strong>on</strong> whether the organisati<strong>on</strong> is a private<br />
body or a public body.]<br />
8. Are there any other views <strong>on</strong> this, which have not been c<strong>on</strong>sidered above?<br />
128