white_paper_on_data_protection_in_india_171127_final_v2
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
2. Should the def<strong>in</strong>iti<strong>on</strong> of process<strong>in</strong>g list <strong>on</strong>ly ma<strong>in</strong> operati<strong>on</strong>s of process<strong>in</strong>g i.e.<br />
collecti<strong>on</strong>, use and disclosure of <strong>data</strong>, and <strong>in</strong>clusively cover all possible operati<strong>on</strong>s <strong>on</strong><br />
<strong>data</strong>?<br />
3. Should the scope of the law <strong>in</strong>clude both automated and manual process<strong>in</strong>g? Should the<br />
law apply to manual process<strong>in</strong>g <strong>on</strong>ly when such <strong>data</strong> is <strong>in</strong>tended to be stored <strong>in</strong> a fil<strong>in</strong>g<br />
system or <strong>in</strong> some similar structured format?<br />
Alternatives:<br />
a. All pers<strong>on</strong>al <strong>data</strong> processed must be <strong>in</strong>cluded, howsoever it may be processed.<br />
b. If <strong>data</strong> is collected manually, <strong>on</strong>ly fil<strong>in</strong>g systems should be covered as the risk of<br />
profil<strong>in</strong>g is lower <strong>in</strong> other cases.<br />
c. Limit the scope to automated or digital records <strong>on</strong>ly.<br />
4. Are there any other issues relat<strong>in</strong>g to the process<strong>in</strong>g of pers<strong>on</strong>al <strong>data</strong> which have not<br />
been c<strong>on</strong>sidered?<br />
6. Def<strong>in</strong>iti<strong>on</strong> of Data C<strong>on</strong>troller and Processor<br />
The obligati<strong>on</strong>s <strong>on</strong> entities <strong>in</strong> the <strong>data</strong> ecosystem must be clearly del<strong>in</strong>eated. To this end a<br />
clear c<strong>on</strong>ceptual understand<strong>in</strong>g of the accountability of different entities which c<strong>on</strong>trol and<br />
process pers<strong>on</strong>al <strong>data</strong> must be evolved.<br />
For a fuller discussi<strong>on</strong>, see page 48 above.<br />
Questi<strong>on</strong>s<br />
1. What are your views <strong>on</strong> the obligati<strong>on</strong>s to be placed <strong>on</strong> various entities with<strong>in</strong> the <strong>data</strong><br />
ecosystem?<br />
2. Should the law <strong>on</strong>ly def<strong>in</strong>e ‗<strong>data</strong> c<strong>on</strong>troller‘ or should it additi<strong>on</strong>ally def<strong>in</strong>e ‗<strong>data</strong><br />
processor‘?<br />
Alternatives:<br />
a. Do not use the c<strong>on</strong>cept of <strong>data</strong> c<strong>on</strong>troller/processor; all entities fall<strong>in</strong>g with<strong>in</strong> the<br />
ambit of the law are equally accountable.<br />
b. Use the c<strong>on</strong>cept of ‗<strong>data</strong> c<strong>on</strong>troller‘ (entity that determ<strong>in</strong>es the purpose of<br />
collecti<strong>on</strong> of <strong>in</strong>formati<strong>on</strong>) and attribute primary resp<strong>on</strong>sibility for privacy to it.<br />
c. Use the two c<strong>on</strong>cepts of ‗<strong>data</strong> c<strong>on</strong>troller‘ and ‗<strong>data</strong> processor‘ (entity that receives<br />
<strong>in</strong>formati<strong>on</strong>) to distribute primary and sec<strong>on</strong>dary resp<strong>on</strong>sibility for privacy.<br />
209