white_paper_on_data_protection_in_india_171127_final_v2
accurate, complete and kept up-to-date. These principles cast certain obligations on data controllers. The extent of such obligations must be carefully determined. For a fuller discussion, see page 117 above. Questions 1. What are your views on the principles of storage limitation and data quality? 2. On whom should the primary onus of ensuring accuracy of data lie especially when consent is the basis of collection? Alternatives: a. The individual b. The entity collecting the data 3. How long should an organisation be permitted to store personal data? What happens upon completion of such time period? Alternatives: a. Data should be completely erased b. Data may be retained in anonymised form 4. If there are alternatives to a one-size-fits-all model of regulation (same rules applying to all types of entities and data being collected by them) what might those alternatives be? 5. Are there any other views relating to the concpets of storage limitation and data quality which have not been considered above? 8. Individual Participation Rights-1 One of the core principles of data privacy law is the ―individual participation principle‖ which stipulates that the processing of personal data must be transparent to, and capable of being influenced by, the data subject. Intrinsic to this principle are the rights of confirmation, access, and rectification. Incorporation of such rights has to be balanced against technical, financial and operational challenges in implementation. For a fuller discussion, see page 122 above. Questions 1. What are your views in relation to the above? 220
2. Should there be a restriction on the categories of information that an individual should be entitled to when exercising their right to access? 3. What should be the scope of the right to rectification? Should it only extend to having inaccurate date rectified or should it include the right to move court to get an order to rectify, block, erase or destroy inaccurate data as is the case with the UK? 4. Should there be a fee imposed on exercising the right to access and rectify one‘s personal data? Alternatives: a. There should be no fee imposed. b. The data controller should be allowed to impose a reasonable fee. c. The data protection authority/sectoral regulators may prescribe a reasonable fee. 5. Should there be a fixed time period within which organisations must respond to such requests? If so, what should these be? 6. Is guaranteeing a right to access the logic behind automated decisions technically feasible? How should India approach this issue given the challenges associated with it? 7. What should be the exceptions to individual participation rights? [For instance, in the UK, a right to access can be refused if compliance with such a request will be impossible or involve a disproportionate effort. In case of South Africa and Australia, the exceptions vary depending on whether the organisation is a private body or a public body.] 8. Are there any other views on this, which have not been considered above? 9. Individual Participation Rights-2 In addition to confirmation, access and rectification, the EU GDPR has recognised other individual participation rights, viz. the right to object to processing (including for Direct marketing), the right not to be subject to a decision solely based on automated processing, the right to restrict processing, and the right to data portability. These rights are inchoate and some such as those related to Direct Marketing overlap with sectoral regulations. The suitability of incorporation of such rights must be assessed in light of their implementability in the Indian context. For a fuller discussion, see page 129 above. Questions 221
- Page 179 and 180: The Treasury Board of Canada Secret
- Page 181 and 182: Under the EU GDPR, only certain dat
- Page 183 and 184: 5. What range of additional obligat
- Page 185 and 186: D. DATA PROTECTION AUTHORITY 2.18 I
- Page 187 and 188: and approval of the appointment by
- Page 189 and 190: The supervisory authority shall pro
- Page 191 and 192: . Advisory The functions of the OAI
- Page 193 and 194: standards be set by different entit
- Page 195 and 196: maintain reasonable security practi
- Page 197 and 198: notices‘ 827 and ‗information n
- Page 199 and 200: 5. Given that the Appellate Tribuna
- Page 201 and 202: CHAPTER 4: REMEDIES A. PENALTIES In
- Page 203 and 204: sector, size, financial and other r
- Page 205 and 206: to an overly adverse impact on smal
- Page 207 and 208: B. COMPENSATION Awarding of compens
- Page 209 and 210: United Kingdom As per the guidance
- Page 211 and 212: C. OFFENCES There are certain types
- Page 213 and 214: 4.11 Provisional Views 1. The law m
- Page 215 and 216: SCOPE AND EXEMPTIONS 1. Territorial
- Page 217 and 218: 6. Are there any other views relati
- Page 219 and 220: 2. Should the definition of process
- Page 221 and 222: 1. What are your views on including
- Page 223 and 224: 9. Data Localisation Data localisat
- Page 225 and 226: 2. Child’s Consent It is estimate
- Page 227 and 228: Alternatives: a. Assigning a ‗dat
- Page 229: If ‗sensitive personal data‘ is
- Page 233 and 234: 3. Does a right to be forgotten add
- Page 235 and 236: 1. What are your views on the use o
- Page 237 and 238: oth for principled and practical re
- Page 239 and 240: Questions 1. What are your views on
- Page 241 and 242: 12. In cases where compensation cla
- Page 243: 3. What are the mitigating circumst
2. Should there be a restricti<strong>on</strong> <strong>on</strong> the categories of <strong>in</strong>formati<strong>on</strong> that an <strong>in</strong>dividual should<br />
be entitled to when exercis<strong>in</strong>g their right to access?<br />
3. What should be the scope of the right to rectificati<strong>on</strong>? Should it <strong>on</strong>ly extend to hav<strong>in</strong>g<br />
<strong>in</strong>accurate date rectified or should it <strong>in</strong>clude the right to move court to get an order to<br />
rectify, block, erase or destroy <strong>in</strong>accurate <strong>data</strong> as is the case with the UK?<br />
4. Should there be a fee imposed <strong>on</strong> exercis<strong>in</strong>g the right to access and rectify <strong>on</strong>e‘s<br />
pers<strong>on</strong>al <strong>data</strong>?<br />
Alternatives:<br />
a. There should be no fee imposed.<br />
b. The <strong>data</strong> c<strong>on</strong>troller should be allowed to impose a reas<strong>on</strong>able fee.<br />
c. The <strong>data</strong> protecti<strong>on</strong> authority/sectoral regulators may prescribe a reas<strong>on</strong>able fee.<br />
5. Should there be a fixed time period with<strong>in</strong> which organisati<strong>on</strong>s must resp<strong>on</strong>d to such<br />
requests? If so, what should these be?<br />
6. Is guarantee<strong>in</strong>g a right to access the logic beh<strong>in</strong>d automated decisi<strong>on</strong>s technically<br />
feasible? How should India approach this issue given the challenges associated with it?<br />
7. What should be the excepti<strong>on</strong>s to <strong>in</strong>dividual participati<strong>on</strong> rights?<br />
[For <strong>in</strong>stance, <strong>in</strong> the UK, a right to access can be refused if compliance with such a<br />
request will be impossible or <strong>in</strong>volve a disproporti<strong>on</strong>ate effort. In case of South Africa<br />
and Australia, the excepti<strong>on</strong>s vary depend<strong>in</strong>g <strong>on</strong> whether the organisati<strong>on</strong> is a private<br />
body or a public body.]<br />
8. Are there any other views <strong>on</strong> this, which have not been c<strong>on</strong>sidered above?<br />
9. Individual Participati<strong>on</strong> Rights-2<br />
In additi<strong>on</strong> to c<strong>on</strong>firmati<strong>on</strong>, access and rectificati<strong>on</strong>, the EU GDPR has recognised other<br />
<strong>in</strong>dividual participati<strong>on</strong> rights, viz. the right to object to process<strong>in</strong>g (<strong>in</strong>clud<strong>in</strong>g for Direct<br />
market<strong>in</strong>g), the right not to be subject to a decisi<strong>on</strong> solely based <strong>on</strong> automated process<strong>in</strong>g, the<br />
right to restrict process<strong>in</strong>g, and the right to <strong>data</strong> portability. These rights are <strong>in</strong>choate and<br />
some such as those related to Direct Market<strong>in</strong>g overlap with sectoral regulati<strong>on</strong>s. The<br />
suitability of <strong>in</strong>corporati<strong>on</strong> of such rights must be assessed <strong>in</strong> light of their implementability<br />
<strong>in</strong> the Indian c<strong>on</strong>text.<br />
For a fuller discussi<strong>on</strong>, see page 129 above.<br />
Questi<strong>on</strong>s<br />
221