white_paper_on_data_protection_in_india_171127_final_v2
‘filing system’. 254 A ‘filing system’ has been defined as ‘any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.’ 255 This refers to personal data that is contained in manual records but may be organised in a structured manner.

South Africa

South Africa follows a similar approach. 256 This approach is based on the premise that easily accessible datasets increase privacy risks and in respect of manual processing such risks arise only if the data is an easily accessible dataset in an organized manner. 257 An example of personal data processed manually is as follows: A hospital collects patient details manually and stores it as physical records. Here, personal data is collected or stored manually and therefore, is processed through non-automated means.

5.3 Provisional Views

1. The data protection law may not attempt to exhaustively list all operations that constitute processing.
2. The definition of processing may be broadly worded to include existing operations while leaving room to incorporate new operations by way of interpretation.
3. The definition may list the three main operations of processing i.e. collection, use and disclosure of data. It may be worded such that it covers the operations/activities incidental to these operations.
4. The law should cover both automated and manual processing.

5.4 Questions

1. What are your views on the nature and scope of data processing activities?
2. Should the definition of processing list only main operations of processing i.e. collection, use and disclosure of data, and inclusively cover all possible operations on data?
3. Should the scope of the law include both automated and manual processing? Should the law apply to manual processing only when such data is intended to be stored in a filing system or in some similar structured format?
   Alternatives:
   a. All personal data processed must be included, howsoever it may be processed.
   b. If data is collected manually, only filing systems should be covered as the risk of profiling is lower in other cases.
   c. Limit the scope to automated or digital records only.
4. Are there any other issues relating to the processing of personal data which have not been considered?

254 Article 2(1), EU GDPR.
255 Article 4(6), EU GDPR.
256 Section 3, POPI Act.
257 See also Recital 15, EU GDPR.