In today’s world, there can be no question that the pervasion of personal data is rampant in every aspect of our lives, as data has become essential for the smooth functioning of our lives. It cannot be doubted that the data generated by us daily has made certain aspects of our lives smoother. Who amongst us would have thought as recently as ten to fifteen years ago that data generated by us would have made our lives so much easier? This is as much true for Public Private Partnership Projects where the Government, in concert with one or more private parties, seeks to construct a project or provide a service. In this Blog Post, the Authors attempt to decode both aspects of data privacy and management, i.e., storage and ensuring the confidentiality of particular data as mandated by law and general principles of storage and control of all types of data.
The simple fact that many of us are unaware of is that, though most of the data generated by us may seem harmless and inconsequential to us, it can be used by others, often to their profit, and sometimes, it can be used by others to our detriment. Certain types of data generated by us are not only highly private and sensitive, but if such data were to fall into the wrong hands, it has the potential to cause us grave harm and damage and bring our lives to a complete standstill.
Certain types of data generated and collected during the execution of the Public Private Partnership (“PPP Projects”) are also required under law to be maintained in a particular manner, failing which they may be subject to specific penalties. In this aspect, all entities involved in the transmission and storage of such data are under a legal obligation to ensure the privacy of the individual to whom such data pertains and to ensure proper storage and security of such data. Even for the data which is not required to be maintained, stored, and/or secured in a specific manner, it is always better to ensure proper and adequate data collection, retention, and storage practices as the same would almost come to one’s advantage at some point in the future, especially in the event of a party being subject to a dispute either before a court of law or an arbitral tribunal. Hence, it becomes crucial for us to discuss the issue of data privacy and data management within the evolving field of PPP Projects.
2. Data Privacy in PPP Projects
With the recent release of theDigital Personal Data Protection Bill, 2022 (“DPDP Bill”) for public consultations, the existence of security for data privacy in India is not anymore entirely dependent on theInformation Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) [issued under theInformation Technology Act, 2000 (“IT Act”)]. Though the DPDP Bill is currently only a draft and not binding, it still shows a ray of hope for the scope of improvement in the present legal scenario. It is also quite possible that the DPDP Bill may go through various iterations before becoming binding law.
According to the latest DPDP Bill, “data” has beendefined as “a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means.” In addition, this Bill has stated that offline personal data (which is not digitized) would not be within the purview of the legislation.
The SPDI Rules deal with “Personal Information,”defined as “any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.” This may include basic details such as a person’s name/surname but may also extend to documents such as a person’s Aadhaar Card, PAN Card, Driving License, and other similar documents.
Examples of Personal Information collected in PPP Projects could include the following:
- Identification details of employees and contract workers.
- Identification details of suppliers/vendors.
- Identification details of users of services for users of public utilities such as highways (when collecting tolls).
The SPDI Rules alsodefine “Sensitive Personal Data/Information” to include personal information consisting of information relating to:
- Financial information (e.g., Bank account or credit card or debit card, or other payment instrument details);
- Any physical, physiological, and mental health condition;
- Sexual orientation;
- Medical records and history; and
- Biometric information.
Sensitive Personal Data/Information wouldalso include:
- Any “data” relating to the above which has been provided to a body corporate to enable that body corporate to provide service.
- Any “information” received under the above-mentioned by a body corporate for processing and which has been stored or processed under lawful contract or otherwise.
If such data is collected, the data must be necessary for the function or activity of the collector of such data. TheSDPI Rules mandate that the information should only be used for the purpose that it has been collected and that such information cannot be retained for longer than required. These Rules must be strictly followed, and breach of the same may lead to penalties and criminal action.
Examples of Sensitive Personal Information collected in PPP Projects could include the following:
- Financial records of employees and contract workers.
- Financial records of sub-contractors, suppliers, and vendors.
- Medical records of employees and contract workers.
- Medical records of patients using hospitals and medical services.
- Passwords and financial information for users of public utilities such as highways (when collecting tolls) and passengers in transportation projects such as trains and metros.
Under the DPDP Bill, a“Data Protection Impact Assessment” Exercise is supposed to be conducted by a Data Fiduciary, i.e.,any person who solely or combinedly with other persons determines the means and purpose to process personal data — to make sure that the data is processed and secured in proportion to its level of sensitivity. According to Section 11 of the DPDP Bill, this process would include risk management procedures, purpose, risk assessment, description, and any other matters on personal data processing.
i) the types of Personal Data or Sensitive Personal Data/Information collected;
ii) the purpose of its collection and usage;
iii) the disclosure and dissemination of Personal Data or Sensitive Personal Data/Information; and
iv) reasonable security practices and procedures relating to such information.
When any Sensitive Personal Data/Information is obtained, prior consent from the provider of such data must be obtained. This is especially true when such data is shared with a third party. This consent must be explicit, as theSDPI Rules mandate that the provider should know that the information is being collected. The data provider must be given the option to not provide the data and withdraw consent for the use of the data at any point in time.According to the DPDP Bill, the withdrawal of consent has no bearing on the legality of the handling of personal data. Prior to its withdrawal, data depending on consent must have been collected. The ease of withdrawal must be equivalent to the ease with which consent was provided.
Furthermore, the provider must be able toascertain that:
i) the fact that the information is being collected;
ii) the purpose of collecting the information;
iii) the intended recipients of the information; and
iv) the name and address of the agencies collecting and retaining the data.
TheSDPI Rules also put the onus on the receiver of the data to implement reasonable security practices and procedures of a certain nature, includingIS/ISO/IEC 27001. These practices are required to be audited regularly through an independent auditor.
UnderSection 43(A) of the IT Act, if any body corporate that possesses, deals with, or handles any Sensitive Personal Data/Information is found negligent in implementing and maintaining reasonable security practices in the course of its operations, and such negligence causes wrongful loss or gain to any person, the body corporate is mandated to compensate the wronged party in the form of damages. It is pertinent to note that there has been no cap placed on damages under the IT Act; thus, the damages awarded may be astronomical in terms of the amount.
It would also be helpful to review and keep in line with the Ministry of Information and Technology’sguidance notes for Information Technology PPP Projects. These include guidelines for bidding processes, references for good practices for PPP Projects, and model RFP (Request for Proposal) templates for projects. Although these guidelines have been issued specifically for PPP Projects related to Information Technology, they could quickly be adopted/modified for other PPP Projects as well. They may serve as a valuable benchmark for best practices relating to PPP Projects and data.
When dealing with Aadhaar cards, entities sometimes use the same for authentication of the customer/employee. In such cases, theAadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (“Aadhaar Act”) and the accompanyingAadhaar (Authentication and Offline Verification) Regulations, 2021 provide for specific regulations during such use, including a requirement of prior consent for particular uses. Further, the Aadhaar Act also provides for penalties and imprisonment for unauthorized dissemination of information or dissemination of knowledge in contravention of agreements. Thus, entities must be careful when dealing with Aadhaar cards and information and strictly comply with the relevant rules and regulations.
As can be seen from the whatsoever limited data protection regulations currently in force in India, it is evident that Companies and LLPs who operate in the PPP Infrastructure sector must take special care on multiple fronts to ensure that they do not fall short of any laws or data security regulations when dealing with copious amounts of data being processed on an almost daily basis. Entities need the robust data management and protection practices to effectively manage data coming through and going out, including continuous and effective training of personnel handling data for these entities. Further, the high volume of data being held by PPP Projects may incur increased costs to meet such standards. Although this higher cost may be an initial barrier, shouldering a higher price in the early stages would provide much more significant benefits to private entities when executing PPP Projects.
3. Data Management in PPP Projects
Another often overlooked/lightly taken aspect is the issue of proper data management and preservation in PPP Projects. Callous behavior at all levels of an organization results in data being stored haphazardly and spread out over a large number of digital systems. Data relating to the same issue can be spread between multiple devices over e-mails, physical documents, documents in the cloud, WhatsApp messages, and Short Message Service (“SMS”). While organizations can and have been functioning on this basis, the actual difficulty arises when any kind of dispute rears its head, and the proverbial damage hits the ceiling. In other words, people often find that their attitude has severely hampered their ability to present a cogent and comprehensive case in their favor in handling and storing information in the digital format. This leads to a mad scramble at the end to collate multiple forms of data over a plethora of devices during the limited time of trial, which can easily be avoided by inculcating and strictly enforcing proper data management practices from the inception of a PPP Project.
The essential part of proving any piece of data, whether a letter or report, is demonstrating the integrity and chain of custody of a document from the time it was made to the time it was presented to the adjudicating authority. The basis in law for this principle stems fromSection 65(B) of the Indian Evidence Act 1872 (“Evidence Act”). InArjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal, the Supreme Court categorically stated that, to render any electronic record admissible and prove the same in an Indian court, the procedure outlined in Section 65B of the Evidence Act must be strictly followed. The natural corollary to this is that, if the process is not followed, the electronic record cannot be admitted or proved in evidence. This results in a situation where the electronic data will not be considered by the court and may lead to disastrous consequences, including possibly the judgment going against a party.
A requisite of compliance with the procedure in Section 65B alsomandates furnishing a certificate to prove the electronic data being sought to be tendered into evidence. This can be given by (a) “any person who occupies a responsible official position” concerning the operation of the relevant device; or (b) any person who would be in “the management of appropriate activities.”
It is pertinent to note that, in the Arjun Panditrao case, the Supreme Court also understood that the period between the creation of the electronic record on the electronic device and the submission of a certificate under Section 65B might conceivably be a long time due to which the person submitting the certificate under Section 65B would be doing so to the best of their knowledge or belief. This would help alleviate situations where the person who created the electronic record had left the organization and would not be able to provide the certificate. This would also help to cover situations where, in a big organization, each person who creates the record is not needed to come and give a certificate in relation to a specific record.
Thus, it is always preferable to keep all vital records and correspondence via e-mail instead of WhatsApp or SMS unless entirely unavoidable. The reason is that it is always easier to prove e-mails rather than WhatsApp messages in evidence during the course of a trial. WhatsApp forwards is also highly susceptible to being treated as hearsay, especially in cases where the originator of the forward cannot be ascertained. Though there has been a trend to create multiple WhatsApp groups in PPP Projects to coordinate multiple sub-projects, especially with government-appointed officials, the benefits of the ease of use of these groups must be weighed with the types and number of electronic records being created and the probability of the said electronic records being used in any dispute.
Data privacy and management issues are not novel to the legal arena, but their application in the PPP Project regime is. Often being side-lined, these issues must be seen from a more holistic approach. The DPDP Bill has recently been released for public comments to make its approach more holistic and comprehensible. However, the DPDP Bill, like its past editions, enables the Government to remove the applicability of specific or even all of the DPDP Bill’s provisions to Government agencies on premises like public order, national security, and so on. The DPDP Bill also repeals the 2021 provisions requiring the Government to follow a “just, fair, reasonable, and proportionate” procedure before granting an exemption and the 2018 provision requiring exemption to be “authorized by law.” Furthermore, the Government has the authority to keep personally identifiable information for an indefinite period. Additionally, there is an instantaneous exemption for handling personal data for crime prevention, investigation, and so on, without the necessity for the Government to release any notification. This gives an unreasonable upper hand to the public enterprises in the PPP Projects.
When coming to data-related issues in the PPP Project regime, the issues are not new, but the approach taken to resolve them must be. PPP has been active enough in cyber security in fashioning resolutions and extenuations for handling modern threats that are sensible and effective. Therefore, currently, the same should be done for infrastructure projects as well, giving equal power to the private sector as it is given to public entities.
The views, thoughts, and opinions expressed in the article belong solely to the authors, and not necessarily to their employers, organizations, committees, or other groups or individuals to which they are affiliated.
About the Authors
Mr. Rushad Irani is a Senior Associate at Pioneer Legal and practices primarily at the High Court of Bombay.
Ms. Parishti Kaushik is a Third-year law student at Gujarat National Law University and an Associate Editor at IJPIEL. .
Managing Editor: Naman Anand
Editors-in-Chief: Muskaan Singh and Hamna Viriyam
Senior Editor: Pushpit Singh
Associate Editor: Parishti Kaushik
Junior Editor: Kaushiki Singh
Preferred Method of Citation
Rushad Irani and Parishti Kaushik, “Stepping the Game Up – Data Privacy and Data Management in the Broader Realm of PPP Projects” (IJPIEL, 17 December 2022)