[et_pb_section fb_built=”1″ _builder_version=”4.5.1″ _module_preset=”default”][et_pb_row _builder_version=”4.5.1″ _module_preset=”default” min_height=”181px” custom_padding=”|0px||||”][et_pb_column type=”4_4″ _builder_version=”4.5.1″ _module_preset=”default”][et_pb_text _builder_version=”4.5.1″ _module_preset=”default” inline_fonts=”Cormorant Garamond,Molengo,Cormorant”]<\/p>\n
Abstract<\/span><\/strong><\/span><\/p>\n In today\u2019s world, there can be no question that the pervasion of personal data is rampant in every aspect of our lives, as data has become essential for the smooth functioning of our lives. It cannot be doubted that the data generated by us daily has made certain aspects of our lives smoother. Who amongst us would have thought as recently as ten to fifteen years ago that data generated by us would have made our lives so much easier? This is as much true for Public Private Partnership Projects where the Government, in concert with one or more private parties, seeks to construct a project or provide a service. In this Blog Post, the Authors attempt to decode both aspects of data privacy and management, i.e., storage and ensuring the confidentiality of particular data as mandated by law and general principles of storage and control of all types of data.<\/span><\/p>\n <\/strong><\/p>\n 1. Introduction<\/strong><\/span><\/p>\n The simple fact that many of us are unaware of is that, though most of the data generated by us may seem harmless and inconsequential to us, it can be used by others, often to their profit, and sometimes, it can be used by others to our detriment. Certain types of data generated by us are not only highly private and sensitive, but if such data were to fall into the wrong hands, it has the potential to cause us grave harm and damage and bring our lives to a complete standstill.<\/span><\/p>\n Certain types of data generated and collected during the execution of the Public Private Partnership (\u201cPPP Projects\u201d<\/strong>) are also required under law to be maintained in a particular manner, failing which they may be subject to specific penalties. In this aspect, all entities involved in the transmission and storage of such data are under a legal obligation to ensure the privacy of the individual to whom such data pertains and to ensure proper storage and security of such data. Even for the data which is not required to be maintained, stored, and\/or secured in a specific manner, it is always better to ensure proper and adequate data collection, retention, and storage practices as the same would almost come to one\u2019s advantage at some point in the future, especially in the event of a party being subject to a dispute either before a court of law or an arbitral tribunal. Hence, it becomes crucial for us to discuss the issue of data privacy and data management within the evolving field of PPP Projects.<\/span><\/p>\n <\/strong><\/p>\n 2. Data Privacy in PPP Projects<\/strong><\/span>\u00a0<\/span><\/p>\n With the recent release of the<\/span>Digital Personal Data Protection Bill, 2022<\/a> (\u201cDPDP Bill\u201d)<\/strong> for public consultations, the existence of security for data privacy in India is not anymore entirely dependent on the<\/span>Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011<\/a> (\u201cSPDI Rules\u201d)<\/strong> [issued under the<\/span>Information Technology Act, 2000<\/a> (\u201cIT Act\u201d)<\/strong>]. Though the DPDP Bill is currently only a draft and not binding, it still shows a ray of hope for the scope of improvement in the present legal scenario. It is also quite possible that the DPDP Bill may go through various iterations before becoming binding law.\u00a0<\/span><\/span><\/p>\n According to the latest DPDP Bill, \u201cdata<\/em>\u201d has been<\/span>defined<\/a> as \u201ca representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means.<\/em>\u201d In addition, this Bill has stated that offline personal data (which is not digitized) would not be within the purview of the legislation.\u00a0<\/span><\/span><\/p>\n The SPDI Rules deal with \u201cPersonal Information<\/em>,\u201d<\/span>defined<\/a> as \u201cany information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.<\/em>\u201d This may include basic details such as a person\u2019s name\/surname but may also extend to documents such as a person\u2019s Aadhaar Card, PAN Card, Driving License, and other similar documents.\u00a0<\/span><\/span><\/p>\n Examples of Personal Information collected in PPP Projects could include the following:\u00a0<\/span><\/p>\n The SPDI Rules also<\/span>define<\/a> \u201cSensitive Personal Data\/Information<\/em>\u201d to include personal information consisting of information relating to:\u00a0<\/span><\/span><\/p>\n Sensitive Personal Data\/Information would<\/span>also<\/a> include:\u00a0<\/span><\/span><\/p>\n If such data is collected, the data must be necessary for the function or activity of the collector of such data. The<\/span>SDPI Rules<\/a> mandate that the information should only be used for the purpose that it has been collected and that such information cannot be retained for longer than required. These Rules must be strictly followed, and breach of the same may lead to penalties and criminal action.\u00a0<\/span><\/span><\/p>\n Examples of Sensitive Personal Information collected in PPP Projects could include the following:\u00a0<\/span><\/p>\n Under the DPDP Bill, a<\/span>\u201cData Protection Impact Assessment<\/em>\u201d<\/a> \u00a0Exercise is supposed to be conducted by a Data Fiduciary, i.e.,<\/span>any person<\/a> who solely or combinedly with other persons determines the means and purpose to process personal data \u2014 to make sure that the data is processed and secured in proportion to its level of sensitivity. According to Section 11 of the DPDP Bill, this process would include risk management procedures, purpose, risk assessment, description, and any other matters on personal data processing.\u00a0<\/span><\/span><\/p>\n On a similar ground under Rule 4 of the<\/span>SDPI Rules<\/a>, any body corporate collecting, receiving, possessing, storing, dealing with, or handling information, or providing any information, is required to have a privacy policy in place for handling or dealing with such Personal Information. This privacy policy must also be published on the website of the body corporate. Further, it must be easily accessible and provide for the following:\u00a0<\/span><\/span><\/p>\n i) the types of Personal Data or Sensitive Personal Data\/Information collected;<\/span><\/p>\n ii) the purpose of its collection and usage;<\/span><\/p>\n iii)\u00a0 the disclosure and dissemination of Personal Data or Sensitive Personal Data\/Information; and<\/span><\/p>\n iv) reasonable security practices and procedures relating to such information.<\/span>\u00a0<\/span><\/span><\/p>\n Thus, keeping such a privacy policy in place would go far in insulating a body corporate against any liability caused by leaks of such information.<\/span>\u00a0<\/span><\/span><\/p>\n When any Sensitive Personal Data\/Information is obtained, prior consent from the provider of such data must be obtained. This is especially true when such data is shared with a third party. This consent must be explicit, as the<\/span>SDPI Rules<\/a> mandate that the provider should know that the information is being collected. The data provider must be given the option to not provide the data and withdraw consent for the use of the data at any point in time.<\/span>According to the DPDP Bill,<\/span><\/a> the withdrawal of consent has no bearing on the legality of the handling of personal data. Prior to its withdrawal, data depending on consent must have been collected. The ease of withdrawal must be equivalent to the ease with which consent was provided.<\/span>\u00a0<\/span><\/span><\/p>\n Furthermore, the provider must be able to<\/span>ascertain<\/a> that:<\/span>\u00a0<\/span><\/span><\/p>\n i) the fact that the information is being collected;<\/span><\/p>\n ii) the purpose of collecting the information;<\/span><\/p>\n iii) the intended recipients of the information; and<\/span><\/p>\n iv) the name and address of the agencies collecting and retaining the data.<\/span>\u00a0<\/span><\/span><\/p>\n The<\/span>SDPI Rules<\/a> also put the onus on the receiver of the data to implement reasonable security practices and procedures of a certain nature, including<\/span>IS\/ISO\/IEC 27001<\/a>. These practices are required to be audited regularly through an independent auditor.<\/span>\u00a0<\/span><\/span><\/p>\n Under<\/span>Section 43(A)<\/a> of the IT Act, if any body corporate that possesses, deals with, or handles any Sensitive Personal Data\/Information is found negligent in implementing and maintaining reasonable security practices in the course of its operations, and such negligence causes wrongful loss or gain to any person, the body corporate is mandated to compensate the wronged party in the form of damages. It is pertinent to note that there has been no cap placed on damages under the IT Act; thus, the damages awarded may be astronomical in terms of the amount.<\/span>\u00a0<\/span><\/span><\/p>\n It would also be helpful to review and keep in line with the Ministry of Information and Technology\u2019s<\/span>guidance notes<\/a> for Information Technology PPP Projects. These include guidelines for bidding processes, references for good practices for PPP Projects, and model RFP (Request for Proposal) templates for projects. Although these guidelines have been issued specifically for PPP Projects related to Information Technology, they could quickly be adopted\/modified for other PPP Projects as well. They may serve as a valuable benchmark for best practices relating to PPP Projects and data.<\/span>\u00a0<\/span><\/span><\/p>\n When dealing with Aadhaar cards, entities sometimes use the same for authentication of the customer\/employee. In such cases, the<\/span>Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016<\/a> (\u201cAadhaar Act\u201d)<\/strong> and the accompanying<\/span>Aadhaar (Authentication and Offline Verification) Regulations, 2021<\/a> provide for specific regulations during such use, including a requirement of prior consent for particular uses. Further, the Aadhaar Act also provides for penalties and imprisonment for unauthorized dissemination of information or dissemination of knowledge in contravention of agreements. Thus, entities must be careful when dealing with Aadhaar cards and information and strictly comply with the relevant rules and regulations.<\/span>\u00a0<\/span><\/span><\/p>\n As can be seen from the whatsoever limited data protection regulations currently in force in India, it is evident that Companies and LLPs who operate in the PPP Infrastructure sector must take special care on multiple fronts to ensure that they do not fall short of any laws or data security regulations when dealing with copious amounts of data being processed on an almost daily basis. Entities need the robust data management and protection practices to effectively manage data coming through and going out, including continuous and effective training of personnel handling data for these entities. Further, the high volume of data being held by PPP Projects may incur increased costs to meet such standards. Although this higher cost may be an initial barrier, shouldering a higher price in the early stages would provide much more significant benefits to private entities when executing PPP Projects.<\/span><\/p>\n <\/strong><\/p>\n 3. Data Management in PPP Projects<\/strong>\u00a0<\/span><\/span><\/p>\n Another often overlooked\/lightly taken aspect is the issue of proper data management and preservation in PPP Projects. Callous behavior at all levels of an organization results in data being stored haphazardly and spread out over a large number of digital systems. Data relating to the same issue can be spread between multiple devices over e-mails, physical documents, documents in the cloud, WhatsApp messages, and Short Message Service (\u201cSMS\u201d)<\/strong>. While organizations can and have been functioning on this basis, the actual difficulty arises when any kind of dispute rears its head, and the proverbial damage hits the ceiling. In other words, people often find that their attitude has severely hampered their ability to present a cogent and comprehensive case in their favor in handling and storing information in the digital format. This leads to a mad scramble at the end to collate multiple forms of data over a plethora of devices during the limited time of trial, which can easily be avoided by inculcating and strictly enforcing proper data management practices from the inception of a PPP Project.\u00a0<\/span><\/p>\n The essential part of proving any piece of data, whether a letter or report, is demonstrating the integrity and chain of custody of a document from the time it was made to the time it was presented to the adjudicating authority. The basis in law for this principle stems from<\/span>Section 65(B) of the Indian Evidence Act 1872<\/a> (\u201cEvidence Act\u201d)<\/strong>. In<\/span>Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal<\/em><\/strong><\/a>, the Supreme Court categorically stated that, to render any electronic record admissible and prove the same in an Indian court, the procedure outlined in Section 65B of the Evidence Act must be strictly followed. The natural corollary to this is that, if the process is not followed, the electronic record cannot be admitted or proved in evidence. This results in a situation where the electronic data will not be considered by the court and may lead to disastrous consequences, including possibly the judgment going against a party.\u00a0<\/span><\/span><\/p>\n\n
\n
\n
\n