Panel wants industry to set up self-regulatory privacy regime

An experts’ panel has suggested that each industry set up a self-regulatory privacy regime under a new law to protect the private information of citizens.

Judge A P Shah, who heads the panel, said his report on Thursday had called for a ‘privacy commissioner’ at the Central and regional levels to whom the industry regulatory bodies would be answerable.

The group was set up last year to recommend the framework for a Privacy Bill, after concerns were raised on the possible invasion of citizen’s fundamental rights.

Privacy protection came under focus after the initiation of programmes such as the unique identification number (UID), Natgrid (a hub for data collected by security agencies) and DNA profiling were mooted. It is necessary because, for example, when an individual gives his UID number to open a bank account, all his personal details are passed on to the bank, and then to the credit card provider, and so on.

 

Shah said each sectors such as telecom, banking and financial services, and social media sites and search engines such as Google will need to have the self-regulatory mechanism at industry level to develop privacy standards, approved by a privacy commissioner.

If Google had a policy, he said, it would have to be in tune with the Indian law.

The group also recommended that individuals had the choice of providing their personal details themselves. Also, the data controller of a project should collect only details necessary for the project. The information thus collected should be used only for the purpose for which it was collected. Any change in the usage would be done with the consent of the citizen concerned, the report said.

Interception orders, the report said, should only be for a period of 60 days, renewable for a maximum of 180 days. Security agencies must destroy intercepted records after six months or nine months, and service providers after two months or six months, it added.

Individuals can seek compensation if there is an infringement of any provision under the proposed Act. Citizens can approach courts or privacy commissioners for compensation, said Shah.

Operators in telecom, banking, UID and such sectors who transfer and receive data about individuals should be made accountable for any leakage of personal data.

Shah said the new law was unlikely to pose any threat to right to information, as the RTI Act has its own privacy clause.