Objectives

1. Create a reference source of globally adopted principles and practices for data privacy and protection (DPP) in e-government services;

2. Present recommendations for eGov and eGov partners (including state governments) to adopt in order to better align with global best practices

3. Audience: Internal - ExCo, especially CTO, COO, and Head of Product/External - data policy & privacy researchers, senior bureaucrats.

Introduction

A. Why is this document needed?

• Create a succinct evidentiary-based research depository of globally adopted principles, requirements and practices for data privacy and protection (DPP) in e-government services

• It is a base to advise state governments and local bodies to adopt principles and practices for DPP.

• Requirement for DPG Certification.

• Assess eGov’s readiness for adopting such principles, requirements and practices ( checklist questions in Table 2 can be used as a readiness/ assessment checklist as well)

B. How is privacy perceived globally?

Privacy, like the freedom of speech, is a fundamental human right that is recognized in the United Nations Declaration of Human Rights (Gritzalis, 2004). Historically in Europe and North America, and based on the Fourth Amendment of the US Constitution, the right to privacy is seen as a defence against any “unreasonable” physical intrusion upon one’s private home, private papers, personal belongings and one’s body. Over the years, the legal and societal definition of the concept has broadened to encompass various types of information that could be available about an individual. These types of information include behavioural, financial, medical, biometric, consumer, and biographical. Additionally, privacy also constitutes information that is derived from the analysis. This means that privacy interests are also linked to the gathering, control, protection, and use of information about individuals and the deliberate invasion of those privacy interests by the state.

In the absence of a single globally accepted definition of privacy, principles play an important role. A principle is a shared value upon which regulations, rules, and standards can be built for the protection and advancement of the stated objective. In many jurisdictions, laws have been shaped around such privacy principles.

C. How does India perceive privacy?

The three pillars of India i.e. the Legislature, Judiciary and the Executive have had their own journeys in discovering the role of privacy in India.

Legislature:

The legal-making body of India is in the process of bringing the data protection law. With the absence of a clear standalone law for data protection, the Information Technology Act of 2000 along with the IT Rules and Regulations are read into as baseline legal compliances to provide for data protection. Laws such as the Right to Information,2000; Indian Registration Act,1908; the Aadhaar Act,2016; Telecom Regulatory Authority of India Act,1997; among others are relied on for protecting the privacy of Indian residents/citizens.

Judiciary:

The Supreme Court through the J.Puttaswamy v. Union Of India declared the right to privacy as a fundamental right for the citizens of India. The popular judgement serves as a detailed guideline for the executive and legislature to create a data protection regime in India on the basis of legality, legitimate state aim and proportionality.

Executive:

The Central government along with the State governments through various executive orders/circulars issued under the power given by the Constitution read with the IT Act, Aadhaar Act, TRAI Act, and Credit Information Companies Regulation Act (among others) have provided for data protection, security and the right to privacy for citizens.

D. What is E-Government & why is DPP needed in e-government services?

E‐government is defined as the use of information technology (IT), especially the Internet, to deliver government services and information to citizens, businesses, and other government bodies. One of the benefits of internet use for service delivery is the possibility to easily collect, store, process, and disseminate citizens' personal information accurately and in real time. Personal information is information that makes specific individuals identifiable.

Government organizations rely on such information to increase the efficiency and effectiveness of government decision‐making, enhance transparency and accountability in service delivery, and empower innovation. Although government organizations gain benefits from extended collection, storage, and dissemination of personal information, these activities often raise users' concerns about possible violations of their privacy. As information technology advances, e‐government users' privacy concerns are getting bigger as more data are collected and used for various purposes including more in‐depth analyses and to make services more efficient.

The literature shows that ensuring the privacy of citizens' information and addressing their privacy concerns are crucial for the adoption of e‐government, as it influences users' trust and willingness to use e‐government services. To fully unleash the potential and benefits of e‐government, government organizations and third parties participating in the e-government ecosystem (such as eGov Foundation) need to adopt information privacy protection (IPP) practices to ensure citizens that their personal information is protected. In developed countries, IPP practices are reflected in national and international regulations and are commonly used to protect users' privacy.

2. Informational Privacy Principles

Information privacy principles concern conditions and/or guidelines for developing information privacy practices and have been identified as an essential baseline for assessing such practices. There exist numerous sets of such principles with different scopes. On a review of several previous studies assessing IPP practices in different countries and regions, we found that the most commonly used sets of principles are:

(1) the Organization for Economic Co‐operation and Development (OECD) principles,

(2) the Fair Information Practice Principles(FIPP),

(3) The international standard for privacy principles developed by ISO,

(4) the General Accepted Privacy principles by the Canadian Institute of Chartered Accountants and the American Institute of Certified Public Accountants (GAPP), and

(5) the European General Data Protection Regulation (GDPR).

These five sets of principles are widely recognized. In particular, globalization has increased the importance of shared principles and led to the GDPR, affecting most organizations in the world as it sets mandatory principles for not only the EU but for every organization doing any business with the EU. Each set is applied and considered important in a certain context or region.

Based on research when considering which data privacy principles may be the most important to address in any standards or procedures, the twelve that occur the most frequently include: notice, use restriction, quality, retention, minimization, security, enforcement, access, consent, participation, transparency, and disclosure. Those that occur infrequently include information flow, context, identifiability, consolidation, sensitivity, confidentiality, breach, and accountability. The specific application of data privacy principles will vary given the context and goals of an individual country, jurisdiction, industry, or organization. However, by basing these applications upon an agreed acceptance of principles, the privacy rights of the individual can be acknowledged.

Analysis

The above ‘sets’ of principles when analyzed together have 7 individual principles commonly running across them. The most frequently occurring, important principles are enlisted in the Table below ( Table 1)

They are:

• Notice and awareness

• Differentiated Access

• User Control

• Storage limitation

• Safeguard, accuracy and security

• Enforcement

• Accountability

Column 2 of the table contains the broadly accepted meaning of each of the corresponding principles. Detailed definitions of all these principles are provided in Appendix A.

To Note: In some cases, elements of one principle could be included in more than one category. For example, elements of, openness, transparency, and notice were categorized into notice and awareness as well as accountability. Also, the category of notice and awareness includes all elements concerning notifying users (data subject, here citizens) about activities related to the collection, use, or extended use of their information, together with an explanation of why the information is used. Notice and awareness includes elements of principles notice and collection present in principle number 2 of the GAPP principles, purpose specification, individual participation and openness of principle number 3,6, and 7 of the OECD principles, openness, transparency, and notice in principle number 7 of ISO, and notice and awareness of principle number 1 of FIPP ( all of the principles can be read in Appendix A).

In this way, we formulated a new set comprising seven principles presented in Table 1 which eGov could refer to as common principles table for DPP references.

Appendix B consists of a checklist for entities such as eGov Foundation as well as other e-government service-providing organisations/government departments to assess their readiness/compliance with the common data privacy and protection principles ( including the 7 we defined in Table 1 ). The checklist consists of questions one can ask to assess the presence or absence of common practices in the data privacy and protection space.

References used in Table 1:

• Entities - local governing bodies providing e-government services, third-party egovernment service providers (including eGov Foundation) and implementing partners (e.g.- EY and KPMG in Punjab)

• Individuals - citizens, data subjects, users of e-government services ( can be individuals or groups). The term user and citizen is interchangeably used.

• Abbreviations used below:

• GAPP: General Accepted Privacy;

• OECD: Organization for Economic Co‐operation and Development;

• ISO: International Standards Organization; FIP: Fair Information Practice;

• GDPR: General Data Protection Regulation

Table 1- Informational Privacy Principles & Practices - Definition & Practices

Appendix A

DEFINITION OF PRIVACY PRINCIPLES

A1. Fair Information Practice Principles (FIPP)

Fair Information Practice Principles (FIPP) principles In 1973, the USA Department of Health, Education, and Welfare conducted a study, which brought out a set of privacy principles known as the FIPP. Later, the FIPPs became the core of the US Privacy Act of 1974. Currently, it is mirrored in the laws of many states of the United States, as well as many other nations and international organizations. FIPP is the most comprehensive privacy principle that was sufficiently influential to propagate governmental, private sector, and self‐regulatory approaches to privacy policymaking in the United States. The FIPPs include:

1. Notice or awareness: Data collectors must alert individuals of the potential for capture, processing, and use of their information.

2. Choice or consent: The individual must be allowed options to control how their information is used. They must also be allowed to make the final decision before the collection and use of their information.

3. Access or participation: Individuals must be allowed to view the collected information and verify and contest its accuracy. This access must be inexpensive and timely in order to be useful to the consumer.

4. Integrity or security: Information collectors should ensure that the data they collect are accurate and secure.

5. Enforcement or redress: The data controller must identify enforcement measures and policies and adhere to those policies while processing and collecting users' information

A2. Organization for Economic Co‐operation and Development (OECD) principles

The OECD presented a set of privacy guidelines in 1980, revised in 2013. The first attempt of OECD principles was to protect information privacy at the global level. OECD set is composed of eight principles defined as follows:

1) Principle of collection limitation: There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

2) Principle of data quality: Personal data should be relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, should be accurate, complete, and kept up‐to‐date.

3) Principle of purpose specification: the purposes for which personal data are collected should be specified not later than at the time of collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

4) Principle of use limitation: Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified in accordance with (principle 3) except: with the consent of the data subject or (b) by the authority of law.

5) Principle of security safeguards: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data.

6) Principle of openness: There should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available for establishing the existence and nature of personal data and the main purposes of their use as well as the identity and usual residence of the data controller.

7) Principle of individual participation: An individual should have the right (a) to obtain from a data controller or otherwise, confirmation of whether or not the data controller has data relating to him, (b) to have the data relating to him communicated to him (c) to be given reasons if a request made under subparagraphs (a) and is denied, and to be able to challenge such denial, and (d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed, or amend.

8) Principle of accountability: a data controller should be accountable for complying with measures, which give effect to the principles stated above

A3. GAPPs

The American Institute of Certified Public Accountants, Inc. and the Canadian Institute of Chartered Accountants introduced 10 information principles, known as the General Accepted Privacy Principles (GAPP). GAPP was first published in 2003 and revised in 2004 and in 2006.

Although GAPP was developed to address information privacy protection on a global level, it is commonly used in the United States and Canada (Dayarathna, 2013). The 10 GAPP principles are:

1) Management: The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.

2) Notice: The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.

3) Choice and consent: The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

4) Collection: The entity collects personal information only for the purposes identified in the notice. 5) Use, retention, and disposal: The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfil the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.

6) Access: The entity provides individuals with access to their personal information for review and update.

7) Disclosure to third parties: The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

8) Security for privacy: The entity protects personal information against unauthorized access (both physical and logical).

9) Quality: The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.

10) Monitoring and enforcement: The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.

A4. International Organization for Standardization (ISO) Principles

In December 2011, the ISO published an international standard for privacy principles. The principles were derived from existing principles developed by various states, countries, and international organizations (ISO, 2011). Those privacy principles are:

1) Consent and choice: presenting to the personal information subject, the choice of whether or not to allow the processing of her personal information.

2) Purpose legitimacy and specification: ensuring that the purpose(s) complies with applicable law.

3) Collection limitation: limiting the collection of personal information to that which is within the bounds of applicable law and strictly necessary for the specified purpose(s).

4) Data minimization: minimizing the personal information, which is processed and the number of privacy stakeholders and people to whom personal information is disclosed or who have access to it. 5) Use, retention, and disclosure limitation: limiting the use, retention, and disclosure (including transfer) of personal information to that which is necessary in order to fulfil specific, explicit, and legitimate purposes.

6) Accuracy and quality: ensuring that the personal process is accurate, complete, up‐to‐date (unless there is a legitimate basis for keeping outdated data), adequate, and relevant for the purpose of use.

7) Openness, transparency, and notice: providing personal information principals with clear and easily accessible information about the personal information controller's policies, procedures, and practices with respect to the processing of personal information.

8) Individual participation and access: giving data subjects the ability to access and review their personal information, provided their identity is first authenticated.

9) Accountability: assigning to a specified individual within the organization the task of implementing the privacy‐related policies, procedures, and practices.

10) Information security: protecting personal information under an organization's control with appropriate controls at the operational, functional, and strategic level to ensure the integrity, confidentiality, and availability of the PII and to protect it against risks such as unauthorized access, destruction, use, modification, disclosure, or loss.

11) Privacy compliance: verifying and demonstrating that the processing meets data protection and privacy safeguards (legislation and/or regulation) by periodically conducting audits using internal or trusted third‐party auditors.

A5. General Data Protection Regulation (GDPR )

In 2016, the European Parliament and the European Council adopted the EU data protection framework in the form of a regulation, called GDPR. This framework replaced the EU Directive 95/45/EC which all member nations were required to implement national privacy legislation in compliance with. This new regulation can be applied in member nations without national regulations in regard to data protection. The GDPR entered into force on May 24, 2016, and took effect on May 25, 2018. This framework contains principles on the protection of persons with regard to the processing of personal information and the flow of such information. These principles mainly concern:

1) Lawfulness, fairness, and transparency: Personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject.

2) Purpose limitation: Personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

3) Data minimization: Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

4) Accuracy: Personal data shall be accurate and, where necessary, kept up‐to‐date.

5) Storage limitation: Personal data shall be kept in a form, which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. 6) Integrity and confidentiality: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.

7) Accountability: The controller shall be responsible for and be able to demonstrate compliance with the GDPR.

Appendix B

Table 2

Checklist for data privacy and protection assessment

Common requirements for the IPPs and questions to assess whether an organization meets these requirements are represented in Table 2 below.

Table 2 (Requirement/ Practices for Principle implementation)