As data becomes increasingly critical in shaping economies and industries worldwide, countries are grappling with the need for robust governance frameworks that balance innovation with privacy. India, in particular, has introduced a novel approach through its Data Empowerment and Protection Architecture (DEPA), a tech-legal framework designed to address data-sharing challenges while ensuring privacy. DEPA, as articulated in the Data Protection Bill, integrates legal principles directly into the technological infrastructure, providing a consent-based system that offers a unique solution to issues faced by data fiduciaries and individuals alike.
What Is Data Empowerment and Protection Architecture (DEPA)?
Even though privacy laws give people rights over their data, it’s often hard for them to control or access it. For example, if someone wants to use financial services that need proof of creditworthiness, they may struggle to get their own data. Usually, this means gathering documents from different financial institutions, printing them, getting them notarized, and submitting them manually, which is a difficult process. Digital solutions for sharing data face problems because there are many ways data is stored, and there’s no standard system for everyone to follow.
To solve this issue, India introduced DEPA, a tech-legal solution that uses an electronic, consent-based system to give people more control over how their data is shared, especially in areas like finance and healthcare. DEPA allows individuals to decide how their personal data is transferred, empowering them to make better use of their data. A key privacy-enhancing feature of the framework is the use of consent managers—special organizations that handle consent. This setup separates the process of giving consent from the actual data sharing: data providers manage the data and consent managers handle consent. This arrangement enables a double-blind data-sharing environment that maximally protects the private information of data principals.
In figure 1 below, entities requesting access to data (known as data users) have been arrayed on the right while the entities that have the data that the data users require (data providers) have been arrayed on the left. In the middle is the consent manager and right on top is the data principal.
This model has been fully implemented in India’s financial sector under the Reserve Bank of India’s Nonbanking Financial Company Account Aggregator Directions, 2016. It implements consented data sharing between different parties in the financial ecosystem including banks, insurance companies, pension funds, and all entities regulated by the country’s securities regulator. Specific financial entities have been permitted to register as account aggregators, which play the role of consent managers and oversee financial data flows between service providers in the sector.
Any data principal who wishes to transfer their financial data between various fiduciaries so as to use various financial services must first enroll with an account aggregator (or consent manager). At this stage, the data principal provides the consent manager with a list of all the financial service providers (that is to say, data providers, including insurers, banks, brokers, credit rating agencies, and others) with whom the person has an account. The consent manager then creates links to all these data providers; this way, when a data transfer request is received, it has an approved list of data providers from which data can be requested. At no stage does the consent manager have any visibility into the contents of these accounts or into any of the personal or financial data of the data principal. After this initial preparatory work, the data principal is ready to approve financial data transfers using the DEPA infrastructure.
To initiate a data transfer, financial institutions that require customer data to provide services can direct such a request (step 1) to the consent manager. The request is made using a digital consent artefact, a “machine-readable document” that records the details and specifications of consent provided alongside a data-sharing request. A digital consent artefact requires the data user to provide details on the information sought, the purpose for the request, the duration for which the information will be retained, and the financial institution seeking this information. The consent manager then sends this request to the data principal (step 2) and, if the data principal consents to the data transfer (step 3), sends the digitally signed request for data to the data provider (step 4). Having verified that the data transfer request was approved by the data principal, the data provider then transfers the required financial data in accordance with the request. The data are encrypted and transferred from the data provider to the data user through the consent manager (step 5).
As of August 2022, six nonbanking financial companies have been given a license to operate as authorized aggregators, and five of them have launched client-facing mobile applications. At this time, the authorized aggregator ecosystem has successfully fulfilled more than 1 million consent requests.
Privacy by Design
Many global data protection laws align with a common set of privacy by design principles. Data Empowerment and Protection Architecture (DEPA) implements a technological framework that supports these principles effectively.
Notice and consent. DEPA encodes all required notices within its electronic consent requests. It collects consent specifically for each data transfer, allowing data principals to give more informed consent than typical processes.
Purpose limitation. Data users must specify the intended use of the data before it is collected. DEPA enhances this by notifying the data principal for each transfer request, ensuring effective purpose limitation.
Data minimization. DEPA allows the purpose to be narrowly defined since it must be stated proximate to the time of the data transfer request.
Retention limitation. Each data transfer request under DEPA includes how long the personal data will be kept. Since the data are transferred only for as long as they are needed for processing and must afterwards either be transferred back or destroyed, data users are not permitted to retain such data any longer than specified.
Data integrity and confidentiality. Since all data transfers under DEPA are encrypted end-to-end, data confidentiality is built into the system’s design. DEPA was designed with privacy at its core. Consent managers are, as a matter of design, data blind and have no visibility into the contents of encrypted data packages. Since data requests are not made directly from data users to data providers, data principals’ privacy is protected vis-à-vis data users. Since consent managers are data blind, data principals’ privacy is also protected vis-à-vis consent managers.
The Digital Consent Artefact
Consent is processed using the digital consent artefact. The electronic consent artefact used by DEPA implements the so-called ORGANS principles: open, revocable, granular, auditable, notice and secure (see below).
- Open: The consent standard is open and interoperable, ensuring consistency across institutions.
- Revocable: The consent is designed to be revocable at any point in time by the data principal who provided it.
- Granular: Consent needs to be provided in each instance and must specify what data has been requested, how long it will be retained and who will process it.
- Auditable: Records of all consents provided by a data principal can be retained in machine-readable logs.
- Notice: Data principals will be provided notice of how their data will be used, the parties that will process it and the duration for which it will be retained.
- Secure: The digital consent artefact is secure by design, ensuring the protection of consented data.
When a request to transfer data is made, the consent manager checks the details in the consent artefact, the digital document that contains all the permissions and rules governing the use of the data principal's data. The data users receiving the data must store and handle it according to the rules set out in the consent artefact.
When DEPA is combined with the right to data portability (an individual's legal right to move their data from one service provider to another) under the Data Protection Bill, the system can be applied to important sectors like healthcare and finance. This would make the DEPA framework a formal part of these industries and improve how consent and data sharing are managed in them.
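As an added illustration (not code from the article or from any account aggregator implementation), the following Python model walks through the step 1 to step 5 flow described above and the ORGANS properties of the consent artefact: the data provider checks the data principal's approval, the requested fields and the retention window before releasing anything, and the consent manager relays only ciphertext it cannot open while keeping an auditable log. Keys, field names, the institution names and the HMAC stand-ins for digital signatures and end-to-end encryption are constructed assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed demo keys (assumption): HMAC and an HMAC-based stream cipher stand in for the
# asymmetric signatures and per-transfer encryption keys a real deployment would use.
PRINCIPAL_KEY = b"principal-signing-key"      # held only by the data principal's app
PROVIDER_USER_KEY = b"provider-user-e2e-key"  # shared by data provider and data user only
NOW = datetime(2022, 8, 1, tzinfo=timezone.utc)
AUDIT_LOG = []  # the consent manager's machine-readable consent log

def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def make_artefact(data_user, purpose, fields, retain_days, now=NOW):
    """Step 1: the data user's consent artefact: what is sought, why, by whom, how long kept."""
    return {"data_user": data_user, "purpose": purpose, "fields": sorted(fields),
            "retain_until": (now + timedelta(days=retain_days)).isoformat()}

def principal_sign(artefact):  # step 3: the data principal approves the artefact
    return hmac.new(PRINCIPAL_KEY, canonical(artefact), hashlib.sha256).hexdigest()

def provider_check(artefact, signature, requested_fields, now=NOW):
    """Step 4: the data provider releases data only for an approved, matching request."""
    if not hmac.compare_digest(principal_sign(artefact), signature):
        return "rejected: not approved by data principal"
    if now >= datetime.fromisoformat(artefact["retain_until"]):
        return "rejected: retention window already over"
    if not set(requested_fields) <= set(artefact["fields"]):
        return "rejected: request exceeds consented fields"
    return "ok"

def e2e_xor(data: bytes, nonce: bytes) -> bytes:  # step 5: symmetric, so it also decrypts
    stream = b"".join(hmac.new(PROVIDER_USER_KEY, nonce + i.to_bytes(4, "big"),
                               hashlib.sha256).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def consent_manager_relay(package):
    """Data-blind relay: logs the artefact hash and size only, never the payload."""
    AUDIT_LOG.append({"artefact_sha256": hashlib.sha256(canonical(package["artefact"])).hexdigest(),
                      "ciphertext_bytes": len(package["ciphertext"])})
    return package  # handed to the data user unchanged

def demo():
    art = make_artefact("LenderCo", "loan underwriting", ["balance", "statements"], 30)
    record = b'{"balance": 12000}'  # constructed account data held by the data provider
    received = consent_manager_relay({"artefact": art, "ciphertext": e2e_xor(record, b"transfer-1")})
    return (provider_check(art, principal_sign(art), ["balance"]) == "ok"
            and e2e_xor(received["ciphertext"], b"transfer-1") == record
            and "ciphertext" not in AUDIT_LOG[-1])
```

Because the signature covers the canonical artefact, any change to the purpose, fields or retention period after approval invalidates it, which is what makes the granular and revocable properties enforceable at the data provider.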
For instance, a core component of India’s healthcare digitization mission is the creation of digitized healthcare records that citizens can easily access and transfer to different service providers in the healthcare ecosystem, per their requirements. Citizens may need to transfer healthcare records from a hospital or clinic to their health insurance provider to file an insurance claim. Rather than reproducing their healthcare records or status, they can use DEPA to transfer their health records from the hospital (data provider) to the insurer (data user) through a data intermediary designed specifically for the healthcare sector (consent manager) to oversee the transfer of this sensitive medical data. This arrangement would go a long way toward facilitating constructive public health outcomes. The DEPA framework is being used for this purpose, ensuring the privacy and authenticity of healthcare data transfers.
Another tech-legal framework for data sharing is the Open Government Data Platform. The platform hosts all government data published under the National Data Sharing and Access Policy and enables public access to and the downloading of such data. Developed on an open-source stack, the platform contains multiple modules and APIs, including a module for data management that hosts data catalogues from various government agencies and a module for visitor relationship management, which collates and disseminates viewer feedback on those data catalogues.
Several state governments have launched their own open data portals using the Open Government Data Platform’s software as a service model, including the Open Government Data Portal by the state government of Sikkim and a portal by the Surat Municipal Corporation. India’s Open Government Data Platform is also packaged as a product and has been “made available in open source” for countries around the globe to implement.