Govt panel wants curbs on phone taps

Read the original published in the Times of India on October 19, 2012.

The group led by former Delhi High Court chief justice A P Shah was set up by the Planning Commission to identify privacy issues and prepare a document to facilitate the proposed Privacy Act.

The group was set after concerns were raised about the impact on privacy of individuals with the emergence of several national programmes such as Unique Identification number, NATGRID, DNA profiling, Reproductive Rights of Women, privileged communications and brain mapping, most of which will be implemented through information and communication technology (ICT) platforms.

The panel recommended that reasons for interception must be specified and be recorded in writing and the provisions establish conditions for authorization by the competent authority. It said that all interceptions can be in force for 60 days and renewed for not more than 180 days. The panel said records of interception be destroyed by the security agencies after six months or nine months and service providers must destroy records after two months or six months. It also said that intermediaries must provide an internal check to ensure the security, confidentiality and privacy of intercepted material, and intermediaries would be held legally responsible for any unauthorized access or disclosure of intercepted materials.

The panel said the proposed Act should extend the right of privacy to individuals and bring under its regulation data controllers, which includes all corporates, public/ governmental bodies and organizations. Minister of State for Planning Ashwani Kumar said, "The group has evaluated what is happening in the other country and what is the constitutional position in India... how imperatives of national security and right to privacy of individual can be harmonized."

It said the Act should clarify that publication of personal data for artistic and journalistic purposes in public interest, use of personal information for household purposes and disclosure of information as required by the RTI Act should not constitute an "infringement of privacy".

The proposed Privacy Act should also articulate national privacy principles. The principles will extend and be binding to all private/ public data controllers. It said the principles must establish safeguards and procedures over the collection, processing, storage, retention, access, disclosure, destruction of sensitive personal information, personal identifiable information and identifiable information.

The Act should establish the Central office of the privacy commissioner, regional level privacy commissioner, self regulating organizations at the industry level and data controllers and privacy officers if required at the organization level, the report recommended.

The panel also recommended that the infringement of any provision under the Act should constitute as an "offence" and individuals may seek "compensation" from organizations/ bodies held accountable.

The group agreed that any proposed framework for privacy legislation must be technologically neutral and interoperable with international standards. "Specifically, the Privacy Act should not make any reference to specific technologies and must be generic enough such that principle and enforcement mechanisms adaptable to changes in society, the market place, technology and government," the report said.

Note: The Centre for Internet & Society was part of the expert committee even though not explicitly mentioned.