Author: Rusheetulya Subramanyam, a student at ICFAI Law School, Hyderabad
Abstract
This article explores the obligations of Data Fiduciaries as well as Significant Data Fiduciaries under the Digital Personal Data Protection Act (DPDPA) 2023. The DPDPA is designed to safeguard personal data and imposes stringent responsibilities on the entities handling such data, termed ‘Data Fiduciaries’. This article examines the core responsibilities of such Data Fiduciaries, including processing principles, data security measures, and accountability mechanisms. The article also discusses the mandatory requirements for Data Fiduciaries to maintain accurate and up-to-date records, conduct regular data protection impact assessments (DPIA), and ensure data portability and erasure upon request. Furthermore, it addresses the accountability and compliance mechanisms that Data Fiduciaries must establish, including appointing Data Protection Officers, facilitating audits, and reporting data breaches promptly.
Keywords: Data Fiduciaries, Significant Data Fiduciaries, Personal Data, DPDPA, DPIA
INTRODUCTION
Privacy is one of the most pivotal rights of the citizens of any country, developed or developing. It is therefore important that proper legislation monitors the flow of the various types of data and information. India committed to such monitoring by initially introducing the Information Technology Act 2000, the law that brought mandates regarding data usage, whether personal or non-personal. Additionally, the K.S. Puttaswamy judgement placed immense focus on the importance of privacy in the life of every individual. India then introduced the DPDPA, i.e., the Digital Personal Data Protection Act 2023, to provide a comprehensive law setting out the country’s approach to protecting data privacy and security.
There are various important actors in data processing under the DPDPA: the Data Principal, the Data Fiduciary, the Significant Data Fiduciary, the Data Processor and the Consent Manager. The Data Principal is the person whose data is being processed; it is important to note that the Data Principal is always a natural person. The Data Fiduciary is the person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data. A Significant Data Fiduciary (SDF) is a Data Fiduciary, or a class of such Data Fiduciaries, classified as such by the Central Government. This classification may rest on several factors, including the volume of the data being processed, the risk of harm to Data Principals, and any impact of such processing on the sovereignty and security of the country. The Data Processor is the person who processes the data on behalf of the Data Fiduciary. The Consent Manager is a person who works for the benefit of the Data Principal, acting as a single point of contact that enables the Data Principal to give, manage, review, and withdraw consent to Data Fiduciaries or Data Processors through an accessible, transparent, and interoperable platform.
Obligations of the Data Fiduciaries
Chapter II of the Digital Personal Data Protection Act sets out the obligations of the Data Fiduciary.
Section 5 of the Act deals with Notice
The Data Fiduciary is obligated to give the Data Principal a notice stating the personal data to be processed and the purpose for which it is processed, the manner in which the Data Principal may exercise their rights, and the procedure by which the Data Principal may make a complaint to the Board, in such manner as may be prescribed. Additionally, the Data Fiduciary shall give the Data Principal the option to access the contents of the notice in English or in any other language specified in the Eighth Schedule of the Constitution.
Section 6 of the Act deals with Consent of the Data Principal
Under this Section, the Data Fiduciary is obligated to cease, and to cause its Data Processors to cease, any processing of the personal data when the Data Principal withdraws their consent.
Section 7 of the Act deals with Certain Legitimate Uses
A Data Fiduciary is allowed to process personal data only in the following scenarios:
- For any specified purpose to which the Data Principal has consented, and only for that purpose;
- For the state or any of its other authorities to provide or issue to the Data Principal any benefit, subsidy, license, certificate, etc;
- For the performance of any function of the state in the interest of sovereignty and integrity of the country;
- For compliance with any judgment or decree or order issued under any law for the time being in force in India;
- For responding to any medical emergency involving a threat to the health of any Data Principal or any other individual;
- For providing medical treatment or any other health services to the Data Principal during an epidemic, outbreak of disease, or any other threat to public health;
- For taking measures to ensure the safety of, or provide assistance or services to, any individual during any disaster or any breakdown of public order;
- For the purposes of employment, mainly to safeguard the employer from loss or liability in cases of corporate espionage, to maintain the confidentiality of trade secrets, to protect intellectual property, etc.
Section 8 of the Act sets out the General Obligations of a Data Fiduciary
A Data Fiduciary is obligated to comply with the provisions of this Act and the rules made thereunder in respect of any processing undertaken by it or on its behalf by a Data Processor. Further, when personal data being processed is likely to be used to make a decision that affects the Data Principal, or to be disclosed to another Data Fiduciary, the Data Fiduciary initially processing such data shall ensure its completeness, accuracy, and consistency.
In the event of any personal data breach, the Data Fiduciary shall give the Data Protection Board and each affected Data Principal an intimation of such breach. Moreover, a Data Fiduciary shall erase personal data when the Data Principal withdraws consent, or as soon as it is reasonable to assume, on reviewing the specific use as considered appropriate, that the data is no longer needed for its intended purpose, whichever comes first, unless its retention is compulsory under any prevailing law. The Data Fiduciary must also direct any Data Processor acting under it to erase all data it shared with that processor for processing. Additionally, the Data Fiduciary must publish the contact information of the Data Protection Officer, or of any other person acting on behalf of the Fiduciary, who is to handle redressal duties and answer any questions raised by the Data Principal regarding the processing of data.
Section 9 of the Act deals with the Processing of personal data of children
The Data Fiduciary must obtain verifiable consent from the parent or the lawful guardian of a child or a person with a disability before processing their personal data. The Fiduciary must not undertake any processing that may cause any detrimental impact to the child or the person with a disability. The Data Fiduciary must not undertake the tracking or behavioural monitoring of children or targeted advertising directed at children.
Section 10 of the Act sets out the Additional Obligations of a Significant Data Fiduciary
The SDF shall appoint a Data Protection Officer, an individual who is responsible to the Board of Directors or similar governing body of the SDF and who serves as the point of contact for the grievance redressal mechanism. The SDF must also appoint an independent data auditor to carry out a data audit evaluating the SDF’s compliance with the provisions of this Act. In addition, the SDF must undertake periodic Data Protection Impact Assessments, which cover the rights of Data Principals and the purpose of processing their personal data, the assessment and management of the risk to the rights of Data Principals, and other matters regarding such processing.
CONCLUSION
The DPDPA imposes comprehensive and rigorous obligations on Data Fiduciaries and SDFs, including the duty to enter into a valid contract with Data Processors; to maintain accuracy and effective reasonable security standards to prevent any breach; to notify the Data Protection Board and the affected Data Principals in case of any breach; to erase data when the Data Principal exercises that right, unless data retention requirements and mandates under the law apply; ultimate responsibility and the onus of compliance lying with the Data Principal; to establish an efficient grievance redressal mechanism; and to perform periodic audits. Data Fiduciaries also prioritize transparency, fairness, and security in their data processing activities, ensuring that individuals’ rights are upheld. By embracing these obligations, Data Fiduciaries foster a culture of accountability and trust, which is essential for sustainable digital growth and innovation. Navigating the intricacies of the DPDPA requires a proactive data governance strategy that constantly monitors regulatory changes and adapts to them. Compliance with the provisions of the DPDPA ensures that personal information is kept safe while also improving how those entrusted with it are perceived, online and offline. The role of the Data Fiduciary is therefore a crucial part of the functioning of the DPDPA.
Frequently Asked Questions:
Q1. Are there scenarios where data can be processed without explicit consent?
Yes, data may be processed for:
- Public services like subsidies or licenses.
- Sovereignty and security interests.
- Compliance with judicial orders.
- Emergency health situations or epidemics.
- Employment purposes to protect trade secrets or intellectual property.
Q2. What steps must be taken in case of a data breach?
The Data Fiduciary must:
- Notify the Data Protection Board and affected Data Principals.
- Take corrective actions to mitigate risks.
- Ensure that breaches are documented and addressed promptly.
Q3. What measures ensure compliance with DPDPA?
Data Fiduciaries must:
- Conduct regular audits and assessments.
- Establish grievance mechanisms.
- Appoint officers and auditors to oversee compliance.
- Monitor and adapt to regulatory changes.
Q4. What are the exceptions to data deletion requirements?
Data must be retained if:
- There is a legal obligation to keep the data.
- It is needed for compliance with judicial orders or regulatory purposes.
Q5. How does the DPDPA impact corporate data governance strategies?
Corporates must adopt:
- Strong data protection policies.
- Periodic training for employees.
- Advanced monitoring systems for compliance.