Page 33 - Proceedings of the 2017 ITU Kaleidoscope

Challenges for a data-driven society




Section 6 of the Aadhaar data security regulations also lays down a requirement that no government agency should publish Aadhaar numbers, unless they are redacted or blacked out “through appropriate means”. Absent clear specifications about these means, governments could err on the side of caution by removing entire datasets. In the next section we explore how best to achieve the balance between the goals of open data for research and transparency for accountability on one hand, and privacy concerns on the other.

3.2. For private bodies

As discussed, Aadhaar is a public infrastructure being used by various private companies for authentication (through seeding) and verification (through eKYC). These companies, like telecom operators or banks, are custodians of several useful demographic data points, some of which have been identified above. We argue that there is scope to encourage and facilitate disclosure of information held by entities that use Aadhaar.

This could be done through various means. In the next section we propose a proactive disclosure regime, akin to the one in the RTI Act, which will be enforced through the UIDAI’s contracts with such entities. Other options could include encouraging disclosures by way of non-enforceable but enabling government policies. This could be coupled with ongoing guidance on kinds of data that would be a priority for disclosure, along with the necessary safeguards. Specific disclosures might also be mandated by particular government agencies or sector regulators.

This debate also needs to be situated within a broader global push to encourage private companies to contribute more to publicly available data, particularly for research and policy making. Although the term open data is usually used in the context of government or government funded data, some like the Open for Business Report, 2014 (Gruen et al., 2014 [2]) suggest that the term would also encompass private sector data. For private sector data, the challenge is to incentivize the companies to release non-strategic data that would contribute to research and development.

The International Open Data Charter (a collaboration between more than 70 governments and stakeholders) also questions the boundaries of the data that a typical policy should cover. They state that while the focus has been primarily on “government owned data” - “often the datasets that most matter, and that could have the most impact if they were open, do not belong to governments” (Davies & Tennison, 2017 [3]). In fact, it goes further to recommend that governments should have the power to mandate open data publication as part of giving licences to run a register, or negotiating directly with private providers to secure access to data which can then be shared as open data.

Apart from government facilitated or enforced disclosures, the coinage of “data philanthropy” has been used to describe the trend of companies volunteering anonymized and aggregated data with (usually select) third party users who might use this for research or policy purposes. Facebook’s decision to share data on disaster maps, including valuable location information shared by users, with trusted organizations like UNICEF and Red Cross (Facebook Research, 2017 [15]) and ‘data grants’ by the Mastercard Centre for Inclusive Growth (Randy Bean, 2017 [14]) offer some examples.

We also find similar instances from the telecommunications sector. Orange Telecom’s Data for Development challenge encouraged researchers to use aggregate data in pursuit of development goals like health, transport and agriculture (Orange Telecom, 2015 [17]). They also rewarded best practices of anonymization and cross-referencing of data. In 2014, it was reported that South African telecom operator MTN made anonymized call records available to researchers through a data analytics firm that provides predictive solutions (UN Global Pulse, 2014 [18]).

It is however useful to distinguish these voluntary initiatives, which focus on disclosures to certain trusted intermediaries, from actual open data that strives to create unrestricted public access. While these restricted disclosures are valuable, it is important to think about additional frameworks that enable the release of data points publicly, making it accessible to a larger and growing pool of researchers and policy makers. The next section explores ways in which this may be made possible.

4. PRIVACY AND IMPLEMENTATION FRAMEWORK

While we have made the case for responsible data disclosures by the UIDAI and other government and private users of Aadhaar, the contours of this responsibility also need to be spelt out. First and foremost is the concern that any open data disclosures should not threaten the privacy of the individual data subjects, leaving them vulnerable to a host of harms, including financial fraud.

4.1. Privacy framework for open data

Most data protection regimes today afford legal protection only to personal data or “personally identifiable information” (PII). The ability of this information to be traced to a particular individual is what creates the potential for harming the person’s privacy. It is therefore unsurprising that anonymization, which refers to the process by which information is manipulated to make it difficult to identify data subjects, has come to be adopted as a safeguard to privacy concerns. As a result, anonymized data is often carved out as an exception to privacy principles. The European Data Protection Directive, arguably one of the most comprehensive legal regimes on this subject, states that the principles of data protection shall not apply to “data rendered anonymous in such a way that the data subject is no longer identifiable”.¹

However, in the last few years, there is mounting evidence

¹ Recital 26, European Data Protection Directive, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:31995L0046



