About Data Empowerment and Protection Architecture (DEPA)

Lending companies use a host of mechanisms to obtain data about users from different sources. Online lending companies in particular (like Kabbage, OnDeck) acquire a lot of digital data about users from other financial service providers before underwriting loans. Health insurance companies need hospitalization and diagnostic data about patients in order to make insurance payments; hospitals and labs share this data with such companies, often in digital form.

In these applications, it is essential that users give consent to the service provider holding their data (the data provider) before it shares that data with the provider requesting access (the data consumer). It is also essential that the privacy of the data be safeguarded, i.e. that the data is accessible only by the data consumer, only for a stipulated amount of time and only for a stipulated purpose, as consented to by the user. It is also desirable that all data sharing transactions be traceable and auditable in the future. Finally, the data sharing process itself should be easy, efficient and user-friendly.

We have developed a novel consented data-sharing architecture to accomplish these goals. Our finding so far has been that in current-day applications, consent is handled very loosely and, oftentimes, insecurely. For example, some lending applications collect users’ bank passwords in order to “scrape” data about them from bank websites. Other applications use well-established authorization frameworks like OAuth 2.0 to exchange data, but these frameworks are inadequate in certain ways, e.g., they fail to ensure secure, auditable data sharing in all scenarios, particularly for mobile-based applications. This necessitated the design of a new consent framework for data sharing that brings us closer to achieving a Data Democracy, where users can share their data with service providers.

The vision of DEPA is to break the tension between: (a) maintaining privacy and (b) using the data for good. Rather than having to balance between them, DEPA aims to provide a third option – enabling safe and trusted sharing of data in which privacy is preserved.

The objective of DEPA is to provide the tools and utilities that enable us to build systems that give users mechanisms for protecting and sharing their data. The potential impact of DEPA is life-changing. As Indians become data rich at an exponential pace, we can open the doors to trusted sharing of data by giving them control of their data, thus enabling them to become economically rich. DEPA opens up whole new models for privacy protection and auditing data flows while keeping the user at the center.

Key Tools of DEPA

1. Electronic Data Consent by MeitY: http://dla.gov.in/sites/default/files/pdf/MeitY-Consent-Tech-Framework%20v1.1.pdf

2. Digital Locker System by MeitY: http://dla.gov.in/sites/default/files/pdf/DigitalLockerTechnologyFramework%20v1.1.pdf

Key Resources

Guiding principles for the sharing of user data across different services with user consent have been previously outlined in two key policy documents: namely, the “Policy on Open Application Programming Interfaces (APIs) for the Government of India” published by the Ministry of Electronics and Information Technology (MeitY), and the “National Data Sharing and Accessibility Policy (NDSAP) – 2012” by the Department of Science & Technology.

The IT Act also requires that any entity sharing user data that is sensitive in nature must collect consent from the user prior to such sharing.

Within the financial domain, a legal framework was put forth by the RBI’s notification titled “Master Direction- Non-Banking Financial Company – Account Aggregator (Reserve Bank) Directions, 2016” for financial data sharing. This notification clearly articulates the need for a consent framework to enable data sharing.

Reading List

1. India Must Become the World’s First Data Democracy – Nandan Nilekani

2. India must embrace Data Democracy – Nandan Nilekani

3. The best way forward for privacy is to open up your data – Tanuj Bhojwani

4. Notes from the August 2017 Carnegie India / iSPIRT Event & YouTube Playlist from this event

5. Beyond Consent – Rahul Mathan

6. Rights-based data protection framework for financial information – RBI Committee on Household Finance