About Data Empowerment and Protection Architecture (DEPA)

Lending companies use a host of mechanisms to obtain data about users from different sources and in particular, online lending companies (like Kabbage, OnDeck) acquire a lot of digital data about users from other financial service providers before underwriting loans. Health insurance companies need to obtain hospitalization and diagnostic data about patients for them to be able to make insurance payments and this data is shared by hospitals and labs, often in digital form, with such companies.

In these applications, it is essential that users provide consent to the service provider sharing data (the data provider) before it shares data with the provider requesting access (the data consumer). It is also essential that the privacy of the data be safeguarded, i.e., that the data is accessible only by the data consumer, only for a stipulated amount of time and only for a stipulated purpose, as consented to by the user. It is also desirable that all data sharing transactions be traceable and auditable in the future. Finally, the data sharing process itself should be easy, efficient and user-friendly.

We have developed a novel consented data-sharing architecture to accomplish these goals. Our finding so far has been that in current-day applications, consent is handled very loosely and oftentimes insecurely. For example, some lending applications collect users’ bank passwords in order to “scrape” data about them from bank websites. Other applications use well-established authorization frameworks like OAuth 2.0 to exchange data, but these frameworks are inadequate in certain ways, e.g., they fail to ensure secure, auditable data sharing in all scenarios, and particularly so for mobile-based applications. This necessitated the design of a new consent framework for data sharing that brings us closer to achieving a Data Democracy, where the user can share their data with service providers.
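The properties listed above (data released only to the consented consumer, only for the consented purpose and data type, only within the consented time window, with every decision auditable) can be enforced at the data provider by checking a consent artefact before any data leaves. The following is an added illustration, not DEPA's or MeitY's artefact format and not code from the project: the artefact field names, the sample values and the `CONSENT_MANAGER_KEY` are constructed, and an HMAC-SHA256 tag stands in for the digital signature a real consent manager would apply.

```python
import hashlib
import hmac
import json

# Constructed signing key for a hypothetical consent manager; a real
# deployment would use an asymmetric key pair, not a shared secret.
CONSENT_MANAGER_KEY = b"constructed-demo-key-not-for-production"


def _canonical(artefact: dict) -> bytes:
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(artefact, sort_keys=True, separators=(",", ":")).encode()


def sign_artefact(artefact: dict, key: bytes = CONSENT_MANAGER_KEY) -> dict:
    """Wrap an artefact with an HMAC-SHA256 tag over its canonical form."""
    tag = hmac.new(key, _canonical(artefact), hashlib.sha256).hexdigest()
    return {"artefact": artefact, "signature": tag}


def signature_valid(signed: dict, key: bytes = CONSENT_MANAGER_KEY) -> bool:
    expected = hmac.new(key, _canonical(signed["artefact"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed.get("signature", ""))


def authorize_release(signed: dict, *, consumer_id: str, purpose: str,
                      data_type: str, now: int, revoked: set, audit_log: list) -> dict:
    """Data-provider side check run before any data leaves.

    Returns the audit entry (also appended to audit_log) carrying the decision
    and the first failing reason. Every decision is logged, allowed or denied.
    """
    a = signed["artefact"]
    reason = None
    if not signature_valid(signed):
        reason = "signature invalid (artefact tampered or not from consent manager)"
    elif a["consent_id"] in revoked:
        reason = "consent revoked by user"
    elif a["consumer"] != consumer_id:
        reason = "requester is not the consented data consumer"
    elif a["purpose"] != purpose:
        reason = "purpose does not match consented purpose"
    elif data_type not in a["data_types"]:
        reason = "data type not covered by consent"
    elif not (a["valid_from"] <= now < a["valid_until"]):
        reason = "outside consented validity window"
    entry = {
        "consent_id": a["consent_id"],
        "user": a["user"],
        "provider": a["provider"],
        "consumer": consumer_id,
        "purpose": purpose,
        "data_type": data_type,
        "timestamp": now,
        "allowed": reason is None,
        "reason": reason,
    }
    audit_log.append(entry)
    return entry


# Constructed sample artefact: the user consents to bank-A sharing one
# account statement with lender-B for loan underwriting during a one-week
# window (unix seconds).
SAMPLE_ARTEFACT = sign_artefact({
    "consent_id": "c-0001",
    "user": "user-123",
    "provider": "bank-A",
    "consumer": "lender-B",
    "purpose": "loan_underwriting",
    "data_types": ["account_statement"],
    "valid_from": 1_700_000_000,
    "valid_until": 1_700_604_800,
})


def demo() -> list:
    """Run a handful of requests against the sample artefact; returns the audit log."""
    log: list = []
    revoked: set = set()
    ok = dict(consumer_id="lender-B", purpose="loan_underwriting",
              data_type="account_statement", revoked=revoked, audit_log=log)
    authorize_release(SAMPLE_ARTEFACT, now=1_700_100_000, **ok)            # allowed
    authorize_release(SAMPLE_ARTEFACT, now=1_700_700_000, **ok)            # expired
    authorize_release(SAMPLE_ARTEFACT, now=1_700_100_000,
                      **{**ok, "purpose": "marketing"})                    # wrong purpose
    tampered = {"artefact": {**SAMPLE_ARTEFACT["artefact"], "consumer": "lender-C"},
                "signature": SAMPLE_ARTEFACT["signature"]}
    authorize_release(tampered, now=1_700_100_000,
                      **{**ok, "consumer_id": "lender-C"})                 # tampered
    revoked.add("c-0001")
    authorize_release(SAMPLE_ARTEFACT, now=1_700_100_000, **ok)            # revoked
    return log


if __name__ == "__main__":
    for e in demo():
        print(("ALLOW " if e["allowed"] else "DENY  ") + (e["reason"] or ""))
```

Two design points worth noting: the signature is checked first, so an artefact whose consumer field has been edited is rejected before any of its other fields are trusted, and the audit entry is written for denied requests as well as allowed ones, which is what makes the data flow traceable after the fact. The revocation set models the user withdrawing consent before the window ends.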

The vision of DEPA is to break the tension between (a) maintaining privacy and (b) using the data for good. Rather than having to balance between them, DEPA aims to provide a third option – enabling safe and trusted sharing of data in which privacy is preserved.

The objective of DEPA is to provide the tools and utilities that enable us to build systems that give the user mechanisms for protecting and sharing their data. The potential impact of DEPA is life-changing. As Indians become data rich at an exponential pace, we can open the doors to trusted sharing of data by giving them control of their data, thus enabling them to become economically rich. DEPA opens up whole new models for privacy protection and auditing data flows while keeping the user at the center.

Guiding principles for the sharing of user data across different services with user consent have been previously outlined in two key policy documents: namely, the “Policy on Open Application Programming Interfaces (APIs) for the Government of India” published by the Ministry of Electronics and Information Technology (MeitY), and the “National Data Sharing and Accessibility Policy (NDSAP) – 2012” by the Department of Science & Technology.

The IT Act also requires that any entity sharing user data that is sensitive in nature must collect consent from the user prior to such sharing.

Important Policy Resources

  1. Financial Data
    1. Account Aggregator Master Directive by RBI: https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=10598&Mode=0
    2. Public Credit Registry by RBI: https://rbi.org.in/scripts/PublicationReportDetails.aspx?ID=895
  2. Healthcare Data: http://www.niti.gov.in/writereaddata/files/document_publication/NHS-Strategy-and-Approach-Document-for-consultation.pdf
  3. Telecom Data: https://www.trai.gov.in/sites/default/files/RecommendationDataPrivacy16072018_0.pdf (Recommendation – 3.3 C)
  4. Private Data: Srikrishna Report for Privacy Bill: http://pibphoto.nic.in/documents/Others/2018727xcxzcx151.pdf (Page 39, Chapter 3F)

Important Technology Resources

  1. Electronic Consent Framework by MeitY: http://dla.gov.in/sites/default/files/pdf/MeitY-Consent-Tech-Framework%20v1.1.pdf
  2. Digital Locker System by MeitY: http://dla.gov.in/sites/default/files/pdf/DigitalLockerTechnologyFramework%20v1.1.pdf
  3. API Standards: https://api.rebit.org.in/list
  4. Financial Information Standards: https://api.rebit.org.in/schema

Reading List

1. India Must Become the World's First Data Democracy – Nandan Nilekani – The Week

2. India can offer a radically new way of looking at data – Nandan Nilekani – The Print

3. India must embrace Data Democracy – Nandan Nilekani – Product Nation

4. The best way forward for privacy is to open up your data – Tanuj Bhojwani – Product Nation

5. Notes from the August 2017 Carnegie India / iSPIRT Event & YouTube Playlist

6. Beyond Consent – Rahul Mathan – The Takshashila Institution

7. Rights-based data protection framework for financial information – RBI Committee on Household Finance

8. Data To The People – Nandan Nilekani – Foreign Affairs

9. Who controls your data? India may pass a law ensuring that you do – Vasant Dhar – Washington Post