Nine point code by the Justice A. P. Shah panel

The group led by former Delhi High Court chief justice A P Shah was set up by the Planning Commission to identify privacy issues and prepare a document to facilitate the proposed Privacy Act.

The group was set up after concerns were raised about the impact on the privacy of individuals of several emerging national programmes such as Unique Identification number, NATGRID, DNA profiling, Reproductive Rights of Women, privileged communications and brain mapping, most of which will be implemented through information and communication technology (ICT) platforms.

The Justice A. P. Shah panel has recommended an over-arching law to protect privacy and personal data in the private and public spheres. The report also suggested setting up privacy commissioners, both at the Central and State levels. It has spelt out nine national privacy principles that could be followed while framing the law.

The report comes at a time when there is growing concern over unique identity numbers, DNA profiling, brain-mapping, etc., most of which will be implemented on the ICT platform.

The report has listed certain exceptions in the right to privacy such as national security, public order, disclosure in public interest, prevention, detection, investigation and prosecution of criminal offences and protection of the individual or of the rights of freedom of others.

In certain cases, historical or scientific research and journalistic purposes can also be considered as exceptions, says the report.

Referring to social networking sites and search engines, which have their own privacy code, Justice Shah said these will either have to follow the model provided in the proposed Act or have a self-regulatory mechanism approved by the privacy commissioner.

The report suggests harmonising the proposed privacy Act with the RTI Act.

The high-level panel submitted its report to the Planning Commission and now it will be forwarded to the Department of Personnel and Training, which is already looking into the privacy law.

Nine National Privacy Principles:

  • A data controller should give prior notice of collection and information to all individuals before taking consent.
  • Individuals should be given a choice to opt in/out with regard to providing personal information.
  • Data collectors should only collect personal information necessary for the purpose identified.
  • If there is a change of purpose, it must be notified to the individual. After use for the identified purpose, data should be destroyed.
  • Individuals should have access to personal information for seeking correction, changes, deletion, etc.
  • Personal information should only be disclosed to third parties or made public after giving notice and seeking informed consent.
  • Data collectors should ensure security safeguards against loss, unauthorised access, destruction, use, etc.
  • For openness, information should be made available to all individuals in an intelligible form, using clear and plain language.
  • A data controller should be accountable for complying with privacy measures such as external, internal audits and extending necessary support to privacy commissioners.