Personal Data – User’s Right to Access Information

The Data Principal (i.e. the user) has a right to access information about their personal data processed by a company or a firm (i.e. the Data Fiduciary).

To provide this information, the company has to build channels that allow such information to be processed. This information is to be provided by the Data Fiduciary in the form of a summary. To be able to provide these records, the Data Fiduciary must have the information available with them.

This will require storing information about the users such that the details can be easily accessed. Additionally, a mechanism to verify the records and provide them to the user has to be devised. Non-compliance triggers penalties of up to Rs. 50 crores and reputational risk due to public scrutiny.

What details of personal data can the user ask for?

The user can request the following information from the Data Fiduciary:

  • Summary of personal data processed and the processing activities undertaken with respect to the personal data
  • Identities of all Data Fiduciaries and Data Processors with whom the personal data is shared and a description of the personal data so shared
  • Any other information that the rules or regulations may allow the user to ask for

The DPDPA leaves room for the government to prescribe other information that the user may be entitled to. However, the Draft Rules did not include any provisions prescribing such information.

How can the user exercise these rights regarding their personal data?

The DPDPA sets out the details of what the right to access covers. It does not prescribe how this right should be exercised. The Draft Rules gave some clarity on how the user may exercise these rights.

Draft Rule 13 provides that:

  • The user has to access their information through the means provided by the Data Fiduciary.
  • The user has to provide the details required by the terms of service of the Data Fiduciary.

The Draft Rules also set out that the Data Fiduciary must provide the following details on its website or app to enable the user to exercise their rights:

  • Means by which the user can make a request to exercise the right
  • Particulars such as any identifiers required to identify the user under the Data Fiduciary’s terms of service

What should the Data Fiduciary do?

To comply with this requirement, the Data Fiduciary must ensure that they have the following information with them:

  • The details of personal data processed with respect to the user
  • Information on what personal data of a user is shared with which Data Fiduciary
  • Information on what personal data of a user is shared with which Data Processor

The requirement is not straightforward. The following scenarios introduce complexity in compliance:

  • The users can provide consent for processing of data for specific purposes while not providing consent for processing data for other purposes. For example, the user can provide consent for processing of data for analytics but not for marketing.
  • Similarly, the processing of personal data by the Data Fiduciary or Data Processor will vary depending on the uses for which consent was provided, so the summary given to each user must reflect only the purposes that user consented to.

What can be done to comply?

Accounts center: Although neither the DPDPA nor the Draft Rules explicitly state that the information on access should be readily available, the Data Fiduciary will likely be compliant by:

  • providing an account center of some sort that can provide the data at the click of a button.
  • using a set template to provide a summary of the personal data.

AI-based chatbots: AI-based chatbots will likely be an acceptable solution as:

  • they can go through unstructured data (if the Data Fiduciary stores it) and provide a summary in compliance with the DPDPA.
  • they can also sift through data to provide the list of Data Fiduciaries and Data Processors as required.

The specifics of such an implementation will require a comprehensive survey of the organisation’s data practices in line with the DPDPA.