Let’s talk ‘documents’ containing sensitive personal information

When we share copies of our documents such as Passport, Driving License, Educational Certificates and other types of personal and sensitive documents, they can primarily fall into two ways -

• ‘Non-digital’ forms of data - ‘Subsequently’ digitized
  • physical forms filled up with PII data
  • photocopies of all sorts of documents
• Scanned copies shared over -
  • whatsapp
  • email
  • google drive
  • usb drive

What does the Indian Digital Personal Data Protection(DPDP) Act say about these ?

The DPDP Act says that the act will apply to data that is collected -

(i) in digital form; or
(ii) in non-digital form and digitised subsequently;

Data lifecycle and data protection

When we talk about data protection, we have to think of this throughout the lifecycle of the data - from when it was initially collected, to when it is stored and to who it is shared with and for what purpose.

When it comes to data that is directly collected in ‘digital’ form in the first place, applying the principles of data protection is clear in the sense that the ‘source’ of this data is directly a database or a store that is machine-readable and hence data protection measures can be automated through technical controls.

But when we look at the ‘documents’, this becomes more complicated.

Lifecycle of physical or scanned documents

Nowadays, whenever I go to get any service like getting a phone connection or checking-in into a hotel, I need to provide a ‘photocopy’ of my identity and similarly sensitive documents. This is because the government has given guidelines to these service providers to collect this photocopy. Last year, there was even a fiasco from the UIDAI (people who manage Aadhar card) where they issued a press statement saying photocopies should not be shared where they said -

"Unlicensed private entities like hotels or film halls are not 
permitted to collect or keep copies of Aadhaar card."

before retracting the same by saying cardholders are only advised to exercise normal prudence.

Make what you will of such retraction by an organization handling the most sensitive information for the whole country.

Welcome to the analog world

Irrespective of such directives, commonsense says that sharing a physical or scanned documents is as good as sharing all the sensitive information with another party without any way to ’track’ how that information will be used. Essentially, there’s no easy way to ‘audit’ the use of these documents since the documents are now in an ‘analog’ world, where multiple copies of these documents can be made without leaving any trace of who made those copies or what those copies are being used for or might be used for.

Data subject rights and informal channels of sharing

Sharing scanned documents through email, chat or through drive links like Google Drive is essentially the same thing as sharing a photocopy - you are no longer in control of how this information will be used - you have lost control of your own information in terms of how it is further shared or misused.

The DPDP Act talks about data subject access rights (DSARs), which include right to delete information when its retention is no longer necessary. When most of India runs on sharing PII sensitive documents on informal channels like WhatsApp, what does this mean to all the information that is already shared through email, chat and other means ?

Data subject rights and physical documents

The same question applies to physical documents collected by these organizations ‘as per government guidelines’. With the introduction of the DPDP Act, do these guidelines change to now allow for data subject rights to apply to physical documents as well ?

Papering over the cracks

In a highly ‘analog’ country like India, where photocopies and scanned documents sent through WhatsApp are the primary ways of sharing identity and PII information, a data protection act has to look at and cover these ‘analog’ source of data as well if it has to be true to its motivation and intent.