Personal Data Life Cycle in the Context of Privacy

The journey of Personal Data for a natural person, who is often termed the Data Subject or Data Principal, primarily goes through four stages.

The four stages are: Collection, Processing, Analytics and Deletion. We have tried to correlate the privacy aspects with the respective stages of the Personal Data life cycle. However, before delving into the primary topic, let us understand some key terms.

  • Personal Data means:
    • all types of information that anyone can use to directly or indirectly identify a person, such as name, picture, IP address, employee ID etc.[1]
    • data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling.[2]

Thus, in a nutshell, any data that, either in isolation or in combination with other data sub-types or information, directly or indirectly identifies a natural person, either online or offline, is Personal Data.

  • Data Fiduciary or Data Controller means any person, including the State (which means Govt.), a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data.[3] It is referred to as Data Fiduciary in the PDPB 2019. The foregoing meaning is similar to the EU GDPR version, where the term is referred to as Data Controller.

Thus, one who decides what to do with personal data is a Data Fiduciary or Data Controller.

  • Data Processor means any person, including the State, a company, any juristic entity or any individual, who processes personal data on behalf of a data fiduciary/data controller.[4] The foregoing meaning is similar to the EU GDPR version.

Generally, Personal Data flows through four stages, viz. (1) Collection, (2) Processing, (3) Analytics or Profiling and (4) Deletion. When Analytics is a separate stage, it may or may not be devoid of personal data. It is often resorted to by corporates, and even government authorities, to understand the behavioural pattern of users on a macro basis for decision making, policy change etc. It is often termed profiling. Alternatively, it can be simultaneous with Stage (2) Processing. Likewise, Deletion (4) can be a separate stage or part of Processing (Stage 2).

COLLECTION

This is the stage wherein the user’s personal data, particularly first and last name, mobile number, email ID etc., is sought either online or offline. The most applicable objectives are as follows:

  • create / manage user account (e.g., creation of log-in information and to provide user access)
  • customer support (e.g., the service provider or data controller can contact the user about the service or for any issue / feedback redressal)
  • transfer of such personal data collected to a third party who may be supporting the service provider or data controller collecting such personal data.

It may be provided that, post collection of basic personal data, additional information may further be sought by the data controller or by a data processor acting on its behalf.

In the privacy context, any such personal data should be received and/or further processed under a privacy notice setting out the purpose for which the personal data is needed and the legal ground of processing, and stating that only the relevant personal data needed to meet the objective has been sought (purpose limitation and data minimization). The PDPB 2019 does provide for this requirement,[5] while it already forms part of the EU GDPR.

PROCESSING

The following processing activities have been identified under PDPB 2019.[6] However, in common practice the processing activities can extend beyond the list captured here.

In the privacy context, processing of personal data has to be on legal grounds only, viz. (1) Consent, (2) Performance of Contract, (3) Where a legitimate interest is involved on the part of the data controller or processor, (4) Legal obligation, (5) Exercise of official authority or task in public interest, (6) Fundamental interest.[7] These legal grounds have been provided under the EU GDPR.

The PDPB 2019 also provides for instances where processing is permitted with the consent of the data subject or data principal and instances where no consent is required.

When personal data is processed by a data processor under the instructions of the data controller, there is a requirement to have a data processing agreement (DPA) between the data processor and the data controller.[8] This finds resonance with a similar provision in the GDPR.

As regards the provision in effect as on date, with the PDPB 2019 not yet implemented, for Sensitive Personal Data (viz. Password, Financial Information, Biometric Information, Medical records & history, Sexual Orientation), notice followed by consent is mandatory from the person providing such information.

ANALYTICS

This stage reflects analysis of data (which may or may not be personal) with an overview of the aggregation of behavioural trends. It is often referred to as profiling, based on which predictions can be made on behaviour and interests.

In the privacy context under the GDPR, entities generally need to provide prior information about profiling in their privacy notices.

In the evolving Indian privacy context, a report was prepared by the Committee of Experts on Non-Personal Data Governance around December 2020.[11] It lays down that anything which does not fall within Personal Data can be carved out to be Non-Personal Data. The criterion is that Personal Data should be anonymized, i.e. it cannot be re-identified to its origin. The Govt. of India intends to promote business or activities around Non-Personal Data which create economic value and wealth, apart from social and public value etc. So, data subjects will not have rights over Non-Personal Data.

DELETION

This is perhaps the last stage of the personal data life cycle, when personal data collected or processed has outlived its purpose and demands deletion. Thus, from a privacy context, it makes sense to have a retention policy which should trigger either archiving or deletion of personal data. The PDPB 2019 lays down a restriction on retention of personal data beyond what is necessary.

In a privacy context, personal data can also be deleted at the request of the data subject, commonly referred to as DSAR (Data Subject Access Rights). This is also referred to as the Right to Erasure or Right to be Forgotten.[13] This right is not absolute and other parameters have to be factored in.

Thus, we see the different stages any personal data can go through and the privacy requirements associated with each.

About Author

Sayantan Dey

Sayantan Dey is currently working as a Compliance Officer with Sandvik Mining & Rock Technology India Pvt Ltd. He has worn several hats, including those of Legal Counsel, Compliance Officer, Advisor, Investigator and Auditor, during his professional journey. He has worked on numerous contract areas including celebrity engagements, distribution, supply, licensing etc., and on other areas such as litigation, Anti-Bribery Compliance, Trademarks/Copyright and Data Privacy. He has had exposure to a wide range of sectors, viz. Education, IT/ITES, Engineering, Pharmaceutical.