The drafts were released last month and the government has sought public comments for them. The last date for submission of comments is September 21
Mobile Security Guidelines aim to ensure the achievement of mobile security goals and protect mobile users’ data privacy
Data Anonymisation aims to reduce risk, optimise privacy while also enabling various entities to process, share and publish data for different purposes
The Ministry of Electronics and Information Technology (MeitY) has released two draft documents on Mobile Security Guidelines (MSG) and Anonymisation of Data (AoD) as part of its e-governance guidelines.
The drafts were released last month and the government has sought public comments for them. The last date for submission of comments is September 21.
As per the draft, MSG covers entities including mobile device manufacturers, mobile application developers, mobile network operators, mobile service providers, mobile security testing organisations, and mobile phone users. The aim is to ensure the achievement of mobile security goals and protect mobile users’ data privacy.
“No personal data of mobile user shall be processed by any person, except for any specific, clear and lawful purpose. The personal data shall be collected digitally only to the extent that is necessary for the purpose of processing of such personal data,” the draft said.
Besides, it also said that the sensitive data of mobile users such as login credentials, passwords, date of birth, Aadhar number, among others, should not be known, collected, or misused by any unauthorised person, entity, or organisation.
Mobile security concerns currently are of “paramount importance” given the large number of mobile users, increasing mobile security threats and dependency on multiple entities of the mobile ecosystem, the MeitY said.
Meanwhile, the draft for AoD said that data anonymisation is another privacy-enhancing technique to remove or minimise the identifiability of individuals in large data sets of personal information.
The aim is to reduce risk, optimise privacy while also enabling various entities to process, share and publish data for different purposes.
“It is recommended that all e-governance projects apply data anonymisation as a norm and identify and record exceptions,” the draft said.
MeitY has entrusted Standardization Testing Quality Certification (STQC) Directorate and Centre for Development of Advanced Computing (C-DAC), Pune to formulate standards and guidelines in the areas of e-governance, and AoD is one of the topics under e-governance applications.
“Anonymisation could be done by using a single or combination of one or more privacy enhancing techniques that help reduce the threat surface and risks emanating from the processing of large scale personally attributable data,” the draft said.
In fact, MeitY said that the Joint Parliamentary Committee (JPC) reviewing Personal Data Protection Bill in its recommendations strongly advocated including anonymised data under the regulatory framework of the broadened Data Protection Bill 2021.
It is pertinent to note in this context that both the drafts were published days before the government withdrew the Personal Data Protection Bill, 2021. The JPC had proposed 81 amendments to the Bill, as proposed by the JPC.
Meanwhile, the government said that it is almost ready with a new Bill, which is expected to be introduced in the next Parliament session.
