Data (Section 2(h)) – means any form of information—like facts, ideas, opinions, or instructions—that can be understood or processed by people or computers. This definition is consonant with the definition of data under the IT Act under Section 2(1)(o), which includes information, knowledge, facts, concepts or instructions that have been or are set to be processed by a computer/similar device. The IT Act, interestingly also focuses on the form in which such data is represented or stored – which is absent but implied in the DPDPA.
Data Fiduciary (Section 2(i)) – also simply referred to as the "fiduciary," this term refers to any entity(ies) who decide why and how data collected is going to be processed. The entity referred to as a data fiduciary under the DPDPA is referred to as a "data controller" under the GDPR. The distinction in terminology is a conscious decision made by the legislature, who wished to signify that whereas the fiduciary exercises control over the personal data, they are doing so in the capacity of a fiduciary – i.e., they are required to act in the best interests of the data principal.
Data Principal (Section 2(j)) – also simply referred to as the "principal," this term refers to the individual to whom the personal data relates. In the case of a child, this would refer to the parent/lawful guardian of the child, and in the case of a person with disability, this would refer to the lawful guardian acting on their behalf. Data principals are referred to as "data subjects" under the GDPR. Again, the distinct terminology is a conscious decision, with the Indian legislature signifying that regardless of who controls the data, the final decision with respect to how the data is to be managed shall come from the owner of the data – i.e., the data principal.
Data Processor (Section 2(k)) – also simply referred to as the "processor," this term refers to the individual who processes data on behalf of the data fiduciary. Section 2(x) defines "processing" to be a wholly or partly automated activity with digital personal data – like collecting, storing, organizing, using, sharing, combining, restricting, deleting, or destroying it. Since the Act does not provide for punitive measures against processors who are carrying out the instructions of the fiduciary (treating the processor as an agent of the fiduciary), many entities attempt to declare themselves as processors and not fiduciaries. The processor does not decide why or how the data is used – that is the fiduciary's role. In practice, a processor has little autonomy and acts like an agent. If an entity controls the purpose and method of data collection, it is a fiduciary, not a processor.
Personal Data (Section 2(t)) – this refers to any data using which an individual can be identified in relation to such data. This appears to depart from the approach of the SPDI Rules, which includes data which can be used indirectly (in conjunction with other data that is likely accessible to the entity (body corporate) that collects that data, but the interpretation of the term "in relation to such data" may include indirect identification.
Made with Bullet