The Telecom Regulatory Authority of India (TRAI) on Monday released its recommendations on "Privacy, Security and Ownership of Data in the Telecom Sector", stating that each user owns his/her personal information/data collected by or stored with the entities in the digital ecosystem.
"The entities, controlling and processing such data, are mere custodians and do not have primary rights over this data," it stated.
The TRAI recommended that a study should be undertaken to formulate the standards for anonymisation/de-identification of personal data generated and collected in the digital ecosystem. "All entities in the digital ecosystem, which control or process the data, should be restrained from using meta-data to identify the individual users."
It said that the existing framework for protection of the personal information/data of telecom consumers is not sufficient. "To protect telecom consumers against the misuse of their personal data by the broad range of data controllers and processors in the digital ecosystem, all entities in the digital ecosystem, which control or process their personal data should be brought under a data protection framework," it adds.
TRAI said that until a general data protection law is notified by the government, the existing rules/licence conditions applicable to telecom service providers (TSP) for protection of users' privacy should be made applicable to all the entities in the digital ecosystem.
"For this purpose, the government should notify the policy framework for regulation of devices, operating systems, browsers, and applications."
The principle of privacy by design, coupled with data minimisation, should be made applicable to all the entities in the digital ecosystem, such as service providers, devices, browsers, operating systems and applications.
It said: "The Right to Data Portability and Right to be Forgotten are restricted rights, and the same should be subjected to applicable restrictions due to prevalent laws in this regard."
Consumer awareness programmes should be undertaken to spread awareness about data protection and privacy issues so that users can take well-informed decisions about their personal data, the sector regulator suggested.
"Data Controllers should be prohibited from using 'pre-ticked boxes' to gain users' consent. Clauses for data collection and purpose limitation should be incorporated in the agreements. Devices should disclose the terms and conditions of use in advance, before sale of the device," it said.
"For ensuring the security of the personal data and privacy of telecommunication consumers, personal data of telecommunication consumers should be encrypted during the motion as well as during the storage in the digital ecosystem. Decryption should be permitted on a need basis by authorised entities in accordance to consent of the consumer or as per requirement of the law," it said.
The TRAI said all entities in the digital ecosystem including telecom service providers should be encouraged to share the information relating to vulnerabilities and threats in the digital ecosystem/networks to mitigate the losses and prevent recurrence of such events.
"A common platform should be created for sharing of information relating to data security breach incidences by all entities in the digital ecosystem including telecom service providers. It should be made mandatory for all entities in the digital ecosystem including all such service providers to be a part of this platform," TRAI said.
It further said data security breaches may take place in spite of the adoption of best practices, adding: "Sharing of information concerning to data security breaches should be encouraged and incentivised to prevent/mitigate such occurrences in future."