Lending companies use a host of mechanisms to obtain data about users from different sources. In particular, online lending companies (such as Kabbage and OnDeck) acquire a lot of digital data about users from other financial service providers before underwriting loans. Health insurance companies need hospitalization and diagnostic data about patients in order to make insurance payments, and this data is shared by hospitals and labs, often in digital form, with such companies.
In these applications, it is essential that users give consent to the service provider that holds the data (the data provider) before it shares that data with the provider requesting access (the data consumer). It is also essential that the privacy of the data be safeguarded, i.e., that the data is accessible only by the data consumer, only for a stipulated amount of time and only for a stipulated purpose, as consented to by the user. It is also desirable that all data sharing transactions be traceable and auditable in the future. Finally, the data sharing process itself should be easy, efficient and user-friendly.
We have developed a novel consented data-sharing architecture to accomplish these goals. Our finding so far has been that in current-day applications, consent is handled very loosely and oftentimes insecurely. For example, some lending applications collect users’ bank passwords in order to “scrape” data about them from bank websites. Other applications use well-established authorization frameworks like OAuth 2.0 to exchange data, but these frameworks are inadequate in certain ways: they fail to ensure secure, auditable data sharing in all scenarios, and particularly so for mobile-based applications. This necessitated the design of a new consent framework for data sharing that brings us closer to achieving a Data Democracy, where the user can share his data with service providers.
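The consent properties listed above (access only by the consented data consumer, only for the stipulated purpose and validity period, with every decision auditable) are something the data provider can enforce mechanically at the point of release. The following Python is an added example, not code from DEPA or from the MeitY Electronic Consent Framework; the artefact fields, the HMAC signing key and the lender/bank scenario values are assumptions constructed for the demo.

```python
from dataclasses import dataclass
from datetime import datetime
import hashlib, hmac, json

SIGNING_KEY = b"constructed-demo-key"  # constructed; a real issuer uses its own signing key

@dataclass(frozen=True)
class ConsentArtefact:
    """Minimal consent artefact (assumed fields, not the MeitY schema)."""
    user_id: str
    data_provider: str
    data_consumer: str
    purpose: str
    valid_from: datetime
    valid_until: datetime
    signature: str = ""
    def payload(self) -> bytes:  # canonical bytes covered by the signature
        body = {k: v for k, v in self.__dict__.items() if k != "signature"}
        return json.dumps(body, sort_keys=True, default=str).encode()

def sign(artefact: ConsentArtefact) -> ConsentArtefact:
    """The consent issuer signs the artefact so its terms cannot be altered later."""
    mac = hmac.new(SIGNING_KEY, artefact.payload(), hashlib.sha256).hexdigest()
    return ConsentArtefact(**{**artefact.__dict__, "signature": mac})

def authorise(artefact, consumer, purpose, now, audit_log) -> bool:
    """Grant only the consented consumer and purpose, inside the window, on an untampered artefact."""
    expected = hmac.new(SIGNING_KEY, artefact.payload(), hashlib.sha256).hexdigest()
    reasons = [why for bad, why in (
        (not hmac.compare_digest(expected, artefact.signature), "bad signature"),
        (consumer != artefact.data_consumer, "consumer mismatch"),
        (purpose != artefact.purpose, "purpose mismatch"),
        (not artefact.valid_from <= now <= artefact.valid_until, "outside validity window")) if bad]
    audit_log.append({"at": now.isoformat(), "user": artefact.user_id, "consumer": consumer,
                      "purpose": purpose, "granted": not reasons, "reasons": reasons})  # audit trail
    return not reasons

def demo() -> dict:
    """Constructed scenario: lender-X holds a January-2020 consent for loan underwriting."""
    log, jan, feb = [], datetime(2020, 1, 15), datetime(2020, 2, 15)
    art = sign(ConsentArtefact("user-1", "bank-A", "lender-X", "loan_underwriting",
                               datetime(2020, 1, 1), datetime(2020, 1, 31)))
    tampered = ConsentArtefact(**{**art.__dict__, "purpose": "marketing"})  # edited after signing
    return {"granted": authorise(art, "lender-X", "loan_underwriting", jan, log),
            "wrong_purpose": authorise(art, "lender-X", "marketing", jan, log),
            "other_consumer": authorise(art, "insurer-Y", "loan_underwriting", jan, log),
            "expired": authorise(art, "lender-X", "loan_underwriting", feb, log),
            "tampered": authorise(tampered, "lender-X", "marketing", jan, log),
            "audit_entries": len(log)}
```

Only the first request is granted; the other four are refused for a logged reason, and the audit log holds one entry per decision, refused ones included.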
The vision of DEPA is to break the tension between (a) maintaining privacy and (b) using the data for good. Rather than having to balance between them, DEPA aims to provide a third option – enabling safe and trusted sharing of data in which privacy is preserved.
The objective of DEPA is to provide the tools and utilities that enable us to build systems that give the user mechanisms for protecting and sharing their data. The potential impact of DEPA is life-changing. As Indians become data rich at an exponential pace, we can open the doors to trusted sharing of data by giving them control of their data, thus enabling them to become economically rich. DEPA opens up whole new models for privacy protection and auditing data flows while keeping the user at the centre.
Guiding principles for the sharing of user data across different services with user consent have been previously outlined in two key policy documents: namely, the “Policy on Open Application Programming Interfaces (APIs) for the Government of India” published by the Ministry of Electronics and Information Technology (MeitY), and the “National Data Sharing and Accessibility Policy (NDSAP) – 2012” by the Department of Science & Technology.
The Indian IT Act also requires that any entity sharing user data that is sensitive in nature must collect consent from the user prior to such sharing.
We have collated important resources related to the DEPA ecosystem.
- Account Aggregators in India
- Banks, NBFCs using AA Framework
- Frequently Asked Questions For Account Aggregators
- Account Aggregator Master Directive by RBI
- Public Credit Registry (PCR) by RBI
- Draft of The Personal Data Protection Bill, 2018 (Srikrishna Committee Report on Data Protection)
- The Personal Data Protection Bill, 2019 was introduced in Lok Sabha on December 11, 2019
- UK Sinha’s Report of the Expert Committee on MSMEs: the recommendation that Loan Service Providers (LSPs) act as agents of the borrowers is put forward for consideration by RBI: Announcement, Full Report (Section 8.2.1 on page 108 about LSPs and Section 9.26 on page 126 about Cash Flow-based lending)
- Healthcare Data: http://www.niti.gov.in/writereaddata/files/document_publication/NHS-Strategy-and-Approach-Document-for-consultation.pdf
- Telecom Data: https://www.trai.gov.in/sites/default/files/RecommendationDataPrivacy16072018_0.pdf (Recommendation – 3.3 C)
- Private Data: Srikrishna Report for Privacy Bill: http://pibphoto.nic.in/documents/Others/2018727xcxzcx151.pdf (Page 39, Chapter 3F)
- Account Aggregator (AA) API
- Financial Information Provider (FIP) API
- Financial Information User (FIU) Callback API
- Account Aggregator Schema Definitions (FI Types)
- Account Aggregator Purpose Definitions
- Electronic Consent Framework by MeitY
- Steps to connect FIP/FIU with Account Aggregators
- Digital Locker System by MeitY
- Healthcare (Project EKA): API Documentation for the HDCM, HIP and HIU
Sahamati.org.in – A new collective group for Account Aggregators to build awareness and provide technical support to potential AAs, GSPs, FIPs, and FIUs.
1. India Must Become the World’s First Data Democracy – Nandan Nilekani – The Week
2. India can offer a radically new way of looking at data – Nandan Nilekani – The Print
3. India must embrace Data Democracy – Nandan Nilekani – Product Nation
4. The best way forward for privacy is to open up your data – Tanuj Bhojwani – Product Nation
6. Beyond Consent – Rahul Mathan – The Takshashila Institution
7. Rights-based data protection framework for financial information – RBI Committee on Household Finance
8. Data To The People – Nandan Nilekani – Foreign Affairs
9. Who controls your data? India may pass a law ensuring that you do – Vasant Dhar – Washington Post