Access and Use of Archival Records: Privacy and Data Protection Law
This chapter covers data privacy, personal data protection, and informed consent.
Scenario: An archive with both institutional and collected records from the public has a collection that includes photographs and personal correspondence from individual donations, the institutional records of former employees including health records, and other records that contain information specific to these individuals. The archive includes several ‘oral history’ collections in the form of audio files and transcriptions where interviewees have revealed intimate personal information and experiences. The archive has been conscious of privacy concerns in its functioning, but to what extent is this functioning a matter of legal regulation? What are the legal requirements for archives which deal with information of a personal nature? How can archives navigate these requirements to ensure that they deal with records in a way that respects privacy, while providing access?
Archives regularly deal with records and other material that contain information that pertains to, and identifies, individuals and their attributes or behaviours. For example, some archives might work with institutional employee records, which include job performance reviews or health information. The individuals to whom such information pertains (or their relations) may have an interest in such records, particularly in maintaining their confidentiality and controlling access to them.
Privacy concerns are integral to the functioning of archives. Such considerations may be reflected within the terms of particular donations or loans that restrict access or dissemination of a record, or may involve broader legal considerations that are not specified within the terms of an acquisition document. This chapter assesses the considerations regarding the law of privacy and the protection of personal data that arise outside of specific contractual restrictions placed within acquisition documents. With digitisation and the increasing ease with which personal information can change hands and be communicated, there is an urgent need for archivists in India to familiarise themselves with legal considerations involved with privacy within the collections, records and other material which they deal with.
Unlike in copyright, where most acts are triggered by the copying of archival records themselves, data protection law is concerned with the collection or use of personal data in any manner, whether made public or not. This has implications not only for the archives in their ability to make copies available for researchers, but also for the provision of referencing services, for example, where the metadata being made available to the public itself might constitute personal information.
Privacy and Data Protection Law in India
In India, legal concerns around privacy can broadly be categorised as those involving specific statutory mandates for data protection, and those which arise out of non-statutory mandates, such as the common law or constitutional law.
Various statutory mandates in India require different forms of compliance from institutions or individuals dealing with information that poses concerns of privacy. Some of these are sector-specific. For example, the sharing of medical or health-related information is regulated by a number of statutes including the Mental Health Act,1 or the Insurance Regulatory and Development Authority of India (IRDAI) Health Service Regulations.2 In addition, the National Medical Commission’s Code of Medical Ethics Regulations (2002) advises medical professionals to retain medical records of patients for three years from the date of commencement of the treatment.3 But it is outside the scope of this guidebook to detail these codes and statutes. At the time of publishing this guidebook, there is no clear and definite guideline in Indian law on confidentiality and long-term retention period for personal health records from an archival point of view. In general, archivists should consider whether disclosure or use of some of their records or collections may be restricted by such laws, particularly when considering information that is generally considered sensitive – such as information relating to official health records or financial information.4
Apart from sector-specific considerations of privacy, there is a broader mandate for the protection of digitised personal data within the Information Technology (IT) Act. Section 43A of the IT Act states that
“Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.”
Section 43A is quite limited in its scope. First, it only applies to ‘body corporates’, which include all companies or even groups of individuals engaged in a ‘commercial or professional’ activity. As such, non-profit archives, which are not incorporated as a company, may not be affected by this law (although in certain states, registered societies are also considered ‘body corporates’). Second, it only applies to ‘sensitive personal information’ held in a ‘computer resource’ (digital information). Third, the body corporate must have been negligent in implementing ‘reasonable security practices’. Fourth, such negligence must lead to a wrongful loss or wrongful gain to the affected individual.
The terms ‘sensitive personal information’ and ‘reasonable security practices’ are further defined in the Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information) Rules, 2011.5 We’ll refer to them here as the “SPDI Rules”.
Archives should consult and comply with the procedures indicated in the SPDI Rules in case they are part of an incorporated entity, or a part of any entity conducting for-profit or commercial activities, and are in the process of acquiring digital records or digitising existing collections.
Given the limited scope of the SPDI Rules, there is not much uncertainty or liability associated with archival activity and existing statutory regulation of data protection in India, if the activities of the archive do not involve digitisation and making collections publicly available online. However, the Government of India is in the process of considering a comprehensive new legislation, with a substantially revised scope. Various iterations of a proposed regulation have been tabled by ministries. The latest Bill to be released by the Ministry of Electronics and Information Technology is the Digital Personal Data Protection Bill, 2022 (“DPDP Bill”). The DPDP Bill specifically covers the processing of personal information for online activities and digitised information. The definition of personal information in this Bill includes any information by which a person may be identified.
The DPDP Bill is of concern primarily to archives that work with born-digital material or are digitising their records in which personal information is being ‘processed’, which includes any automated collection, storage, structuring or retrieval of personal information. For any archive that collects or processes such material in an automated manner, the DPDP Bill introduces obligations to provide notice and obtain consent from people whose information is being processed. It further grants subjects the right to access, correct or delete their information. The DPDP Bill also includes a provision whereby the government may exempt its application for ‘archiving purposes’ although the scope of this is not clear, and will likely develop as the Bill and the rules made thereunder are enacted.6
A full discussion of the DPDP Bill is not appropriate at this time, but archivists should be aware of the pending legislation and consult this guide or other legal guidance should the law on personal data protection be enacted. At the time of publishing this guidebook, the Ministry of Electronics and Information Technology of the Government of India has made the text of the DPDP Bill and other documents accessible through its website7 and invited public feedback online8 till January 2, 2023.
Scenario: The corporate archive of a large for-profit corporation collects and preserves documents relating to the history of the corporation, including files of previous employees, records pertaining to their personal lives, such as healthcare and employment assessment forms. To comply with the law, the corporate archive should consider the application of Section 43A of the Information Technology Act, 2000, to its record collection functions, and should consider whether it might require obtaining consent from the individuals whose personal information might be included in the records that it collects and makes public.
Non-Statutory Mandates and the Right to Privacy
The Constitution of India recognises the Right to Privacy as a part of the fundamental rights accorded to every individual in India, which was affirmed in 2017 by the 9-judge bench decision of the Supreme Court of India in Justice KS Puttaswamy v Union of India.9 The scope of this right extends to protecting the informational self-determination of individuals – namely, giving individuals control over information that pertains to them, and in which there exists a privacy interest. This constitutional right generally applies against the state – that is, governments and their agencies and instrumentalities. The Right to Privacy is not absolute, and is balanced against competing interests that the state might have in collecting or disseminating information about individuals, such as collecting demographic or health information for public health purposes or for the better delivery of state services.
Archives that do not operate as part of government institutions or agencies are unlikely to face claims that they have infringed the fundamental right to privacy of individuals. However, the recognition of privacy as a fundamental right underscores the importance that archives stay sensitive to their roles as custodians of collections of historical importance, which must be balanced against the privacy interests of individuals identified within their collections. There is no formulaic mechanism for identifying compliance with the Right to Privacy, and in practice, the remedy for non-compliance might only be restricted to an injunction. However, ‘public’ archives, which are government instrumentalities, should carefully consider how principles of the right to privacy, such as consent, data protection or security, might apply across the archival process.
Scenario: The archive of a government institution systematically collects and preserves records relating to individuals (for example, former employees) that might contain personal information. As a part of a government institution, the archive has a responsibility to ensure the constitutional Right to Privacy of the individuals that are identified in the records. This might require, for example, that the archive obtains explicit prior informed consent of the identified individuals, and that it puts in place measures to ensure the protection of data from unauthorised third parties. Additionally, the archive should have a strong public interest justification for the collecting and processing of personal information, which should be documented with reference to the kinds of information it is processing.
Breach of Privacy and Breach of Confidence
Another domain of law where privacy interests are recognised is the non-statutory domain of ‘common law’, which protects certain interests of individuals against harm or loss caused in the civil domain. A common law right to privacy has also been recognised by courts in India, which protects individuals from breaches of their privacy, through, for example, the publication of their personal information in public.10 Although the scope of this right has not been explicated in detail, courts do consider the balance of the public interest in the disclosure of personal information with the infraction to privacy interests.11
An additional aspect of privacy arises when information is disclosed ‘in confidence’. The tort of breach of confidence recognises that particular relationships carry duties of confidence, particularly attached to information that may be shared within such relationships (as for example, between doctors and patients, or lawyers and clients).
If the breach of privacy or breach of confidence causes harm to the person to whom an obligation of privacy or confidentiality is owed, it may result in liability for the breach, resulting in an injunction to stop the use of confidential information as well as monetary damages to be paid to the affected individual or entity. In the case that the archive is receiving records that contain confidential information about a third party who is not a party to the transaction, a court would consider whether the archive had or should have had knowledge of the fact that the records contained confidential information. If the circumstances do not indicate that the archive knowingly breached a duty of confidentiality owed to a third party in that information, the aggrieved party would most likely still be able to obtain an injunction against the further use of that information by the archive. There are various defences to an action for the breach of a duty of confidence, including that there is a justified overriding public interest in the archive disclosing the confidential information.12
The non-statutory rights to privacy described above are considered to be rights that attach only to specific persons during their lifetime, and are not considered to apply posthumously, as per the interpretation provided by various courts in India.13
Archives should protect themselves from liability for such harm by having clear disclosure and access policies, and also by including specific indemnities and warranties in their access policies against wrongful disclosure by third parties to whom they may provide access, as also indicated in the chapter on access and use of copyrighted material. In addition, there should be a clear ‘notice and takedown’ process through which individuals who are aggrieved by any material in the archives that potentially infringes on their legal rights to privacy can have that material taken down.
The Right to be Forgotten
A developing legal principle that archives should be cognizant of is the so-called ‘right to be forgotten’ or right of erasure. The modern application of this principle developed in the European Union as a right of an individual to be de-indexed from online cataloguing (such as search engines), where the catalogue refers to information that is no longer relevant. Such ‘de-indexing’ rights do not explicitly call for information to no longer be disclosed, but merely for placing impediments on how such information is catalogued (usually in online and publicly available catalogues). The Right to be Forgotten may also, in some circumstances, extend to the right to erasure of information held about an individual by a particular entity, such as all the personal information about an individual held by an archive. In India, the Right to Be Forgotten has been developed in the context of publicly searchable databases of judicial orders and judgements.14
The Right to Be Forgotten, while only a nascent and emerging principle, is an important consideration. Its development could affect the cataloguing and indexing of archival works, and archivists should be aware of further developments in this area.
As described above, archival practice can intersect with data protection and privacy law in different ways. Commonly, archives may ‘process’ personal data when appraising or acquiring personal information, when engaging in preservation activities, or when describing the information or creating ‘metadata’. As a matter of practice, wherever practicable, archives should attempt to gain explicit, written consent from living persons whose personal information is being archived, describing the uses to which such information may be put. Moreover, as a general principle, archives should demonstrate that personal information that they acquire, or allow for access, is only that which demonstrates archival value and is necessary to fulfil the archival function. This is best done through incorporating an ‘impact assessment’ into an archive’s acquisition, access and use policies.15 As mentioned, data protection law in India is at a nascent stage, and specific regulatory compliance requirements may still be forthcoming. It is important that archives be prepared for compliance with privacy mandates through demonstrable, written instruments and policies. More substantive advice on measures archives can take to comply with data protection best practices has been made available by the National Archives of the UK. Although these are made specifically with reference to UK data protection law, they provide important insight into the kinds of mechanisms (like impact assessments) that archives may employ as best practices for data security and privacy.16
1. Section 23, Mental Healthcare Act 2017. Retrieved from https://www.indiacode.nic.in/handle/123456789/2249
2. Insurance Regulatory and Development Authority (IRDA). (2019). IRDA health service regulations. Insurance Regulatory and Development Authority. Retrieved from https://www.irdai.gov.in/ADMINCMS/cms/Uploadedfiles/Regulations/Consolidated/IRDAI%20TPA%20consolidated%20Reg%20may%202020.pdf
3. National Medical Commission. (2002). Code of Medical Ethics Regulation. Retrieved from https://www.nmc.org.in/rules-regulations/code-of-medical-ethics-regulations-2002
4. Centre for Internet and Society. Draft - Health Privacy. Retrieved from https://cis-india.org/internet-governance/health-privacy.pdf; Centre for Internet and Society. State of Data Regulation in India: A Compendium. Centre for Internet and Society. Retrieved from https://cis.pubpub.org/data-regulation-india-compendium
5. India Code. (n.d.). The Information Technology Rules 2011. Retrieved from https://www.indiacode.nic.in/handle/123456789/1362/simple-search?query=The%20Information%20Technology%20(Reasonable%20Security%20Practices%20and%20Procedures%20and%20Sensitive%20Personal%20Data%20or%20Information)%20Rules,%202011.&searchradio=rules
6. Digital Personal Data Protection Bill 2022. Retrieved from https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Protection%20Bill%2C%202022.pdf
7. Ministry of Electronics and Information Technology. (2022). Data Protection Framework. Retrieved from https://www.meity.gov.in/data-protection-framework
8. Innovate India. (2022). Inviting Feedback on Draft Digital Personal Data Protection Bill. Retrieved from https://innovateindia.mygov.in/digital-data-protection
9. Justice KS Puttaswamy (Retd.) and Anr. v. Union Of India And Ors  10 SCC 1. Retrieved from https://indiankanoon.org/doc/91938676
10. R Rajagopal v State of Tamil Nadu  6 SCC 632. Retrieved from https://indiankanoon.org/doc/501107
11. Kharbanda, V. (2017). Relationship between privacy and confidentiality. Centre for Internet and Society. Retrieved from https://cis-india.org/internet-governance/blog/relationship-between-privacy-and-confidentiality
12. Lomas, E. (2019). Navigating confidentiality, legal privilege and GDPR to maintain legal records for future generations: The case for archiving. In Cowling, C, (Ed.) Legal Records at Risk: A Strategy for Safeguarding our Legal Heritage. (pp. 150-155)
13. Justice KS Puttaswamy (Retd.) and Anr. v. Union Of India And Ors ; Managing Director, Makkal Tholai Thodarpu Kuzhumam Limited Vs. Mrs. V. Muthulakshmi  6 MLJ 1152. Retrieved from https://indiankanoon.org/doc/47400
14. Sinha, A. (2017). Right to be forgotten: A tale of two judgements. Centre for Internet and Society. Retrieved from https://cis-india.org/internet-governance/blog/right-to-be-forgotten-a-tale-of-two-judgments; Sridhar, S. (2021). ‘Walking the tightrope of the right to be forgotten’. SpicyIP. Retrieved from https://spicyip.com/2021/05/walking-the-tightrope-of-the-right-to-be-forgotten-analyzing-the-delhi-hcs-recent-order.html
15. ‘Data Protection Impact Assessments’ (“DPIA”) are common mechanisms for institutions to assess and appraise potential regulatory compliance and data protection requirements, for example, under the European Union’s General Data Protection Regulation. Some guidance on DPIA is available at https://gdpr.eu/data-protection-impact-assessment-template/
16. National Archives. (2018). Guide to Archiving Personal Data. Retrieved from https://www.nationalarchives.gov.uk/documents/information-management/guide-to-archiving-personal-data.pdf