The Draft National Data Governance Framework Policy – Data Protection

To print this article, all you need to do is be registered or log in to

The Ministry of Electronics and Information Technology (“MEITE“) released the draft National Data Governance Policy Framework (“NDGFP“)1on May 26, 2022, which aims to transform and modernize the processes for collecting and managing government data. The aim of the NDGFP outlined in the project is to enable an artificial intelligence and data-driven research and start-up ecosystem in India by creating a large repository of datasets. The former government data governance project titled “India Data Accessibility and Usage Policy” was released earlier this year in February. Please see our article here to learn more about what this policy entailed.

The previous draft came under heavy criticism over its pricing and licensing provisions that allowed the government to monetize datasets. It was stated in the draft that detailed datasets that have undergone “value addition/transformation” and are eligible for monetization, can be priced appropriately. However, the project did not specify the envisioned value additions or qualification criteria that would enable the commercialization of these datasets. It was also noted that facilitating the monetization of datasets by government departments/agencies would run counter to the policy ethos of creating an open and accessible database. These pricing and licensing provisions are not included in the NDGFP. Additionally, while the old draft provided that certain datasets classified in the negative list of datasets would not be shareable or would only have restricted access to trusted users, the NDGFP makes no stipulation of this. gender.

We have summarized the main highlights of the NDGFP and our observations on it compared to the old draft in the following paragraphs:

  1. Establishment of the India Data Management Office (“IDMO”) NDGFP proposes that IDMO be set up under the aegis of Digital India Corporation and MEITY to oversee, manage, review and revise the policy. The IDMO would be responsible for developing rules, standards and guidelines under the policy. IDMO would also formulate all data/dataset/metadata standards/rules. We note that the duties, functions and rights of IDMO under the NDGFP are similar to those accorded to the India Data Office (“I DO“) that is proposed to be created under the old project.

  2. India Datasets Platform – IDMO would be responsible for designing and managing India’s Dataset Platform which will process dataset requests and provide access to non-personal data and anonymized data to researchers and start-ups. -ups. Datasets will only be accessible through this platform or other platforms designated by IDMO. IDMO would also have the right to approve or deny requests or limit the access granted to such persons/entities. While the old draft also described a platform for datasets, the system for generating requests on the platform and the IDO handling those requests were not defined.

  3. Data Set Requests – The NDGFP states that the datasets would be accessible and available to requesting entities based in India as a priority or exclusively. The IDMO would notify the rules in this regard. As the word “priority” is used in connection with entities/persons based in India/India, it is possible that entities/persons based outside India may also have access to the datasets. The old draft did not mention such priority/exclusivity in the access granted to Indian/India-based entities.

  4. Participation of private entities –The NDGFP encourages private entities to create and share non-personal data and anonymized data to contribute to India’s datasets program. Voluntary participation of private entities in the dataset program was not included in the old project. Since private entities collect and store a colossal amount of personal data, if this anonymized data is provided to the platform, it could maximize the benefits of the created repository and spur greater innovation. However, it remains to be seen whether the program will attract the voluntary participation of private entities without any incentive/benefit being offered to these entities for the same.

  5. Data Principal Use Rights
    The NDGFP clarifies that the IDMO can ensure that the “data use rights as well as permitted purposes” belong to the data principal. This statement is ambiguous and the NDGFP does not explain what data principal’s data use rights or purposes the statement refers to. In the absence of any existing non-personal data legislation in India, there is ambiguity regarding the rights of a data controller over their personal data which is to be or has been anonymized. However, it is pertinent to note that non-personal data would be regulated under the proposed Data Protection Act 2021 should it become law.

Although the NDGFP and the old draft are indeed similar in structure, the NDGFP appears to be a development over the previous draft since it excludes the widely contested provisions on licensing and data pricing. The NDGFP demonstrates the Indian government’s recognition of the immense value that can be unlocked by leveraging non-personal data. The draft is now open for stakeholder comments and contributions until June 11, 2022.



The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.


Data Protection Laws in India – All You Need to Know

Vaish Associates Lawyers

Data protection refers to the set of privacy laws, policies and procedures that aim to minimize the intrusion into an individual’s privacy caused by the collection, storage and dissemination of personal data. Personal Data generally refers to information or data relating to an individual who can be identified from that information or data, whether collected by a government or private organization or agency.

Data Protection Law Update

Alpha Partners

The right to privacy in India was declared a fundamental right by the Honorable Supreme Court of India on August 24, 2017, in its landmark judgment in the case of Justice KS Puttaswamy (Retired)…

A Guide to the Data Protection Bill, 2021

Spice Route Legal

India’s Data Protection Bill has been in the works for a long time. In 2018, a committee of experts set up by the Indian government published a first draft bill…

Decoding Privacy Coins

Ikigai law

Blockchain is growing in popularity, but it has a privacy issue. Vitalik Buterin, the founder of Ethereum, summarizes the concern:

Helen D. Jessen