E-governance: Draft rules on data anonymisation, mobile security released

The documents are open for public consultation and the comments would be accepted till September 21

The Ministry of Electronics and IT on Tuesday released draft documents for guidelines on data anonymisation and mobile security for e-governance projects conducted by the government. The documents are open for public consultation and the comments will be accepted by September 21.

The draft, titled Guidelines for Anonymisation of Data (AoD) and Mobile Security Guidelines (MSG), were shared on the official portal for e-Governance Standards.

Mobile Security Guidelines (MSG) have been proposed to achieve mobile security goals such as confidentiality, integrity, authentication, accountability, etc. It categorises mobile security into three sections such as mobile device security, mobile communication security, and mobile services security.

The document has also defined three categories of the mobile security control measures, such as policy-based measures, technology-based measures, and user-oriented measures. The measures will help protect privacy, sensitive data, and the security of transactions.

The scope of the proposed guidelines covers the stakeholders of the mobile ecosystem, including device manufacturers, application developers, network operators, mobile service providers, security testing organisations, and mobile phone users.

The draft also prescribes ideal practices for mobile security testing and application vetting processes. It has also defined the security levels for entities and technology components. Identifying the present security level of an entity or a component may help to measure the gap and improve towards higher security levels, according to the document.

The document on anonymisation of data includes guidelines for all stakeholders involved in the processing of personal data and its subtypes through e-governance projects. However, the department added that the guidelines could also be referred to by private entities processing personal information.

E-governance projects such as National Health Mission, Cowin vaccination, Aarogya Setu and health care data, smart cities, payment ecosystem (account aggregators), etc, generate a huge amount of data. The draft guidelines aim to lay down the recommended practices for processing this data.

In February 2021, the Standardisation Testing Quality Certification (STQC) Directorate and Centre for Development of Advanced Computing (C-DAC) Pune were commissioned to formulate standards and guidelines in the areas of e-Governance.

Advocacy groups that Business Standard spoke to were surprised with the sudden announcement. “It is too early to comment on what this implies, as it is a big document and would need time to review. We must be very cautious as it includes a huge personal database collected from important portals like Cowin and Arogya Setu,” a person from a civil society group said.

“It is a draft document open for public review, but the ministry has not made the document easily available on its official website,” he said.