Peek Into Upcoming Personal Data Protection Bill For Sri Lanka

The Ministry of Digital Infrastructure and Information Technology (MDIIT) has recently published a framework for the proposed Data Protection Bill. With personal data being an important asset, especially in the digital age, MDIIT has penned a framework document outlining the core stakeholders and key principles for personal data protection.

Photo by [Taylor Vick](https://unsplash.com/@tvick?utm_source=medium&utm_medium=referral) on [Unsplash](https://unsplash.com?utm_source=medium&utm_medium=referral)

Ajith P. Perera, Non-Cabinet Minister of MDIIT, stated the importance of cybersecurity and data protection and how they are paramount in moving towards a digital economy.

He further said that the IT sector is the country’s fourth largest foreign exchange earner and with the enactment of the new data protection and cyber security laws, it will become the country’s largest foreign exchange earner within the next 10 years.

He also added that the Ease of Doing Business Index of the country will be increased with the improvement of the country’s digital infrastructure facilities.

(Ishara Mudugamuwa, Daily News)

Tech-savvy data protection acts have been taking over and transforming the way data is procured and exposed. The drafting community of the framework made sure to follow the example of regulations such as GDPR in the EU.

Understanding the nuts and bolts of the framework

At the current stage, a full framework is outlined for the proposed bill, which identifies the main actors and principles. The main actors one should be aware of are the Data Subject, the person whose data is at stake, and the Controller, a body that is interested in the processing of data.

Main Stakeholders In The Framework

The following stakeholders play some of the main roles in the framework.

Data Subject — A directly or indirectly identified or identifiable natural person. Identification is not limited to a name and can rely on unique identification numbers, online identifiers, location, etc.

Controller — A legal person, authority or body that collects data and engages in the processing of said data through a processor, with a clear purpose and consent. “Consent” is a freely given, specific, and unambiguous written declaration by the data subject.

Processor — A legal person, authority or body which processes data on behalf of a controller. A processor shall be a separate entity from the controller, which includes said entity not taking any part in the hierarchy of the controller. “Processing” is an operation on personal data, which is not limited to collection, storage, preservation, making available, consultation, logical operations, etc.

Authority — The body that is appointed to register and govern controllers. Certifying controllers, and revoking certification in case of foul play, are some of the tasks held by the authority.

Rights Of Data Subjects / Consumers

Data subjects such as you and I interact with certain bodies who are interested in processing data through processors. Part 3 of the framework outlines the primary rights of data subjects.

  • Consent — The subject has the right to withdraw consent to the processing of personal data from controllers: “For the Data Subject it shall be as easy to withdraw as to give consent.”
  • Right Of Access — The subject is entitled to ask controllers whether their personal data is being processed, and to learn the purpose and legal basis for processing.
  • Rectification — In case the data processed is inaccurate, the data subject is able to correct any data with the controller.
  • Erasure — The data subject is able to request in writing the erasure of the data held by the controller, to a certain extent.

Data Protection Principles

The data protection principles, covered in Part 2 of the framework, outline core values to be preserved in the handling of personal data.

  • Lawfulness in processing — Personal data is processed in a lawful and transparent manner.
  • Purpose limitation — Personal data is collected for an explicit and legitimate purpose, and no further processing can take place outside the intended purpose. This has exceptions when it comes to archival, scientific and public interest purposes.
  • Data Minimisation — The data collected should be minimized to be adequate and relevant for the original reason.
  • Accuracy — Controller should ensure the data is accurate and up to date.
  • Storage Limitation — Personal data kept in a manner that allows identification of the data subject may be kept for the period of time that is required for processing; otherwise, data may be stored for archival reasons. It’s unclear at the moment whether archival data will contain uniquely identifiable tags for data subjects.
  • Integrity and Confidentiality — Personal data is processed ensuring appropriate security and protection against unlawful/unauthorized processing.

With acts such as this, Sri Lanka may be ushering in a new generation of technology that will allow safe and secure data processing and may pave the way for an Open Data architecture for creating applications with consent, like Open Banking. You can read the following to learn more about Open Banking and how it can transform financial technology.

Open Banking and PSD2 simplified.
_The wave of Open Banking has hit the shore, is it a fad or a goldmine? only time will decide, I believe in the latter…_ (medium.com)