https://www.youtube.com/shorts/H30Fri91It8
Across most data protection laws worldwide, there is a shared set of core principles. While national approaches to privacy may differ, the following principles should be considered a minimum precondition for establishing trust in digital public infrastructure (DPI):
1. Lawfulness, Fairness, and Transparency
- Personal data must be collected and processed in a lawful and fair manner. No processing of personal information should happen without a legal basis. For example, informed consent, the fulfilment of a contract, public health or security, or other purposes clearly defined by law may serve as lawful grounds.
- Individuals must be informed about the collection and use of their data. This should happen in the form of a data protection policy that clearly explains what personal information is processed, for which purpose, how it is processed, under which legal basis, and which rights people have. Easy-to-read privacy policies help people understand how their data is used and how they can exercise their rights, and they build trust in the organisation's handling of personal information. Users also have the individual right to inquire about how their data is being processed and to obtain a copy of it.
- In the context of DPI, users must be informed about what data is being collected, for what purpose, and by whom. When the use of a DPI is not genuinely voluntary, informed consent cannot be considered a valid legal basis, as it is not freely given.
2. Purpose Limitation
- Personal data must be collected for specified, explicit, and legitimate purposes. These purposes must be defined at the time of collection and must remain consistent throughout the entire processing.
- Reusing personal data for unrelated purposes is prohibited. A new purpose requires a new legal basis, for example fresh consent from the user for that specific purpose.
- We are currently witnessing a worrying trend of reusing existing personal information to train artificial intelligence systems. This practice raises serious concerns regarding data protection and the safeguarding of intellectual property.
- In DPI, the large amount of personal information usually creates a strong incentive for the public and private sector to reuse it for other purposes. CSOs should be vigilant about any extension of the purpose of data processing. This gradual extension of purposes is known as 'mission creep'.
3. Data Minimisation
- Only the minimum amount of personal data necessary for the intended purpose should be collected and processed. Collecting unnecessary data that is not relevant to the intended purpose goes against this principle. For example, if a company needs your address to deliver a product, they don’t need your income or family status.
- Data minimisation is a key protection. Personal data that is never collected can never be stolen or abused. Storing personal data also entails liability and complicates systems. Every additional attribute that is collected increases the risk of incorrect or outdated information. Reducing the data trail makes systems not just safer but also more efficient. This is why Aadhaar famously decided against including many attributes.
- In the context of DPI, data minimisation helps prevent the creation of unnecessary data trails that could enable profiling or surveillance.
4. Accuracy
- Personal data must be kept accurate and up to date. Incorrect information can have negative consequences for an individual. Personal data should be checked regularly to confirm that it is still correct and up to date.
- Individuals usually have the right to correct inaccurate data.
- In DPI, incorrect or incomplete data can have severe consequences. Individuals may be excluded from essential services or face restrictions in their participation in society.
5. Storage Limitation