Draft data privacy policy for implementation agencies
This document is a sample data privacy and protection policy for the implementation agencies[1] to pick up and replicate on their user-facing web pages. Entities using this document may make modifications as relevant to the context in which they are using this document.
This document is a draft for reference and does not have any legal effect in and of itself.
eGovernments Foundation does not guarantee that this document will correctly represent all relevant laws or legal obligations, as these can vary across jurisdiction and time.
eGovernments Foundation does not guarantee that the use of this draft, with or without modifications, will cover any or all legal obligations of a specific entity in a specific jurisdiction.
Any entity or individual that uses this draft, with or without modifications, does so at their own discretion, and at their own risk.
By using the draft policy provided, you acknowledge and agree that:
The draft policy is provided for informational purposes only and does not constitute legal advice.
The draft policy is a general template and may not be suitable for your specific needs or circumstances. It is your responsibility to review and modify the draft policy to meet your requirements.
We make no representations or warranties, express or implied, regarding the accuracy, completeness, or reliability of the draft policy. We do not guarantee that the draft policy is up-to-date or compliant with current laws or regulations.
You assume all risks and liabilities associated with the use of the draft policy. We shall not be held liable for any direct, indirect, incidental, consequential, or special damages or losses arising from the use or reliance on the draft policy.
We recommend consulting with a qualified legal professional to obtain advice tailored to your specific circumstances before implementing any policy based on the draft provided.
By using the draft policy, you agree to release and discharge us from any claims, demands, liabilities, actions, or causes of action arising out of or in connection with the use of the draft policy."
It is crucial to seek legal advice to ensure that this policy meets your specific requirements and is enforceable in your jurisdiction.
<IMPLEMENTING AGENCY NAME> as an IMPLEMENTING AGENCY (IA)[2] (“we” or “us” or “our”) for <PROGRAM NAME> respects the privacy of the users (“user” or “you” also referred to as ‘your’). Hence, we maintain the highest standards for secure activities, user information/data privacy and security.
<PROGRAM NAME> is implemented through a collaboration between the <ADMINISTRATIVE AUTHORITY NAME>, us and the eGovernments Foundation. It is powered by DIGIT, which is an open-source software platform developed by eGovernments Foundation.
This privacy policy describes and determines how we deal with your personal and usage information in accordance with the applicable laws of India.
<PROGRAM NAME> refers to the services being provided through <PROGRAM NAME> website, mobile App, <OTHER CHANNELS AS RELEVANT>.
Through <PROGRAM NAME>, you can access and avail services offered by <STATE OR ULB NAME> Government departments, Central Government department, Local bodies & their agencies and corporate/private bodies (utility services) (Service Providers).
You can use <PROGRAM NAME> website/application/services in different ways such as service discovery, availing services, registering grievances, and so on.
The purpose of this policy is to maintain the privacy of and protect the personal information of users, employees, contractors, vendors, interns, associates, and partners of <PROGRAM NAME>. The <PROGRAM NAME> ensures compliance with laws and regulations applicable (partner to insert a list of laws they have to comply with ) to <PROGRAM NAME>.
We adhere to the principles of accountability, transparency, purposeful and proportional collection, usage, storage and disclosure of personal data (“PD”)[3].
We do not collect any data/information directly from you. We only access, process and use datasets given to us by the Service providers.
We access data that is required for designing, testing, deployment and configuration. Such data may include PD such as your first name, last name, parent’s / guardian’s name, address, email address, telephone number, age, gender, and identification documents. We may access, process, or use your educational, demographic, location, device and other similar information.
The nature of the data would change as per the needs of the service providers/ULB/State or Central Government. The scope of the datasets/data points we access is thus defined by the Local Government / Program Owner / Administrative Authority who has contracted our services.
We also access, store, process, and share information pertaining to employees and contractors of our own organisation, as well as local government or other government agencies. Specific information can include name, age, gender, details of spouse or dependents, address, administrative details such as employee ID or other reference number, as well as information on bank accounts (used for processing salaries or pensions). As employers, local governments may be required to maintain certain information on their employees and pensioners for tax purposes, such as PAN numbers; this information may also be accessed and processed in case we are asked to perform or support the performance of any of those tasks and functions.
We derive, store, process, and share transactional data, which describes the progress of any ongoing task (e.g. any service requested by a resident) through the systems of the local government or other government agency. This can include information about the specific role to whom a given task is assigned (or with whom it is pending), the amount of time elapsed on processing / completing a given request (or task / sub-part thereof), and whether this task has been completed within the benchmark or designated amount of time. It can also include details about the channel through which a particular request was received, such as the ULB counter, service centre, website, helpline, mobile app, chatbot, etc.
We derive, store, process, and share aggregated data. These aggregates are derived from the transactional data. This includes data such as aggregate or cumulative revenue collection, aggregate or cumulative number of service requests, percentage of requests resolved within the benchmark time period, etc. The above data may be further analysed and presented in terms of the type of collection, request, or complaint, the channel through which it was received, etc.
We may collect, store, process, and share telemetry data, which studies how much time is spent on a given screen or field in a workflow/user interface (UI). Such data is normally processed and shared in aggregate, and will not be used to identify specific individuals. In the event that specific individuals are sought to be identified, such as for user research, their consent will be sought for the further processing or sharing of their data.
We are either handed over such data by the Service providers or are given authorized permissions to access, process or use such data. We may also collect data from Union, State, and Local governments, including their agents/employees as well as receive data that is available openly for public use.
We do not collect any PD directly from you. We are given authorized access logins by the Program Owners or the Service providers.
We stop accessing, processing, using and storing any PD from the time our role or functions cease i.e. either end of the agreed period or till the final handover.
We do not directly store any data in our systems. We are given access to the databases and systems of the program owner. Such access is required for our functional purposes. Once our purpose is served - i.e. the platform has been implemented, and/or the scope of work specified in our contract with the program owner / administrative agency has been completed or terminated, our access to such storage will be terminated as well.
With respect to data to which we have access, we maintain the following safeguards:
Maintain access audit logs of roles accessing the systems
Data from the platform implementation/program is not stored in our own systems. We have access to this data only through devices or systems approved by the program owner / administrative agency.
Data from the platform implementation/program to which we have access is not shared with any third parties, or in any channel, medium, or forum not specified within our contract with the program owner / administrative agency.
We use this data to enable the program owner with the requirements for which they have contracted our services, such as setting up hardware, customising, extending, configuring and installing the software, assisting in implementation, training etc. Specifically:
We access data (either anonymised/metadata) for:
Studying the feasibility of the requirements asked for by the Service providers
Creating an implementation plan ( the plan would have no PD, but to design the implementation plan, a study of PD would be undertaken)
Measuring performance and adoption metrics
Training and awareness-building activities
We may access and process data for conducting research or analysing user preferences and demographics if asked to by the service providers ( statistical data and not any individual data)
We access PD for:
Testing to be deployed or integrated hardware and software at identified urban local bodies or jurisdictions - as instructed to us by the service providers.
Master data cleaning and validation before deployment and integration
For resolving any disputes, troubleshooting any problems, and solving for critical bugs that may arise with respect to the use of the platform.
Share data in order to comply with the law or any legal process, including when required in judicial, arbitral, or administrative proceedings.
We will not process, disclose, or share your data except as described in this policy, or as otherwise authorized by the program owner / administrative agency.
By default, we do not display, share or store any PD. Only persons with the appropriate authorisation can access PD. We log each such request, thus creating a non-repudiable and auditable trail of each such access to PD[4]. We do not share any PD except as specified in our contract with the program owner / administrative agency.
Yes, this policy is subject to change at any time and without notice, provided that such changes are consistent with our contract with the program owner / administrative agency. This page will be updated with any such modified policy, and such changes will not be deemed to take effect until and unless they are shown on this page. You are reading the current version of the policy.
In case of any grievances, you may send your complaints for redressal over the Grievance Portal available at <LINK TO GRIEVANCE PORTAL / MECHANISM>.
An agency that deploys and configures a platform for the program owner (see below) is an implementing agency (IA). An IA may: set up the hardware necessary for the program; customise, extend, configure, and install/set up the software (platform) as per the needs of the program owner; train staff or contractors of the program owner on how to use the platform; perform other such functions to ensure program readiness as may be agreed upon between the implementing agency and the program owner and/or administrative authority responsible for such platform implementation. ↑
An IA is an agency that deploys and configures a platform for the program owner ↑
Once the PDP Bill is introduced, a formal/detailed Privacy Policy can be drafted and linked here. ↑
As above, this can be detailed in the Full Privacy Policy. ↑
Draft data privacy policy for administrative authority and/or program owner
This document is a sample data privacy and protection policy for the administrative authority and/or the program owner to pick up and replicate on their user-facing web pages. Entities using this document may make modifications as relevant to the context in which they are using this document.
This document is a draft for reference and does not have any legal effect in and of itself.
eGovernments Foundation does not guarantee that this document will correctly represent all relevant laws or legal obligations, as these can vary across jurisdiction and time.
eGovernments Foundation does not guarantee that the use of this draft, with or without modifications, will cover any or all legal obligations of a specific entity in a specific jurisdiction.
Any entity or individual that uses this draft, with or without modifications, does so at their own discretion, and at their own risk.
By using the draft policy provided, you acknowledge and agree that:
The draft policy is provided for informational purposes only and does not constitute legal advice.
The draft policy is a general template and may not be suitable for your specific needs or circumstances. It is your responsibility to review and modify the draft policy to meet your requirements.
We make no representations or warranties, express or implied, regarding the accuracy, completeness, or reliability of the draft policy. We do not guarantee that the draft policy is up-to-date or compliant with current laws or regulations.
You assume all risks and liabilities associated with the use of the draft policy. We shall not be held liable for any direct, indirect, incidental, consequential, or special damages or losses arising from the use or reliance on the draft policy.
We recommend consulting with a qualified legal professional to obtain advice tailored to your specific circumstances before implementing any policy based on the draft provided.
By using the draft policy, you agree to release and discharge us from any claims, demands, liabilities, actions, or causes of action arising out of or in connection with the use of the draft policy."
It is crucial to seek legal advice to ensure that this policy meets your specific requirements and is enforceable in your jurisdiction.
<PROGRAM NAME> (“we” or “us” or “our”) respects the privacy of our users (“user” or “you” also referred to as ‘your’). Hence, we maintain the highest standards for secure activities, user information/data privacy and security.
<PROGRAM NAME> is a collaboration between <PARTNER(S) NAME(S)> and eGovernments Foundation. It is powered by DIGIT, which is an open-source software platform developed by eGovernments Foundation.
This privacy policy describes and determines how we deal with your personal and usage information in accordance with the applicable laws of India.
<PROGRAM NAME> refers to the services being provided through <PROGRAM NAME> website, mobile App, <OTHER CHANNELS AS RELEVANT>.
Through <PROGRAM NAME>, you can access and avail of services offered by <STATE OR ULB NAME> Government departments, Central Government department, Local bodies & their agencies and corporate/private bodies (utility services).
You can use <PROGRAM NAME> website/application/services in different ways such as service discovery, availing services, registering grievances, and so on.
The purpose of this policy is to maintain the privacy of and protect the personal information of users, employees, contractors, vendors, interns, associates, and partners of <PROGRAM NAME>. The <PROGRAM NAME> ensures compliance with laws and regulations applicable (partner to insert a list of laws they have to comply with ) to <PROGRAM NAME>.
We adhere to the principles of accountability, transparency, purposeful and proportional collection, usage, storage and disclosure of personal data (“PD”)[1].
We collect and/or access, store, process, use, and share information/data (“data”) to improve and provide better services to you. We collect and process PII such as your first name, last name, parent’s / guardian’s name, address, email address, telephone number, age, gender, and identification documents. We may collect your educational, demographic, location, device and other similar information.
We collect information such as Internet Protocol (IP) addresses, domain name, browser type, Operating System, Date and Time of the visit, pages visited, IMEI/IMSI number, device ID, location information, language settings, handset make & model etc. However, no attempt is made to link these with the true identity of individuals visiting <PROGRAM NAME> app, website, Whatsapp Chatbot etc.
The information collected by us shall depend on the services being used by you and may vary from time to time, which will be informed through changes in this policy.
We also collect, store, process, and share information pertaining to employees of local government or other government agencies. Specific information can include name, age, gender, details of spouse or dependents, address, administrative details such as employee ID or other reference number, as well as information on bank accounts (used for processing salaries or pensions). As employers, local governments may be required to maintain certain information on their employees and pensioners for tax purposes, such as PAN numbers; this information may also be recorded and shared.
We derive, store, process, and share transactional data, which describes the progress of any ongoing task (e.g. any service requested by a resident) through the systems of the local government or other government agency. This can include information about the specific role to whom a given task is assigned (or with whom it is pending), the amount of time elapsed on processing / completing a given request (or task / sub-part thereof), and whether this task has been completed within the benchmark or designated amount of time. It can also include details about the channel through which a particular request was received, such as the ULB counter, service centre, website, helpline, mobile app, chatbot, etc.
We derive, store, process, and share aggregated data. These aggregates are derived from the transactional data. This includes data such as aggregate or cumulative revenue collection, aggregate or cumulative number of service requests, percentage of requests resolved within the benchmark time period, etc. The above data may be further analysed and presented in terms of the type of collection, request, or complaint, the channel through which it was received, etc.
We may collect, store, process, and share telemetry data, which studies how much time is spent on a given screen or field in a workflow/user interface (UI). Such data is normally processed and shared in aggregate, and will not be used to identify specific individuals. In the event that specific individuals are sought to be identified, such as for user research, their consent will be sought for the further processing or sharing of their data.
We collect data directly from you (when you use our services) as and when you register and login into the app/website. We may also collect data from Union, State, and Local governments, including their agents/employees as well as receive data that is available openly for public use.
Your data is stored in a secure manner. <PROGRAM NAME> is powered by the DIGIT platform, which has embedded privacy settings (such as encryption), which do not allow your data to be visible to anyone, except persons who are authorised to do so by virtue of their official role. Unless indicated otherwise, this data will be retained for a minimum period of <AS PER UNION / STATE / ULB LAWS> and a maximum period of <AS PER UNION / STATE / ULB LAWS>. You can review and edit your data, as well as delete your data from the app/website by following the procedures <AS PER UNION / STATE / ULB LAWS>.
You may delete your account at any time you wish. In case of deletion, we will remove all your PD from the system, so that it is not visible and/or accessible from any regular operation. However, the PD may be retained in an encrypted manner for the purpose of legal requirements/compliances <AS PER UNION / STATE / ULB LAWS> from the date of deletion/termination.
After deletion, in case you wish to recreate your profile, the same is permissible and none of the previously captured information will be populated automatically. You need to register as a fresh user.
If you simply delete/remove the application from your mobile device but do not delete your profile or unregister yourself from the app/website, you shall continue to be a registered user of the app and we shall continue to send you all communications that you have opted for unless and until you opt-out of such communications, or <AS PER UNION / STATE / ULB LAW>.
In case you surrender/disconnect your <PROGRAM NAME> registered mobile number it is recommended to delete your profile or unregister yourself from the application also.
With respect to such data, we ensure the following safeguards:
Define roles for our employees, and grant access only to such data as they require to perform these roles (role-based access controls)
Maintain access audit logs of entities accessing data in our systems
Maintain safe retention/storage of datasets in authorised cloud systems
Conduct vetting of contractual agreements with third-party vendors/implementing agencies for data access and processing functions
We use this data to serve you with the best civic experience, such as providing grievance redressal mechanisms, efficient service delivery, creating dashboards of ULB activities, etc. Specifically:
We process this data as necessary to provide you with the services you are requesting.
We may process, disclose, or share certain metadata, as well as aggregated and anonymised data, in order to assess and improve the status of such service delivery over time.
We may disclose or share this data to/with employees and/or contractors of the urban local body, state government, or other government agencies, or service providers, whose role requires them to view or use this information in order to perform their official duties, including providing you the service(s) you are requesting.
Resolving any disputes that may arise with respect to the transactions/deals that you may conduct using the app/website.
Monitoring user activity and preferences as evidenced by user’s activity on the app to provide a better experience in future.
Detecting, investigating and preventing activities that may violate our policies or that may be illegal or unlawful.
Conducting research or analysis of the user preferences and demographics as statistical data and not as individual data.
We may disclose or share this data in order to comply with the law or any legal process, including when required in judicial, arbitral, or administrative proceedings.
Payments made through the <PROGRAM NAME> App/website are processed via secure payment gateways.
We will not process, disclose, or share your data except as described in this policy or as otherwise authorized by you.
By default, we display PII in a masked format. Persons with the appropriate authorisation can request for this data to be unmasked. We log each such request, thus creating a non-repudiable and auditable trail of each such access to PD[2].
Yes, this policy is subject to change at any time and without notice. This page will be updated with any such modified policy, and such changes will not be deemed to take effect until and unless they are shown on this page. You are reading the current version of the policy.
By using this service, you confirm that you have read, understood, and accepted this Policy, and that we may collect, process, disclose, and/or share your data as described in this Policy.
In case of any grievances, you may send your complaints for redressal over the Grievance Portal available at <LINK TO GRIEVANCE PORTAL / MECHANISM>.
Once any data-related legislation is introduced, a formal/detailed Privacy Policy can be drafted and linked here. ↑
As above, this can be detailed in the Full Privacy Policy. ↑
For all the roles we have defined here, find the draft templates of privacy policies listed below which can be used for future purposes. These templates are for reference purposes only. Please consider legal advice before adopting them.
Draft data privacy policy for supporting agencies
This document is a sample data privacy and protection policy for support agencies[1] to pick up and replicate on their user-facing web pages. Entities using this document may make modifications as relevant to the context in which they are using this document.
This document is a draft for reference and does not have any legal effect in and of itself.
eGovernments Foundation does not guarantee that this document will correctly represent all relevant laws or legal obligations, as these can vary across jurisdiction and time.
eGovernments Foundation does not guarantee that the use of this draft, with or without modifications, will cover any or all legal obligations of a specific entity in a specific jurisdiction.
Any entity or individual that uses this draft, with or without modifications, does so at their own discretion, and at their own risk.
By using the draft policy provided, you acknowledge and agree that:
The draft policy is provided for informational purposes only and does not constitute legal advice.
The draft policy is a general template and may not be suitable for your specific needs or circumstances. It is your responsibility to review and modify the draft policy to meet your requirements.
We make no representations or warranties, express or implied, regarding the accuracy, completeness, or reliability of the draft policy. We do not guarantee that the draft policy is up-to-date or compliant with current laws or regulations.
You assume all risks and liabilities associated with the use of the draft policy. We shall not be held liable for any direct, indirect, incidental, consequential, or special damages or losses arising from the use or reliance on the draft policy.
We recommend consulting with a qualified legal professional to obtain advice tailored to your specific circumstances before implementing any policy based on the draft provided.
By using the draft policy, you agree to release and discharge us from any claims, demands, liabilities, actions, or causes of action arising out of or in connection with the use of the draft policy."
It is crucial to seek legal advice to ensure that this policy meets your specific requirements and is enforceable in your jurisdiction.
<SUPPORT AGENCY NAME> as a SUPPORT AGENCY (SA)[2] (“we” or “us” or “our”) for <PROGRAM NAME> respects the privacy of the users (“user” or “you” also referred to as ‘your’). Hence, we maintain the highest standards for secure activities, user information/data privacy and security.
<PROGRAM NAME> is implemented through a collaboration between the <ADMINISTERING AUTHORITY NAME>, and/or <IMPLEMENTATION AGENCY NAME>> and eGovernments Foundation. It is powered by DIGIT, which is an open-source software platform developed by eGovernments Foundation.
This privacy policy describes and determines how we deal with your personal and usage information in accordance with the applicable laws of India.
<PROGRAM NAME> refers to the services being provided through <PROGRAM NAME> website, mobile App, <OTHER CHANNELS AS RELEVANT>.
Through <PROGRAM NAME>, you can access and avail services offered by <STATE OR ULB NAME> Government departments, Central Government department, Local bodies & their agencies and corporate/private bodies (utility services) (Service Providers).
You can use <PROGRAM NAME> website/application/services in different ways such as service discovery, availing services, registering grievances, and so on.
The purpose of this policy is to maintain the privacy of and protect the personal information of users, employees, contractors, vendors, interns, associates, and partners of <PROGRAM NAME>. The <PROGRAM NAME> ensures compliance with laws and regulations applicable (partner to insert a list of laws they have to comply with ) to <PROGRAM NAME>.
We adhere to the principles of accountability, transparency, purposeful and proportional collection, usage, storage and disclosure of personal data (“PD”)[3].
We only access, store, process, use, or share any information/data (“data”) to assist the program owner/implementation agency. None of the above takes place without a written authorization agreement with the program owner/administering authority.
Data includes PII such as your first name, last name, parent’s / guardian’s name, address, email address, telephone number, age, gender, and identification documents. We may collect your educational, demographic, location, device and other similar information. The nature of the data would change as per the needs of the service providers/ULB/State or Central Government. We do not define the scope of the datasets, the Service Providers do.
We do not collect any data directly from you. We only access, process, use, store, and share datasets given to us by the Administering authority/Program owner/Service providers/Implementing Agencies.
We access data that is required to provide for the functional working, upkeep, troubleshooting and/or any functional support required by the program owner or administering authority .
We process data as a byproduct of the work we undertake for the program owner or administering authority.
We may store and share data that is required to execute the responsibilities given to us. Such storage will be temporary till the period of our work ends. Such sharing shall be restricted to internal teams, for third-party sharing of data, we would have authorizations in place by administering authorities or the program owners.
We also access, store, process, and share information pertaining to employees of our own as well as local government or other government agencies. Specific information can include name, age, gender, details of spouse or dependents, address, administrative details such as employee ID or other reference number, as well as information on bank accounts (used for processing salaries or pensions).
We also access, store, process, and share transactional data, which describes the progress of any ongoing task (e.g. any service requested by a resident) through the systems of the local government or other government agency. This can include information about the specific role to whom a given task is assigned (or with whom it is pending), the amount of time elapsed on processing / completing a given request (or task / sub-part thereof), and whether this task has been completed within the benchmark or designated amount of time. It can also include details about the channel through which a particular request was received, such as the ULB counter, service centre, website, helpline, mobile app, chatbot, etc.
We derive, store, process, and share aggregated data. These aggregates are derived from the transactional data. This includes data such as aggregate or cumulative revenue collection, aggregate or cumulative number of service requests, percentage of requests resolved within the benchmark time period, etc. The above data may be further analysed and presented in terms of the type of collection, request, or complaint, the channel through which it was received, etc.
We may collect, store, process, and share telemetry data, which studies how much time is spent on a given screen or field in a workflow/user interface (UI). Such data is normally processed and shared in aggregate, and will not be used to identify specific individuals. In the event that specific individuals are sought to be identified, such as for user research, their consent will be sought for the further processing or sharing of their data.
We are either handed over such data by the Service providers or are given authorized permissions to access, process or use such data. We may also collect data from Union, State, and Local governments, including their agents/employees as well as receive data that is available openly for public use.
We do not collect any PD directly from you. We are given authorized access logins by the Program Owners or the Service providers.
We stop accessing, processing, using and storing any PD from the time our role or functions cease i.e. either end of the agreed period or till the final handover.
We do not directly store any data in our systems. We are given limited-time access to the storage of the service providers. Such access is required for our functional purposes. Once our purpose is served, our access to such storage ceases to exist.
With respect to the data that we access, we adopt the following safeguards:
Define roles for our employees, and only grant access to such data as is needed for them to perform their roles
Maintain logs of access to the program’s systems by these roles, and enable the program owner / administrative agency or other authorised agencies to audit these access logs periodically
We do not store data from the platform implementation/program in our own systems; the employees who have access to this data work on the devices and/or systems of the program owner
We do not share data from the platform implementation/program with any third party, except as specified in our contract with the program owner / administrative authority.
We use this data to enable the service providers with the requirements they appoint us for, such as setting up hardware, customising, extending, configuring and installing the software, assisting in implementation, training etc. Specifically:
We access data (either anonymised/metadata) for:
Studying the feasibility of the requirements asked for by the Service providers
Creating an implementation plan for the administering authority ( the plan would have no PD, but to design the implementation plan, a study of PD would be undertaken)
Measuring the performance and adoption metrics
Training and awareness-building activities
We may access and process data for conducting research or analysing user preferences and demographics if asked to by the service providers ( statistical data and not any individual data)
We access PII for:
Testing for to be deployed or integrated hardware and software at identified urban local bodies or jurisdictions - as instructed to us by the service providers.
Master data cleaning and validation before deployment and integration
For resolving any disputes, troubleshooting any problems, and solving for critical bugs that may arise with respect to the use of the platform.
Sharing data in order to comply with the law or any legal process, including when required in judicial, arbitral, or administrative proceedings.
We will not process, disclose, or share your data except as described in this policy or as otherwise authorized by the Service Providers..
By default, we do not display, or store any PD. Only persons with the appropriate authorisation can access PII. We log each such request, thus creating a non-repudiable and auditable trail of each such access to PD[4]. We do not share any PD unless asked to do as under a contractual understanding with the Service provider.
Yes, this policy is subject to change at any time and without notice. This page will be updated with any such modified policy, and such changes will not be deemed to take effect until and unless they are shown on this page. You are reading the current version of the policy.
By using this service, you confirm that you have read, understood, and accepted this Policy, and that we may access, process, disclose, and/or share your data as described in this Policy.
In case of any grievances, you may send your complaints for redressal over the Grievance Portal available at <LINK TO GRIEVANCE PORTAL / MECHANISM>.
A ‘Supporting agency’ is one that provides support in any functional aspect required by the program owner with respect to that platform implementation (e.g. assistance in maintenance of the platform, technical or operational problem-solving, bug/error resolution). ↑
An IA is an agency that deploys and configures a platform for the program owner ↑
Once the PDP Bill is introduced, a formal/detailed Privacy Policy can be drafted and linked here. ↑
As above, this can be detailed in the Full Privacy Policy. ↑
Data privacy policy for eGov
eGov Foundation is a philanthropic mission that cares deeply about making the lives of ordinary citizens better, including health, sanitation, public finance management systems, and access and delivery of services from the government, by creating open digital infrastructure and ecosystems.
Digital Infrastructure for Governance, Impact & Transformation (DIGIT) is an open-source platform created by eGov (). It helps governments collect revenues, deliver services, and manage operations and workflows in an efficient, reliable, and transparent manner.
The DIGIT platform is built and designed to:
Improve the delivery of services for citizens, making such services more accessible, inclusive, and easy to use
Simplify the work of frontline workers, through streamlined workflows and easy-to-use interfaces
Enable government employees to transition daily routine and repeatable work items from manual to digital systems, driving efficiency in public service delivery
Provide tools to improve local government revenue mobilisation, through dashboards, systemized demand generation, and collection of taxes, user charges, fees, licences etc.
Empower government administrators / to access relevant data for timely decision-making and action.
For a full list of products/services available on DIGIT, see here.
For a description of data security measures built into DIGIT, see here.
As an open-source platform, DIGIT in & of itself does not collect, store, use, process, or share data.
DIGIT is deployed by national, state, or local government bodies. Such deployment may be done by in-house teams of the government, third-party service providers, or – in a small number of cases – by eGov.
Where eGov is participating in a deployment, whether as an implementing agency or supporting agency, this is on the basis of a Memorandum of Understanding (MoU) or agreement with the relevant government entity.
eGov is compliant with the relevant laws and regulations of India.[4]
When the DIGIT platform is implemented in a particular place, that particular implementation will collect, store, use, process, and share data relevant to the specific purposes for which it is being used (i.e. the services it is enabling the local government or other service providers to provide). The party that is given the authority to implement DIGIT at a government entity level is called the implementing agency. Each implementation is carried out at a program level by program owners. The administering authority defines what the scope of a program can be[5].
All data collected, stored, used, processed, or shared by a DIGIT implementation is the property of the individuals to whom it pertains. The administering authority that is responsible for the implementation is also responsible for the management of this data.
This data is not, under any circumstances, the property of the implementing agency or the supporting agency.
A DIGIT implementation/ program collects and processes personal data[6] such as the first name, last name, parent’s / guardian’s name, address, email address, telephone number, age, gender, and identification documents. It may collect your educational, demographic, location, device and other similar information.
The DIGIT implementation may also collect information such as Internet Protocol (IP) addresses, domain name, browser type, Operating System, Date and Time of the visit, pages visited, IMEI/IMSI number, device ID, location information, language settings, handset make & model etc.
A DIGIT implementation may derive, store, process, and share transactional data, which describes the progress of any ongoing task (e.g. any service requested by a resident) through the systems of the local government or other government agency. This can include information about the specific role to whom a given task is assigned (or with whom it is pending), the amount of time elapsed on processing / completing a given request (or task / sub-part thereof), and whether this task has been completed within the benchmark or designated amount of time. It can also include details about the channel through which a particular request was received, such as ULB counter, service centre, website, helpline, mobile app, chatbot, etc.
A DIGIT implementation can derive, store, process, and share aggregated data. These aggregates are derived from the transactional data. This includes data such as aggregate or cumulative revenue collection, aggregate or cumulative number of service requests, percentage of requests resolved within the benchmark time period, etc. The above data may be further analysed and presented in terms of the type of collection, request, or complaint, the channel through which it was received, etc.
A DIGIT implementation can also collect, store, process, and share telemetry data, which studies how much time is spent on a given screen or field in a workflow/user interface (UI). Such data is normally processed and shared in aggregate, and will not be used to identify specific individuals. In the event that specific individuals are sought to be identified, such as for user research, their consent will be sought for the further processing or sharing of their data.
Administering authorities and Program Owners - State or Central government, government department employees and third-party contractors or agents( hired by governments): interact with the citizens, provide services, collect payments, and collect feedback, view real-time or compiled/aggregated data on city operations, which can inform performance management and policy-making.
Implementing agencies and Supporting agencies: implement, customise, and maintain and support a DIGIT implementation.
eGov employees, contractors, and consultants - when eGov is appointed as an implementing agency for implementing DIGIT in a few States, otherwise for support and maintenance.
eGov may access, use, and share any data made public by government entity/ies, including in combination with aggregate and/or derived data as described below.
eGov does not collect, use or share any personal data (other than of its own employees)
eGov may access information about usage of the DIGIT platform, including any specific product or feature, for the purposes of understanding usage of the platform/product/feature, and for making or testing improvements to these.
Such information may include metadata; aggregate statistics on usage, revenue, and service requests; aggregate statistics on the status of a particular service/request/complaint type; and aggregate or anonymised information about user behaviour in navigating workflows or screens (‘telemetry data’).
Such information may also include derived data, e.g. averages or trends calculated from the aggregate statistics described above. This data may be derived by eGov, by the government entity, or by any authorised third party.
eGov may have additional access to data under three circumstances:
eGov may request access to contact information of specific individuals/users, in order to contact them as participants in research conducted or commissioned by eGov or eGov’s collaborators.
Upon receiving permission from the relevant government entity to access and use this information, eGov may contact these individuals, and seek their consent for participation in the research in question.
eGov may share this information with research partners, upon the signing of suitable data sharing/data use agreements, which impose upon such partner obligations and conditions for data access/use/sharing that are at least no less stringent than those applicable to eGov.
eGov may serve as an implementing partner for part or the entirety of a DIGIT implementation. For such areas where and for such duration when eGov is an implementing partner, as part of the implementation process, eGov collects, store, process, use, and share all data relevant to the implementation, including personal data.
All terms and conditions related to such data access shall be included in a formal agreement between eGov and the relevant government entity responsible for that implementation.
eGov shall not collect, store, process, use, or share such data for any purpose other than that specific implementation, and shall not share such data with any third party unless specifically authorised to do so in writing by the relevant government entity, or unless required to do so by law.
In all cases where eGov has access to personal data, eGov shall ensure that:
Such access is authorised on the basis of an agreement with the relevant government entity, or otherwise authorised in writing by the relevant government entity.
The purpose of such access and the nature of data that may be accessed are specified in the document that authorises such access.
The channel through which such data may be accessed/shared is specified in the document that authorises such access, and such channel is generally accepted as a secure channel for data sharing.
eGov may collect, store, process, use, access or share data from a DIGIT implementation to support said implementation.
All terms and conditions related to such data access shall be included in a formal agreement between eGov and the relevant government entity responsible for that implementation.
In addition to the data described above, eGov has access to two broad categories of data.
Employee data: eGov may collect, store, process, use, and share data pertaining to employees, contractors, and consultants of eGov. This includes:
Name, address, phone number, address, contact information, date of birth
Login IDs and passwords for work-related software
Information pertaining to academic and/or professional history
Information necessary for processing payments and taxes, including bank account, PAN, GST, Aadhar, and Provident Fund information
Information necessary for providing insurance, including some health-related information of the employee; name, age, date of birth, and health-related information of the employee’s dependents or nominees.
Partner or contact data: eGov may collect, store, process, use, and share data of organisations or individuals with whom eGov has contact in the ordinary course of its business.
This includes name, organisation, designation, contact details, etc.
eGov shall use this information for normal business purposes, such as sharing business communications (emails, newsletters, etc.)
This policy is subject to change.
Please refer to this webpage for the latest version of the policy.
By using the products of eGov, you confirm that you have read, understood, and accepted this Policy, and that we may collect, process, disclose, and/or share your data as described in this Policy.
Name:
Address:
Phone Number:
E-mail:
Date:
This entity creates the infrastructural design of the platform (architects of the platform). They are responsible for the design of the platform ↑
Government bodies mandated to provide a government service usually an agency or department of the State government agencies have the power to decide who has access and control of the DIGIT systems ↑
For definitions of key terms – data, PII, platform, platform implementation, program, platform owner, implementing agency, support agency, program owner, administrative authority – please see GIU_DPP_DEFINITIONS_V1_04_07 ↑
As defined in the Digital Personal Data Act, 2023 - Sec 2 (t) “personal data” means any data about an individual who is identifiable by or in relation to such data ↑