The Ministry of Electronics and IT (MeitY) on Tuesday released draft documents for guidelines on data anonymisation and mobile security for the e-governance projects conducted by the government. The documents are open for public consultation and the comments would be accepted till September 21.
The drafts, titled ‘Guidelines for Anonymisation of Data (AoD) and Mobile Security Guidelines (MSG)’, were shared on the official portal for e-Governance Standards.
The document on anonymisation of data includes guidelines for all stakeholders involved in the processing of personal data and its subtypes through e-governance projects.
However, the department added that the guidelines could also be referred to by private entities processing personal information.
E-governance projects such as the National Health Mission, Cowin vaccination, Aarogya Setu and healthcare data, Smart cities, and Payment ecosystem (Account Aggregators) generate a huge amount of data. The draft rules aim to lay down the recommended practices for processing this data.
In February 2021, the Standardisation Testing Quality Certification (STQC) Directorate and Centre for Development of Advanced Computing (C-DAC), Pune, were commissioned to formulate standards and guidelines in the areas of e-Governance.
The Mobile Security Guidelines (MSG) have been proposed to achieve mobile security goals such as confidentiality, integrity, authentication, accountability, etc. It categorises mobile security into three sections such as mobile device security, mobile communication security, and mobile services security.
The document has also defined three categories of mobile security control, such as policy-based measures, technology-based measures, and user-oriented measures. These would help in protecting privacy, sensitive data, and the security of transactions.
The scope of the proposed guidelines covers the stakeholders of the mobile ecosystem including device manufacturers, application developers, network operators, mobile service providers, security testing organizations, and mobile phone users.
The draft also prescribes ideal practices for mobile security testing and application vetting processes. It has defined security levels for entities and technology components. Identifying the present security level of an entity or a component may help measure the gap and improve towards higher security levels, according to the document.