Data governance

Data governance denotes the structured exercise of authority and control over data as a strategic resource, encompassing the legal regime, institutional architecture, and technical standards that determine how data is collected, classified, stored, shared, monetised, and secured. In India, the foundational constitutional anchor is the recognition of informational privacy as a fundamental right under Article 21, settled by the nine-judge bench in Justice K.S. Puttaswamy v. Union of India (2017), which held privacy intrinsic to life and liberty and mandated a data-protection law. The statutory edifice now rests on the Digital Personal Data Protection Act, 2023 (DPDP Act), which replaced Section 43A of the Information Technology Act, 2000, and operationalises consent-based processing of digital personal data. Globally, the reference standard is the EU's General Data Protection Regulation (GDPR), 2018, whose principles of purpose limitation, data minimisation, and the right to erasure (Article 17) shape comparative debates.

Operationally, data governance functions through a set of actors and obligations. The DPDP Act creates the role of the Data Fiduciary (the entity determining purpose and means of processing) and the Data Principal (the individual), borrowing the controller-subject logic of GDPR. It establishes a Data Protection Board of India as the adjudicatory body, prescribes consent through clear notice, mandates breach notification, and empowers the Central Government to notify Significant Data Fiduciaries subject to heightened duties such as audits and Data Protection Impact Assessments. Cross-cutting governance also covers data localisation (storage of data within national borders, debated since the Srikrishna Committee Report, 2018, and the RBI's 2018 directive on payment data), non-personal data (addressed by the Kris Gopalakrishnan Committee, 2020), and data sovereignty asserting national jurisdiction over data.

Named instances illustrate the field's stakes. The Cambridge Analytica–Facebook episode (2018) crystallised global concern over data harvesting and electoral manipulation. India's Aadhaar programme, validated with restrictions in Puttaswamy (Aadhaar), 2018, remains the largest biometric database and a recurring governance flashpoint. The Data Empowerment and Protection Architecture (DEPA) and the Account Aggregator framework operationalise consent-based data sharing in finance. As of 2026, the DPDP Act awaits full enforcement pending notification of its subordinate DPDP Rules, released in draft in January 2025, with phased implementation of the Data Protection Board and compliance timelines under active rollout.

For competitive examinations, data governance is tested in the Current Affairs, Governance, and Science & Technology segments. In UPSC GS Paper II it appears under governance, e-governance, and the protection of vulnerable sections' data; in GS Paper III under internal security and the challenges of cyberspace. Typical question angles include the salient features of the DPDP Act, 2023; the implications of Puttaswamy for privacy jurisprudence; the data-localisation versus free-data-flow debate; and comparison with GDPR. Aspirants should be able to cite Article 21, the relevant committee reports, and the institutional design of the Data Protection Board, while linking data governance to wider themes of digital public infrastructure, surveillance, and the political economy of data.