SEBI proposes new Data Sharing Policy

December 12, 2024
Data Sharing Policy

By Anuradha Gandhi and Rachita Thakur

A Consultation paper on draft circular for “Policy for Sharing Data for the Purpose of Research / Analysis” was issued by the Securities and Exchange Board of India (hereinafter referred to as the “SEBI”) on October 08, 2024 in exercise of powers conferred under Section 11(1)[1] of the Securities and Exchange Board of India Act, 1992 (hereinafter referred to as the “SEBI Act”) to protect the interests of investors in securities and to promote the development of, and to regulate, the securities market. [2]

Based on the result of the Consultation Paper, the market regulator has proposed new draft rules to create a standardized policy for sharing financial market data with research institutions, analysts and other stakeholders.

The Consultation Paper revealed the following points:

1. SEBI had received numerous data sharing requests since the inception of its Data Sharing Policy, formulated in 2018 (hereinafter referred to as ‘DSP 2018’), to meet a variety of requirements such as undertaking analytics projects, research activities, etc.

2. Based on these requests, certain issues were outlined, such as:

  • Data sharing process was cumbersome
  • Authenticity and adequacy of data
  • Privacy of the data being shared
  • Data from authentic sources
  • Balance between data privacy vis-à-vis providing access to data

To address these issues, certain modifications were made in the DSP and the same was submitted to the SEBI Market Data Advisory Committee (hereinafter referred to as “MDAC”) for their deliberation and recommendations.

MDAC opined that to address the gaps in the DSP 2018,[3] SEBI should share only the data that is under its ownership and the data should be shared by the respective Market Infrastructure Institution (MII) and therefore, each MII should have its own data sharing policy. This would further promote democratization, data privacy and data accountability at all times. To balance data privacy vis-à-vis providing access to data, organisations will need to have policies on data collection, processing, storage, dissemination and sharing.

Revised Framework on Data Sharing practices

SEBI’s proposed changes suggest that Stock Exchanges, depositories, and clearing corporations will each be responsible for establishing their own data-sharing policies, specifically for research purposes only and not for any commercial purposes. However, data shared by vendors will not fall under this policy.

To facilitate seamless and protected data sharing practices, SEBI has advised the MIIs to segregate data available for each market segment into two distinct categories:

First basket

This basket would include data which can be shared with the public and would also include reporting and disclosure data that are mandated by the regulators. The principle should be to avoid disclosing any personal, sensitive and confidential information in the public domain. This data basket would include:

  • Data which is publicly available on respective websites of each Stock Exchange, Depository and Clearing Corporation.
  • Data which is voluminous and cannot be accessed through MIIs website. An indicative list of such data would be made available on the portals.
  • MIIs would provide a reasonable amount of data requested by a researcher free of cost i.e. up to 2 GB of data that requires no extra computation cost.
  • If the requested data is very high in volume and needs further processing/value addition, MIIs may charge a cost-basis fee from the researcher.

Examples of this data include category-wise turnover data, members and enforcement actions against members, corporate bonds traded report, historical public issues of securities, and historical trading data across segments, Foreign Portfolio Investors (FPI) investment details, etc.

This data would not come under the purview of the Digital Personal Data Protection Act, 2023 as the said Act does not apply to the data made publicly available. [4]

Second Basket

Data in this basket includes information that cannot be shared with the public. This type of data, which could be used to identify an individual/entity directly or indirectly, should be anonymized.

Examples of this data would include Know Your Customer (KYC) information, PAN-wise trade data for all segments, holding details of an entity and individuals, etc., which would be identified as personal information of a data principal and subject to greater controls.

All Stock Exchanges, Depositories and Clearing Corporations are further advised to identify data in the abovementioned baskets and accordingly frame their data sharing policies.

Furthermore, MIIs are directed to share the data list under each basket with SEBI within 60 days of the issuance of the Circular.

Alignment of the New Data Policy with the Digital Personal Data Protection Act, 2023

Under the new DSP, the MIIs will be required to have their own data sharing practices with an emphasis on data collection, processing, storage, dissemination and sharing. Further, by incorporating the broad principles of the DPDP Act, such as data minimization, purpose limitation and security measures, SEBI has ensured that the data sharing practices in the financial sector are in alignment with data governance in the country.

This policy is likely to induce responsibility amongst organisations (MIIs) regarding handling practices of sensitive data (financial data) and further the adoption of the global concept of data privacy.

This classification of data sets, together with the requirement that each MII have its own data sharing policy, will determine what data can and cannot be shared, and is in alignment with the Digital Personal Data Protection Act, 2023, promoting transparency and ease of access.

Constitution of the first basket fulfils the requirement of certain data that is to be made available to conduct research, which is another exception under the DPDP Act[5]. However, such data has to be made available in a form and format which no longer allows the data to identify an individual and/or entity. This data can further also be used to train Artificial Intelligence data sets and tools to enhance their productivity and reduce algorithmic bias.

The second basket, however, involves sensitive personal data that can identify individuals and/or entities and cannot be shared, which adheres to the requirements of the DPDP Act.

Regulations in Foreign Markets

India is not alone: in the coming digital age, economies have realized the importance of setting data sharing practices to promote legitimate and ethical access to, and sharing of, personal and sensitive personal information. The European Commission, in June 2023, published a proposal for a regulation on a framework for Financial Data Access (hereinafter referred to as “FiDA”), a flagship initiative of the EU Digital Finance Strategy, in alignment with the General Data Protection Regulation (GDPR). The FiDA proposal is a sectoral building block that fits into the broader European strategy for data to enable data sharing within the financial sector and with other sectors.

FiDA establishes rules on the access, sharing and use of certain categories of consumer data in financial services. This Regulation also establishes rules concerning the authorization and operation of financial information service providers.[6]

In the United States, meanwhile, there is a Financial Privacy Rule that requires financial institutions to provide particular notices and to comply with certain limitations on disclosure of non-public personal information. [7]

Advantages of Data Sharing Policy in Financial Markets

  1. The implementation of this Policy will ensure protection and security of data by requiring the MIIs to be more diligent while handling their client data;
  2. Segregation of data will allow operational efficiency with faster access to the segregated data;
  3. Reduced risk of data breaches since MIIs will be required to formulate their own policies to keep data safe and secure;
  4. Increased accountability and responsibility of organisations and MIIs for keeping the data secure.

Challenges in implementation of the DSP

  1. Technical infrastructure – The adoption of standards and implementation of this Policy would require a substantial amount of investment, which can be a constraint especially for small organisations.
  2. Data Protection – Although the policy states that the data be anonymized, it does not prescribe any standards for data sharing and anonymization and is instead based on the broad principles adopted from the DPDP Act; its implementation will broadly depend on the DPDP Act and the rules thereunder.
  3. Regular updates – The framework will require a regular revisit to check controls in place.
  4. Compliance and ethics – Ethical data sharing while protecting the sanctity of the data and privacy of individuals and/or entities would come with robust compliance mechanisms.

[1] Section 11 of the Securities and Exchange Board of India Act, 1992 – (1) Subject to the provisions of this Act, it shall be the duty of the Board to protect the interests of investors in securities and to promote the development of, and to regulate the securities market, by such measures as it thinks fit.

[2] https://www.sebi.gov.in/reports-and-statistics/reports/oct-2024/consultation-paper-on-draft-circular-for-policy-for-sharing-data-for-the-purpose-of-research-analysis-_87414.html

[3] https://www.sebi.gov.in/Guidelines_for_Data_Sharing.html

[4] Section 3 (c) (ii) of the Digital Personal Data Protection Act, 2023

[5] Section 17 of the Digital Personal Data Protection Act, 2023

[6] https://www.financial-data-access.com/

[7] https://www.ftc.gov/legal-library/browse/rules/financial-privacy-rule
