FDPPI is your Privacy Companion

PDPSI is a unique framework for Personal Data Protection as per prevailing data protection laws.

Its 50 implementation specifications cover the data compliance requirements under multiple data protection laws and is more than what other best practice standards such as ISO 27701 tries to accomplish.

Some of the PDPSI model implementation specifications try to put certain best practices hither to not being part of such frameworks into the radar of the organization. Details of these are already available in the PDPSI handbook.

There are three other innovations that PDPSI has introduced and FDPPI has adopted in order to further improve the assurance of the PDPSI audits in the industry environment.

First is to register the audit with FDPPI along with the DTS computation worksheet so that FDPPI is aware of the PDPSI certifications that are in the market.

Second is getting a feedback on the auditee  including a permission if agreeable for disclosure of DTS.

Additionally, it is observed that after completion of an audit and its certification, the auditee often neglects to maintain the required data security discipline resulting in data breaches. At that time a question will be asked on whether the organization was audited, and if so whether the audit was deficient etc.

In order to make PDPSI audits more reliable, FDPPI will therefore introduce a system whereby the auditee will be required to send a quarterly report to FDPPI in which it will share any major incidents during the period and major changes in the business profile.

It is quite possible that the organizations may not send such reports in which case the responsibility of FDPPI would be reduced. If the organization considers it useful they may use this opportunity. In a way this will be like AMC service on the audit already completed.

FDPPI may charge a fee for such Audit AMC as it may deem fit.

Hopefully this would at least keep the need to be vigilant even after the audit certification will be ingrained in the auditee organization and this by itself be good for the auditee organization.

The details of the kind of reporting to be done etc are being finalized.

Naavi

Data Protection Officer (DPO) would be a key position to which many organizations will be recruiting senior professionals. We are already seeing some advertisements on the recruitment of DPOs with certain description of requirements.

However it is observed that many of these advertisements donot indicate that the recruiters are aware that India has a data protection law and any DPO who does not know the Indian laws would be a drag on the company irrespective of his expertise in GDPR.

FDPPI, as an organization in India which has trained the Data Protection Community on Indian data protection laws, International data protection laws and data protection audit skills etc., is in an ideal position to define the requirements of a good DPO.  Hopefully this would be helpful to the recruiters.

We will be shortly publishing through our Journal a template of a Data Protection Officer recruitment. We also run a “Mentoring Workshop” for Data Protection Professionals who would like to take a crash course in Indian Data Protection laws if required.

FDPPI recently conducted two free programs for HR Professionals to equip themselves with the knowledge of PDPB. But there are a lot more HR professionals and marketing officials of recruitment agencies like naukri.com who need to appraise themselves of the needs of a DPO.

FDPPI would be glad to do an on demand training for recruitment firms on the requirements of a DPO along with the fundamentals of the emerging Indian law.

Interested organizations may contact FDPPI.

Naavi

FDPPI is an organization which represents the effort of the Data Protection Community to create a “Privacy and Data Protection Culture in India”.

In this endeavor to create the Data Protection Culture in India, PDPSI works on the three dimensions namely

1. 1. The Data Protection Regulations
   2. The Data Protection Professionals
   3. The Data Processing organizations.

FDPPI is closely following the Privacy and Data Protection regulatory regime in the country and engaging itself with the Policy makers to contribute towards framing of a  balanced  legislation which achieves the objectives of protecting the Privacy of Indian Citizens as a fundamental right under our constitution without ignoring the requirements of the Government which has the duty to protect the Citizens of the country and the requirements of Data Processing business which cannot be killed in pursuance of Privacy.

FDPPI also is taking steps to empower the professionals who need to comply with the law in the Data Protection scenario and implement the vision of “Protecting the Privacy through Personal Data Protection” and providing a “right of self determination to the Data Principals on how the personal data about them can be collected, used and disclosed.” Towards this end, FDPPI has created and executed “Certification Programs” and created an army of “Certified Data Protection Professionals”  who have attended at least 12 hours of training on the current Indian Privacy Laws including the proposed law represented by PDPB 2019, followed by an evaluation through an online examination. Many of the professionals have been further empowered with at least another 16 hours of training on Global Privacy laws and a further 12 plus hours on Data Audit skills making them one of the best trained professionals globally. They are developing like the “Navy Seals” or NSG Commandos” as we have heard in the security scenario.

Additionally, FDPPI has adopted the “Personal Data Protection Standard of India” or PDPSI  as a “Unified” framework for compliance of multiple Personal Data Protection laws by an organization. The PDPSI consists of 12 standards and 50 implementation specifications that cover the entire gamut of PIMS as envisaged by other frameworks and goes further to address the needs of the need to be simultaneously in compliance of multiple global laws incorporating many futuristic thoughts on “Data Business”.

This PDPSI framework is not only a “Certifiable Audit Framework” like the ISO 27701 but also an Assessment framework for the Data Trust Score (DTS) system which is a representation of the Personal Data Protection maturity of an organization as assessed by an auditor using the 50 implementation specifications of the PDPSI framework.

PDPSI is also a framework which is available for organizations for self implementation as an instrument of internal audit.

FDPPI is also creating a set of professionals who are conversant with Indian Privacy Laws, Global Privacy Laws and a certain minimal Data Audit skills through 3 certification exams which over over 55 hours of online training, over 1000 pages of study material and 270 minutes of online examination.

We are humble enough to admit that FDPPI can only provide an opportunity for professionals to develop their knowledge and skills and ultimately it is the capacity of individual professionals to absorb the skills and apply it in the practical scenario.

However the symbol shown along side is emerging as the symbol of Personal Data Protection and is the goal of every Data Fiduciary and Data Processor.

This is a symbol of protection for the Data Principal in the context of protection of his Privacy.

It also represents a framework for enabling Privacy Protection through Data Protection.

The accompanying symbol in future will represent an organization which has undergone an assessment of its DTS by a PDPSI accredited auditor.

This could be disclosed by organizations as required under the Indian laws.

The auditors and consultants who have undergone the rigorous training and passed through the Certification exams have been certified by FDPPI and certificates like the following have been issued to them.

These are sample certificates that only the privileged professionals who have gone through the rigorous evaluation process have been issued.

The “Certified Global Privacy & Data Protection Consultant” is  a person with a reasonable knowledge of the Privacy laws and a reasonable skill to conduct data protection audits and provide consultancy to organizations in their Privacy Compliance program.

The “Certified Global Privacy & Data Protection Auditor” is a person with an accreditation for conducting Audits and DTS assessment which will be registered with FDPPI and issue necessary “Certificate of Privacy and Data Protection Compliance” under the PDPSI framework.

FDPPI  congratulates the 21 professionals who have achieved this recognition in the first batch and hope that in future, we will have many more such professionals.

Naavi

FDPPI has been conceived as an organization of the people, viz., the Data Protection Professionals. Hence its services such as providing “Certifications”, “Conducting Frequent Knowledge enhancement Webinars in the Jnaana Vardhini Series” etc are services oriented toward creating empowered Data Protection Professionals.

At the same time an organization is considered as an aggregation of people. FDPPI itself is an aggregation if its members and renders all its services through its supporting members. It has been recognized that organizations also need to be supported in our journey towards making India  a globally recognized Personal Data Protection leader.

We have therefore started a focussed approach towards Corporates members. FDPPI enrolls Corporate members at a one time fee of Rs 18000/- which enables designation of three subordinate individual members. Hopefully, the DPO, CISO and the CCO would be the first three persons in an organization who need to be equipped. Bigger organizations who want more of their executives to be equipped with the necessary empowerment of knowledge and skills may expand their subordinate membership by paying additional amount of Rs 6000 per person. The Company would be allowed to revise its subordinate member list once every year in case there are changes in the allocation of responsibilities of executives.

The Corporate services that FDPPI renders include

a) Conducting Privacy awareness training programs for the employees

b) Providing External DPO consultancy

c) Assessment of Data Trust Score as an internal evaluation or Certification through accredited auditors.

d) Providing consultancy for achieving compliance

e) Providing Data Disputes Mediation and Arbitration Center (DDMAC) as a platform for use by the Corproates.

These services are delivered by the supporting members of FDPPI whose profiles are available on the website.

These services are available for Companies even if they are not members of FDPPI. However, Corporate members will get all these services at a discounted rate.

Watch out for more information on these services through the FDPPI website.

(You can download a corporate services brochure here)

Naavi

Today the first batch of Data Protection Professionals in India who have been trained on Indian Data Protection Laws, Global Data Protection Laws and Data Audit skills with special training on the PDPSI framework are completing the certification examination. A few of them will be certified as “Certified Auditors for the FDPPI-PDPSI Data Protection Audit with DTS evaluation” after the entire evaluation process is over. A Few more would be certified as “Certified Consultants for the FDPPI-PDPSI Data Protection Implementation”

The Implementation Consultants and Certified Auditors would be professionals who have completed around 55 hours of class room training (Online) and 4.5 hours of online examination plus several hours of assignments. They have read through over 1000 pages of notes. This is one of the most elaborate training programs conducted in any such certification programs.

At the end of this rigorous program, FDPPI is confident that these professionals  will be able to stand out in the community as people with the necessary knowledge and skills to start guiding the Indian organizations towards Privacy and Data Protection Compliance.

We all know that skill cannot be entirely acquired through external training alone and hence these professionals will continue to improve their skills and some of the consultants after more experience may be upgraded to the level of auditors FDPPI will have a plan to implement this “Continuing Data Audit Skill Enhancement” program.

The industry already has several “Certified” professionals who have been certified from other organizations some of them recognized world over. However, in terms of the focus and intensity of training, the FDPPI Certified professionals will be a class apart though  this will need some time to be recognized by the industry.

These are the professionals who create path by walking…. not wait for others to show the path…

Naavi

To mark the international privacy day of 2021, FDPPI launched a journal titled “Data Protection Journal of India”.

The journal will be available at www.dpji.in

Naavi

The  training for “Certified Data Protection Professionals-Module A” covering data audits is set to start tomorrow.

The registrations have closed.

The tentative agenda covering 12 sessions of 90 minutes each totaling to around 18 hours in total is as given below.

This program along with the earlier two modules on Indian law (Module I) and Global Law (Module G) would prepare professionals for both providing Data Protection Compliance consultancy to companies as well as conduct  certifiable audits under the PDPSI (Personal Data Protection Standard of India” sponsored by FDPPI.

These audits will also make an assessment of the Data Trust Score of an organization which is envisaged in the Indian PDPB 2019.

These programs being delivered with the assistance of Cyber Law College, come with the assurance that after the PDPB 2019 is passed, the previous trainees would be provided a free additional training to cover the changes in the law and issue of any guidelines from the Data Protection Authority on the requirements of Data Auditors.

At present there are nearly 100 professionals who have been certified in Module I, or Module G or both. Persons who have completed all the three modules would be considered for accreditation as PDPSI auditors.

With the completion of this program, India will have for the first time, a compliance framework which could match or even excel the global standards.

Naavi

FDPPI in association with Cyber Law College has earlier launched two programs related to building legal awareness on Data Protection Laws connected with the “Certified Data Protection Professional ” (CDPP) course. These were part of the larger 5 Module course to build  360 degree skilled Data Protection Professionals in India. The remaining three modules were one on Technology, Audit and Behavioural skills.

The training for Module-I covered Indian Data Protection laws and training on Module G covered the global data protection laws.

Now FDPPI and Cyber Law College are launching the course on the Audit Module, namely Module-A.

During this program,  scheduled as a 12 hour online program, the Art and Science of Data Audit would be discussed. Since this is the first such program which is being conducted and introduces many new concepts including Valuation of Data in a Balance Sheet, Distributed Responsibility for implementation, etc., there is a possibility that the program may be extended beyond 12 hours if required.

The discussions will cover the conceptual difference between an “Assessment” and “Audit”, different types of audits that one encounters in the Data Protection profession , the objectives of each of these audits, the modalities of how a practitioner may conduct such audits etc.

The Data Protection Impact Assessment (DPIA), Harm Audit, Data Breach Audit and Data Protection compliance audits will be discussed separately.

The Data Trust Score (DTS) Assessment which is a part of the Indian data protection regulation will also be discussed in detail.

The Data Protection Compliance audit will be explored in detail using the PDPSI (Personal Data Protection Standard of India) framework .

PDPSI is a framework for implementation and is also a Certifiable Standard of compliance. PDPSI is also a DTS assessment framework during the Audit process.

Foundation of Data Protection Professionals in India (FDPPI) is sponsoring the Data Protection Compliance audit under the PDPSI framework and this training is considered part of the accreditation of PDPSI Consultants and PDPSI Auditors who can provide consultancy to organizations on designing and implementation of Data Protection compliance programs as also to conduct Audits of such programs.

Consultation for implementation and Audit of the implementation will be undertaken by two different individuals.

While this Data Audit training may be considered mandatory for the Audit, implementation may be guided by the consultants. Organizations are open to implement the guidelines on their own and directly approach an auditor for Certification or take the assistance of consultants before approaching the auditors.

FDPPI may have additional criteria for accrediting auditors under their approved audit process for certification.

This Module-A training would be followed by an “Online Examination” and “Submission of Assignments”. 50% of the marks would be allocated for each of these two evaluation segments.

There will be three grades namely  A, B And C.

Grade A: represents Ready for Audit

Grade B: represents Ready for Consultancy

Grade C: represents requirement of improvement

One Improvement re-examination will be permitted for upgradation of Grade C to Grade B.

According to the present scheme for accreditation of PDPSI Auditors,

FDPPI may accredit their members who pass out of this training with Grade A and have also passed out of the Module I and Module G program, as “Provisionally Accredited PDPSI Auditors”.

They may be upgraded into fully “Accredited PDPSI Auditors” after they complete the two other modules of the larger training program which includes the modules on Technology and Behavioural Skills.

FDPPI may  also upgrade Persons who pass out of the program in Grade B  “Provisionally Accredited PDPSI Auditors” based on their consultancy experience.

For registration for the program and  kindly proceed to CDPP-Module-Audit”

The Date and time Schedule for the program is yet to be finalized. Tentatively the course should commence towards the end of January 2021 after the registrations close on 18th January 2021.

P.S: Though the training program is driven by the needs of the  emerging Indian data protection law, the concepts discussed are universal and will apply even for compliance of GDPR and other Data Protection laws.

Data Trust Score is an innovative mandatory provision in Indian Personal Data Protection Bill 2019 which introduces measurability an accountability to the compliance initiatives of a Data Fiduciary. In this three part article, Mr M.G. Kodandaram, IRS, retired Assistant Director NACIN, analyses the legal aspects of the Data Trust Score system….. Naavi

(Continued from part-2)

In this concluding part we shall deliberate on the fair means to use of the mandated principles within the scope of the objectives and the proposed legal framework, to arrive at the possible data score methodology. The author is not inclined to propose a definitive scoring pattern as the bill in hand is still a legislation in the making and more changes are expected before it becomes the law of the land. Once the legislation gets the nod of both the houses, carrying out such an exercise will be more realistic and useful. Therefore in this part the discussions are limited to the components that should be part of the DTS system.

Objectives of the bill

The Preamble part of the bill declares the purpose of the legislation as, “to provide for protection of the privacy of individuals relating to their personal data, specify the flow and usage of personal data, create a relationship of trust between persons and entities processing the personal data”. It further vouches (i) to protect the rights of individuals whose personal data are processed, (ii) to create a framework for organisational and technical measures in processing of data, (iii) laying down norms for accountability of entities processing personal data,(iv) remedies for unauthorised and harmful processing, and (v) to establish a Data Protection Authority of India for the said purposes.  The honourable Supreme Court in the case of Justice K.S. Puttaswamy[i] v/s Union of India has held that right to privacy is a fundamental right and therefore it is necessary to protect the personal data as an essential facet of informational privacy. At the same time it is necessary to create a collective culture that fosters a free and fair digital economy, ensuring empowerment, progress and innovation through digital governance. No doubt that the data is the lifeblood of any digital business, but on its abuse, the ultimate losers are the consumers, who may receive an irreversible shock on their private life.

Obligations of the fiduciary

The privacy rights of an individual has to be accomplished for which the data fiduciaries are expected to follow certain obligations stipulated under section 4 to section 11 of the bill.  The Bill allows the processing of data by Fiduciaries only after the due consent is obtained from the individual / Principal. For obtaining the consent of a Principal for collection or processing of personal data there is need of issue of a notice by the fiduciary to such person, stating the reasons in clear, concise and easily comprehensible terms. The procedure for issue of notice to the principal, at the time of collection of data[ii], for obtaining the consent is elaborate and due care to be taken to devise digital tools for meeting the requirements. In the notice the Principal should be informed about the purpose, nature and categories data being collected. The identity and contact details of the data Fiduciary and the contact details of the data protection officer are also to be informed to the Principal. Such Principal should be informed of the procedure to withdraw his consent in the mandated way.  Further a personal data can be processed only for specific, clear and lawful purposes. The Data Fiduciary shall not retain any personal data beyond the period necessary to satisfy the purpose for which it was processed and shall delete the personal data at the end of processing. The personal data may be retained for a longer period only after the data fiduciary gets necessary consent from the Data Principal. During the compliance audit, it is for the data auditor to comment on each one of these parameters followed by the fiduciary, before proceeding for the quantification of DTS score. The measure so made should indicate the trust factor of the fiduciary in handling the personal data of the principals.

It is pertinent to mention here that the relationship between the principal and fiduciary enshrined in the bill are of special and unique nature.  Here the fiduciary should extend a breach-proof mechanism to the personal data owner / principal which are equivalent to safeguarding the fundamental rights of the principal. Therefore the measure applied to score the ‘trust-worthiness’ needs to be rational and realistic. Efforts should be made to measure directly or indirectly all the stipulated obligations, compliances and functions of the fiduciary, and by using digital tools, wherever possible to meet the meet the requirement of law.

Voice of principal needs recognition

From the above deliberations we find that there are compliances mechanisms and complaint mechanism in place but the crucial element of feedback mechanism is missing in the entire framework under consideration. As stated in the earlier part, the major stake holder or the beneficiary in this entire bill is the principal, but her/his observations about the services rendered by the fiduciary are not provided due place in scoring the credentials of the fiduciary. Further any personal data breach that takes place at the fiduciary’s location, through the dark nets may land in the hands of the cyber criminals, who could exploit the data to cause injury to the principal. The safeguards taken by the fiduciary to eliminate personal data breaches protects the principal from being a victim of cyber crime. The satisfaction of the principal about the protection layer provided by the service providing fiduciary is an important element in measurement of trust score. The DTS is supposed to express the trust of the principal as to the level of protection the fiduciary has extended. Therefore the principal’s feedback about the satisfaction in the services provided by the fiduciary will be one of the best indicators of mutual trust, the author feels.

Finding fault or gap in services should not be based on the mere observations of the auditor or on sheer outcomes of the complaint mechanism in place. The principal’s voice should be heard which deserves a place in formulating the score for the fiduciary. Therefore a feedback system should be legislated wherein the fiduciary should be asked to obtain responses from their principal whenever they provide them with any service.  This will also adds value to the review mechanism of the fiduciary.

 As per the above deliberations it is clear that there is no provision made in the law for a principal to offer the feedback about the services extended by a fiduciary. This needs to be used as a positive aspect to draw the trust scores, the author observes. A suitable section could be inserted prescribing an effective feedback mechanism and using them to determine the scoring of the data trust.

Authority to be well equipped

Further in a Democratic society like Bharat, to take up the huge responsibility of implementation of this law and the disproportionate issues that could emerge, the Authority concerned should be well equipped in terms of skillful techno-legal manpower along with robust digital platform to be used as e-governance vehicle. As per section 49 of the bill, “It shall be the duty of the Authority to protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the provisions of this Act, and promote awareness about data protection” which a huge responsibility to be discharged. Further the responsibilities Authority include, (i) taking prompt and appropriate action in response to personal data breach (ii) maintaining a database and the data trust score on the web, (iii) classification of data fiduciaries, (iv) monitoring technological developments and commercial practices that may affect protection of personal data,(v) receiving and inquiring complaints, (vi) selection of auditors,(vii) prescribing the design by policy and DTS measures, together with registration and regulations of various provisions relating to safeguard the interest of the principals are going to be matters of great concern.

As the task involved is around safeguarding the fundamental rights of a citizen, it becomes all the more important as the Supreme Court and high courts could be directly approached for reliefs. Added to this the technological advancements are on an accelerated mode, so also the information exchanges and communications as well as the cyber crimes. Unless the officials are proportionately equipped with techno-legal skills, the implementation of law may leave huge scar in governing of citizens. The Authority must select officials with requisite technical and legal qualifications only. Such executives are to be suitable trained which is going to be the most critical element for the successful implementation of this new regime.

The section 49(3) requires the Authority to be treated like any other fiduciary as far as the processing of the personal data is concerned. It expressly mandates that, “it shall be construed as the data fiduciary or the data processor in relation to such personal data as applicable, and where the Authority comes into possession of any information that is treated as confidential by the data fiduciary or data processor, it shall not disclose such information unless required under any law to do so, or where it is required to carry out its function under this section”. This is a crucial aspect of the bill that deserves special attention. Further all the central government departments are following the standards prescribed under Service Quality Management System as per IS 15700- SEVOTTAM, which should be made applicable the Authority.

Conclusions

The computation of DTS by the auditor to be fair and justifiable may consist of the following major components:

• Outputs from the measurable components like
  • (a) dynamic grievance redressal mechanism;
  • (b) online periodical compliance by fiduciary;
  • (c) reported breaches and remedial action taken along with time frame. etc.,
• Outputs from the verification report drawn by the data auditor on subjective issues such as obligations met by the fiduciary, appreciations and deficiencies noticed during the audit etc.,. and
• Feedbacks from the principal about the quality of the services provided as against the mandated obligations and the trust she/he could recommend.
• The Observations by the executives who are implementing these provisions.

The suggested weightage to obtain the consolidated DTS score form the above four components could be, for first three components, 30% each and 10% for the last.   The author welcomes any additional suggestions and ways to measure the trust score so that it becomes the forerunner in the cyber society and the best practices to ensure privacy of the individual.

                                                                                                          (Concluded)

[i] (2015) 8 S.C.C. 735 (India)

[ii] Sec.7, PDP bill

Data Trust Score is an innovative mandatory provision in Indian Personal Data Protection Bill 2019 which introduces measurability an accountability to the compliance initiatives of a Data Fiduciary. In this three part article, Mr M.G. Kodandaram, IRS, retired Assistant Director NACIN, analyses the legal aspects of the Data Trust Score system….. Naavi

Continued from the previous part-1

Now we shall examine each of the factors prescribed in Section 29 of the bill to explore the ways to compute the principles in the proposed a fair and justifiable Data Trust Score.

Issue of notice to principal

Every data fiduciary shall issue a notice to the data principal before the collection or processing of personal data and the contents contained in such form is one of the factors to be considered to evaluate the trust score.  Some factors indicated in section 7(1) of the bill, among others, include the following which are relevant for the present discussions.

“(k) the procedure for grievance redressal under section 32;

(l) the existence of a right to file complaints to the Authority;

(m) where applicable, any rating in the form of a data trust score that may be assigned to the data fiduciary under sub-section (5) of section 29; and

(n) any other information as may be specified by the regulations”.

From the above it is to be noted that (i) having a grievance redressal as prescribed in section 32; (ii) principal’s right to file complaints to Authority and (iii) intimating the data trust score assigned under section 29(5) to the data principal, are the important factors to be considered by the auditor to evaluate the trust score of a fiduciary. To enable higher rating of DTS, it is important for the fiduciary to have a dynamic grievance redressal mechanism in place. At the same time it is the responsibility of the Authority to provide a tool to lodge complaints by the principal and to suitably redress them.

Redressal of grievances of principal

As mandated under section 32 of the bill, every data fiduciary should provide an effective mechanism for redressal of grievances of the data principals. The facility for lodging a complaint by the principal for any contravention of the provisions that has caused or is likely to cause harm to her/him is an essential responsibility of the fiduciary. Such a facility must be managed by the data protection officer or designated officer of the entity. Complaints received have to be resolved by the data fiduciary in an expeditious manner, within 30 days of receipt of the complaint. If such complaints are rejected or not resolved within the time frame, or if the principal is not satisfied with the manner of disposal, the data principal may file a complaint with the Authority. Therefore the Authority is expected to host a separate facility for receiving complaints from principal against such unattended grievances.

As the volumes of transactions are expected to be high, it is expected that these services to the principal could be built by the fiduciary and the Authority together in digital mode. For this development of a central digital facility by the Authority in association with the entities are preferred, as it eases the complaint filing mechanism to the principal, and further monitoring, disposal as well as recording of the entire process could be automated. The quantum of transactions and timelines followed in redressal process could be used as a realistic data source to measure the trust score in respect of each of the fiduciary at one place.

However it is interesting to note that there is no mechanism inbuilt in the bill to obtain feedbacks of the principal.

Privacy by design policy

The second factor to be considered for awarding the score by the auditor is the effectiveness of measures adopted under ‘Privacy by design’ policy as mandated under section 22 of the bill.  The Bill mandates that a data fiduciary is required to formulate policy that (a) ensures Managerial, organizational, business practices and technical systems designed in a manner to anticipate, identify, and avoid harm to the data principal, (b) meets the listed obligations towards protection  of personal data, (c) uses the technology in accordance with commercially accepted or certified standards, (d)  protects the legitimate interests of businesses including any innovation is achieved without compromising privacy,(e) protection of privacy throughout the processing, from the point of collection to deletion of personal data, (f) processing of data in a transparent manner and (g) interest of the data principal at every stage of processing of personal data. The data fiduciaries should submit the policy so prepared to the Authority for certification within the prescribed period. The Authority after due verifications of the information and compliance having been provided as prescribed under Section 22(1), shall certify the same. The said information need to be published in the official websites of the Authority and of the fiduciary concerned. This entire process could be built on a digital platform and the emerging data could be used to gauge the trust score.

Transparency and security measures

Transparency in relation to processing activities under Section 23 is the third factor that needs to be considered in awarding the data score.  The fiduciary should  make available, in prescribed form and manner, the information  namely, “(a) the manner and categories of personal data generally collected; (b) the purposes for processing the personal data; (c) any probable risk of significant harm in such processes; (d) the facilities available for the data principal to exercise rights regarding access, correction, erasure, portability and such other rights vested under law; (e) the right of data principal to file complaint against the data fiduciary to the Authority; (f) where applicable, any rating in the form of a data trust score accorded to the data fiduciary under section 29(5); (g) where applicable, information regarding cross-border transfers of personal data that the data fiduciary generally carries out; and (h) any other information as may be specified by regulations.”

The fourth factor that needs to be considered is the security safeguards adopted by such entity pursuant to section 24 of the bill.  Every data fiduciary and the data processor shall implement and review periodically the necessary security safeguards, such as, “(a) the use of methods such as de-identification and encryption; (b) steps necessary to protect the integrity of personal data; and (c) steps necessary to prevent misuse, unauthorised access to, modification, disclosure or destruction of personal data”. These could be verified by the auditor who can list out the gaps to arrive at the data score relating to the fiduciary. Similarly the instances of personal data breach and timely response of the data fiduciary, including the promptness of notice to the Authority under section 25,  timely implementation of processes and effective adherence to obligations under section 28(3), being the fifth and sixth factors, that could be verified by the auditor to draw fair conclusions.

In the coming part we shall deliberate on the fair means to use of the mandated principles within the scope of the objectives and the proposed legal framework, to arrive at the possible data score method.

 (To be continued as part-3)

• M. G. KODANDARAM, IRS, Assistant Director, NACIN (Retd.)