Data Trust Score – thoughts on legal framework (Part 2)

Data Trust Score is an innovative mandatory provision in the Indian Personal Data Protection Bill 2019 which introduces measurability and accountability to the compliance initiatives of a Data Fiduciary. In this three-part article, Mr M.G. Kodandaram, IRS, retired Assistant Director NACIN, analyses the legal aspects of the Data Trust Score system… Naavi

Continued from the previous part-1

We shall now examine each of the factors prescribed in Section 29 of the bill to explore ways of computing a fair and justifiable Data Trust Score from those principles.

Issue of notice to principal

Every data fiduciary shall issue a notice to the data principal before collecting or processing personal data, and the contents of that notice are one of the factors considered when evaluating the trust score. Among the items listed in section 7(1) of the bill, the following are relevant to the present discussion:

“(k) the procedure for grievance redressal under section 32;

(l) the existence of a right to file complaints to the Authority;

(m) where applicable, any rating in the form of a data trust score that may be assigned to the data fiduciary under sub-section (5) of section 29; and

(n) any other information as may be specified by the regulations.”

From the above it follows that (i) having a grievance redressal mechanism as prescribed in section 32, (ii) the principal’s right to file complaints with the Authority, and (iii) intimating the data trust score assigned under section 29(5) to the data principal are the important factors an auditor must consider when evaluating the trust score of a fiduciary. To earn a higher DTS rating, the fiduciary must have a responsive grievance redressal mechanism in place. At the same time, it is the responsibility of the Authority to provide a tool through which principals can lodge complaints, and to redress them suitably.

Redressal of grievances of principal

As mandated under section 32 of the bill, every data fiduciary should provide an effective mechanism for redressal of the grievances of data principals. Providing a facility through which a principal can lodge a complaint about any contravention of the provisions that has caused, or is likely to cause, harm to her/him is an essential responsibility of the fiduciary. Such a facility must be managed by the data protection officer or a designated officer of the entity. Complaints received have to be resolved by the data fiduciary expeditiously, within 30 days of receipt. If a complaint is rejected or not resolved within that time frame, or if the principal is not satisfied with the manner of disposal, the data principal may file a complaint with the Authority. The Authority is therefore expected to host a separate facility for receiving complaints from principals about such unattended grievances.

As transaction volumes are expected to be high, these services to the principal could be built jointly by the fiduciary and the Authority in digital mode. A central digital facility developed by the Authority in association with the entities is preferable, as it eases complaint filing for the principal, and the subsequent monitoring, disposal and recording of the entire process could be automated. The number of transactions and the timelines followed in the redressal process could then serve as a realistic data source for measuring the trust score of each fiduciary in one place.

However, it is interesting to note that the bill has no built-in mechanism for obtaining feedback from the principal.

Privacy by design policy

The second factor to be considered by the auditor in awarding the score is the effectiveness of the measures adopted under the ‘Privacy by design’ policy mandated under section 22 of the bill. The bill requires a data fiduciary to formulate a policy that (a) ensures that managerial, organisational and business practices and technical systems are designed to anticipate, identify and avoid harm to the data principal; (b) meets the listed obligations towards protection of personal data; (c) uses technology in accordance with commercially accepted or certified standards; (d) protects the legitimate interests of businesses, including innovation, without compromising privacy; (e) protects privacy throughout processing, from the point of collection to the deletion of personal data; (f) processes data in a transparent manner; and (g) keeps the interest of the data principal in view at every stage of processing. The data fiduciary should submit the policy so prepared to the Authority for certification within the prescribed period. The Authority, after due verification that the information and compliance prescribed under Section 22(1) have been provided, shall certify it. The said information must be published on the official websites of the Authority and of the fiduciary concerned. This entire process could be built on a digital platform, and the resulting data could be used to gauge the trust score.

Transparency and security measures

Transparency in relation to processing activities under Section 23 is the third factor to be considered in awarding the data score. The fiduciary should make available, in the prescribed form and manner, the following information: “(a) the manner and categories of personal data generally collected; (b) the purposes for processing the personal data; (c) any probable risk of significant harm in such processes; (d) the facilities available for the data principal to exercise rights regarding access, correction, erasure, portability and such other rights vested under law; (e) the right of data principal to file complaint against the data fiduciary to the Authority; (f) where applicable, any rating in the form of a data trust score accorded to the data fiduciary under section 29(5); (g) where applicable, information regarding cross-border transfers of personal data that the data fiduciary generally carries out; and (h) any other information as may be specified by regulations.”

The fourth factor to be considered is the security safeguards adopted by the entity pursuant to section 24 of the bill. Every data fiduciary and data processor shall implement, and periodically review, the necessary security safeguards, such as “(a) the use of methods such as de-identification and encryption; (b) steps necessary to protect the integrity of personal data; and (c) steps necessary to prevent misuse, unauthorised access to, modification, disclosure or destruction of personal data”. The auditor can verify these and list the gaps found in order to arrive at the data score of the fiduciary. Similarly, instances of personal data breach and the timely response of the data fiduciary, including the promptness of notice to the Authority under section 25, and timely implementation of processes and effective adherence to the obligations under section 28(3), being the fifth and sixth factors, could be verified by the auditor to draw fair conclusions.

In the next part we shall deliberate on the fair use of the mandated principles, within the scope of the objectives and the proposed legal framework, to arrive at a possible method for computing the data score.

 (To be continued as part-3)

  • M. G. KODANDARAM, IRS, Assistant Director, NACIN (Retd.)

Data Trust Score – thoughts on legal framework (Part 1)

Data Trust Score is an innovative mandatory provision in the Indian Personal Data Protection Bill 2019 which introduces measurability and accountability to the compliance initiatives of a Data Fiduciary. In this three-part article, Mr M.G. Kodandaram, IRS, retired Assistant Director NACIN, analyses the legal aspects of the Data Trust Score system… Naavi

Consequences of Data Trust Score

The much-awaited Personal Data Protection Bill, 2019 (‘bill’ hereinafter, for brevity) is awaiting the scrutiny of the Joint Parliamentary Committee, which is in the final leg of its consultation and finalisation process. Sub-section (5) of Section 29 of the bill, relating to audit of policies and conduct of processing as a measure of transparency and accountability to be adopted by a data fiduciary, specifically mandates: “A data auditor may assign a rating in the form of a data trust score (hereinafter ‘DTS’) to the data fiduciary pursuant to a data audit conducted under this section”. The bill authorises the auditor conducting the compliance verification of a fiduciary to measure the trustworthiness of the entity by awarding a score, as an indicator, on criteria to be prescribed through regulations by the Authority[i]. The score so awarded should be published by the fiduciary in the notice issued to the principal[ii] and on the website maintained by the entity, in the manner prescribed by the Authority[iii]. The scores should also be announced by the Authority[iv] in its public domains. This stipulation makes the DTS a sensitive proposition, as the scores will have huge ramifications for the goodwill, investment and service decisions concerning such fiduciaries in a competitive marketplace. It is therefore of utmost importance to devise a comprehensive and justifiable scoring pattern and configuration so that a fair approach is in place for assigning the trust score.

The privacy of an individual is a very subjective matter, and the levels of protection a fiduciary has in place are not easily measurable in arithmetical terms. It is a well-known principle that only what is measurable can be gauged and monitored. One should therefore look for a system that could indirectly assist in assigning such a score with the least scope for ambiguity or bias on the part of the compliance auditor. No similar tool is employed for this purpose elsewhere, as no such prescription exists in other privacy laws in force around the globe. This is a unique and positive approach by the Indian authors of the law, who stipulate such a mechanism for the first time. In view of these facts, the quest for a fair and justifiable method of computing the DTS becomes all the more challenging. An attempt is made here to suggest ways that could be adopted for this purpose.

The best way to begin the search for a fair solution, the author feels, is to examine the related provisions of the bill to find the intentions, objectives and methods embedded in the proposed statute. The solutions should lie within the substantive law and should not transgress its stated perimeters. If any essential factors are missing, they should be recommended for inclusion in the law in the making. With these thoughts in the background, the essential legal framework applicable to the DTS, as available in the proposed law or as required to be incorporated in it should the need arise, is deliberated in the rest of this article.

Impact of proposed law on stake holders

The proposed bill is going to affect every individual’s privacy in the present cyber society, as all services and activities, whether by the Government or by business and non-business entities, are being built around digital technology as an essential component. In all walks of life, every citizen (call them ‘netizens’) encounters privacy issues in every type of communication with others. One can therefore assume that the entire population of the country may have to be treated as ‘Principals’ of some fiduciary or processor at one stage or another. It could be a visit to a commercial centre, a consultation with a doctor, an academy for education, or any of countless other instances where the Principal’s personal data are collected and processed. Almost all entities dealing with individuals’ personal matters automatically qualify as data fiduciaries, unless they are kept outside the applicability of the provisions or specifically exempted under them. It is left to the reader to estimate the volumes of data involved and the impact of managing such data. The bill places full responsibility on the data fiduciary to protect the privacy rights of the principal, and any breach of this assurance makes them liable to penal action. Punitive measures for breaches and violations by the fiduciary could be initiated by the principal or the Authority, and adjudicated by the Authority and the courts. In view of this legal position, one can conclude that the implementation of privacy laws is going to be a change of massive scale and proportion. All stakeholders therefore need to prepare sufficiently in advance, in terms of both technology and legal procedures, to absorb and follow the changes.

Legal provisions relating to DTS

Section 29(6) of the bill declares that ‘the Authority shall, by regulations, specify the criteria for assigning a rating in the form of a data trust score having regard to the factors mentioned in sub-section (2)’. Sub-section (2) specifies the criteria for assigning a data trust score, which are discussed later. From these stipulations the following conclusions can be drawn: (i) evaluating the score is the responsibility of the privacy data auditor appointed by the Authority; (ii) the compliance audit of a data fiduciary should cover the auditor’s examination and observations under Sections 7, 22, 23, 24 and 25 of the bill; and (iii) the scoring process is not left to the wisdom of the auditors but is to be regulated by the Authority. There is therefore a legal necessity to notify the DTS regulations before implementing the DTS provision.

The various powers of the Authority to make regulations are listed in section 94 of the bill. The Authority may, by notification[v], make regulations consistent with the Act and the rules made thereunder to carry out its provisions. Section 94(2) lists the matters that may be regulated, and among them the following are relevant to our discussion: “(l) the other factors to be taken into consideration under clause (g) of sub-section (2); the form and procedure for conducting audits under sub-section (3); the manner of registration of auditors under sub-section (4); criteria on the basis of which rating in the form of a data trust score may be assigned to a data fiduciary under sub-section (6) of section 29;

(g) the manner for submission of privacy by design policy under sub-section (2) of section 22.”

It must be noted that these are regulations to be made, not rules, meaning that such matters (auditors, privacy by design and the DTS) are to be directly controlled and monitored by the Authority. The Authority may, by notification, make regulations consistent with the Act and rules to implement the DTS provisions.

Evaluation of fiduciary by Data Auditor

As per Section 29 of the bill, a significant data fiduciary shall have its policies and the conduct of its processing of personal data audited annually by an independent data auditor. Further, the Authority[vi] has the power to direct any data fiduciary to get an audit carried out by an appointed data auditor if it is of the view that the data fiduciary is processing personal data in a manner likely to cause harm to a data principal. We can therefore deduce that an annual audit is mandatory for all significant data fiduciaries, while for others it depends on the performance of the fiduciary as observed by the Authority. Such directions should normally be issued in writing, and the procedure could be part of the regulations.

The parameters to be used by a data auditor to evaluate the compliance of a data fiduciary include “(a) clarity and effectiveness of notices under section 7; (b) effectiveness of measures adopted under section 22; (c) transparency in relation to processing activities under section 23; (d) security safeguards adopted pursuant to section 24; (e) instances of personal data breach and response of the data fiduciary, including the promptness of notice to the Authority under section 25; (f) timely implementation of processes and effective adherence to obligations under sub-section (3) of section 28; and (g) any other matter as may be specified by regulations.” As this is an inclusive provision, similar parameters could be added through regulations within the principal framework of the bill. It is the responsibility of the Authority not only to notify the forms and procedures for conducting audits but also to appoint, as data auditors under the Act, persons with expertise in information technology, computer systems, data science, data protection or privacy, possessing such qualifications, experience and eligibility, having regard to factors such as independence, integrity and ability, as may be specified by regulations. This provision leads to the formation of a new stream of auditors specialised in privacy law and the relevant technology, selected through entrance examinations and personality tests that could be formulated under the regulations. This is one of the most critical aspects of effective implementation of privacy laws, as these auditors are to carry out compliance audits and then assign the DT score of the registered fiduciaries. In the coming part we shall examine each of the factors prescribed above to explore ways of computing the proposed DTS from those principles.

(To be continued as part 2)

[i] sec. 22(5), PDP bill; [ii] sec. 7(1)(m), ibid; [iii] sec. 23(1)(f), ibid; [iv] sec. 49(2)(c), ibid; [v] sec. 29(7), ibid; [vi] sec. 29(7), ibid

  • M. G. KODANDARAM, IRS, Assistant Director, NACIN (Retd.)

Summit within a Summit

Bengaluru Tech Summit 2020 (BTS 2020) was successfully conducted by the Karnataka Government on November 19, 20 and 21. The summit was inaugurated by the Honourable Prime Minister Mr Narendra Modi, and several dignitaries from India and abroad were part of the proceedings.

BTS 2020 had multiple tracks covering both IT and BT segments, such as One Health, Innovation Corner and Knowledge Hub. The technical discussions covered Drones, Robotics, Cyber Security, Digital Learning, etc. Unfortunately, although Data Protection is an important area affecting both the IT and BT segments and India is on the verge of passing a data protection law, there was no specific coverage of data security in the program. Both the PM and the IT minister referred to Data Security and the forthcoming law in their speeches, underscoring the importance of the topic.

Recognising this void, and so as not to let the Bengaluru Tech Summit go by without a discussion on Data Protection, FDPPI stepped in with its own summit, the Indian Data Protection Summit 2020, holding two high-powered panel discussions on each day covering different Data Protection topics: the law in the pipeline (PDPB 2019), global laws such as GDPR, the professional opportunities emerging because of the new law, the challenges posed by the Schrems II judgement of the EUCJ, the innovative Data Trust Score system in the Indian law, and FDPPI’s own innovation, the Personal Data Protection Standard of India.

Never before in India had such an elaborate public webinar on the subject been held free of charge for participants.

IDPS was covered through six panel discussions involving more than 25 professionals, structured in the following sequence.

  1. Recent Data Breach Incidents and PDPA of India
  2. PDPA of India is not a clone of GDPR
  3. The Challenge of being a DPO
  4. The enigma of cross border data transfer
  5. Data Trust Score the Indian innovation
  6. A Unified Framework for Data Protection Implementation

It was interesting to note that the battery of experienced Data Protection Professionals who participated in the program were all members of FDPPI.

Na.Vijayashankar anchored the entire program and added his enlightening thoughts to the discussion.

The program was highly appreciated by the participants.

During the program, FDPPI also announced its programs, which included:

    1. Certification of Data Protection Professionals
    2. Unified framework for multiple data protection law compliance-PDPSI (Personal Data Protection Standard of India)
    3. Launching of the Data Disputes Mediation and Arbitration Center on an Online platform
    4. Launching of an annual award for “Champion Data Protection Professional” along with “Champion Data Protection Team” and “Champion Data Protection Organization”.
    5. Launching of the Data Protection Journal of India as a quarterly journal from the next quarter

The IDPS will be repeated each year and is likely to become a flagship event in the field of Data Protection in India in the coming years.

Naavi


Indian Data Protection Summit 2020: Day 3 of 3

The second day of IDPS 2020 was successfully concluded with two panel discussions, one on Data Protection Officers and another on Cross Border Transfer of Data.

The summit will conclude tomorrow with a discussion on Data Trust Score and PDPSI.

Naavi


Indian Data Protection Summit 2020: Day 2 of 3

IDPS 2020, the three-day Indian Data Protection Summit 2020, was successfully launched yesterday, the 19th November 2020.

IDPS 2020 is being held concurrently with BTS 2020 (Bengaluru Tech Summit) as a virtual summit on the Zoom platform.

The program started at 2.00 pm with Naavi introducing the event along with the objectives of FDPPI. During his brief introduction Naavi highlighted the following projects of FDPPI.

    1. Certification Programs for “Certified Data Protection Professional-Module I”, “Certified Data Protection Professional-Module G”, and the forthcoming modules of Technology, Audit and Behavioural Skills.
    2. Introduction of an Implementation Framework “PDPSI” or “Personal Data Protection Standard of India” as a unified framework for implementation of multiple data protection laws in an organization.
    3. Introduction of the “Online Data Disputes Mediation and Arbitration Center” (Online DDMAC) as a platform for resolving data disputes between individuals and organizations as well as between one organization and another.
    4. Institution of an integrated annual award, firstly for an individual as “Champion Data Protection Professional” in India, along with recognition for the “Champion Team” supporting the individual and the “Champion Organization” supporting the team.
    5. Introduction of a Quarterly journal “Data Protection Journal of India” to be a helping hand for knowledge dissemination within his organization.

Naavi’s talk was followed by two panel discussions.

The first panel discussion was on “Recent Data Breach Incidents and PDPA of India”, where the experts Mr Sudarshan Mandyam, Ritesh Bhatia and Dr Mahendra Limaye discussed some of the recent data breach incidents in India and introduced the proposed Personal Data Protection Act of India.

The second panel discussion followed, on the theme “PDPA of India is not a Clone of GDPR”, and further explored the proposed Indian Act in comparison with the GDPR.

The program was well received.

IDPS will continue today with two more sessions, the first starting at 11.00 am (90 minutes) and the second at 4.00 pm (90 minutes). These sessions will discuss “The Challenges of being a DPO” and “The Enigma of Cross Border Data Transfer”.

Experts Ms Bhimesh Karadi, Anil Chiplunkar, Satish Kumar Dwibhashi and Sameer Mathur will constitute the first panel, and Rajesh Vishwanathan, Nagendra Javagal and S. P. Arya will constitute the second panel.

We look forward to professionals attending today’s sessions in good numbers.

The session is free to attend and the link information is available here:

Naavi

P.S: In case you are attending the Bengaluru Tech Summit 2020, do not forget to visit our stall.

Indian Data Protection Summit 2020: Day 1 of 3

Participation is free. Join on the above meeting room on Zoom platform or watch on You Tube channel.

The complete program is as follows:

The speakers conducting panel discussions are as follows:

P.S: In case you are attending the Bengaluru Tech Summit 2020, do not forget to visit our stall.

Naavi

“Next is Now” summit will open tomorrow

The Karnataka Government is conducting its flagship annual IT-BT conference as a virtual conference this year. The conference is titled Bengaluru Tech Summit 2020 (BTS 2020) and will be held between 19th and 21st November. The theme of the summit is “Next is Now”.

Honourable Prime Minister of India, Mr Narendra Modi would be inaugurating the Bengaluru Tech Summit 2020 set to open tomorrow.

FDPPI has taken a stall and is interacting with the participants.

The stall will display the activities of FDPPI and distribute material relevant to the activities.

Concurrently with BTS 2020, FDPPI is also conducting the Indian Data Protection Summit (IDPS 2020). This summit will also be virtual and will be available both on the Zoom platform and via YouTube webcast.

There will be six panel discussions covering different topics of interest.

Participation in IDPS 2020 is free. Registrants on the FDPPI website have been sent the Zoom link. The sessions will be webcast on YouTube simultaneously.

The link to the Zoom sessions has already been distributed through the social media contacts of FDPPI members.

The webcast will be available on the YouTube channel here:

https://www.youtube.com/naavi9

The six sessions will be managed by experienced professionals and members of FDPPI.

Naavi would anchor the sessions.

The event is sponsored by Ujvala Consultants and Co-Sponsored by Redwood Learning and Sysman Computers.

CIO association of India is also supporting the event.

We hope the public attends IDPS 2020 in large numbers and makes the event a success.

Naavi

Indian Data Protection Summit 2020 (IDPS2020)

FDPPI has embarked on a major project of conducting a virtual Data Protection Summit on November 19th, 20th and 21st of 2020.

The Summit will consist of six sessions, two on each of the three days, each of 90 minutes.

Timings will be 11.00 am to 12.30 pm and 4.00 pm to 5.30 pm.

The meeting will be on Zoom and will be free.

The Summit will discuss different topics relevant to the Indian Data Protection domain.

The tentative program is as follows:

Session 1: Recent Data Breach Incidents and PDPA of India (Nov 19th 11.00 am)

Session 2: PDPA of India is not a clone of GDPR (Nov 19th 4.00 pm)

Session 3: The Challenge of being a DPO (Nov 20th 11.00 am)

Session 4: The enigma of cross border data transfer (Nov 20th 4.00 pm)

Session 5: Data Trust Score the Indian innovation (Nov 20th 11.00 am)

Session 6: A Unified Framework for Data Protection Implementation (Nov 20th 4.00 pm)

The sessions will be conducted as Panel discussions with experts in the industry and will be anchored by Naavi.

Watch out for more information here.

(Please register here for receiving the invitation)

Naavi


Data Disputes Mediation and Arbitration Center of FDPPI shaping up

Disputes are an inevitable part of every business, and organizations need to find a way to resolve them and move forward.

Disputes could be between an organization and its employees, an organization and its customers, or an organization and its business associates.

Normally contracts provide for dispute resolution by stating that it is subject to the “Jurisdiction of Courts in ….”. Most of the time the dominant party specifies the jurisdiction of its own country. This may not be convenient for customers, and hence dispute resolution through the courts is, most of the time, a non-existent remedy in a contract.

The better option therefore is to add to the contract that disputes will be resolved through an ADR (Alternative Dispute Resolution) process such as Mediation and Arbitration.

ADR is handled by domain experts and, if agreed to by the parties, can be binding.

FDPPI, being a domain expert in ADR, intends to set up a “Data Disputes Mediation and Arbitration Center” (DDMAC).

DDMAC proposes to use the ODR platform offered as a service by www.odrglobal.in, which provides a turnkey service including the digital platform, back-end support services and registrar service. Where required, it will provide support for recording the proceedings with a Section 65B certificate from the Cyber Evidence Archival Center (www.ceac.in).

Under the upcoming Indian PDPA, Data Fiduciaries are required to set up a “Grievance Redressal Mechanism”, and FDPPI endeavours to provide this support.

Initially FDPPI will accept “Mediation” requests. In due course, “With Recourse Arbitration” will be provided as an extended service of the DDMAC. Under this service, arbitration will be provided without prejudice to the remedies available under the PDPA in the form of “Adjudication”.

FDPPI’s DDMAC will be an ODR platform running on the odrglobal.in infrastructure. The Arbitrators will be drawn from supporting members who have the necessary expertise and declare themselves available as Arbitrators.

Cyber Law College will be conducting a training program on the Indian Arbitration Act 1996, for which a schedule will be announced shortly. Professionals who are already trained mediators or arbitrators through programs conducted by other organizations are welcome to register as supporting members of FDPPI and offer their services as Arbitrators.

Watch out for more details.

Naavi


When Will my time come?..and are we ready?

Data breaches are happening every day, exposing companies to major data disasters. When the Indian Personal Data Protection Act becomes law in early 2021, are we ready to meet the consequences?

FDPPI presents you an opportunity to share your thoughts on how your company is preparing for PDPA compliance in India.


P.S: Participation in this survey is voluntary. Provision of the contact information is also voluntary. The information submitted will be used for the purpose of understanding the requirements of the industry.


FDPPI Certification for Module G Second Batch to open shortly
