Recently, the Ministry of Communications and Information Technology (MeitY) has come out with a notification under Section 79 A of ITA 2008 indicating the norms for notifying a Government agency as an “Electronic Evidence Examiner”, which a Court can call upon to certify the authenticity of an electronic document that is before the Court as “Evidence”.
The eligible organizations are required to make an application with some information about their credentials. At present, only other Government agencies may apply.
One of the requirements specified in the “Scheme” for notification is that the applicant organization has to be compliant with two international standards ISO/IEC 17025 and ISO/IEC 27037.
The notification essentially means that if an organization wants its forensic practices to be in tune with what the ministry expects for notification, it needs to first understand the specifications under these two standards, then implement them, and then call in one of the accredited ISO certification agencies to review its processes and issue a certificate that it is in compliance with the requirements of these standards.
The specifications are “Proprietary documents” protected under copyright and cost in Swiss Francs, CHF 138 and CHF 158 respectively (1 CHF = Rs 66.98). Therefore, the documents cost around Rs 20,000/-, which is the minimum investment that any organization has to incur in foreign exchange just to know what MeitY wants. It is a normal practice in ISO documents whereby one standard refers to another and so on, so that many times the user needs to buy several ISO documents just to understand one standard. Then, even if the organization is compliant, it needs to get certified by an accredited ISO organization, for which one has to incur an expense of, say, around Rs 3 lakhs. A part of this goes to the Indian consultant and a part may be royalty that goes to ISO.
In 2011, the then ministry had notified rules under Section 43A which required “Reasonable Security Practices” to be followed by all Companies who collect personal and sensitive personal information from the public. This will include all companies today who use Aadhaar information which means perhaps lakhs and lakhs of corporate entities. The Ministry in its notification almost made it mandatory that all these companies will use ISO 27001 standards as the requirement of compliance.
As a result of this notification, which was also placed in the Parliament and was part of the national regulation, a huge benefit running to thousands of crores was potentially passed on to the ISO organization in foreign exchange. When this was pointed out to the ministry officials (refer here), the officials privately agreed that there was no mandate that ISO 27001 compliance could be considered as “Deemed Compliance under Section 43A”, but did not make any change in the notification.
Similarly, recently the Union Health Ministry came out with a notification on EHR standards which needs to be complied with by all IT companies handling health information as well as all hospitals, pharmacies etc., in which reference was made to around 35 ISO standards. Compliance therefore required first acquiring all these standard specifications at a cost in foreign exchange.
It is considered absolutely criminal to suggest to Indian citizens that if they want to follow the laws of the country, they need to buy documents from a foreign agency just to know what the law means. By bringing such references into notifications that are placed and passed in the Indian Parliament, the ministries are actually making the legislators also part of this siphoning away of our money.
This practice should stop notwithstanding the effort required. In the US, the national agency called NIST (National Institute of Standards and Technology) has developed and placed all standards required by the IT industry on its website and allows free download by any person. While the standards are mandatory for the US Government agencies, others can use them as Best Practice. The standard documents are so well written that they are good enough to be followed as a guideline by other countries also.
It is therefore perfectly possible for the Indian Government to completely indigenize the standard specifications by developing our own Information and Information Security standards. It is only in the case of data that needs global mobility that we need to adopt international standards. Some of these may be required in industries such as the health care processing industry, where the health data generated in India may have to be processed abroad. Otherwise none of the “Best Practice Standards” need to be imported. Though there is an attempt to adopt some of these standards under local standard organizations and by nodal agencies, the effort is only half-hearted and not fully adopted.
I therefore urge the Government, and particularly the Ministry of Information Technology, to set up a Committee on IT standards and develop the equivalent of the entire ISO series of standards and the Privacy Standards of various US and EU nations for local use, and publish it as a freely available Indian Standard. In order to avoid Copyright Infringement charges, it will be necessary to individually re-write each of the standards in our own words, just as NIST has done, and we need to do this immediately as we are moving towards the Digital India concept faster than what we earlier envisaged.
The objective should be that all regulatory requirements are codified as “Open Source” and this should be considered as a “Make in India” project for regulatory standards.
If this is not done, then the payment which we make to buy the standard documents will be considered as a “Tax” levied on Indian citizens to meet compliance of Indian law which is mandatory.
This is unlikely to be permitted within our Constitution and if challenged in the Supreme Court is bound to elicit heated opposition to several of the initiatives of the Government.
Further complications can be avoided if the Ministry of IT moves quickly and adopts a policy of writing all standards of Information Security and Quality under the ISO family as new standards in India and provides them as open source. Otherwise the Government should pay some compensation to ISO and provide for mandatory publication of all Standards for free public use.
A decision like this can be taken only by a person of the stature of Mr Modi, just as he took the decision on the demonetization. Now Mr Ravishankar Prasad has an opportunity to do what Mr Modi did in the demonetization issue. Will he rise to the occasion?