What is a Data Governance Framework?

(This is a continuation of the earlier article)

The Government of India has constituted a committee to deliberate on “Data Governance Framework”.

The notification of the committee has defined the “Terms of Reference” as

  1. To Study various issues relating to Non-Personal Data
  2. To Make specific suggestions for consideration of the Central Government on regulation of Non Personal Data

Accordingly, what the Government is looking at is a suggestion on “Regulation of Non Personal Data”.

The next question that arises is what is “Non Personal Data” and what are the “Issues relating to Non Personal Data”?

If we look at the preamble to the formation of the committee, there is a reference to the SriKrishna Committee recommendations and its reference to “Aggregation of Personal Data” and the “Generation of Community data through aggregation of individual data”.

The title of the notification, the preamble and the terms of reference do not seem to converge on the same thought, and hence the committee will have to start by first clarifying what it proposes to do.

A general meaning of “Data Governance Framework” (DGF) would be a standard methodology by which data can be managed in an organization from its generation to disposal.

The elements of such a DGF would cover the process of collection, processing, storage, transmission, security, exploitation etc.

Today we are managing data by classifying it either as Corporate Data or Personal Data. Before the advent of Data Protection regulations, the emphasis was mainly on “Protection of all Data” that an enterprise controls.

The treatment of data was basically like an “Asset” for which the enterprise has spent resources to collect and therefore it needs to be kept confidential and protected from it being stolen.

Since Data is used as a tool for business decision making, it was essential for data to be made “Reliable” for decision making and hence the Availability and Integrity was important and they became part of the CIA triad of Information Security. As the legal perspective developed, Authentication and Non Repudiation got added to the objectives.

This approach covered all data and included the “Personal Data” which was also protected.

The emergence of stringent laws such as GDPR changed the focus of Information Security and today, protecting “Personal Information” gets more attention than protecting “Information” in general. The DPO therefore is gaining more prominence than the CISO in an organization, since his role extends beyond the organization and also that under GDPR he enjoys certain immunity against management action to remove him unfairly.

As a result of the data protection regulations, the “Data Governance Framework” has to address these regulations and follow the prescriptions provided there in.

Data protection regulations like GDPR are completely devoid of a realization that “Data” is a “Raw Material” for businesses, and the attempt to ignore this aspect makes the regulations impractical to be appreciated by business managers. Though PDPA (Personal Data Protection Act of India) is a little more considerate of business, the window for business exploitation of “Personal Data” is very narrow under GDPR. The Californian Consumer Protection Law recognizes that Personal Data is a “Property” and the data subject can provide his consent for its sale.

For an organization, accommodating the different personal data protection laws along with its own “legitimate interests”, is a big challenge which the “Data Governance Framework” needs to address.

It is not clear if the Kris Gopalakrishna Committee is likely to address the Data Governance in this context.

Readers of this site are familiar with the proposition of PDPSI, or Personal Data Protection Standard of India, which tries to provide a “Framework” for Personal data protection which inter alia is a “Personal Data Governance Framework”.

Now what is required is to add the “Corporate Data Protection Standard” to PDPSI to arrive at the “Integrated Data Protection Standard which will also be the Data Governance Model for the enterprise” which has both personal data and corporate data.

The terms of reference of the committee refer to “Non Personal data”, which is obviously part of the total data but is not personal data governed by the personal data protection regulations.

Whether this “Non Personal Data” can be considered simply as “Corporate Data”, with the Data Governance model built as a combination of “Personal Data Governance” plus “Corporate Data Governance”, is one option which the committee can consider.

Obviously this “Corporate Data Governance” will have to focus on the CIA triad since it is the Data property of the enterprise.

However, the Srikrishna Committee which is the basis for this Kris Gopalakrishna committee as per the preamble, flagged a different aspect of Data to be brought under regulatory provisions.

The concept which the Srikrishna Committee flagged was “Community Privacy”, which was the need to protect aggregated personal data. Such aggregated personal data might have been collected individually under a “Consent” regime and hence may be covered under the Personal Data Governance model which complies with the GDPR/PDPA etc.

What the Srikrishna committee was referring to was the recognition of the concept of “Dynamic Data” which we highlighted earlier and explained in the following two articles.

  1. Data Processors may be able to create a Diamond out of Charcoal…
  2. The theory of Dynamic Data

I request readers to spend some time trying to assimilate the thoughts that may be buried in these articles which are relevant for our discussion on what the Kris Gopalakrishna Committee is expected to do.

The basic idea I have tried to explain in these articles is that the concept of Personal Data as we now try to apply it may need a re-look. Personal Data is not like a PDF document that exists containing the name, address etc. of an individual, to be classified as either “Personal data” or “Sensitive personal data” and subjected to the controls of Governance.

Within an organization, “Data is Dynamic”. It starts with a few elements of data which, like a rolling snowball, soon acquires other data around it and becomes significant.

This change of the nature and value of personal data into something else by aggregation or derivation is what the Srikrishna committee recognized as “Community Data” and suggested a legislative framework to be explored beyond PDPA.

Ideally this exploration should have been entrusted to Justice Srikrishna himself since he could have then created a legislation which was seamlessly integrated to the PDPA. Instead we now have a corporate committee sitting to develop a new legislation which is a complicated legal challenge.

The industry is interested in protecting its “Right to Process Data” and make money out of it. This includes the “Right to Sell Personal Data of its customers” either in the raw form in which it is supplied by the data subjects or in a modified value added form which the enterprise develops through its own investment.

The GDPR was clearly ambiguous in its approach because it could lead to an interpretation that when the data subject requires portability or erasure of his data, it extends not only to the data supplied by the data subject but also the data derived by the organization in the form of a “Profile”.

It is in this context that we had raised the issue of if the data subject has given charcoal and the data processor has created diamond out of it, when a portability request is received, how fair it would be to demand that the diamond be returned.

The Kris Gopalakrishna Committee has to find an answer to this dilemma.

In our theory of Dynamic Data, we have also raised the issue of “Data being a stream of binary expressions” and all other forms of data are “Interpretations of the software and hardware”. We are receiving the “Consent” for the data to be used for a purpose but more often the data processor discovers new uses of the data for which no consent has been obtained earlier. GDPR simply disposes of this challenge saying that let the data processor/controller obtain new additional consent without understanding the practical difficulties in building a business with such a rigid control of purpose.

Many times, the controller/processor need not do any specific processing routine for the raw data to acquire value over time like the value of wine that increases with age. One example of this is the CEAC Drop Box concept of Naavi or even the Webarchive.org service.

Recognizing that data changes its status by efflux of time as well as by aggregation, application of data analytics etc., and providing room for their usage, is part of the Data Governance legislation that this committee needs to address.

Whether “Anonymization” addresses all requirements of a Big Data Company or there are specific instances under which identifiable personal data also needs to be aggregated are issues to be debated and provided for in the Data Governance Framework.

The Data Governance Framework also needs to address the “Data Laundering” that happens through mergers and acquisitions, as we recently highlighted in the TransUnion CIBIL case.

The Data Governance Framework also needs to address the need for “Data Sovereignty” which will have an impact on Data Localization.

Thus it appears that the Terms of Reference is too sketchy and needs to be expanded further. At the same time, for all the issues mentioned here, the constitution of the Committee will be ill equipped to debate and arrive at the right decisions.

Now that the committee has already been announced with a former CEO of an IT Company as its head, it is impossible to bring in a heavyweight Judicial person like Justice Srikrishna. But none of the present committee members represent the Techno-legal experience required to interpret the status of different kinds of data and how data changes status etc.

We need to wait and see whether, like in the case of the Srikrishna Committee, it holds consultations with the public, presents a draft report for further discussion etc. On the other hand, if it just meets a couple of times and releases a NASSCOM draft as its report, then there could be conflicts with the PDPA.

Let’s wait and watch.

Naavi

Reference

Data Governance Framework

Infosys Data Governance

Posted in Cyber Law | Leave a comment

A2H … Is this a new Insurance Fraud?

Today, I received a new proposal by phone from a person representing A2H health services, stating that he is speaking on behalf of Citi Bank and extending the service I am presently using with them.

The details of the proposal were as follows (E-mail received from venkata2hindia@gmail.com):

Quote:


Dear Sir,

This plan is a combined package of Preventive Health Check-ups and Medical discount card packages. Preventive Health Check-up with 60 tests are most essential tests designed by medical experts which includes tests related to your heart, Kidney, Liver and other vital organs of human body. Any malfunction in the health status will be clearly highlighted in the report which helps in taking precautionary measures to maintain good health status.

Card Benefits

  • Covers four members in the family
  • Members will be provided with health check packages and four med cards
  • 4 packages will be provided for your family members only.
  • Being proactive in taking care of health is the best way to reduce all unforeseen medical expenses.
  • Access your full body health check report @ Home.
  • Avail doctor tele-consultations
  • Clinics & Hospitals- Consultations & Treatments
    Access the best Clinics, Hospitals, Super specialty hospitals & Multi Specialty hospitals with discounts on
    Hospitals, Multi Specialty Hospitals, Clinics & Nursing Homes
    • Consultation   – 50%
    • Treatment       – 30%
    • Labs & Pharmacies

      Access the best chain of labs & Pharmacies to avail up to 20% – 30% discounts

    • Dental treatments 30% discount
    • Age limit (90 days to 100 years)
    • Pregnancy & Maternity coverage
    • All existing diseases will be covered under this plan immediately
    • No waiting period for Pre existing disease like sugar , Heart problem , childhood disabled , cancer , etc
    • Unlimited sum assured
    • 24hrs admission not mandatory
    • Personal accident coverage for the premium payer with 2 lakhs sum assured
    • Motor insurance renewal discount 60% for two wheeler & 4 wheeler on OD value  (4 optional vehicles)

PREMIUM 9980 FOR FAMILY 4 MEMBERS

ALL TREATMENTS  FOR DENTAL CONSULTATION ABSOLUTELY FREE

Meanwhile, we have furnished the detailed benefits of the membership for your reference below.

5 Key Benefits for a family of 4 Members

Benefits       Details

 Unlimited Telephone Consultations with the  doctors through toll free numbers without  hospitalization,avoid all your travel  expenses for going to hospital.Get unlimited tele-consultation with A2H tele-medicine center for any health problems / decision in your family. Be it your normal fever, cold or High BP, Diabetes, Heart problem, etc our doctors will be able to provide the appropriate advice, prescription, motivations / guidance to manage your health better. Our doctors are trained & certified for tele-medicine as per Swiss quality standards and follow a protocol built with an expertise over 15 years to provide effective diagnosis on phone.

5 FREE Hospital Appointments&  consultation for any sort disease and treatments For any further intervention, you can choose to visit a specialists/doctors @ top hospitals like Apollo, Fortis, Max, etc or get a GP consultation at home. This facility is absolutely FREE for 5 times in a year for you and your family.

4 Absolute Free Master Health Checkup for 61 organs
FOUR  FREE comprehensive blood check package with home sample collection facility, each test includes 61 vital tests like Liver, Thyroid, Lipid, Iron deficiency and Diabetic screening.

2  Absolute Free Dental Cleaning, Scaling & Screening packages across A2H Dental partner centers like Apollo White,etc.

Avail TAX benefits under 80D to detect the tax amount for this year.

A2H Discount Cards for both  IPD &OPD

TERMS AND CONDITIONS

  1. SERVICES OFFERED BY Access 2 health care ARE NOT HEALTH INSURANCE POLICIES. The Services provides its Members with discounted services through Medical Service Providers
  2. Coupons / voucher /offers / services issued to you as part of the Services SHALL UNDER NO CIRCUMSTANCES BE REDEEMABLE FOR CASH AT ANY TIME.
  3. Access to health care is entitled, without any liability whatsoever, to refuse, limit, suspend, vary or discontinue the provision of any of the Services at any time for any reasonable cause as ACCESS 2 HEALTH CARE may deem fit.
  4. MEMBERSHIP TERM: Once the initial membership fee and any enrollment, processing or other fee is paid by you and received by ACCESS 2 HEALTH CARE , you will become an ACCESS 2 HEALTH CARE Member and will be entitled to the Services during from such date until the date of expiry stated on the ACCESS 2 HEALTH CARE membership card which will be sent to you.
  5. RENEWAL OF MEMBERSHIP: Members may be informed by ACCESS 2 HEALTH CARE about expiry of membership at least one month in advance of their membership card expiry date. It is the responsibility of the member to ensure that ACCESS 2 HEALTH CARE receives the payment for renewal of membership at least two weeks prior to the membership card expiry date. ACCESS 2 HEALTH CARE is not responsible and assumes no liability for any suspension or cancellation of your access to the Services in the event your renewal payment is delayed or if ACCESS 2 HEALTH CARE is unable to process or cash-in your payment cheque. In case of dishonored cheques, a penalty may be charged. Your access to the Services will be suspended from the expiry date on your current membership card until ACCESS 2 HEALTH CARE receives full payment for your membership for the next year.
  6. LOST CARD: In case of loss of membership card, ACCESS 2 HEALTH CARE will issue you with a duplicate membership card at a charge of Rs. 200 /- per card (plus the applicable taxes). The tenure of the membership will remain as specified in the initial membership card, and will also be stated on the replacement card. You will be solely responsible for any activity that is undertaken through your membership until you report your lost card to ACCESS 2 HEALTH CARE help desk.
  7. Refund policy : Within 15 days from the time of receiving the membership kit, for any clarifications you can reach up to our customer care or write to us seeking clarity; if found not satisfied you will be entitled for 100% refund of the amount paid by you. Please note post utilization of any of the services refund won’t be entertained. In case of full refund within 15 days we will reverse the amount holding a basic processing or service fees which will be communicated at the time of processing the refund.
  8. Medical card : Discounts in consultations / treatments across clinics / hospitals / nursing homes will vary from hospital to hospital and access 2 health care provides you an assistance only with discount card access .
  9. Consultation voucher :To utilize the voucher with in validity time period. If validity time period is exceeded then access 2 health care reserves its right to extend the validity upon customer request by charging a basic fee extra,., Hospital registration charges ( varies from hospital to hospital) if any needs to be borne by the member itself .this package is valid only for OPD consultation and depends upon the availability of the doctor . Hospital reserves its right to put forth the consultation to any available duty doctor or specialist whosoever available during the time of appointment .This package is valid across only Access 2 health care network hospitals. Appointments are subject to availability of doctors and time slots
  10. Dental voucher :To utilize the voucher with in validity time period. If validity time period is exceeded then access 2 health care reserves its right to extend the validity upon customer request by charging a basic fee extra,., Treatment quality and results are sole responsibility of the dentist partner and access to health care is only a facilitator in organizing appointment and is not responsible for the tests results obtained from the dental clinic. If customer’s residence is in non-serviceable area then customer might have to visit the nearest dental clinic on our panel to avail services , details will be provided by the customer care medical officer upon seeking appointment .
  11. Master Health check voucher : To utilize the voucher with in validity time period. If validity time period is exceeded then access 2 health care reserves its right to extend the validity upon customer request by charging a basic fee extra ,.collection of sample , tests quality and reports delivery are sole responsibility of the lab partner and access to health care is only a facilitator in organizing tests and is not responsible for the reports or tests results obtained from the lab partner . If customer’s residence is in non-serviceable area then customer might have to visit the nearest lab partner , details will be provided by the customer care medical officer.

Thanks & Regards

VENKATESH.M

Sr.manager ( A2H)
8939390063
UNQUOTE:

I suspect that the offer is not genuine. The caller collects names and e-mail addresses and suggests the payment of Rs 9980/-, with or without EMI.

I have requested the caller to provide me further details. Some people have already posted adverse information at mouthshut.com on this offer.

I want the public to be aware of this offer. In case the person gives me any evidence on why this offer is genuine, I will post it here.

In case the person does not provide convincing proof that the offer is genuine, it is to be treated as a possible fraud attempt.

I request the law enforcement in Bangalore or other places where such calls are received, to investigate further.

Police may check the number stated above or I may be able to provide more details if the Police wants to investigate.

If anybody has further information on this offer, please let me know.

Naavi


Committee on Data Governance…: Is it relating to Anonymized Personal Data or Non Personal Data?

On September 13, the Government of India constituted a committee of Experts on Data Governance Framework under the chairmanship of Kris Gopalakrishna, Co-Founder Infosys.

Copy of the notification

Constitution of the Committee

The members of the Committee are

  1. Shri Kris Gopalakrishna, Co-Founder of Infosys
  2. Additional Secretary/Joint Secretary, DPIIT (Department of Promotion of Industry and Trade)
  3. Ms Debjani Ghosh. President NASSCOM
  4. Dr Neeta Verma, DG, National Informatics Center
  5. Shri Lalitesh Katragadda, CTO, Avanti Finance
  6. Dr Ponnurangam Kumaraguru, IIIT, Hyderabad (Ed: is it Delhi?)
  7. Shri Parminder Jeet Singh, IT for Change
  8. Shri Gopalakrishna S, Joint Secretary, MeitY

Terms of Reference

The terms of reference of the committee are

  1. To Study various issues relating to Non-Personal Data
  2. To Make specific suggestions for consideration of the Central Government on regulation of Non Personal Data

Concept of Privacy of Community Data

The initial paragraphs of the notification recall the work of the SriKrishna Committee and refer to “Community Data”.

The SriKrishna Committee had commented

“Community data relates to a group dimension of privacy and is a suggested extension of our data protection framework. It is a body of data that has been sourced from multiple individuals, over which a juristic entity may exercise rights. Such data is akin to a common natural resource, where ownership is difficult to ascertain due to its diffused nature across several individual entities. It is relevant for understanding public behaviour, preferences and making decisions for the benefit of the community”

The Committee had gone on to suggest that the Government may consider a law to recognize the phenomenon where personal data of individuals gets aggregated (eg: Google Map data) and becomes useful to the community, but is beyond the control of the individuals for regulation under the PDPA.

It had flagged the possibility that Individuals may not be aware of what their data can disclose when aggregated with billions of other data points. This data is analysed by algorithms and produces reliable data which helps produce other indicators that are of help to the community.

However, the Committee noted that an individual’s sharing of data in some of these cases automatically shares the data of his/her spouse, friends and family without their consent. It also flagged the possibility that companies collecting such data can make use of it as “Big Data” and derive some pattern of behaviour of the community, and hence the “community privacy” was at risk.

The Committee noted :

“A suitable law will facilitate collective protection of privacy by including a principled basis for according protection to an identifiable community that has contributed to community data. This will take the form of class action remedies for certain kinds of data breaches involving community data with diffused social and systemic harm. Tools like group communication and sanction may be envisaged. Such protection will take into account any intellectual property ownership of the juristic entity.”

It therefore appears that the Government has now taken a follow-up action on the recommendations of the Sri Krishna Committee by constituting the Kris Gopalakrishna Committee.

However, if we look at the “Terms of Reference”, it indicates that the notification refers to “Non Personal Data” and not “Personal Data”.

We understand that “Personal Data” becomes “Non Personal Data” through a process of “Anonymization”. It is the aggregation of this anonymized data that creates the Big Data business of Google Maps et al.

What the SriKrishna Committee was concerned with was the “Identifiable nature of the shared personal data which becomes the aggregated identifiable personal data of a group”, and it suggested that the “Privacy laws” should grow from protection of “Individually identifiable personal information” to “Individual group identifiable activity information”.

It appeared that the intention of Justice Srikrishna was that, just as we identify the “Right of an Individual to Privacy”, we should identify the “Right of the Family Group” or the “Larger community” to be able to protect the “Community Privacy”.

This concept of “Community Privacy” is not what the current regulations of “Privacy” as a fundamental right of an individual can address. Hence a separate legislative framework was suggested.

It appears that the Terms of Reference does not capture this intention correctly.

Inadequacy of the Constitution of the Committee

It may be noted that the point raised by Justice SriKrishna is a complex legal issue which requires a careful accommodation of the Puttaswamy Judgement as well as the provisions of PDPA. It is not simply a “Technology or Business Promotion Issue” though the stake of business is involved.

Hence, the constitution of the committee, as if the issue were one of the Big Data Industry, by having only business interests represented therein, is not considered correct.

It must be noted that PDPA had serious opposition from NASSCOM as regards the “Data Localization” aspect, and the objection was serious enough for its proxy member in the SriKrishna Committee (DSCI) to record a dissenting note in the report itself. NASSCOM will now have an influence on this committee’s report and will definitely reflect the business interests of MNCs.

The committee also includes the secretary of DPIIT, another industry representative from Avanti Finance (the board of which consists of Ratan Tata and Nandan Nilekani), a representative from IT for Change which is an NGO, Mr Kumaraguru, an academician, besides the representatives from NIC and MeitY.

The constitution of the committee therefore appears to be inadequate/inappropriate considering the legal issues on which this new committee may trample. Considering the involvement of business interests, it would not be surprising if it reflected the Big Data industry view and ignored the conflicts with the Privacy and Data Protection requirements. There could therefore be conflicts with the PDPA.

Theory of Dynamic Personal Data

It should be pointed out that we at Naavi.org had flagged this issue in March 2018 when introducing the “Theory of Dynamic Personal Data”. There is a need for industry observers to take a second look at the idea that was discussed here, which was expanded in some of the later articles on GDPR. The theory as propounded may be raw, but it has an idea that is relevant to the “Community Privacy” issue that was raised by Justice SriKrishna.

We will highlight some of the issues in our subsequent articles in this series. Watch out for more on this topic here.

(Continued)

Naavi

Reference Articles:

Data Processors may be able to create a Diamond out of Charcoal..if Indian Data Protection Act is innovatively drafted



PubG deserves to be shut down

The gory incident of a boy in Belgaum, Karnataka, beheading his father for not allowing him to play PubG Mobile has shocked all sane persons and brought the focus back on the ill effects of Mobile Game Addiction on the youth of the country.

While participating in a TV discussion today, I was surprised at the number of calls received from different parts of Karnataka pleading with the channel to do something to get PubG banned to save the youngsters who have become addicted to the game.

In the past, we have discussed the adverse effect of BlueWhale and urged the Government to take suitable action including identification and removal of dangerous games like the Bluewhale. It appears that PubG (Player Unknown’s Battle Grounds) is far more dangerous than Blue Whale.

Blue Whale used a process of cyber hypnotizing the player and leading him to commit suicide. But it required a mentor to carry out its design and appears to have petered out after the arrest of the founder.

In the Belgaum incident, the boy planned out the murder of his father in a gory manner and locked up his mother first before assaulting the father and chopping off his head and hands. The anger that he displayed is surprising and indicates the profound impact the Game has created on the boy.

Some of the other incidents reported include the following:

  1. A 20-year-old boy from Jagitial, Telangana died after playing PUBG Mobile for 45 days. After suffering intense neck pain, he was taken to the hospital where the doctors found the nerves in the neck were damaged. The boy died while undergoing treatment.
  2. In a recent report, a boy from Chhindwara in Madhya Pradesh accidentally drank acid mistaking it for water while playing PUBG. He was rushed to the hospital and doctors have now said that his condition is out of danger.
  3. Two persons who were busy playing PUBG on train tracks were knocked down by a train. The incident happened in Hingoli district in Maharashtra. They were run over by a Hyderabad-Ajmer train. An accidental death report was filed.
  4. A fitness trainer from Jammu allegedly started hitting himself after losing at PUBG. He was reportedly playing the battle royale game for 10 days. Doctors state that although he is recognising people, he is still not very conscious and still under the influence of the PUBG game.
  5. In another incident, a boy died of Cardiac Arrest after playing the game continuously for 6 hours.

There have been many more incidents reported where the adolescents have shown violent reactions when asked to stop playing the game. Many have dropped out of their colleges out of the addiction.

As the clamour for the game to be banned grows, PUBG is preparing to release Mobile Season 9 on September 13. Before the launch of this new version, certain challenges have been thrown up to offer some freebies to the players, and this may be the cause of a rush in completing the assignments, leading to the violent behaviours we have seen.

The National Child Rights Commission has stated that the game should be banned because of its violent nature.

In some of the States, PUBG has already been banned. There have been as many as 10 arrests for people accused of playing an online game despite the ban being enforced.

However, the ban has not been effective partly because the game is a downloadable game and once downloaded, it stays in the mobile even if further downloads are prevented.

The time has come for MeitY to recognize that this game deserves to be banned completely to protect the youth.

Some may wonder, what is the use of banning a game when many more similar games may sprout up. Some want to blame the parents of these players (most of them are boys in the 17-19 years of age) for their failure to stop the addiction without understanding that parents are not expert psychological counsellors and if they attempt to correct the behaviour of these addicted kids, more violent backlashes will happen.

In the case of Bluewhale the affected kids were of lesser age and some corrective action could be taken by schools. But PubG addiction appears to be more among young adults who are out of school, and therefore it is difficult to counsel them in the schools or colleges, though an effort can be made.

One of the features of the game reported by a person was that the game gives an option to name the enemies with real world persons before killing them in the battles. This feature of the game makes it possible for the gamer to name the characters after people around him like their parents or friends or teachers and go about to kill them in the virtual game to derive a satisfaction. The problem however is that this may incite them as in the case of the Belgaum incident to commit the killing in the real world instead of the Cyber world.

This feature of the game may therefore be considered as “Inciting Violence against living persons” and could be a valid reason to ban the game.

It is reported that the Jordan Government has already banned the game in their country.

We urge the ministry to immediately issue an order under Section 79 of ITA 2000 declaring this game harmful to society and bringing it down from the Play Store. Simultaneously, all MSPs should be ordered to disable the game on any mobile where it has already been downloaded. This of course needs to be done through an order of the Government in the interest of the community.

We therefore appeal to Mr Ravi Shankar Prasad, the honourable minister of IT in the Central Government to take immediate action in this regard to get the game banned.

To prevent the sprouting of similar games, the Government should set up a “Controller of Online Games” to monitor such dangerous games and take immediate action to get them removed.

We also urge the responsible people in the community, like parents, teachers and child rights activists, to approach their respective MPs to take up the request with Mr R S Prasad and push for action.

We also urge the media to take up a sustained campaign on an all India level to ensure that the issue gets the attention of the Government of India immediately.

Naavi


PDPSI Vs ISO 27701 Vs BS 10012

PIMS (Personal Information Management System) is the next buzzword in the Information Security domain that will be discussed by Data Protection professionals.

Presently, two international frameworks, namely BS 10012 and ISO 27701, are available for us to follow. The undersigned has, however, developed a separate framework titled the Personal Data Protection Standard of India (PDPSI), which has been developed with the exclusive idea of assisting Indian organizations, and more particularly the SMEs and MSMEs.

It is our belief that an Information Security Framework is developed by experts in order to guide the community in adopting it as a business practice that benefits the organization. When multiple organizations adopt a good framework of information security, the community as a whole benefits.

Such a framework should be “Open Source” and not looked upon as a cash cow by charging exorbitant fees for community members to learn what the best practice to follow is.

Whether it is BS 10012 or ISO 27701, it costs around Rs 13000/- each to acquire and read. ISO 27701 makes normative reference to four other standards, namely ISO 27000, ISO 27001, ISO 27002 and ISO 29100. To understand ISO 27701 we therefore need to acquire and study all these collateral documents as well. Fortunately, BS 10012 does not have any normative references.

Those organizations which are considering a PIMS now and do not have earlier ISO implementations therefore need to spend significant money just to acquire a document that lists out the suggested practices. Interpretation and implementation through a consultant is an additional expense.

Basically these frameworks list out the broad outlines of compliance requirements as follows:

1. Leadership
2. Planning
3. Support
4. Operation
5. Performance evaluation
6. Improvement

ISO 27701 continues with specific guidance related to ISO 27001 and ISO 27002, as well as guidance directed to Controllers and Processors.

PDPSI incorporates all these principles, though the document is still under development. In principle, PDPSI focuses on five foundation principles represented by the following diagram.

This model compresses the usual technical controls into one segment and all policy controls into a second segment. The need to manage the human element is packed into the third segment. Leadership, commitment, etc. are clubbed under Responsibilities. The classification of data is considered a separate foundation requirement, which also defines the scope of the implementation.

PDPSI recommends a “Distributed Implementation Leadership with a Top level policy leadership along with a designated person for accountability”.

For those who are accustomed to the specific format of the ISO/BS standards, PDPSI appears as a raw document. The salient features of PDPSI are explained at www.pdpsi.in

The normative references (to keep to the familiar term) are made to IISF 309 (Indian Information Security Framework), the Theory of Information Security Motivation, and Naavi’s pyramid model of Prioritization of Information Security objectives.

The Classification model is depicted in the following diagram.

The classification of the data incorporates the “Subject Laws” so that PI-GDPR is classified differently from PI-PDPA.

The measurability aspect will point to a “Data Trust Score”, for which one of the recommended approaches is Naavi’s 5X5 DTS system indicated below.

The distributed model of responsibility sharing is reflected in the Governance model indicated below. (Explained in greater detail on www.pdpsi.in)

Overall, PDPSI attempts to cover the principles inherent in both ISO 27701 and BS 10012 and provides a greater focus for an Indian organization, with a few innovations thrown in between.

Once PDPSI is fully developed with the assistance of other professionals who are well versed in ISO/BS but are mentally free to pursue a more “Made in India” framework, it could be adopted widely.

In the meantime, some of the principles enunciated in PDPSI are expected to become part of the ISO/BS standards in their revised versions. Also, the Data Protection Authority of India, which is likely to come up in 2020, may adopt most of the principles under PDPSI as the suggested framework under the PDPA.

In the meantime, Naavi.org will continue to develop this concept, which is already being applied by Naavi wherever it is relevant.

Naavi


We need Insurance against Traffic Fines…Mr Gadkari, are you listening?

Mr Nitin Gadkari is set to lose all the popularity he had gained in the last few years for his work as a minister, over his quixotic decision to raise traffic fines to astronomical levels.

While creating deterrence against drunken driving, rash driving, etc. is necessary, an across-the-board increase of fines, such as for not wearing a helmet or not wearing a seat belt, was unwarranted.

Traffic offences ideally have to be classified into two important categories: offences that endanger third parties, and offences which affect only the individual vehicle user's own safety. Helmet and seat belt offences fall in the second category. Penalties have to be lower for the second category since the rule exists only to promote the user's own safety and a violation has no impact on others.

The non-maintenance of roads leading to potholes and consequential accidents should be treated as traffic offences committed by the civic bodies, and they should be fined at a higher level because their negligence affects the community as a whole. Similarly, invisible no-parking signs, non-working traffic lights, etc. also cause problems for those who essentially follow the law.

In the last two days there have been reports of one fine of Rs 87500/- on a truck driver and Rs 47500/- on an auto driver. Notwithstanding the offence, these fines are insane. Mr Gadkari should bear direct responsibility for such a situation and be answerable to the voters in Maharashtra. Shiv Sena should have a cakewalk in the elections if they make this MV Act an election issue.

I have always held that such crazy levels of fines will only increase the level of corruption in the Police. It is early days, and the Police may now be accounting for the fines, with the department increasing its revenue by a few lakhs each day in major towns. Soon the fine collection will start stagnating and get converted into bribes to the Police. The Police will pass on a part of their loot to the politicians as well, and therefore the corrupt system will grow with political patronage.

Instead of targeting consumers by increasing the fines, I want Mr Nitin Gadkari to do something that is beneficial to road users. One such requirement is to check the toll booth contracts, many of which should have ended over time but are continuing without any maintenance of the roads. Recently, I had occasion to travel on the Nice Road in Bangalore towards Magadi and found the road full of potholes, just like the city roads. One wonders why we need to pay any fees for such roads. Is the Transport ministry not responsible for these?

Some time back, some ill-informed politicians in Karnataka went against Uber and Ola and taxed them as taxi operators, which resulted in an increase in the rentals for the consumer. Similarly, these fines will also increase Uber/Ola rates, since the companies have to factor the fines in as a regular expense. The truck operators would also factor some fines into their costs, and the cost of goods transport will go up as well.

Mr Nitin Gadkari will be solely responsible for this increase in transport related costs.

Vehicle Insurance should include Traffic Fines

While these criticisms are well known and understood by all except the egoistic politicians who do not want to correct their mistakes, the main purpose of writing this article is to bring to the notice of Mr Gadkari and others, including Mr Modi, that there is an urgent need to introduce a component of “Insurance against Traffic Fines” as part of vehicle insurance.

Since the new fines have the effect of “Deterrence”, accidents will come down (or should come down). This should reduce vehicle insurance claims. Insurance companies should therefore be persuaded to reduce the insurance premium on all existing policies.

Additionally the Traffic Fine endorsement should be provided at an extra premium.

Insurance companies today provide such covers for administrative fines under, say, GDPR, or even for extortion under ransomware. If these are acceptable as insurable risks, why not traffic fines?

I would like IRDAI to engage in discussions with the Insurance companies to quickly introduce the coverage on such fines.

If Mr Gadkari is still walking on the ground, he should push the insurance companies into providing such insurance coverage, besides reducing the fines on “Non Third Party Risk Creating offences” to a reasonable level.

I wish a petition were raised in this regard by some public-interested person.

Naavi
