Pentagon Model of Personal Data Protection

We have been discussing the different aspects of the Personal Data Protection Standard of India (PDPSI). Over these several articles, we have discussed the philosophy behind the PDPSI and some of the controls that require special mention.

In continuation of our exploration of PDPSI, I would like to present the “Pentagon Model of Personal Data Protection” which provides a quick overview of the PDPSI approach.

The model is presented in the picture above. Naavi has earlier adopted the Pyramid Model for Information Security Implementation and a Pentagon Model for Information Security Motivation.

The pyramid model was appropriate for prioritization, but the closed polygon model was found more suitable to represent Information Security Motivation. A similar model appears appropriate for representing the requirements of Personal Data Protection also.

The difference between the hierarchical model of the pyramid and the closed model of the polygon is that the hierarchical model is meant to be built level by level, while the polygon model requires all wings to be in place simultaneously to close the polygon.

Since “Pentagon” represents security in general, we have adopted the pentagon model and put all requirements identified under PDPSI into the five categories which form the five boundaries of the Personal Data Protection pentagon.

To understand the five elements of the pentagon, let us analyze each of them with reference to our earlier detailed articles.

Element 1: Classification

As we have discussed in detail (Article 1, Article 2), “Data Classification” is the starting point of the exercise and the foundation for a proper construction of Privacy by Design. Data Classification also defines the scope of the compliance exercise, since it maps the data protection law against which compliance needs to be benchmarked.

Element 2: Responsibilities

The responsibilities under PDPSI do not start and end with the DPO. The DPO remains the pivot around whom responsibility is shared across the organization, starting from the Board and the Data Protection Committee at the top down to the “Internal Data Controllers” spread across the organization handling different functional responsibilities. This system of diversified responsibility recognizes the practical problems a DPO would face, particularly in an organization spread across different functions and different geographical locations. Once the functional management of data and its security are in proximity, implementing any policy becomes easier.

Element 3: Tech Controls

Technical controls for information security are well researched, and there is a great deal of knowledge and skill about them in organizations around the world. These controls, in the form of different hardware and software devices/applications, provide solutions for meeting the CIA aspects of information security and the extended concept of accountability, which includes authentication and non-repudiation. Firewalls, IDS, anti-virus, access control, encryption, digital signatures, version control, data leak prevention systems, multi-factor authentication systems, DRP/BCP systems, forensic devices, etc., all form the control tools under this head.

Element 4: Policies

The Policies segment of the pentagon represents all the different policy and procedure documents required under the data protection laws. The Information Security Policy, Privacy Policy, the Notification, Business Associate Policy, Whistle Blower Policy, Legitimate Interest Policy, Incident Management Policy, Data Disclosure cum Breach Notification Policy, Business Agreement Control Policy, HR recruitment, termination and sanction policies, the BYOD and hardware/software purchase policies, the web and email usage policies, documentation policies, etc., are all part of this segment of compliance.

Element 5: Culture

Apart from the technical and legal aspects of compliance addressed by the two preceding elements, the “people” aspect, and in particular the “Behavioural Aspects of People” that affect compliance, is an important issue in itself. This includes awareness building and motivating people to be compliant, along with the incentives and disincentives needed to ensure that a proper “Data Protection Culture” is built in the organization.

While Classification and Responsibility assignment are essentially a one-time exercise (apart from changes that need to be accommodated from time to time), the three other segments require continuous monitoring and may also require different skills and knowledge. In large organizations, three different experts may be required to address these three segments, or the DPO should have the multi-dimensional expertise to cover them.

This model breaks the PDPSI down into five elements for easy management. I suppose that this Pentagon Model of Personal Data Protection would provide some clarity in organizing the Data Protection Compliance exercise in an organization.

Naavi



Drawing Borders for the Borderless Cyber Space

“Internet was born free but is found everywhere in Chains” was a statement made by Naavi in 2002. Several articles were showcased discussing the developments at that time, which may make interesting reading even today. I hope that for students of the philosophy of Cyber Space these articles may be interesting.

However, over the last nearly two decades, things have changed in our society. Many of the apprehensions expressed at that time have come true today. The borderless state of the Internet and the anonymity inherent in its design have now given way to cyber crimes of unlimited proportions across the globe, forcing a rethinking of the “Security issues in Internet”.

While one segment of lawmakers still swears by Privacy and Freedom of Speech over the Internet, there is an equally strong lobby that swears by the need for Security. At present, laws are trying to balance these requirements, though not with complete success.

China started a trend of creating a firewall to segregate Chinese Internet space from the rest through the creation of its own search engine, its own social media, etc., making Google and Facebook redundant.

Now Russia seems to have taken a further step by creating a specific law to build a “Cyber Border” for Russia.

The concept of each sovereign country defining its own Cyber Space and its legal jurisdiction over it started long back, when cyber crime investigations began cutting across borders. So far, attempts have been made to bridge this jurisdictional gap by creating MLATs for cyber crimes to address the issue of cross-border jurisdiction.

However, it is now reported that Russia is adopting a law to isolate “Runet” from the Internet. Naavi has in recent times veered to the view that there is a need for setting up a “Digitally Identified Network” within the “Internet”, which we can call “Internet-S”, where S stands for Secure. The idea is that every Netizen of Internet-S is identified by a system as good as a legally recognized digital signature system with the backing of a sovereign Government. In this world, every Netizen’s activity is mapped to an identified individual.

The Concept of “Regulated Anonymity” which we have discussed repeatedly in Naavi.org advocates that anonymity and privacy in transactions with others can be protected without sacrificing national security if we can create “Trusted Identity Intermediaries” who issue proxy identities but protect national interest under a proper regulated process.

This concept has now become a legal possibility in India with the proposed PDPA 2018 in the form of Data Fiduciaries, though I am personally not sure if this possibility would be recognized by other Privacy professionals in India and the law makers.

Data Localization requirements under the Indian laws also assert the concept of “Data Sovereignty” through PDPA 2018. (Proposed Personal Data Protection Act)

In the meantime, what has happened in Russia is to be recognized as a significant step of redefining the way Internet functions as a “Federation of Net Societies allied with sovereign Governments in the physical space”.

According to the new law reported to have been adopted by the State Duma, in order to protect the Country from external threats, Russia wants to create a “Sovereign Cyber Space” over which it has complete control. (See Report here)

Some of the key provisions in this law include the introduction of a system that will channel Russian internet traffic through government-controlled routing points as well as granting unlimited powers to Roskomnadzor, which will be able to cut off non-complying internet providers. The country’s telecom watchdog will set up a monitoring center that will detect threats and issue instructions. Roskomnadzor will also create and maintain a national domain name system (DNS).

The new legislation is designed to ensure that online data transfers between Russian citizens, businesses and organizations are executed within the country instead of being routed internationally.

The Runet law is scheduled to enter into force in November this year, with the rules governing Russian domains and cryptographic protection of information expected to be introduced on January 1, 2021.

As could be expected, there is opposition to the proposal, which is attacked as a measure of censorship. The counter-argument is very forceful, but it is not clear whether the opposition would be able to scuttle the law. Most probably Mr Putin would push through this legislation, which will become a forerunner to other countries passing similar laws.

If such a law were brought in India, particularly in the present regime of Mr Modi, there would be an immediate outcry from the opposition. Many IS professionals would also feel that this is an extreme step that would curtail freedom of expression on the Internet and democracy itself. Probably they may be right, and India would not go to the extent of passing such laws.

But it is necessary for us to recognize that most of the democratic countries are hypocritical when it comes to their stand on preservation of “Data Sovereignty”. Today “Data Localization” has become a norm, and most countries try to keep data generated within the country confined to its borders. Where countries agree on cross-border data transfers, they impose severe restrictions. Whether they are called Safe Harbour agreements or by any other name, they are like the signing of “Data Transfer Treaties” at the corporate level. Every country wants its own data protection laws applied to personal data generated from within its borders, which makes it necessary for data processors to classify personal data in accordance with the privacy protection laws to which it is subject (refer to the PDPSI Classification and Scope Definition articles).

In a way, we have already drawn borders in cyberspace through the data protection laws of each country, which define norms for protection of the data of their citizens and require data localization within their physical borders. What Russia is set to do is a bolder and more transparent way of expressing that the Cyber Space of a country belongs to its sovereign jurisdiction, and that anybody entering or leaving needs to identify themselves and allow being monitored, like a Cyber Passport and Cyber Visa system.

PDPA 2018 (Draft) provides a perfect legal ground to implement some of the provisions of this Russian Law without the need for modifications to ITA 2000/8.

We need to watch how things develop in India in the next decade, and whether the Russian approach would be replicated in India also, either with a separate law (which is difficult) or with a suitable interpretation of the Data Localization requirements under the current laws.

Naavi


Business Agreement Control-An essential ingredient of PDPSI

This article, posted on April 16, 2019, was deleted in a server crash.

It has now been substituted with a new article here

Naavi


PDPSI-Business Agreement Control

[In continuation of the earlier article/s on PDPSI, we proceed to unravel further details of the Personal Data Protection Standard of India (PDPSI). The objective of the standard is to make available an open-source guideline for Indian companies to comply with privacy and data protection requirements that meet the standards of BS10012 and GDPR as well as the Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]

PDPSI is a standard for “Techno Legal Compliance”. Hence the controls under PDPSI go beyond the usual technical controls such as firewalls, IDS systems, access control, encryption, etc.

The Legal controls include the policy documents such as the Privacy Policy, the Sanction policies in the HR arena etc.

Additionally, it is important for us to recognize that most organizations outsource many of their activities and are also themselves sub-contractors for certain data processing activities.

The regulatory framework envisages that the entire eco-system of personal data processing needs to be accountable for meeting the regulatory compliance requirements. As a result, every organization has a liability to its upstream data provider and imposes liabilities on its downstream data processors. These transfers of responsibility occur through business contracts.

Most of the time, business contracts stop at defining the service requirements and the financial commitments. But in the current regime of data protection, the “Information Security” obligations also need to be defined as a part of such contracts. Thus a Data Collector (First Data Controller) collects personal information under a consent contract, hands over the information to a secondary data controller, who in turn hands it over to the data processor, and so on, all through business contracts.

Hence every organization processing data will have several business contracts that may prescribe its data processing liabilities. It is therefore necessary for the DPO to understand such obligations and factor them into his activities.

Most of the time, these business contracts are executed by business executives without adequate consideration of the information security requirements. Hence the DPO needs to ensure that his requirements are well understood by the business executives, so that every contract is “Compliance Ready”.

Assuming that the business executives do execute such contracts, it is the responsibility of the DPO to keep track of the inventory of “Data Protection Liabilities” arising out of these contracts and to monitor changes that may occur from time to time.

Sometimes there would be difficulties in implementing these requirements, and notices of compromise may have to be exchanged. All such requirements need to be documented for the purpose of compliance.

PDPSI therefore expects that the subject company has a robust policy under which every contract signed in the name of the company is brought on record, serially numbered, and the obligations undertaken are duly noted for compliance throughout the life cycle of the contract.

(To Be continued)

Naavi


Other Reference Articles

  1. A Step beyond BS10012 and GDPR-Personal Data Protection Standard of India-PDPSI
  2. Data Protection Standard of India- (DPSI)
  3. Data Classification is the first and most important element of PDPSI
  4. Why 16 types of Data are indicated in PDPSI?
  5. Implementation Responsibility under Personal Data Protection Standard of India
  6. India to be the hub of International Personal Data Processing…. objective of PDPSI
  7. Principles of PDPSI
  8. Pentagon Model of TISM…An implementation approach to PDPSI implementation
  9. Personal Data Gate Keepers and Internal Data Controllers in Organizations
  10. Legitimate Interest Policy
  11. Implement “My Bhi Chowkidar” policy for Personal Data Protection.
  12. Criticality of the Grievance Redressal Mechanism in PDPSI
  13. Data Breach Notification-What PDPSI expects
  14. Naavi’s Data Trust Score model unleashed in the new year
  15. Naavi’s 5X5 Data Trust Score System…. Some clarifications
  16. Naavi’s Data Trust Score Audit System…allocation of weightages

PDPSI Controls-Data Breach Notification and Data Disclosure Policies

This article, posted on April 15, 2019, was deleted in a server crash.

It has now been substituted with a new article here

Naavi


Data Breach Notification.. What PDPSI expects

[In continuation of the earlier article/s on PDPSI, we proceed to unravel further details of the Personal Data Protection Standard of India (PDPSI). The objective of the standard is to make available an open-source guideline for Indian companies to comply with privacy and data protection requirements that meet the standards of BS10012 and GDPR as well as the Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]

Data Breach Notification is an important responsibility cast on any data processor under every Data Protection regulation. 

Whenever a data breach occurs, the Data Controller/Processor/Data Fiduciary needs to report it to the regulatory authority within a certain time limit and with a certain amount of detail. A failure to report is itself a serious non-compliance issue. Even where the data breach victims may not have any compensation to claim, the regulatory authority may impose a heavy fine on the organization for the data breach, with an enhanced penalty if the breach notification is delayed.

Under GDPR (Article 33), a data controller should report a breach to the supervisory authority within 72 hours. A data processor should report the breach to the data controller “without undue delay” after becoming aware of a personal data breach.

Under PDPA 2018 (Section 32), the time limit is left to be notified by the DPA once the DPA comes into existence.

In the meantime, ITA 2000/8 prescribes “Due Diligence” under Section 79; the time for initiating a grievance redressal mechanism has been prescribed as 36 hours, and the time for taking down disputed information upon receipt of an order from a competent authority is treated as “Immediate”. Under rule 3(9) of the Intermediary Guidelines of 2011, it was mentioned that the intermediary shall report cyber security incidents to CERT-In, but no specific time was specified.

CERT-In separately issued a notification indicating the details of what is to be reported. The time for reporting has to be within a “Reasonable Period”. Apart from this, sectoral regulators like RBI expect banks to report incidents to them, for which they may prescribe different time limits.

All the regulations normally provide that a provisional report can be made immediately and progress reports can be filed later. GDPR provides that the report should be made to the data subjects also. Some regulations, like HIPAA, require reporting through newspaper advertisements and websites.

While we await the DPA of India to provide the time limits for data breach notification, it is necessary for us to recognize that it is not merely the time and content that are important for a data breach report. These are easy to define in a “Data Breach Notification Policy”, which every organization should develop as a part of the control. This is also required under PDPSI.

However, since PDPSI attempts to provide a Data Trust Score (DTS), it is essential for the auditor to assess the quality of the data breach notification policy. If it contains only what is to be reported, to whom and when, it would not be considered an adequate policy.

We must understand that a “Wrong Data Breach Notification” would be disastrous for a company from the point of view of reputation loss, and hence some discretion has to be applied before classifying an event as a “Breach”. This is the most difficult part of a DPO’s responsibility, since some regulations like GDPR expect the DPO to be directly responsible to the supervisory authority, and non-reporting could be a “Breach of Trust” on the part of the DPO.

Security professionals, however, know that after a breach occurs it takes time for it to be detected. First there is a suspicion; then, after a preliminary investigation, the suspicion is confirmed as a “Breach incident”. Within this time there may be a need for an internal investigation, if necessary with forensic intervention. The DPO may not be fully in control of this time frame, and the delay could expose him to a non-compliance charge from the supervisory authority.

In order to ensure that the DPO is not exposed to unintended consequences during such internal deliberation, the “Data Breach Notification Policy” should clearly establish how a breach will be recognized, evaluated and classified. If the company has a “Whistle Blower Policy”, data breach recognition commences with the initial whistle blower’s report. The “Incident Management Policy” should also be integrated with the Data Breach Notification Policy, since the reported incident, after being resolved, needs to be evaluated as to its classification as a “Breach”.

Additionally, all regulations provide that certain law enforcement agencies have the power to demand information, and not providing information when the law requires it has its own penal consequences.

Hence every organization should develop a “Data Disclosure Policy” which addresses how to respond to a “Data Disclosure Requirement”. Such a request can come from a data subject, a police officer, a supervisory authority, a DPA, etc. While the law may be clear on who has the right to ask for the information, and this is easy to incorporate in the policy, the difficult part is establishing the identity of the person requesting the information.

Any disclosure to a wrong person would itself become a “Data Breach”, and hence the “Data Disclosure Policy” has to be aligned with the “Data Breach Notification Policy”, which should in turn be aligned with the Whistle Blower Policy and Incident Management Policy. Since the first report of a data breach may go to a call centre employee, awareness of how to escalate a complaint into a potential incident report should be available to all call centre employees and the perimeter-level personnel who interact with customers.

PDPSI requires the quality of a data breach notification policy to be assessed so that a proper DTS can be assigned.
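The recognition, evaluation and classification lifecycle discussed above, as an added example in Python (not code from the article or from PDPSI): the record enforces the stage order a Data Breach Notification Policy would define and starts the GDPR Article 33 72-hour clock from the classification decision rather than from the first suspicion, so the time the DPO does not control is visible separately. The stage names, the allowed transitions and the sample timeline are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum


class Stage(Enum):
    REPORTED = "reported"            # first report, e.g. whistle blower or call centre
    INCIDENT = "incident"            # accepted under the Incident Management Policy
    INVESTIGATING = "investigating"  # internal / forensic investigation in progress
    BREACH = "breach"                # evaluated and classified as a personal data breach
    NOT_A_BREACH = "not_a_breach"    # evaluated and closed; no notification clock runs


# Allowed transitions (assumed policy); anything else is a lifecycle violation.
NEXT = {
    Stage.REPORTED: {Stage.INCIDENT, Stage.NOT_A_BREACH},
    Stage.INCIDENT: {Stage.INVESTIGATING, Stage.BREACH, Stage.NOT_A_BREACH},
    Stage.INVESTIGATING: {Stage.BREACH, Stage.NOT_A_BREACH},
    Stage.BREACH: set(),
    Stage.NOT_A_BREACH: set(),
}

GDPR_CONTROLLER_HOURS = 72  # GDPR Art. 33(1): controller -> supervisory authority


@dataclass
class IncidentRecord:
    ref: str
    events: list = field(default_factory=list)  # (timestamp, Stage, note) in time order

    def record(self, when: datetime, stage: Stage, note: str = "") -> None:
        # Append a dated stage change, enforcing time order and allowed transitions.
        if not self.events and stage is not Stage.REPORTED:
            raise ValueError("lifecycle must start with a report")
        if self.events:
            last_when, last_stage, _ = self.events[-1]
            if when < last_when:
                raise ValueError("events must be recorded in time order")
            if stage not in NEXT[last_stage]:
                raise ValueError(f"illegal transition {last_stage.value} -> {stage.value}")
        self.events.append((when, stage, note))

    def stage(self) -> Stage:
        return self.events[-1][1]

    def awareness_time(self):
        # Clock start: the moment the event was classified as a breach, not the first suspicion.
        return next((w for w, s, _ in self.events if s is Stage.BREACH), None)

    def deadline(self, hours: int = GDPR_CONTROLLER_HOURS):
        t = self.awareness_time()
        return None if t is None else t + timedelta(hours=hours)

    def status(self, now: datetime, hours: int = GDPR_CONTROLLER_HOURS) -> str:
        if self.stage() is Stage.NOT_A_BREACH:
            return "closed-no-breach"
        d = self.deadline(hours)
        if d is None:
            return "under-evaluation"
        return "overdue" if now > d else "within-deadline"

    def hours_to_classify(self):
        # Elapsed time the DPO does not control: first report to breach decision.
        t = self.awareness_time()
        return None if t is None else (t - self.events[0][0]).total_seconds() / 3600


def sample_record() -> IncidentRecord:
    # Constructed timeline (not a real incident): report on 15 April, breach confirmed 48 h later.
    r = IncidentRecord("INC-0001")  # placeholder reference, not from the article
    r.record(datetime(2019, 4, 15, 9, 0), Stage.REPORTED, "call centre escalation")
    r.record(datetime(2019, 4, 15, 11, 30), Stage.INCIDENT, "ticket opened")
    r.record(datetime(2019, 4, 16, 8, 0), Stage.INVESTIGATING, "forensics engaged")
    r.record(datetime(2019, 4, 17, 9, 0), Stage.BREACH, "personal data exposure confirmed")
    return r
```

Passing a different `hours` value to `deadline` or `status` lets the same record be checked against a shorter sectoral time limit once one is prescribed.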

(To Be continued)

Naavi

