Naavi.org

In corporate governance, Independent Directors play an important role in protecting shareholder interests. One of their core responsibilities is to oversee risks that may adversely affect the financial position and sustainability of the company.

Traditionally, this responsibility has been interpreted in the context of financial reporting, internal controls, statutory compliance, and operational risks. However, in today’s data-driven economy, such an interpretation is no longer sufficient.

Now, Data has emerged as one of the most valuable assets of modern enterprises. In many organizations, data is accumulated, processed, analyzed, and monetized long before its value is reflected in the financial statements. Consequently, Independent Directors can no longer limit their oversight to the integrity of financial reports. They must also understand the value, ownership, control, and governance of the organization’s data assets.

An unscrupulous management may undervalue, transfer, misuse, or otherwise compromise data assets in a manner that may not immediately appear as a financial irregularity. Yet the impact on shareholder value can be as significant as fraud, asset stripping, or money laundering. Unfortunately, many boards and Independent Directors are yet to recognize this dimension of governance.

The history of CIBIL provides an example worthy of study. The transfer of control over a valuable national data asset through changes in shareholding raised questions regarding the valuation and stewardship of data that had been contributed by Indian financial institutions. At the time, concerns were raised regarding the long-term implications for the banking sector and the country. However, the governance implications of transferring control over a strategic data asset did not receive the attention that a comparable transfer of tangible assets or financial resources might have attracted.

This raises a broader question: Are Independent Directors adequately equipped to oversee data governance risks?

The question assumes greater significance after the enactment of the Digital Personal Data Protection Act, 2023. Non-compliance with DPDPA can result in substantial financial penalties, reputational damage, regulatory action, and loss of stakeholder trust. DPDPA risk is therefore not merely a compliance issue; it is a board-level governance risk.

Schedule IV of the Companies Act, 2013 prescribes a Code for Independent Directors and specifies their roles, functions, and duties. These include safeguarding stakeholder interests, scrutinizing management performance, satisfying themselves regarding the integrity of financial information and risk management systems, and bringing an independent judgment to board deliberations.

Viewed in this context, oversight of DPDPA compliance naturally falls within the governance responsibilities of Independent Directors. They should be asking questions such as:

• Has the organization identified and classified its personal data assets?
• Has a DPDPA risk assessment been undertaken?
• What is the potential financial exposure arising from non-compliance?
• Are adequate governance mechanisms in place for consent management, data principal rights, breach response, and vendor oversight?
• Is the Board receiving periodic reports on privacy and data protection risks?

These questions are now as important as questions relating to financial controls or statutory audits.

Having recently renewed my registration in the Independent Directors’ databank, I found myself reflecting on whether the objectives behind the institution of Independent Directors are being fully realized in the emerging data economy. It is also pertinent to ask whether sufficient emphasis is being placed on DPDPA governance in the training and continuing education programmes conducted for Independent Directors.

Over the last few years, we at FDPPI  have attempted to engage with board members and governance professionals through conferences, symposiums, and awareness programmes. We have consistently emphasized that DPDPA compliance should be viewed as a board responsibility and that Independent Directors should play a leadership role in assessing and monitoring DPDPA-related risks.

If the Independent Directors’ framework administered by the Indian Institute of Corporate Affairs is to remain relevant in the coming decade, it must incorporate data governance, privacy governance, AI governance, and DPDPA risk management as core elements of board oversight.

The institution of Independent Directorship was created to provide objective and independent supervision of management. In the digital economy, independence must extend beyond financial scrutiny to include stewardship of data assets and protection of stakeholder rights.

As someone associated with the Independent Directors’ databank, I consider it my duty to raise these concerns. I hope that the Indian Institute of Corporate Affairs will confirm that adequate steps have been taken to sensitise Independent Directors to DPDPA-related risks and to equip them with the knowledge necessary to discharge their responsibilities effectively in their respective organizations.

Naavi

We have earlier discussed the need to recognize the Governance structure of DPDPA Compliance team including the PSO or the Patient Safety officer as one of the co-owners of the compliance requirements since every data breach is also a Patient Safety event. We therefore suggested that the team of CISO-DPO-PSO will be responsible for DPDPA compliance, NABH compliance and ITA 2000 compliance as an integrated compliance plan.

Another area of complexity that the hospitals find is in establishing the status of the consulting doctors, Subordinate hospitals and diagnostic  centres. Diagnostic centers operate independently and determine the clinical decisions and therefore the Patient Safety  actions.

Many hospitals provide support to subordinate hospitals in terms of telemedicine consultancy and some times remote surgery. In such cases the two entities need to settle their inter-se status as Joint Data Fiduciaries with  a recognized boundary for data responsibilities.

Hospitals also work with consulting doctors who are independent professionals and take independent decisions on how the patient data is processed and disclosed. Some doctors may have “Employment” status while most may not. In such cases the status of who is a data fiduciary and who is a joint data fiduciary is a matter to be taken into account.

Additionally most hospitals work under a brand sharing  program where there could be an umbrella brand that attracts the patients while the service is rendered independently by the franchisee hospitals. In such cases the  possibility of “Super Data Fiduciary” status for the  umbrella brand has to be also considered.

The DGPSI-Hospital framework therefore needs to cover these special situations.

Please send your views on these issues.

Watch out for more discussion.

Naavi

Attention is drawn to the notice issued by MeitY on 21st  April 2026 related to the draft amendments to Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 in relation to strengthening intermediary compliance with clarifications, advisories and directions issued by the Ministry. (Refer here)

The last date for public comments  was 7th May 2026 which is well behind us.

So far no confirmation of the final rules has come from MeitY. 

The copy of the proposed draft rules are here. This should be read with the earlier consolidated rules published on 10th April 2026

An article which appeared in Indian Express today  flagging some of the key issues of  the rules is available here

While we await the release of the final rules, a brief review of the article of Indian express flag the following observations.

The proposed amendments represent a substantial expansion of governmental oversight over digital intermediaries. They move beyond traditional publisher regulation and seek to create a unified compliance framework covering:

1. Social media intermediaries,
2. AI-generated content,
3. User-generated news and current affairs content, and
4. Digital grievance redressal processes.

Although these amendments are not directly issued under the Digital Personal Data Protection Act, 2023 (DPDPA), they have important intersections with data governance:

• Data retention obligations may interact with DPDPA provisions relating to storage limitation and legal exemptions.
• AI-content labeling complements transparency principles relevant to responsible AI governance.
• Expanded intermediary obligations strengthen accountability mechanisms within India’s broader digital governance framework.

Key Proposed Amendments

1. Mandatory Compliance with MeitY Directives

Social media intermediaries, including platforms such as X and Meta-operated services, will be required to comply with:

• • Clarifications
  • Advisories
  • Orders
  • Directions
  • Standard Operating Procedures (SOPs)
  • Codes of Practice
  • Guidelines

issued by MeitY.

Compliance with such directions will form part of the statutory “due diligence” obligations of intermediaries. Failure to comply could potentially affect the safe-harbour protections available under the Information Technology Act, 2000.

2. Enhanced AI-Generated Content Labeling Requirements

The amendment to Rule 3(3)(a)(ii) strengthens obligations relating to synthetic or AI-generated content.

Previous Requirement:

• AI-generated content labels needed to be “prominently visible.”

Proposed Requirement:

• Labels must be displayed continuously and clearly throughout the entire duration of the visual content.

Implication:

• Platforms will need robust technical mechanisms to ensure persistent disclosure of AI-generated videos, images, and similar synthetic media.
• The amendment reflects growing concerns regarding misinformation, deepfakes, and manipulated media.

3. Reinforcement of Data Retention Obligations

The amendments clarify that intermediaries must continue to comply with all legal requirements concerning:

• • Preservation of information
  • Retention of records
  • Maintenance of evidence

even when responding to user requests or regulatory actions.

Implication:

• Data deletion requests cannot be used as a basis to circumvent statutory retention requirements.
• This provision aligns with law-enforcement, regulatory, and evidentiary needs.

4. Expansion to User-Generated News and Current Affairs Content

A major policy shift is the inclusion of news and current affairs content uploaded by ordinary users.

Previously, regulatory obligations primarily targeted recognized digital publishers.

Under the proposed amendments:

• User-generated news content may also fall within the regulatory framework.
• Social media platforms hosting such content become subject to additional compliance responsibilities.

5. Strengthening of Grievance Redressal Mechanism

Rule 14 has been revised to strengthen the role of the Inter-Departmental Committee (IDC).

The IDC may:

• Periodically hear complaints concerning violations of the Code of Ethics.
• Consider cases where prescribed timelines have not been met.
• Examine matters directly referred by MeitY.

6. Broader Applicability of Rules 14, 15 and 16

The amendment to Rule 8 extends the applicability of Rules 14, 15, and 16 beyond publishers.

These provisions will now apply to:

• Publishers
• Intermediaries
• User-generated news and current affairs content hosted on intermediary platforms

Implication:

• Regulatory accountability extends deeper into the social media ecosystem.
• Platforms may bear greater responsibility for content generated by users.

The entire impact of the modified rule hinges on the definition of the “Synthetically generated information” which is defined as follows.

Rule 2 (wa) ‘synthetically generated information’ means audio, visual or audio-visual information which is artificially or algorithmically created, generated, modified or altered using a computer resource, in a manner that such information appears to be real, authentic or true and depicts or portrays any individual or event in a manner that is, or is likely to be perceived as indistinguishable from a natural person or real-world event;

Provided that the purposes of this clause, an audio, visual or audio-visual information shall not be deemed to be ‘synthetically generated information’, where such audio, visual or audio-visual information arises from—

(a) routine or good-faith editing, formatting, enhancement, technical correction, colour adjustment, noise reduction, transcription, or compression that does not materially alter, distort, or misrepresent the substance, context, or meaning of the underlying audio, visual or audio-visual information; or

(b) the routine or good-faith creation, preparation, formatting, presentation or design of documents, presentations, portable document format (PDF) files, educational or training materials, research outputs, including the use of illustrative, hypothetical, draft, template-based or conceptual content, where such creation or presentation does not result in the creation or generation of any false document or false electronic record; or

(c) the use of computer resources solely for improving accessibility, clarity, quality, translation, description, searchability, or discoverability, without generating, altering, or manipulating any material part of the underlying audio, visual or audio-visual information

Though the rule applies to all bloggers as indicated in the Indian Express Report,  there are sufficient safeguards to exclude routine bloggers who may use AI to create documents for educational or training materials without “depicting events as true events” which is normally done in You Tube videos covering events of news value.

Naavi

FDPPI has been a pioneer in designing a framework exclusively for compliance of DPDPA. The initial version of DGPSI incorporated the ITA 2000 and BIS draft guidelines on Data Governance and was born as a unified framework. With such a unification approach, DGPSI had become the  only framework suitable for the Indian data protection environment.

Subsequently with DGPSI-AI as an extension, the framework adopted the AI development in technology and today DGPSI-Full with DGPSI-AI stands tall amongst any such frameworks. It is suitable for implementation of DPDPA Compliance by default and is also certifiable by third party audit and also possesses ability to measure maturity of implementation through Data Trust Score (DTS).

Further DGPSI evolved with sector wise versions including DGPSI-HR, DGPSI-Data Processor and DGPSI-GDPR to meet specific requirements of HR, Data Processors and GDPR stake holders.

Time has come now to announce that a separate framework for the Hospital environment where there is a need for unification of “Patient Safety” requirements which  are presently handled under NABH  accreditation as a “Quality” criteria.

We started working on DGPSI-Health care as a framework. But it appears that there has to be a different framework for Hospitals under NABH guidelines from a framework for laboratories under NABL guidelines. We have  therefore decided to work presently on DGPSI-Hospital integrating the NABH quality requirements within the DGPSI framework.

Watch  out for more details …

Naavi

Listen here: The new  symbol of Trust

Traditionally,  the foundation of cyber security has rested on the well-known CIA Triad, Confidentiality, Integrity, and Availability. Every security professional, auditor, and regulator has used these three principles as the benchmark for evaluating the adequacy of information security controls.

The CIA model has served the digital world well. However,  Data is no longer merely an information asset stored in computers. It directly influences human decisions, determines access to services, impacts financial outcomes, and in sectors such as healthcare, can literally affect life and death.

Consequently, cyber security can no longer remain confined to protecting information systems. It must evolve into a discipline that protects the human beings whose lives are influenced by the information.

It is therefore time to rethink the traditional security architecture and move from the CIA Information Triad to what may be called the CDP Human Triad particularly in the context of the hospital systems.

What is  CDP Human Triad?

The CDP human triad represents the CISO who protects the Information, DPO who protects the Privacy and the PSO who protects the Patient.

The traditional CIA model focuses on protecting information.

• Confidentiality ensures that information is not disclosed to unauthorized persons.
• Integrity ensures that information is not altered without authorization.
• Availability ensures that information is accessible when required.

This approach was adequate when information systems were viewed primarily as repositories of data. However, modern cyber incidents demonstrate that the ultimate impact of a breach is often not on information but on people.

A ransomware attack on a hospital may compromise availability, but its real consequence may be delayed treatment.

An AI system that generates an incorrect recommendation may preserve confidentiality and availability, yet still expose an individual to harm.

A privacy violation may not damage the data itself, but may undermine the autonomy and choice of the individual to whom the data relates.

The focus of security therefore needs to shift from merely protecting information assets to protecting human interests.

The proposed CDP Human Triad consists of three human controllers with their own respective responsibilities.

C: CISO the person responsible to ensure the Confidentiality, Integrity and Availability of personal data of data principals. (Patients in the Hospital context).

D: DPO the person responsible to ensure that the Privacy rights of the Patients are protected as per the laws such as DPDPA.

P: Represents the person responsible to protect the Patient Safety during the Health  Cre operations.

We must appreciate that a system may be perfectly secure from CIA triad concept but still it may not be compliant with DPDPA requirements.  A system may be DPDPA compliant but may result in adverse patient safety considerations.

Hence when we address an issue such as a “Data Breach”, we need to recognize that the consequence cannot be considered fully reversed with a restoration of lost data or correcting a consent shortage since the damage on human life remains irreversible. Hence a “Data Breach”  in a hospital context is not the same as a data breach in a Bank or any other system.

Hence the remedies need to be also different. The CDP approach is recommended to meet this requirement.

The transformation from CIA to CDP naturally requires a corresponding evolution in organizational governance.

The CISO continues to focus on:

• • Information security
  • Network security
  • Cyber defence
  • Incident response
  • Business continuity
  • Technology resilience

The CISO asks:

“How do we protect the information and systems?”

The DPO: Protecting the Data Principal’s Choice

The DPO focuses on:

• • Consent governance
  • Privacy compliance
  • Data Principal rights
  • Purpose limitation
  • Data minimization
  • Breach notification obligations

The DPO asks:

“How do we protect the individual’s choices and rights?”

The PSO: Protecting Patient Safety

The PSO focuses on:

• • Clinical safety
  • Human impact assessment
  • Digital risk to patient care
  • AI safety oversight
  • Safety incident management
  • Harm mitigation

The PSO asks:

“How do we protect the patient, irrespective of the cause of harm?”

This is an key distinction.

The PSO is not concerned only with cyber attacks. The concern extends to any digital or operational event that may compromise patient safety, whether arising from technology failure, human error, AI malfunction, privacy violations, or malicious activity.

A Shift in Security Thinking

The significance of this transition lies in recognizing that the purpose of security is not security itself.

The ultimate purpose of security is to protect human interests.

Historically, security professionals protected servers, networks, databases, and applications.

Today they must also protect:

• Human autonomy,
• Human dignity,
• Human rights,
• Human safety.

The transition from the CIA Information Triad to the CDP Human Triad represents this broader vision.

It acknowledges that:

• Information must remain confidential.
• Individuals must retain control over their personal data.
• Patients and other affected individuals must remain safe irrespective of how a digital failure occurs.

As organizations adopt AI, digital health platforms, connected devices, and data-driven decision-making systems, cyber security architecture must evolve beyond its traditional boundaries.

The future governance framework cannot rely solely on the CIA Triad.

A more human-centric model is required—one that integrates technical security, privacy governance, and safety assurance.

How do we  integrate the CISO-DPO-PSO triad in our current system?

The CISO–DPO–PSO triad provides the organizational mechanism for achieving this objective, while the CDP Human Triad provides the corresponding security philosophy.

The challenge before regulators, industry leaders, healthcare institutions, and security professionals is to ensure that this transition in the very objective of security is recognized, embedded, and protected.

The attempt to find a solution falls on the DGPSI-Hospital framework which is being developed as an extension of DGPSI.

In the military structure we have identified the post of  “Chief of Defense Staff” (CDS) to have a joint command on Army, Navy, Airforce and Cyber  commands. Similarly, should we consider a Patient Safety Officer as a central command  over DPO  and CISO or should we identify a new designation is the question which we need to answer in DGPSI.

Await the release of the DGPSI-Hospital for the final suggestion.

Naavi