[In continuation of the earlier article/s on PDPSI, we proceed to unravel further details of the Personal Data Protection Standard of India (PDPSI). The objective of the standard is to make available an open source guideline to Indian Companies to comply with Privacy and Data Protection requirements that meet the standards of BS10012, GDPR as well as the Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]
The essence of any Information Privacy Regulation such as GDPR or PDPA is to ensure that the “Privacy Rights” guaranteed by the Constitution of the country for its citizens are not infringed while the personal information is processed in electronic form. All processors of such data are “Intermediaries” under the present law in India (ITA 2000/8), and responsibilities are placed on them for appropriately securing such data, failing which there could be liabilities.
One of the security provisions that ITA 2000/8 has prescribed is that there has to be accountability of the intermediary by designating a “Grievance Redressal Officer” whose contact details are to be provided on the websites.
The PDPA/GDPR speak of the same accountability in the form of a need to appoint a DPO, who is expected to be both a proactive compliance manager and the first contact point for an aggrieved data subject.
The role of a Grievance Redressal Officer is slightly different from a “Compliance Officer” in the sense that his responsibility kicks in after a grievance is reported. If he is the same person who is also the compliance officer, then there would be a conflict of interest as he turns defensive if any grievance points to a flaw in the system.
Hence it may be necessary from the PDPSI point of view that the roles of the Compliance officer and the Grievance Redressal Officer are suitably segregated. There is nothing wrong if the compliance officer is the first reference point for a grievance since he has the knowledge of what has gone wrong. But the dispute resolution should be escalated at the earliest to another level where there is no conflict of interest.
Having an effective Grievance Redressal Mechanism is therefore a critical element of PDPSI.
PDPA 2018 does make a specific mention of Grievance Redressal under section 39 of the draft Bill. A period of 30 days is provided for the grievance to be addressed, after which the data principal may invoke the adjudication process of the DPA, followed by the appeal to the designated Tribunal and thereafter to the Court of appropriate jurisdiction (which could be the Supreme Court).
GDPR makes only a vague mention of Grievance Redressal under Article 40 as a part of the code of conduct.
Under PDPSI, it is recognized that the ultimate benefit that a Data Subject expects is a proper grievance redressal and hence it is an essential control that an organization should institute and manage.
Naavi has been advocating that the grievance redressal mechanism should go through the following three stages, namely:
a) Service level attention by the DPO
b) Ombudsman who is an independent person of repute to whom the complaint can be referred
c) Mediation which could be an extended responsibility handled by the Ombudsman or separately.
It would be ideal if this is followed by an “Arbitration” so that before the statutory process of adjudication is invoked, all remedies available as alternative dispute resolution mechanisms are exhausted.
Since time is the essence of such resolution, an “ODR mechanism” of the type referred to under www.odrglobal.in is recommended.
The service level resolution can be provided within 48 hours and Ombudsman views can be provided within 7 days so that in the first 10 to 15 days, the matter could be ready for “Mediation” for which another 15 days could be provided. Thus within one month, the mediation option would be exhausted and the parties may decide if they have to straightaway go to the adjudicator or exhaust the arbitration.
At present, it appears that 30 days is just sufficient to complete the mediation efforts. Also, since “Adjudication” is a statutory remedy, “Arbitration”, even if the parties go through it, would be subordinate to the Adjudication process.
But making a provision for arbitration, if necessary with a report to the Adjudicator, would be a good idea for an organization to think of.
Naavi has, in commenting on the “Intermediary Guidelines”, suggested that just as in the case of Domain Name disputes where we use UDRP/INDRP as a self-regulatory mechanism, we can consider an “Intermediary Dispute Resolution Policy” and an associated arbitration process to resolve the disputes arising between the user of an internet service and the intermediary.
A similar mechanism could work even in the PDPA scenario if the Grievance Redressal Mechanism is properly structured and implemented.
In view of the above, the DTS system encourages the Data Auditors to consider the presence of an effective Grievance Redressal mechanism as part of the scoring evaluation.
Under PDPSI, the presence of a Grievance Redressal mechanism and its evaluation are therefore considered critical from the point of view of Data protection by a Data Fiduciary/Data Controller/Data Processor.
(To be continued)
Other Reference Articles
- A Step beyond BS10012 and GDPR-Personal Data Protection Standard of India-PDPSI
- Data Protection Standard of India- (DPSI)
- Data Classification is the first and most important element of PDPSI
- Why 16 types of Data are indicated in PDPSI?
- Implementation Responsibility under Personal Data Protection Standard of India
- India to be the hub of International Personal Data Processing…. objective of PDPSI
- Principles of PDPSI
- Pentagon Model of TISM…An implementation approach to PDPSI implementation
- Personal Data Gate Keepers and Internal Data Controllers in Organizations
- Legitimate Interest Policy
- Implement “My Bhi Chowkidar” policy for Personal Data Protection.
- Naavi’s Data Trust Score model unleashed in the new year
- Naavi’s 5X5 Data Trust Score System…. Some clarifications
- Naavi’s Data Trust Score Audit System…allocation of weightages