Personal Data Protection Standard of India (PDPSI) is the standard being developed by Cyber Law College of Naavi to assist compliance with Personal Data Protection regulations in India. We had earlier mentioned the first version of PDPSI as PDPSI-0219. It is time now to report a small progress with the second version of the document, PDPSI-0319, which is also a work in progress.
The objective of this Document is to codify the set of standards that are aimed at providing compliance of data protection regulations in India.
The scope of this document encompasses the requirements of ITA 2000/8, the proposed PDPA 2018, BS 10012, and the principles of GDPR.
We the people of India have adopted our own regulatory standard for personal data protection and protection of Information Privacy of Indian Citizens as guaranteed by our constitution. We first notified Information Technology Act 2000 (ITA 2000) with effect from 17th October 2000 incorporating the responsibilities of citizens including corporate entities for protecting data both personal and otherwise. With the amendments in 2008 effective from 27th October 2009, the new version of ITA 2000 namely the Information Technology Act 2000/8 (ITA2008) further codified the responsibilities of Body Corporates and others in protecting Personal Data and Sensitive Personal Data. ITA 2008 and the rules that followed on 11th April 2011 also had provisions for “Reasonable Security Practice” and “Due Diligence” which were the grounds for the first set of “Personal Data Protection Standards” in India.
After the Supreme Court of India came out with its judgement on Privacy, which inter alia recognized the need for “Information Privacy Protection”, a strong emphasis was laid on Personal Data Protection in India. The operating guidelines for meeting the expectations of the Supreme Court, expanding the scope of ITA 2008 and its rules, came in draft form through the Draft Bill titled “Personal Data Protection Act 2018” (PDPA 2018). Though PDPA 2018 is today only a work in progress, to be re-introduced as a new Bill after the next elections, the broad contours of Personal Data Protection in India have been firmly laid by this proposed bill, drafted by a former Justice of the Supreme Court, Justice Bellur Narayanaswamy Srikrishna.
Though PDPA 2018 has adopted several principles of Privacy Protection from global documents including the GDPR (General Data Protection Regulation of the European Union), the compliance requirements in India regarding Information Privacy Protection are distinct and include compliance with ITA 2000/8, parts of the Aadhaar Act and the proposed PDPA 2018, among others.
In view of this wider and distinctive scope of Indian regulations on Information Privacy Protection, the global data protection standards contained in ISO 27001 or BS 10012 are considered inadequate to meet the requirements in India.
The long term objective of this document is to ensure that “Standards” do not remain “Proprietary” and are made known to the stakeholders who are expected to implement them. Hence Naavi intends to make this standard open source once a formal, sufficiently refined version of the standard emerges. Until then, only some high level concepts may be publicly released.
In the new version, an attempt has been made to expand the portion of “Classification of Data” because it is the key to further implementation. The required classification is depicted in the following diagram.
This system of data classification will first recognize the data that may be flowing in the organization and classify it at the first level into “Individually Identifiable Data” and “Corporate Data”.
Personal data will consist of such data that identifies an individual. Corporate data includes business related data which does not contain personal data. Protection of Corporate data is part of the DPSI while PDPSI focuses on protection of Personal data.
Individually Identifiable Data is further tagged with the following attributes:
- Employees and Non Employees
- Subject to Indian Laws only and Subject to Indian and Foreign Laws
- Personal and Sensitive Personal
- Adult and Minor
Individually identifiable data of Employees is considered as “Corporate Data” but may be subject to additional compliance requirements depending on the applicable laws, whether Indian or foreign.
The classification into Personal and Sensitive Personal, and into adult and minor, may also differ based on the applicable laws.
The above attribute tagging will be applied to a set of data elements which is considered as a “Package”. Each such “Individually identifiable Data package” shall carry a distinct identity, the “Package ID”. Every element of the Package shall be tagged in further usage with the “Package ID”.
Every package will be identified with a “lead element”, which could be the name or another identity parameter.
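As an added illustration, not part of the PDPSI document or of Naavi's own work, the following Python sketch applies the two-level classification and attribute tagging described above to one constructed set of data elements. The rule table (age threshold, sensitive categories per applicable law) and the way the Package ID is derived from the lead element are assumptions, since the page gives no such values.

```python
from dataclasses import dataclass, field
import hashlib

# Constructed rule table (assumption): the page says the Personal/Sensitive and
# adult/minor lines depend on the applicable law but gives no thresholds, so
# these values are placeholders, not the standard's own.
RULES = {
    "Indian laws only": {"minor_below": 18, "sensitive": {"health", "biometric"}},
    "Indian and foreign laws": {"minor_below": 16, "sensitive": {"health", "biometric", "religion"}},
}

@dataclass
class Element:
    name: str       # data element name, e.g. "email"
    category: str   # constructed category label consulted by the sensitivity rule
    value: str

@dataclass
class Package:
    package_id: str
    lead_element: str
    top_level: str                   # "Individually Identifiable Data" or "Corporate Data"
    tags: dict = field(default_factory=dict)
    elements: list = field(default_factory=list)   # (name, value, package_id) triples

def classify(elements, *, identifies_person, employee, foreign_law, age, lead="name"):
    """Apply the first-level split, then the attribute tags and Package ID."""
    if not identifies_person:
        # Corporate Data: no attribute tags and no Package ID (handled under DPSI).
        return Package("", lead, "Corporate Data", {}, [(e.name, e.value, "") for e in elements])
    law = "Indian and foreign laws" if foreign_law else "Indian laws only"
    rule = RULES[law]
    tags = {
        "employee": employee,
        "applicable_law": law,
        "sensitivity": "Sensitive Personal" if any(e.category in rule["sensitive"] for e in elements) else "Personal",
        "age_band": "Minor" if age < rule["minor_below"] else "Adult",
    }
    # Employee data is treated as Corporate Data but keeps its attribute tags,
    # because it may still carry additional compliance requirements.
    top_level = "Corporate Data" if employee else "Individually Identifiable Data"
    # Package ID: assumed derivation from the lead element and applicable law.
    lead_value = next(e.value for e in elements if e.name == lead)
    package_id = "PKG-" + hashlib.sha256(f"{law}|{lead_value}".encode()).hexdigest()[:12]
    tagged = [(e.name, e.value, package_id) for e in elements]   # every element carries the Package ID
    return Package(package_id, lead, top_level, tags, tagged)

# Constructed sample record: one non-employee customer with a health data element.
SAMPLE = [Element("name", "identity", "A. Customer"), Element("blood_group", "health", "O+")]
```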
(I welcome comments)