Data Trust Score is an innovative mandatory provision in the Indian Personal Data Protection Bill 2019 which introduces measurability and accountability to the compliance initiatives of a Data Fiduciary. In this three-part article, Mr M.G. Kodandaram, IRS, retired Assistant Director, NACIN, analyses the legal aspects of the Data Trust Score system. Naavi
Now we shall examine each of the factors prescribed in Section 29 of the Bill to explore the ways in which these principles can be computed into a fair and justifiable Data Trust Score.
Issue of notice to principal
Every data fiduciary shall issue a notice to the data principal before the collection or processing of personal data, and the contents of such notice are one of the factors to be considered in evaluating the trust score. Among the contents prescribed in section 7(1) of the Bill, the following are relevant to the present discussion:
“(k) the procedure for grievance redressal under section 32;
(l) the existence of a right to file complaints to the Authority;
(m) where applicable, any rating in the form of a data trust score that may be assigned to the data fiduciary under sub-section (5) of section 29; and
(n) any other information as may be specified by the regulations”.
From the above it is to be noted that (i) having a grievance redressal mechanism as prescribed in section 32, (ii) the principal’s right to file complaints with the Authority and (iii) intimating to the data principal the data trust score assigned under section 29(5) are important factors to be considered by the auditor in evaluating the trust score of a fiduciary. To secure a higher DTS rating, it is important for the fiduciary to have a dynamic grievance redressal mechanism in place. At the same time, it is the responsibility of the Authority to provide a tool through which the principal can lodge complaints, and to redress them suitably.
Redressal of grievances of principal
As mandated under section 32 of the Bill, every data fiduciary should provide an effective mechanism for redressal of the grievances of data principals. A facility through which the principal can lodge a complaint for any contravention of the provisions that has caused, or is likely to cause, harm to her/him is an essential responsibility of the fiduciary. Such a facility must be managed by the data protection officer or a designated officer of the entity. Complaints received have to be resolved by the data fiduciary in an expeditious manner, within 30 days of receipt of the complaint. If such a complaint is rejected or not resolved within the time frame, or if the principal is not satisfied with the manner of its disposal, the data principal may file a complaint with the Authority. Therefore the Authority is expected to host a separate facility for receiving complaints from principals about such unattended grievances.
As the volume of transactions is expected to be high, these services to the principal could be built jointly by the fiduciary and the Authority in digital mode. The development of a central digital facility by the Authority, in association with the entities, is preferable, as it eases the complaint-filing process for the principal, and the subsequent monitoring, disposal and recording of the entire process could be automated. The number of transactions and the timelines followed in the redressal process could then be used as a realistic data source to measure the trust score of each fiduciary in one place.
However, it is interesting to note that the Bill has no inbuilt mechanism for obtaining feedback from the principal.
Privacy by design policy
The second factor to be considered by the auditor in awarding the score is the effectiveness of the measures adopted under the ‘Privacy by design’ policy mandated under section 22 of the Bill. The Bill requires a data fiduciary to formulate a policy that (a) ensures that managerial, organisational and business practices and technical systems are designed in a manner that anticipates, identifies and avoids harm to the data principal, (b) meets the listed obligations towards protection of personal data, (c) uses technology in accordance with commercially accepted or certified standards, (d) protects the legitimate interests of businesses, including any innovation, without compromising privacy, (e) protects privacy throughout processing, from the point of collection to the deletion of personal data, (f) processes data in a transparent manner and (g) keeps the interest of the data principal in view at every stage of processing of personal data. The data fiduciary should submit the policy so prepared to the Authority for certification within the prescribed period. The Authority, after due verification that the information and compliance have been provided as prescribed under Section 22(1), shall certify the same. The said information needs to be published on the official websites of the Authority and of the fiduciary concerned. This entire process could be built on a digital platform, and the data emerging from it could be used to gauge the trust score.
Transparency and security measures
Transparency in relation to processing activities under Section 23 is the third factor that needs to be considered in awarding the data score. The fiduciary should make available, in the prescribed form and manner, the following information: “(a) the manner and categories of personal data generally collected; (b) the purposes for processing the personal data; (c) any probable risk of significant harm in such processes; (d) the facilities available for the data principal to exercise rights regarding access, correction, erasure, portability and such other rights vested under law; (e) the right of data principal to file complaint against the data fiduciary to the Authority; (f) where applicable, any rating in the form of a data trust score accorded to the data fiduciary under section 29(5); (g) where applicable, information regarding cross-border transfers of personal data that the data fiduciary generally carries out; and (h) any other information as may be specified by regulations.”
The fourth factor that needs to be considered is the security safeguards adopted by the entity pursuant to section 24 of the Bill. Every data fiduciary and data processor shall implement, and periodically review, the necessary security safeguards, such as “(a) the use of methods such as de-identification and encryption; (b) steps necessary to protect the integrity of personal data; and (c) steps necessary to prevent misuse, unauthorised access to, modification, disclosure or destruction of personal data”. These could be verified by the auditor, who can list the gaps found in order to arrive at the data score for the fiduciary. Similarly, the instances of personal data breach and the timeliness of the data fiduciary’s response, including the promptness of notice to the Authority under section 25, and the timely implementation of processes and effective adherence to the obligations under section 28(3), being the fifth and sixth factors, could be verified by the auditor to draw fair conclusions.
In the coming part we shall deliberate on the fair means of using the mandated principles, within the scope of the objectives and the proposed legal framework, to arrive at a possible data score method.
(To be continued as part-3)
- M. G. KODANDARAM, IRS, Assistant Director, NACIN (Retd.)