[In continuation of the earlier article/s on PDPSI, we proceed to unravel the further details of the Personal Data Protection Standard of India (PDPSI). The objective of the standard is to make available an open source guideline to Indian Companies to comply with Privacy and Data Protection requirements that meet the standards of BS10012, GDPR as well as the Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]
PDPSI implementation expects top management involvement through some key foundation policies. We have discussed the “Legitimate Interest Policy” as one such policy control measure, in the drafting of which the top management needs to be personally involved.
Another such fundamental policy that needs to be developed at the top management level is the “Whistle Blower Policy”.
“Whistle Blower Policy” (WBP) essentially means that the organization creates an ecosystem of confidence in which every employee is encouraged to be vigilant and is skilled enough to identify suspicious incidents and behaviour in any of the activities surrounding the organization, together with a mechanism to report them for further investigation and corrective action.
The problem with implementing a good and effective Whistle Blower Policy is that
a) It has to accommodate the possibility of nuisance and malicious reports
b) It has to provide an assurance to the person reporting that his identity would be kept confidential so that the reporting does not hurt his future career.
c) It also has to give the confidence that action will be taken quickly and effectively to investigate further and correct the situation if required.
The “Data Breach Notification Policy” which is part of every Information Security Policy does envisage that a “Data Breach” should be reported to the DPA. But before the DPO reports a Data Breach to an outside agency, he has to first come to know of a potential data breach within the organization. Hence the DPO needs to have a mechanism to collect intelligence on data breach possibilities and to receive early warning of any breaches.
Additionally, the “Privacy By Design” concept needs the DPO to be able to take “Preventive Steps” to ensure that a likely data breach is nipped in the bud.
The “Whistle Blower Policy” is the means by which early warnings are gathered.
In the earlier articles we have discussed the need for “Personal Data Gate Keepers” to be identified in an organization so that the responsibility for Personal Data Protection is decentralized.
As a corollary, it is essential to have a system where a watch is kept on the activities around the organization and early warnings about possible data breaches or possible non-compliance events are captured and reported to the DPO.
While enterprise-level awareness creation helps every organizational member, including the employees of business associates who interact with Personal Data managed by the organization, it is necessary to motivate employees to be bold enough to bring a potential non-compliance issue to the notice of the appropriate persons.
When a person points out such a potential non-compliance issue, it is likely that he would ruffle some feathers, and those could be the feathers of a powerful employee of the organization, even at levels higher than that of the person who observes the anomaly. In such instances the person is likely to keep quiet and look the other way.
The non-reporting of a potential data breach situation may actually be considered as “Passive Assistance” for the non-compliance to continue, which may explode into a data breach incident on a later day. When an investigation is undertaken at that time, all those who were aware of the risk and did not take proper care to mitigate it could be considered as “Accomplices”.
The Whistleblower policy should therefore provide that any legitimate observation that indicates that something wrong may be going on should be reported for examination and review by escalating it to the appropriate level.
In order to provide confidence to the Whistle Blower that there would be no witch hunting, it is necessary to maintain confidentiality of such reports even if some rewards are associated with useful reporting.
“Anonymous Reporting” could be one option for the organization but such anonymous reporting often encourages malicious untruthful reporting just to damage the reputation of some employees. There could also be “Nuisance Reporting” just to harass the management. Hence “Anonymous Reporting” is not recommended though it is an option that a management may consider for meeting PDPSI.
A more mature approach to Whistleblower policy is to create an “External Ombudsman” who receives all complaints along with the identification of the reporter. The Ombudsman then anonymizes the complaint, identifies the level at which it should be escalated for review, and manages the information that needs to be shared for the purpose of the review. If necessary, the Ombudsman can also have a dialogue with the complainant to understand the problem better before escalating it.
Designing a robust Whistle Blower policy which encourages reporting, by providing the confidence that such reporting would be rewarded, kept confidential and acted upon promptly, is considered as a part of the “Control” that PDPSI expects organizations to set up.
Since this requires policy decisions such as the appointment of an external ombudsman etc., this decision can be initiated only by the highest level of management, and the policy must accommodate complaints even against the members of the Board itself.
The integrity of the appointed ombudsman must also be ensured so that he protects the interests of the “Personal Data Protection Regulatory Expectation” and effectively manages the inherent conflicts.
It is interesting to note that Prime Minister Modi’s “Main Bhi Chowkidar” campaign for the nation is actually a reflection of the “Whistle Blower Policy for the nation”. The CVC has also in the past tried to initiate a system for the purpose and introduce an app to enable citizens to report incidents. The experience with these schemes indicates the difficulties and the opposition that such measures may generate, because there is always one set of the ecosystem which will strongly oppose them to protect their own vested interests, real or imaginary.
Successful design and implementation of the system therefore requires a very high level of statesmanship by the top management.
It is to be accepted that it is a huge challenge to design an effective Whistle Blower Policy, but it is for the Data Auditor to evaluate how good and robust the policy is (if available) while arriving at the Data Trust Score under the heading of “Commitment”.
[To Be Continued… Comments welcome]
Other Reference Articles
- A Step beyond BS10012 and GDPR-Personal Data Protection Standard of India-PDPSI
- Data Protection Standard of India- (DPSI)
- Data Classification is the first and most important element of PDPSI
- Why 16 types of Data are indicated in PDPSI?
- Implementation Responsibility under Personal Data Protection Standard of India
- India to be the hub of International Personal Data Processing… objective of PDPSI
- Principles of PDPSI
- Pentagon Model of TISM…An implementation approach to PDPSI implementation
- Personal Data Gate Keepers and Internal Data Controllers in Organizations
- Legitimate Interest Policy
- Naavi’s Data Trust Score model unleashed in the new year
- Naavi’s 5X5 Data Trust Score System… Some clarifications
- Naavi’s Data Trust Score Audit System…allocation of weightages