In the Privacy domain, the “Employee Privacy” is one aspect of Privacy Management that often has a direct conflict with the Data Protection Compliance regime.
Under GDPR we have seen that Courts and Supervisory authorities have ruled that even an employee who uses “Customercare@company.com” email for personal communication is entitled to privacy rights.
Recently a case has also been reported from Illinois, the freight comapny BNSF Railway Co has been ordered to pay a compensation of $228 million in a class suit on behalf of its employees.
The decision handed Wednesday evening in Chicago federal court, came after the first trial under the Illinois Biometric Information Privacy Act (BIPA), a state law which restricts collection of biometric data like fingerprints or retinal scans.
The plaintiff, on behalf of himself and a class of other truck drivers, claimed he was fingerprinted when he entered BNSF’s railyards to make pickups and deliveries and that BNSF violated Section 15(b) of the BIPA by collecting his biometric data without first giving him written notice and obtaining his informed consent.
This decision could mean that the employees of an organization may enforce Privacy rights on par with the public.
A majority of Data Protection Professionals are themselves employees of an organization and hence they would welcome this development. So would be the Privacy Activists.
However, to be fair to all stake holders we need to question this decision of the Illinois Court (as reported in the media).
Employees are privileged persons within an organization. Law recognizes that any errors and omissions of an employee may create a vicarious liability on the organization. Employees work under a long term contract built on trust. They create the security systems within an organization and can collaborate with criminals to harm the organization and its third party customers.
Hence there is a need to enforce from security perspective of the company and its customers a strict regime of surveillance on the activities of the employees.
Hence having CCTVs inside an organization, monitoring the computer activity as well as collecting and using biometrics should be considered as “Legitimate Interest of an Organization” and should not be considered as “Privacy Violation”.
What may be required is an assurance based on a higher level of information security so that the employee information collected for a specific purpose of employment is not misused. Using the information to monitor employee behaviour from the perspective of security is however an exception.
Some Data Protection laws like the PDPB 2019 did provide “Exemptions” from Consent for employee monitoring activities required for performance assessment and fraud prevention.
The Illinois case could be one coming under such a requirement where the company wanted only authorized persons to enter the goods yard. Similarly the GDPR case in which an employee misusing the corporate email account for personal use had specifically violated the terms of contract. In such cases there should be no enforceable right to privacy.
It is for this reason that we advocate that “Employee Privacy” should not be equated to “Privacy of Non Employees”. Employees should be informed enough to provide their consent and understand the need for security to give up the special privileges that comes with the Privacy.
If this right of the employer is not recognized, then employees may tomorrow claim that they will work under pseudonymous ID or even anonymous ID and receive their salaries through Bitcoins and in principle they will have a case to justify.
We must therefore consider that “Employees of an organization are privileged persons and in respect of the personal data shared by them with the company in their capacity as employees should be exempt from provisions of prior Consent (except at the time of onboarding), Rights of Portability, Right to forget. They may continue to enjoy Right to access and Right to Correction.
Comments and views are welcome.
Naavi
Economic Times carries an interesting article on the “Shape of Things to Come” as the MeitY continues to work on the modified PDPB 2019, stating that “Reworked Personal Data Bill may relax rules on data localization”
The article quotes the MoS, IT, Mr Rajeev Chandrashekar as saying
“Cross-border flow of data will, … be permitted as long as the government is able to access the data legally and such data of citizens is safe even if it is stored in cloud architecture“
The interpretation of ET is that the Government may change the provision regarding the “Critical Information” being necessarily stored in India.
The PDPB 2019 had already diluted the PDPB 2018 provision of cross border data transfer and removed the need for keeping even a copy of the personal data transferred out of India as long as it is not “Sensitive”. Sensitive personal data was also freely transferable subject to a copy being retained in India and necessary consent from the data principal. No data has so far been declared as “Critical Data”.
Hence there is nothing to dilute the PDPB 2019 version in this regard as it is already diluted to the core.
As against this GDPR has been strengthening its Data Localization policy and recently even the US bent down to EU and agreed to change its Judicial System to accommodate the interest of EU GDPR. It has agreed to set up a Judicial authority that can be approached by the EU Citizens whose data is processed in USA. It can be expected that this special court will even recognize the supremacy of the EU jurisdiction over such data processed in USA.
Rajeev Chandrashekar has at present not made a statement that indicates such abject surrender of the country’s interest to foreign powers and allow a “Data Colonisation” by EU through GDPR.
If we restrict our interpretation to the words that have been quoted, it only means that the Cloud Operators need to satisfy that Indian Law Enforcement will not be denied access to data when required with the pretext that they are not subject to Indian Privacy laws. This point is also coming up directly for discussion in the Supreme Court in the Whats App Privacy Policy case and Government cannot take different stands in the draft law and the Court.
EDPB wants Indian Data importers to commit through their contractual agreement that they will not let Indian law enforcement to enforce their rights whether they are the Police or ED or CBI. Most Indian Companies have been quietly signing off contracts with their business vendors to ensure that their businesses are preserved.
In other words, most of the Indian companies are being forced to be more loyal to EU than India. Neither Press nor the Government is aware of this development.
I challenge the MeitY to conduct a survey of data processing contracts entered into by the Indian data processors in the last 3 months and check if they have agreed to revise their SLA s to meet the EDPB guidelines. This will reveal how Indian Companies are quietly ceding data territory to foreign powers for the business they are signing. Most companies are also signing off on indemnities for data breach liabilities far in excess of their own financial capabilities pushing India to “Potential Insolvency”.
If hackers target foreign companies having data processing contracts with India and huge data breaches happen, it would be many Indian companies who will have to foot the bill.
Has information security auditors factored in this incidence of “Foreign Data breach Risk” on Indian Companies?
In my opinion these are questions which every body is afraid to ask.
We therefore conclude that
“Given the security situation in the Country, there is no way India can give into the desires of the EU GDPR to convert India into a Data Colony of EU. This is a national security issue and MeitY has to work within this framework of National Security”.
In the last two months, we have written the following 23 articles indicating what should be the “Shape of Things to Come”.
In these articles we have tried to comment on what “right” has to be protected? how we should define “data”? how we should classify “critical personal data” and how we should approach the “Data Localization” issue.
One of the suggestions made is that Data Protection by law should protect the Right to Security of a citizen of India, retain the need for consent and maintenance of copy of all personal data, processing and storing of Critical Personal data only in India etc.
We have also suggested defining of Critical personal data as
Critical Personal Data means such personal data, deprivation, incapacitation or destruction of which would cause significant harm to an individual and includes biometric data or genetic data or unique official identifiers and personal data under the control of such entities or computer resources whose activities if incapacitated or impaired may have debilitating impact on national security, economy, public health or safety.
I wish MeitY tries to take into account the views expressed in the series of articles presented at Naavi.org before finalizing its recommendations.
We are waiting for the draft to be released by the Government to make a section by section comment and take on record the areas where there could be need for changes.
Naavi
 |
 |
To
The Honourable Chief Minister of Karnataka
Bengaluru
Dear Sir,
One of your recent decisions make me wonder …”If a person is running a Mandi and allows farmers to display his wares and bring together buyers and sellers, does he become a farmer?”
Kindly clarify.
Why Do I think so?
The Karnataka Transport Department has issued an order stating that Uber, Ola Auto service has to be stopped because they are charging a minimum of Rs 100/- as against the Government fixed minimum of Rs 30/-
Mr Sriramulu the Minister has threatened that he has ordered his officials to seize autos plying in defiance of the order. This gives a free hand to the police to stop every auto and demand information from the auto driver and increase his collections.
I would like to categorically state that your move to block Uber/Ola auto is not in the interest of the public nor in the interest of Auto drivers. It will make only a marginal dent to the Cab aggregators unless you are arm twisting them for contributions to BJP for fighting the BBMP elections.
I am a staunch supporter of BJP and Mr Modi but is compelled to call out the decision of the transport department as not in the interest of the citizens of Bengaluru of which I am also a part.
I request you to kindly give a thought to the basic nature of business which the “Aggregators” are in. The” business of aggregation” cannot be equated to the business itself which it integrates. Karnataka Government has already made this mistake when they last made a law to treat Uber and Ola as “Taxi Operators”. I had pointe out at that time itself that this was a wrong decision. unfortunately, the companies instead of fighting it legally went for some compromised solution and accepted the classification.
Now is a time for correcting this bad decision if your Government can think in terms of understanding the business.
The business chain always consists of different layers of service from producers to consumers. There are farm brokers, transporters, Mandi Merchants, Wholesalers, Retailers etc all of whom have a role to play. As long as they collect remuneration commensurate with the value addition they bring to the business, each is entitled to their profits.
Cab aggregators fall into this category of “Intermediaries” whose job is to bring together the cab operators with the consumers on an online platform and make it easy for the service to be consumed.
They work for their service charges and the benefit for the produce (In this case the transport service by a car or an auto given to the consumer) goes to the producer (Driver/auto or car owner). The aggregator also acts as the collector of money on behalf of the driver and passes it onto the driver. (Ideally, the receipt of money can be split straight away on and credited to the driver’s account if required).
If the Cab aggregator is cheating on the driver and exploiting him with excessive commission, it has to be checked. But a reasonable commission should be allowed. (I consider 15% as reasonable and not 30% which the Uber/Ola are now charging).
The system brings transparency to the collection system and all cab/auto owners would be happy that the drivers cannot cheat them on the total collection of the day.
At the same time the consumer is happy that he need not bargain with the driver which is the biggest headache which all Bengaluru Consumers are aware and were relived of with the introduction of Uber/Ola services.
The auto drivers who were demanding their own price in excess of the meter may be unhappy that they now have to ply according to the fixed rates . But many honourable auto drivers would be happy with the system which gives them a fair return without the botheration of waiting for a customer and demanding double the meter, refuse plying to a stated destination, get abuses constantly. They can operate intermittently from their home, respond only to calls on the App, switch off the App when they want to spend time with their family and have a good work-life balance.
The most important aspect of this service is that consumers need not go out into the street to look for the auto, wait and keep waving at the moving autos. In case there is any luggage to carry, there is to send an errand boy to go and fetch an auto to take them to the railway station.
I am sure that you and your family must have experienced these difficulties when you were younger and before you became the Chief Minister.
The current decision will now put Bangalore consumers of auto service back to the 70’s and 80’s and make it extremely difficult to commute. Senior citizens living alone are the most affected since they cannot get the autos to their doors.
You are therefore snatching away this door step auto service.
Now coming to the allegation of collection of Rs 100 instead of Rs 30. If only Rs 30 is charged, then do you expect the aggregator to charge no fees?
If you think the commission of Rs 70 is unreasonable and it ought to be not more than Rs 20, I may agree with you just as the 30% commission charged by Uber/Ola is considered double the reasonable figure of 15%.
You have the right to regulate this and through the transparent system of money flow that occurs ensure that the aggregators follow the rule of 15% commission with a minimum of Rs 20/-. You can also either disallow the “Surge charges” or more appropriately allow it with a higher rate of commission of say 25% at level 1 and 30% at level 2 depending on a criteria to determine the level 1 and level 2 situations. If the available supply is too low and below a critical level, surge commission can be made even higher.
Instead of regulating the pricing in such a manner that the driver gets a reasonable return on his efforts and the consumer gets a reasonable price, you are denying them of the service itself.
This will be creating a backlash on your Government and the first signs should be in the BBMP elections when BJP is going to lose heavily.
I therefore urge you to immediately suspend the decision of the Transport ministry and form a “Pricing Committee” for aggregators to fix a more appropriate price structure as indicated above.
The Government now have access to the Open Network for Digital Commerce (ONDC) as an available platform where all the auto drivers can register themselves and ONDC can fix a fair commission for itself and give an outlet for the autos. This will also bring down the competitors Uber and Ola to a more reasonable price structure. If required I thinks you can also use MYn which otherwise would be a disastrous failure. You can also request philanthropic organizations like Tata Neu to start cab aggregation platform (If you donot insist that they will be considered Taxi operators but only Intermediaries under ITA 2000), they and many more technology companies may oblige. Even Amazon would be happy to start a channel for autos.
If you take a decision in this direction, it will bring revolution to the Bengaluru transport system.
I think Mr Tejasvi Surya brought a problem to your attention but your solution was worse than the problem. Even Mr Tejasvi Surya should accept the proposal made above and you can show your statesmanship in retracting the 2014 order of equating the Aggregation business to Taxi business which was bad in law.
If the order is properly challenged by the operators in a Court of law they have a fair chance of winning in their argument as it is discriminatory on the city transport system and spares all other types of intermediary service providers being taxed like the end producer.
Please think over and act wisely to preserve the BJP electoral chances in the coming elections.
Naavi
Karnataka Government has repeatedly taken wrong decisions related to the Uber/Ola service. In 2014, I had written about this in the following article.
Government Fails to understand Uber Business Model
Time has come again to point out once again that Karnataka Government is taking another bad decision in trying to declare Uber-Ola aggregation service illegal.
We the senior citizens of Bangalore are aware of how the Autos in Bangalore have operated from times immemorial with hard bargaining. No auto trip ever ended without a serious argument at the end of the journey with the driver demanding more and we refusing to pay more than the meter. Those were the days when Taxis were never in contention for the middle class.
The advent of Uber/Ola as app aggregators brought relief to this BP raising arguments with the auto drivers and many switched to travelling by taxis which were cheaper than the “Pay Double” demand of the auto drivers.
Karnataka Government then interfered and declared Uber/Ola as “Taxi Operators” and made the technology service more complicated and expensive. The JDS as a political party also contributed to this move besides the greed for more tax collection.
In the recent days, the “Surge Pricing” by Uber/Ola had made the taxi service once again unaffordable. Our trips from South Bangalore to Airport which used to cost Rs 700/- now have reached Rs 1200/-. The discredit for this inflation has to go to the ill-advised move of the Government.
Now as people started to switch from Uber cars to Uber autos as an alternative to non availability and higher cost of cars, the Government has again poked its nose to ban Uber/Ola autos.
The ostensible reason is that there are complaints about a minimum charge of Rs 100/- as against Rs 30/- fixed by the Government. The solution to this is not banning the Uber/Ola autos but to understand and rectify the issue.
For Consumers if they want to travel a short distance, they need to stand by the road and run behind autos …and beg them to come to their destination. Even if they agree no auto comes for a short distance on meter. Will the Karnataka Government control this?
On the other hand what happened in the aggregation was depending on the destination, the willing auto would respond and come to the door step. This avoided the need to wait at road ends, send an errand boy to fetch the auto to the door step and the endless argument on how much above the meter one has to pay.
Many times the lack of argument itself is a premium for the service.
The Uber/Ola is an add on service which is optional. A consumer still has the right to stand at the street corner, locate an auto for short distance at a minimum rate of R 30/-.
If he choses the Uber/Ola, he is exercising his choice for a higher grade of service and transparently making a payment.
What needs to be regulated is that Uber/Ola does not appropriate the premium entirely and ensure that the auto driver is equally benefitted.
If more consumers chose the app aggregator, more autos opt for registration, and many respectable persons who run autos can operate independently out of the control of the Autoriksha associations which have the potential to become political groups as we have seen in Chennai.
Think of a house which is 100 meters from the main road and old people or people with luggage to catch autos. Will they prefer bargaining for Rs 30/- or be prepared to pay Rs 100?
Technically also, we should reverse the Government decision to consider App aggregators as Taxi Service and consider them only a “Technology Service”. Treat them fairly , let them make money out of their service, let them not exploit the drivers and leave the discretion to use or not use the service to the consumers.
I wish the Government order is either withdrawn or a stay is brought on its operation.
We can discuss the regulation where by the practice of the aggregator charging 30% or more of the trip money is reduced to a maximum of 15%. This will increase the revenue of the taxi and auto operators. In the initial days, the charges for Autos was actual meter charges plus Rs 10/- as service fee. If Rs 10/- is too low, it can be raised to Rs 20/-.
If surge pricing is allowed, 75% of the surge should be payable to the driver.
Over and above these regulations, it can be also mandated that charge beyond a limit should be credited as “Cash back coupons” that can be encashed like loyalty coupons within the next 3 months. Some of these may lapse but otherwise it may guarantee further business to the aggregator and hence the scheme should be acceptable.
At present therefore, I urge the Karnataka Government to withdraw the order on banning Uber/Ola auto, which is anti-consumer and will not be liked by the citizens of Bangalore who have to vote for BJP in the upcoming BBMP election when there is no Modi factor influencing the voting decision.
For the medium and long term we can discuss what kind of monitoring can be brought in to reduce the exploitation of the drivers by the app aggregators
Government should encourage competing app like Myn or encourage Tata Neu to start a new vertical or use the ONDC platform and recommend drivers to register with them. If these apps donot turn rogue like Uber/Ola and agree to follow the regulations such as
then there will be a win-win situation for the citizens and the drivers.
I request honourable MP Mr Tejasvi Surya to consider these suggestions.
Naavi
Abraham Harold Maslow is a great thinker of our generation who in 1942 gave a theory of motivation based on a hierarchy of needs.
His work has been of great assistance to Corporate Managers to understand human behaviour and improve their managerial capabilities.
He continued to work in this field and updated this thoughts (Refer here) and expanded the original 5 step hierarchy to eight steps. He also agreed that the different aspects of motivation may follow flexible hierarchy in some individuals and often worked as a mix.
Maslow’s theory suggested that humans are motivated by the fulfilment of their desires in five levels from physiological needs, to safety needs, to love and belonging needs, esteem needs and self-actualization needs.
Typically what this translates to is that employees are initially motivated by salary and remuneration but once satisfied, they cease to be motivators. Security of job, Love and belonging follow as next level of needs that motivate them. Then they look for designations and rewards to satisfy their “Esteem” until they reach a level of “Self-Actualization” where they get motivated by their own pursuit of excellence.
In our eternal search for motivation, Naavi propounded his own “Theory of Information Security Motivation” (TISM) where it was suggested that the elements of motivation are better organized in a close loop than a hierarchical pyramid.
In this model, Naavi suggested that for motivating the employees for adopting a security culture, a “Pentagon Model” with five needs namely Awareness, Acceptance, Availability, Mandate and Inspiration could be considered as a better fit but not as a pyramid of hierarchical levels but as a closed loop.
The principle of closed loop was that all the requirements formed a boundary and it should be closed so that their is no leakage.
Now Maslow has expanded the levels of motivation from 5 to eight by adding “Cognitive” “Aesthetic” and “Transcendence” levels 
as indicated below. We shall not go into the detailed analysis of this theory, we can note an important grouping of “Deficiency Needs” and “Growth Needs”. The “Deficiency Needs” are those where after fulfilment, the motivation decreases. In “Growth Needs”, motivation increases as the needs are met.
In a way this bridges the gap between Maslow’s theory and Herzberg’s theory of “Hygiene factors” and “Motivational factors” which also holds some value.
Service oriented organizations like FDPPI have been looking for a CEO of late and in this context taking a re-look at Maslow’s Theory to understand what kind of a person would suit to be a CEO of FDPPI appeared interesting. (These discussions may also help Start Up ventures to select a CEO)
Obviously, a Start-up like FDPPI cannot afford to pay a salary which an individual deserves to make by comparison. If the world consists of only persons who can be motivated by salary, and the person with the right credentials of experience and skill is still at this level, it would be difficult to find a motivated person for the position. Fortunately the world also consists of many others who work for “Self Actualization” and are motivated by other aspects of performance.
According to experts, the characteristics of self-actualized people consist of the following:
1. They perceive reality efficiently and can tolerate uncertainty;
2. Accept themselves and others for what they are;
3. Spontaneous in thought and action;
4. Problem-centered (not self-centered);
5. Unusual sense of humor;
6. Able to look at life objectively;
7. Highly creative;
8. Resistant to enculturation, but not purposely unconventional;
9. Concerned for the welfare of humanity;
10. Capable of deep appreciation of basic life-experience;
11. Establish deep satisfying interpersonal relationships with a few people;
12. Peak experiences;
13. Need for privacy;
14. Democratic attitudes;
15. Strong moral/ethical standards.
The behaviour that leads to self-actualization is identified as follows:
(a) Experiencing life like a child, with full absorption and concentration;
(b) Trying new things instead of sticking to safe paths;
(c) Listening to your own feelings in evaluating experiences instead of the voice of tradition, authority or the majority;
(d) Avoiding pretense (‘game playing’) and being honest;
(e) Being prepared to be unpopular if your views do not coincide with those of the majority;
(f) Taking responsibility and working hard;
(g) Trying to identify your defenses and having the courage to give them up.
We may add here that self-actualization is considered a matter of degree, ‘There are no perfect human beings’. It is not necessary to display all 15 characteristics to become self-actualized, and not only self-actualized people will display them.
Maslow did not equate self-actualization with perfection. Self-actualization merely involves achieving one’s potential. Thus, someone can be silly, wasteful, vain and impolite, and still self-actualize. Less than two percent of the population achieve self-actualization.
FDPPI is looking for some body in this 2% who can take over the role of a “CEO of FDPPI” not necessarily as a philanthropic assignment but on a predominantly “Variable remuneration ” basis.
The first thought that may cross many minds is that this is a utopian thought and how can some body work full time without a fixed salary?. But a person with the confidence of building an organization generate revenue and share in the prosperity can consider the challenge at least as a one year contract.
Naavi looks forward to proposals from interested persons with experience, skill and attitude to lead the next phase of development of FDPPI.
Naavi
