Bitcoin is Fascinating but Dangerous

It is unfortunate that there is a need to fight, and to keep fighting, against Bitcoin, which is an obvious evil to the country, because there is such overwhelming support for a system that is a wonderful tool of corruption.

But the fight needs to be carried on…One day God will hear…even if Mr Modi does not…

Check on my detailed views if you are interested.

Naavi

(Views expressed here are personal views of Naavi only released in the interest of the citizens of India)


Another Open Letter to Mr Narendra Modi, the Prime Minister of India.. On Bitcoin

To

Sri Narendra Modi
Prime Minister of India
New Delhi

Sub: Why we should eliminate the Digital Black Money called Bitcoins from the face of India

Dear Sir

I am one of the admirers of your leadership and believe that, on the path of progress of India, substantial ground has to be covered under your regime before it is too late. Whether it is Anti-CAA or Anti-Farm Bills, we are aware that opposition parties will try to discredit you and discourage you so that you will stop taking any further reformist steps. Unfortunately a large part of the media has also lost its sense of duty to the public and hence helps build false narratives that sustain the anti-reformist agenda of the opposition.

At this time of crisis, people like us sometimes hesitate, wondering whether it is fair to raise one more contentious issue and seek your intervention. We are afraid that this would probably increase your stress, and we don’t want you to break down.

But I am also constrained to think that there is one item of unfinished agenda for you which can be achieved only under your leadership and not otherwise. That is the elimination, or at least an attempt at reduction, of Black Money.

Your first effort to demonetize large value currency was frustrated by the corrupt intermediaries and to some extent presence of a large quantity of fake currency in the country. The effort to prevent “benami” property holding through Aadhaar linking has been put on the back burner because of the power of the unaccounted assets which drive business and politics in our country.

Now I would like to say that behind this power of the “Black Wealth”, the continued recognition of “Bitcoins” and “Crypto Currencies” is the main reason. Crypto currencies and Bitcoin provide an excellent opportunity for building black digital wealth and conducting black money hawala transactions. All intelligent black money holders have already converted their black money and wealth into Bitcoins, and any further efforts in the physical world to curb benami properties etc. will not have the required impact in reducing black money and black wealth in India.

Some time back the RBI tried to ban bitcoins, but the power of black money prevailed and bitcoins got a new lease of life from none other than the honourable Supreme Court itself.

I have therefore lost trust in the RBI or even the Supreme Court doing anything further to curb the menace of “Bitcoin”. I am sure that many of the bureaucrats and politicians also love Bitcoins because it is the best way to take bribes.

The current farm agitations are also perhaps funded out of Bitcoins because Canada is in the forefront of Bitcoin usage. I am sure that Bitcoins are used for funding terrorist transactions as well.

Despite the fact that recognition of Bitcoins would kill the economy, the Government of India has remained silent and this can only be interpreted as corruption showing its power at the highest level.

The last hope to get this Digital Black Money eliminated is you and hence I am constrained to write this letter once again.

Kindly take the bold step of banning crypto currencies, first by making a statement from your end or from the MOF end. Then kindly issue an ordinance to bring it to effect immediately.

By banning crypto currencies, you will be seriously choking the underworld economy in the digital world, and there will be a reduction in cyber crimes and ransomware attacks.

I will not be surprised if even the farmers’ agitation is weakened, since all the funding agencies will have to run for cover to salvage their own existence if crypto currency wealth is extinguished.

Just as the Canadian Prime Minister is trying to bring pressure on the farmers’ agitation, there would be many foreign countries which may oppose a move to ban crypto currencies in India, but I wish you would be able to convince them that it is our internal decision.

Probably there would be many countries which will rally behind you in this measure and make you a global leader of a movement to eliminate Crypto Currencies from the world economy.

Do you have the courage to take this step? I only pray God that you will get the strength to take this step.

Bitcoin is a menace worse than drugs, one that can destroy the country. Let us wake up before it is too late.

Naavi

Earlier articles on this website on Bitcoins are available here:

 


Data Trust Score – thoughts on legal framework (Part 3)

Data Trust Score is an innovative mandatory provision in the Indian Personal Data Protection Bill 2019 which introduces measurability and accountability to the compliance initiatives of a Data Fiduciary. In this three-part article, Mr M.G. Kodandaram, IRS, retired Assistant Director NACIN, analyses the legal aspects of the Data Trust Score system….. Naavi

(Continued from part-2)

In this concluding part we shall deliberate on fair means of using the mandated principles, within the scope of the objectives and the proposed legal framework, to arrive at a possible data score methodology. The author is not inclined to propose a definitive scoring pattern, as the bill in hand is still legislation in the making and more changes are expected before it becomes the law of the land. Once the legislation gets the nod of both houses, carrying out such an exercise will be more realistic and useful. Therefore the discussion in this part is limited to the components that should be part of the DTS system.

Objectives of the bill

The Preamble of the bill declares the purpose of the legislation as, “to provide for protection of the privacy of individuals relating to their personal data, specify the flow and usage of personal data, create a relationship of trust between persons and entities processing the personal data”. It further undertakes (i) to protect the rights of individuals whose personal data are processed, (ii) to create a framework for organisational and technical measures in the processing of data, (iii) to lay down norms for accountability of entities processing personal data, (iv) to provide remedies for unauthorised and harmful processing, and (v) to establish a Data Protection Authority of India for the said purposes. The honourable Supreme Court, in Justice K.S. Puttaswamy[i] v. Union of India, has held that the right to privacy is a fundamental right, and therefore it is necessary to protect personal data as an essential facet of informational privacy. At the same time it is necessary to create a collective culture that fosters a free and fair digital economy, ensuring empowerment, progress and innovation through digital governance. No doubt data is the lifeblood of any digital business, but when it is abused the ultimate losers are the consumers, whose private lives may suffer an irreversible shock.

Obligations of the fiduciary

The privacy rights of an individual have to be secured, for which data fiduciaries are expected to follow certain obligations stipulated under sections 4 to 11 of the bill. The Bill allows processing of data by fiduciaries only after due consent is obtained from the individual / Principal. To obtain the consent of a Principal for collection or processing of personal data, the fiduciary must issue a notice to such person stating the reasons in clear, concise and easily comprehensible terms. The procedure for issuing the notice to the principal at the time of collection of data[ii], for obtaining consent, is elaborate, and due care has to be taken to devise digital tools that meet the requirements. In the notice the Principal should be informed about the purpose, nature and categories of data being collected. The identity and contact details of the data Fiduciary and the contact details of the data protection officer are also to be communicated to the Principal, who should further be informed of the procedure to withdraw consent in the mandated way. Further, personal data can be processed only for specific, clear and lawful purposes. The Data Fiduciary shall not retain any personal data beyond the period necessary to satisfy the purpose for which it was processed and shall delete the personal data at the end of processing. Personal data may be retained for a longer period only after the data fiduciary obtains the necessary consent from the Data Principal. During the compliance audit, it is for the data auditor to comment on each of these parameters as followed by the fiduciary before proceeding to quantify the DTS score. The measure so made should indicate the trust factor of the fiduciary in handling the personal data of the principals.

It is pertinent to mention here that the relationship between the principal and the fiduciary enshrined in the bill is of a special and unique nature. Here the fiduciary should extend to the personal data owner / principal a breach-proof mechanism, which is equivalent to safeguarding the fundamental rights of the principal. Therefore the measure applied to score ‘trustworthiness’ needs to be rational and realistic. Efforts should be made to measure, directly or indirectly, all the stipulated obligations, compliances and functions of the fiduciary, using digital tools wherever possible to meet the requirement of the law.

Voice of principal needs recognition

From the above deliberations we find that there are compliance mechanisms and a complaint mechanism in place, but the crucial element of a feedback mechanism is missing from the entire framework under consideration. As stated in the earlier part, the major stakeholder or beneficiary in this entire bill is the principal, but her/his observations about the services rendered by the fiduciary are not given due place in scoring the credentials of the fiduciary. Further, any personal data breach that takes place at the fiduciary’s location may, through the dark net, land the data in the hands of cyber criminals who could exploit it to cause injury to the principal. The safeguards taken by the fiduciary to prevent personal data breaches protect the principal from becoming a victim of cyber crime. The satisfaction of the principal with the protection layer provided by the service-providing fiduciary is an important element in the measurement of the trust score. The DTS is supposed to express the trust of the principal as to the level of protection the fiduciary has extended. Therefore the principal’s feedback on satisfaction with the services provided by the fiduciary will be one of the best indicators of mutual trust, the author feels.

Finding fault or gaps in services should not be based on the mere observations of the auditor or on the sheer outcomes of the complaint mechanism in place. The principal’s voice should be heard, and it deserves a place in formulating the score for the fiduciary. Therefore a feedback system should be legislated wherein the fiduciary is required to obtain responses from the principals whenever it provides them with any service. This will also add value to the review mechanism of the fiduciary.

As per the above deliberations it is clear that no provision is made in the law for a principal to offer feedback about the services extended by a fiduciary. This needs to be used as a positive aspect in drawing up the trust scores, the author observes. A suitable section could be inserted prescribing an effective feedback mechanism and using it to determine the data trust score.

Authority to be well equipped

Further, in a democratic society like Bharat, to take up the huge responsibility of implementing this law and the disproportionate issues that could emerge, the Authority concerned should be well equipped in terms of skilled techno-legal manpower along with a robust digital platform to be used as an e-governance vehicle. As per section 49 of the bill, “It shall be the duty of the Authority to protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the provisions of this Act, and promote awareness about data protection”, which is a huge responsibility to be discharged. Further, the responsibilities of the Authority include (i) taking prompt and appropriate action in response to personal data breaches, (ii) maintaining a database and the data trust scores on the web, (iii) classification of data fiduciaries, (iv) monitoring technological developments and commercial practices that may affect protection of personal data, (v) receiving and inquiring into complaints, (vi) selection of auditors, and (vii) prescribing the privacy by design policy and DTS measures; together with registration and regulation of the various provisions relating to safeguarding the interests of principals, these are going to be matters of great concern.

As the task involves safeguarding the fundamental rights of citizens, it becomes all the more important, since the Supreme Court and high courts could be directly approached for relief. Added to this, technological advancements are accelerating, as are information exchanges and communications, and so are cyber crimes. Unless the officials are proportionately equipped with techno-legal skills, the implementation of the law may leave a huge scar on the governance of citizens. The Authority must select only officials with the requisite technical and legal qualifications. Such executives are to be suitably trained, which is going to be the most critical element for the successful implementation of this new regime.

Section 49(3) requires the Authority to be treated like any other fiduciary as far as processing of personal data is concerned. It expressly mandates that, “it shall be construed as the data fiduciary or the data processor in relation to such personal data as applicable, and where the Authority comes into possession of any information that is treated as confidential by the data fiduciary or data processor, it shall not disclose such information unless required under any law to do so, or where it is required to carry out its function under this section”. This is a crucial aspect of the bill that deserves special attention. Further, all central government departments follow the standards prescribed under the Service Quality Management System as per IS 15700 (SEVOTTAM), which should be made applicable to the Authority.

Conclusions

The computation of DTS by the auditor, to be fair and justifiable, may consist of the following major components:

  • Outputs from measurable components such as (a) a dynamic grievance redressal mechanism; (b) online periodical compliance filings by the fiduciary; (c) reported breaches and remedial action taken, along with time frames, etc.;
  • Outputs from the verification report drawn up by the data auditor on subjective issues such as obligations met by the fiduciary, appreciations and deficiencies noticed during the audit, etc.;
  • Feedback from the principal about the quality of the services provided as against the mandated obligations, and the level of trust she/he could recommend; and
  • Observations by the executives who are implementing these provisions.

The suggested weightage for obtaining the consolidated DTS score from the above four components could be 30% each for the first three components and 10% for the last. The author welcomes any additional suggestions and ways to measure the trust score so that it becomes the forerunner in the cyber society and among the best practices to ensure the privacy of the individual.

(Concluded)

[i] (2015) 8 S.C.C. 735 (India)

[ii] Sec.7, PDP bill

 


Data Trust Score – thoughts on legal framework (Part 2)

Data Trust Score is an innovative mandatory provision in the Indian Personal Data Protection Bill 2019 which introduces measurability and accountability to the compliance initiatives of a Data Fiduciary. In this three-part article, Mr M.G. Kodandaram, IRS, retired Assistant Director NACIN, analyses the legal aspects of the Data Trust Score system….. Naavi

Continued from the previous part-1

Now we shall examine each of the factors prescribed in Section 29 of the bill to explore ways of computing, from the proposed principles, a fair and justifiable Data Trust Score.

Issue of notice to principal

Every data fiduciary shall issue a notice to the data principal before the collection or processing of personal data, and the contents of that notice are one of the factors to be considered in evaluating the trust score. Among the items indicated in section 7(1) of the bill, the following are relevant to the present discussion:

“(k) the procedure for grievance redressal under section 32;

(l) the existence of a right to file complaints to the Authority;

(m) where applicable, any rating in the form of a data trust score that may be assigned to the data fiduciary under sub-section (5) of section 29; and

(n) any other information as may be specified by the regulations”.

From the above it is to be noted that (i) having grievance redressal as prescribed in section 32; (ii) the principal’s right to file complaints with the Authority; and (iii) intimating the data trust score assigned under section 29(5) to the data principal, are important factors to be considered by the auditor in evaluating the trust score of a fiduciary. To enable a higher DTS rating, it is important for the fiduciary to have a dynamic grievance redressal mechanism in place. At the same time it is the responsibility of the Authority to provide a tool for the principal to lodge complaints and to suitably redress them.

Redressal of grievances of principal

As mandated under section 32 of the bill, every data fiduciary should provide an effective mechanism for redressal of grievances of data principals. A facility for the principal to lodge a complaint about any contravention of the provisions that has caused or is likely to cause harm to her/him is an essential responsibility of the fiduciary. Such a facility must be managed by the data protection officer or a designated officer of the entity. Complaints received have to be resolved by the data fiduciary in an expeditious manner, within 30 days of receipt of the complaint. If such complaints are rejected or not resolved within the time frame, or if the principal is not satisfied with the manner of disposal, the data principal may file a complaint with the Authority. Therefore the Authority is expected to host a separate facility for receiving complaints from principals about such unattended grievances.

As the volume of transactions is expected to be high, these services to the principal could be built by the fiduciary and the Authority together in digital mode. For this, development of a central digital facility by the Authority in association with the entities is preferable, as it eases the complaint filing mechanism for the principal, and the monitoring, disposal and recording of the entire process could be automated. The number of transactions and the timelines followed in the redressal process could be used as a realistic data source for measuring the trust score of each fiduciary in one place.

However, it is interesting to note that there is no mechanism built into the bill to obtain feedback from the principal.

Privacy by design policy

The second factor to be considered for awarding the score by the auditor is the effectiveness of measures adopted under the ‘Privacy by design’ policy as mandated under section 22 of the bill. The Bill requires a data fiduciary to formulate a policy that (a) ensures that managerial, organisational and business practices and technical systems are designed in a manner that anticipates, identifies and avoids harm to the data principal, (b) meets the listed obligations towards protection of personal data, (c) uses technology in accordance with commercially accepted or certified standards, (d) protects the legitimate interests of businesses, including ensuring that any innovation is achieved without compromising privacy, (e) protects privacy throughout processing, from the point of collection to deletion of personal data, (f) processes data in a transparent manner and (g) keeps the interest of the data principal in view at every stage of processing of personal data. The data fiduciary should submit the policy so prepared to the Authority for certification within the prescribed period. The Authority, after due verification that the information and compliance prescribed under Section 22(1) have been provided, shall certify the same. The said information needs to be published on the official websites of the Authority and of the fiduciary concerned. This entire process could be built on a digital platform, and the emerging data could be used to gauge the trust score.

Transparency and security measures

Transparency in relation to processing activities under Section 23 is the third factor that needs to be considered in awarding the data score. The fiduciary should make available, in the prescribed form and manner, the following information: “(a) the manner and categories of personal data generally collected; (b) the purposes for processing the personal data; (c) any probable risk of significant harm in such processes; (d) the facilities available for the data principal to exercise rights regarding access, correction, erasure, portability and such other rights vested under law; (e) the right of data principal to file complaint against the data fiduciary to the Authority; (f) where applicable, any rating in the form of a data trust score accorded to the data fiduciary under section 29(5); (g) where applicable, information regarding cross-border transfers of personal data that the data fiduciary generally carries out; and (h) any other information as may be specified by regulations.”

The fourth factor that needs to be considered is the security safeguards adopted by the entity pursuant to section 24 of the bill. Every data fiduciary and data processor shall implement, and periodically review, the necessary security safeguards, such as, “(a) the use of methods such as de-identification and encryption; (b) steps necessary to protect the integrity of personal data; and (c) steps necessary to prevent misuse, unauthorised access to, modification, disclosure or destruction of personal data”. These could be verified by the auditor, who can list out the gaps to arrive at the data score for the fiduciary; the verification should look at whether the safeguards are actually effective (for instance, that encryption keys are held separately from the encrypted data and that de-identified data cannot be readily re-linked), not merely at whether the fiduciary claims to use them. Similarly, instances of personal data breach and the timely response of the data fiduciary, including the promptness of notice to the Authority under section 25, and the timely implementation of processes and effective adherence to obligations under section 28(3), being the fifth and sixth factors, could be verified by the auditor to draw fair conclusions.

In the coming part we shall deliberate on fair means of using the mandated principles, within the scope of the objectives and the proposed legal framework, to arrive at a possible data score method.

(To be continued as part-3)

M. G. Kodandaram, IRS, Assistant Director, NACIN (Retd.)

CCTV gets a new wave of recognition

The Supreme Court of India, in its order in Paramvir Singh Saini v. Baljit Singh, has brought in a very important provision for accountability at police stations by directing the use of CCTVs.

The order is dated December 2, 2020, is by a bench consisting of Justices R.F. Nariman, K.M. Joseph and Aniruddha Bose, and reiterates an earlier order dated 3/4/2018 in SLP (Crl) No. 2302 of 2017, reported as Shafhi Mohammad v. State of Himachal Pradesh (2018) 5 SCC 311.

The Court has given specific directions that CCTV cameras should be compulsorily installed in all police stations and in the offices of the CBI, ED, NIA, NCB, DRI and SFIO.

It has also specified that the cameras should be installed at entry and exit points, the main gate of the police station, lockups, corridors, lobby/reception area, all verandas/outhouses, the Inspector’s room, the Sub Inspector’s room, outside the lockup room, the station hall, in front of the police station compound, outside washrooms/toilets, the duty officer’s room, the back part of the police station, etc.

It is also directed that the CCTV systems should be equipped with night vision and include audio.

It is also directed that the footage should be retained for not less than 6 months, which becomes the new data retention standard for CCTV footage. Companies which were erasing the data after 30 or 90 days need to take note.

While the intention of the order is well appreciated, there is a need to work out the cost of such installation and of continuous maintenance. We often find that CCTVs in bank ATMs do not function, and in many instances CCTV footage is claimed to be non-existent due to malfunction when it has actually been erased to suppress evidence.

This is a welcome move as far as preventing human rights violations is concerned, and we need to see how it will be implemented.

The issue highlights how protection of one right can threaten another, since there could be privacy concerns arising out of these directions. There have been GDPR decisions in which CCTV recording, particularly by cameras facing public areas, has been considered a violation of privacy. However, this order, coming from the highest court of the land, will be considered a precedent in its own right.

Similarly, keeping the records for a minimum period of 6 months will be an adjunct to Sections 67C and 65 of ITA 2000.

It would be interesting to see how this order is implemented.

Naavi


Data Trust Score – thoughts on legal framework (Part 1)

Data Trust Score is an innovative mandatory provision in the Indian Personal Data Protection Bill 2019 which introduces measurability and accountability to the compliance initiatives of a Data Fiduciary. In this three-part article, Mr M.G. Kodandaram, IRS, retired Assistant Director NACIN, analyses the legal aspects of the Data Trust Score system….. Naavi

Consequences of Data Trust Score

The much awaited Personal Data Protection Bill, 2019 (‘bill’ hereinafter, for brevity) is awaiting the scrutiny of the Joint Parliamentary Committee, which is in the final leg of its consultation and finalisation process. Sub-section (5) of Section 29 of the bill, relating to audit of policies and conduct of processing as a measure of transparency and accountability to be adopted by a data fiduciary, specifically mandates, “A data auditor may assign a rating in the form of a data trust score (hereinafter ‘DTS’) to the data fiduciary pursuant to a data audit conducted under this section”. The bill authorises the auditor conducting the compliance verification of a fiduciary to measure the trustworthiness of such an entity by awarding a score, as an indicator, on criteria to be prescribed through regulations by the Authority[i]. The scores so awarded should be published by the fiduciary in the notice issued to the principal[ii] and on the website maintained by the entity in the manner prescribed by the Authority[iii]. These scores should also be announced by the Authority[iv] in its public domain. This stipulation makes the DTS process a sensitive proposition, as such scores will have huge ramifications on the goodwill, investment and service decisions in respect of such fiduciaries in the competitive market place. Therefore it is of utmost importance to devise a justifiable and comprehensive scoring pattern and configuration so that there is a fair approach in place for assigning the trust score.

As we are aware, the privacy of an individual is a very subjective issue, and for this purpose the levels of protection in place at a fiduciary are not easily measurable in arithmetical terms. It is a well known principle that only what is measurable can be gauged and monitored. Therefore one should explore a system which could indirectly assist in assigning such a score with the least scope for ambiguity or bias on the part of the compliance auditor. No similar tool is employed for this purpose elsewhere, as no such prescription exists in other privacy laws in force around the globe. This is a unique and positive approach by the Indian authors of the law to stipulate such a mechanism for the first time. In view of the above, the quest for a fair and justifiable method for computation of the DTS becomes all the more challenging. An attempt is made here to suggest ways that could be adopted for this purpose.

The best way to initiate the search for a fair solution, the author feels, is to examine the related provisions in the bill to find out the intentions, objectives and methods embedded in the proposed statute. The solutions should be within the substantive law and should not transgress the stated perimeters. If any essential factors are missing, they should be recommended for inclusion in the law in the making. With these thoughts in the background, the essential legal framework applicable to DTS, as available in the proposed law or required to be incorporated into the law should the need arise, is deliberated in the further part of this article.

Impact of proposed law on stake holders

The proposed bill is going to impact every individual’s privacy in the present cyber society, as all services and activities, by the Government or by business and non-business entities, are being built around digital technology as an essential component. In all walks of life, every citizen (you may call them ‘netizens’) encounters privacy issues in all types of communication with others. Therefore one can assume that the entire population residing in the country may have to be treated as ‘Principals’ of some fiduciary or processor at one stage or another. It could be a visit to a commercial centre, a consultation with a doctor, an academy for education, or any of countless other instances where the Principal’s personal data are collected and processed. Almost all entities dealing with an individual’s personal matters automatically qualify as data fiduciaries, unless they are either kept outside the applicability of the provisions or specifically exempted under them. It is left to the guesstimate of the readers to assess the volumes of data and the impact of managing such data. The bill places full responsibility on the data fiduciary to protect the privacy rights of the principal, and any breach of this assurance makes them liable to penal action. Punitive measures for breaches and violations by the fiduciary could be initiated by the principal or the Authority, and adjudicated by the Authority and the courts. In view of the above legal position, one can conclude that implementation of privacy laws is going to be a change of massive scale and proportion. Therefore all stakeholders need to prepare sufficiently in advance, both in terms of technology and legal procedures, to absorb and follow the changes.

Legal provisions relating to DTS

Section 29(6) of the bill declares that, ‘the Authority shall, by regulations, specify the criteria for assigning a rating in the form of a data trust score having regard to the factors mentioned in sub-section (2)’. Sub-section (2) specifies the criteria for assigning a data trust score, which are discussed in the later part. From the stated stipulations the conclusions that could be drawn are: (i) evaluating the score is the responsibility of the privacy data auditor appointed by the Authority; (ii) such compliance audit in respect of a data fiduciary should cover the examinations and observations of the auditor under Sections 7, 22, 23, 24 and 25 of the bill; (iii) the process for scoring is not left to the wisdom of the auditors, but is to be regulated by the Authority. Therefore there is a legal necessity to notify the DTS regulations before going for implementation of the DTS provision.

The various powers of the Authority to make regulations are listed in section 94 of the bill. The Authority may, by notification[v], make regulations consistent with this Act and the rules made thereunder to carry out the provisions of this Act. Section 94(2) lists out the matters that could be regulated, and among them the following are relevant for our discussion: “(l) the other factors to be taken into consideration under clause (g) of sub-section (2); the form and procedure for conducting audits under sub-section (3); the manner of registration of auditors under sub-section (4); criteria on the basis of which rating in the form of a data trust score may be assigned to a data fiduciary under sub-section (6) of section 29;

(g) the manner for submission of privacy by design policy under sub-section (2) of section 22.”

It must be noted that these are matters for regulations to be made, and not rules, meaning that such matters (auditors, privacy by design and DTS) should be directly controlled and monitored by the Authority. The Authority may, by notification, make regulations consistent with this Act and the rules to implement the DTS provisions.

Evaluation of fiduciary by Data Auditor

As per Section 29 of the bill, a significant data fiduciary shall get its policies and the conduct of its processing of personal data audited annually by an independent data auditor. Further, the Authority[vi] has the power to direct any data fiduciary to get an audit carried out by an appointed data auditor, if it is of the view that the data fiduciary is processing personal data in such a manner that is likely to cause harm to a data principal. Therefore we can deduce that it is mandatory for all significant data fiduciaries to get audited annually, while for others it depends on the performance of the fiduciary as observed by the Authority. However, such directions should normally be issued in writing and could be made part of the regulations.

The parameters to be used by a data auditor to evaluate the compliance of a data fiduciary include, “(a) clarity and effectiveness of notices under section 7; (b) effectiveness of measures adopted under section 22; (c) transparency in relation to processing activities under section 23; (d) security safeguards adopted pursuant to section 24; (e) instances of personal data breach and response of the data fiduciary, including the promptness of notice to the Authority under section 25; (f) timely implementation of processes and effective adherence to obligations under sub-section (3) of section 28; and (g) any other matter as may be specified by regulations.” As this is an inclusive provision, similar parameters could be added in the form of regulations, within the principal framework of the bill. It is the responsibility of the Authority not only to notify the forms and procedures for conducting audits but also to appoint, as data auditors under the Act, persons with expertise in the area of information technology, computer systems, data science, data protection or privacy, possessing such qualifications, experience and eligibility, having regard to factors such as independence, integrity and ability, as may be specified by regulations. This provision leads to the formation of a new stream of auditors specialised in privacy law and the appropriate technology, after due entrance examination and personality tests that could be formulated under the regulations. This is one of the most critical aspects in effective implementation of privacy laws, as such auditors are to exercise the responsibilities of compliance audit, followed by assigning the DT score of the registered fiduciaries. Now we shall examine each of the above prescribed factors to explore the ways to compute the principles in the proposed DTS in the coming part.

(To be continued as part 2)

[i] Sec. 22(5), PDP bill; [ii] Sec. 7(1)(m), ibid; [iii] Sec. 23(1)(f), ibid; [iv] Sec. 49(2)(c), ibid; [v] Sec. 29(7), ibid; [vi] Sec. 29(7), ibid

  • M. G. KODANDARAM, IRS, Assistant Director, NACIN (Retd.)
