A New Era in Personal Data Protection opens up

After ISMS and PIMS, it is time for PDP-CMS, or Personal Data Protection Compliance Management System, to be implemented in organizations. PDP-CMS encompasses both PIMS and ISMS but has a different focus from either of them. The focus of ISMS rests on technical security across all information in an organization, while PDP-CMS is focused on Personal Data. PIMS is focused on Privacy in relation to one specific data protection law, leaving security to a supporting ISMS. PDP-CMS, on the other hand, is a unified system that takes into account all data protection laws applicable to an organization and incorporates Information Security along with the Privacy controls required for compliance.

After conducting three separate modules, Module I, Module G and Module A over the last 18 months, FDPPI is now launching an integrated module of training for professionals who could be consultants for data processing organizations or undertake audits for certification with a calculation of Data Trust Score as envisaged in the proposed Indian law.

The first such program is being inaugurated today at 10.30 AM and will be conducted online over 36 hours spread across six weekends.

FDPPI is happy to welcome DNV, the globally renowned certification agency, which has joined hands with FDPPI as a Certification partner for this course.

Naavi

SPOT REGISTRATION

Pay Rs 40000/- through this link 

and Contact Ramesh Venkataraman for the session link

Posted in Cyber Law

Book on Cyber Crimes..in Print version released

The E-Book on Cyber Crimes, which was available in the E-Book section of the website, has now been updated and released in print form.

This book is now available online at the publisher’s website at Rs 450/-

The Book will also be available on Amazon and Flipkart.

The first five purchasers who review the book and send their review by e-mail to naavi will be eligible for a cash back of 50% of the price paid. This book has the limited objective of meeting the quick needs of law enforcement.

Naavi

Posted in Cyber Law

Ollie Robinson punished by Artificial Intelligence without application of human intelligence

Ollie Robinson made an impressive Cricket Test debut at Lord’s last week against New Zealand. He virtually saved England from losing the Test by not only taking 7 wickets but also scoring 42 runs at a critical stage in the first innings.

However, a lobby worked against him to point out tweets posted by him in 2012 which were allegedly “Racist” and “Sexist”. The English Cricket Board (ECB), in a holier-than-thou reaction, immediately suspended Mr Robinson indefinitely and said that it would conduct the necessary enquiry.

They said

“Ollie Robinson has been suspended from all international cricket pending the outcome of a disciplinary investigation. He will not be available for selection for the second Test against New Zealand starting at Edgbaston on Thursday 10 June. Robinson will leave the England camp immediately and return to his county.”

Subsequently, the British Prime Minister Boris Johnson said that the punishment was harsh, and he was promptly criticized. It was unfortunate that even our own much loved cricketer Farokh Engineer was critical of Robinson as well as of Boris Johnson for his remarks.

Ravichandran Ashwin however came up with a very mature response stating

“I can understand the negative sentiments towards what #OllieRobinson did years ago, but I do feel genuinely sorry for him being suspended after an impressive start to his test career. This suspension is a strong indication of what the future holds in this social media Gen”

Further, earlier statements on Twitter from Jimmy Anderson, Eoin Morgan and Jos Buttler have also been unearthed, and they are accused of passing intemperate remarks that may be called racist. These are more recent than 2012.

Anderson was reported to have stated

“I saw Broady’s new haircut for the first time today. Not sure about it. Thought he looked like a 15 yr old lesbian!”

As against this, it is interesting to note what the offending tweets from Robinson stated.

[Another publication quoted the following tweets:

“I wonder if Asian people put smileys like this ¦) #racist”; “My new muslim friend is the bomb. #wheeyyyyy”; “Real n—– don’t let the microwave hit 0:00”; and “Wash your fingers for the mingers #cuban”.]

Conservative party leaders came up with statements suggesting that Mr Robinson’s tweets should be seen in the context of a ten-year-old view of a teenager and his current apology. However, the Labour party, which is a known supporter of Muslim interests in England and has passed many remarks against Indian interests in the past, jumped into the political debate to oppose the views of the Conservative party leaders, making the issue political.

We know that Cricket boards many times hand down suspended sentences so that the career of an individual is not affected by an immediate ban. We have also seen that in civil suits we have a period of limitation, and in criminal law we have the principle of a convict being “reformed” and released into the world. Many rapists and murderers come out of jail and lead normal lives after a sentence of 5 to 7 years.

In such a situation, the immediate suspension from all international cricket, throwing the person out of the team environment and banishing him to his house in utter humiliation appears a very biased decision from the ECB. Prima facie, this decision itself appears an “Appeasement action” taken by the ECB in support of the Muslims and Cubans who were referred to in Mr Robinson’s tweets.

Though the use of “Muslim” and associating it with “Bomb” must have irritated many, we should also observe that he has added the word “Friend” to his description. Hence there was a neutralization of the terror association within the statement itself.

The proposed punishment is definitely “Disproportional” to the gravity of the offence and appears to have been taken for political reasons.

From the Privacy perspective, one does get the thought that Mr Robinson could probably have exercised his “Right to Forget” some time back so that this controversy could have been avoided. This would not, however, have prevented the possibility that some archived version of the tweet could still have surfaced.

Psychologists say that during adolescence, hormonal changes in human beings bring about changes in a person’s behaviour and could make him/her do things which he/she may correct in later years as maturity dawns. Many college boys and college girls might have been eve-teasers or adam-teasers but later turned into perfect gentlemen or ladies.

In fact, we recently had controversies surrounding Hardik Pandya’s remarks on a TV show, for which some limited punishment was given by the Indian Cricket Board. We know that even Gandhi, whom we revere as Mahatma, admitted to teenage indiscretions, and we all admired him for his honesty.

Many of our celebrities may have had chequered careers during their younger days and if one digs deep, the past of many respected individuals may be tainted with such tweets or articles in print or recorded voice messages.

The action of the ECB therefore appears to be more a case of reverse racism than a move born out of a genuine reason of discipline. There is a need for an investigation into how the tweets surfaced, who brought the complaint to the ECB and why such a severe action was contemplated. There could be political lobbies which were trying to create a political storm and gain the sympathy of Muslims and Cubans for political gain.

It is high time that such incidents are evaluated based on the context and not literally on the basis of the words used.

An AI algorithm may commit such a mistake, but human beings endowed with the power to think should not commit such mistakes.

The action of ECB will have a chilling effect on free speech and needs to be condemned.

Naavi

Reference articles

Republicworld.com

Indianexpress.com

Posted in Cyber Law

Student Chapters on Privacy launched by FDPPI

Foundation of Data Protection Professionals in India (FDPPI) is an organization of Data professionals dedicated to the empowerment of the Data Protection ecosystem in India.

Towards this end, FDPPI has developed Certification programs for skill development of professionals. At the same time, FDPPI has also developed a Certification standard for “Personal Data Protection Compliance Management System” to enable organizations to implement appropriate compliance programs which are certifiable by experts.

In a bid to extend the awareness of Privacy and Data Protection regulations in India, FDPPI engages itself in many outreach activities. One such activity is its weekly webinars from experts on various topics surrounding Data Protection.

In a bid to further extend the reach of these awareness programs to the younger generation in Colleges, FDPPI has set up a separate division to promote student participation in Privacy and Data Protection activities. “Privacy and Youth” is a movement that has been set up for this purpose to engage educational institutions and provide an opportunity for students of Law, Engineering and Management to participate in the activities of FDPPI.

FDPPI has therefore embarked on setting up “Student Chapters” and “Affiliate Colleges” so that the interaction between the academia and the industry can proceed on a continuing basis.

The program is coordinated by Dr Mahendra Limaye, Advocate, Nagpur. For more information Dr Limaye may be contacted at mahendralimaye@yahoo.com or fdppi@fdppi.in.

Naavi

Posted in Cyber Law

ICO UK issues basic guidelines on Anonymization

Anonymization is an important aspect of Data Protection in India. It segregates Data into two categories, namely Personal Data, to which the proposed PDPA-India will be applicable as per PDPB 2019, and Non Personal Data, which is outside this regulation. According to PDPB 2019, the DPA (Data Protection Authority), when formed, will issue the guideline for a standard of anonymization that would be acceptable under law.

It is understood that no technology is perfect, and even the strongest anonymization can be broken by hackers just as encryption can be broken. Hacking of this nature can be made punishable, but as long as hackers exist, it cannot be prevented.

Some hackers would not like to be called hackers and call themselves “Security Researchers”. As long as their intention is to find security vulnerabilities and they work for an organization under authority to find bugs in its processes, they deserve to be called security researchers or white hackers. But the moment they turn over their findings to the dark web or use them for extortion, they become black hackers.

The standard prescribed by law can only introduce a reasonable limit for an organization to render identified personal data into anonymized data. If the standard is set too high, it will be disproportional to business needs. If it is set too low, it will not suffice.

Hence the DPA will have the task of setting the right level of difficulty for hackers, that is, of determining what level of technology is sufficient for personal data to be called anonymized.

ICO-UK has now come up with a guidance note on this topic which is a good starting point to understand how anonymization is interpreted in the UK and how it is distinguished from De-Identification and Pseudonymization.

A copy of the guidance note is available here

Some key points in the guideline are as follows:

Anonymisation is the process of turning personal data into anonymous information so that an individual is not (or is no longer) identifiable.

Data protection law does not apply to truly anonymous information.

Pseudonymisation is a type of processing designed to reduce data protection risk, but not eliminate it. You should think of it as a security and risk mitigation measure, not as an anonymisation technique by itself.

It must be noted that Pseudonymization is similar to De-Identification in effect. In de-identification, all identifiers are removed as a set and substituted with one proxy ID. In Pseudonymization, each identifier is replaced with a pseudo identifier.

Both de-identified and pseudonymized personal data may be re-identified by somebody who has the mapping information. In anonymization, the mapping information is irretrievably destroyed, so that even the person who anonymized it in the first place is not capable of re-identifying it without resorting to efforts which are not considered normal.
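The three transformations distinguished above (de-identification with one proxy ID per record, pseudonymization with one pseudo-identifier per field, and anonymization where the mapping is destroyed) can be made concrete in code. The following is an added Python example written for this page; it is not from the ICO guidance note or from this post. The patient records are constructed and fictitious, the choice of HMAC-SHA256 for pseudonyms and of random hex tokens for proxy IDs is an assumption, and the non-identifier fields (city, visit date, diagnosis) are kept untouched for simplicity even though in a real dataset they are quasi-identifiers that need their own treatment.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed sample records (fictitious people, not real data).
# Records 0 and 2 belong to the same data subject, which lets us see
# that pseudonymization keeps a person's records linkable.
RECORDS: List[Dict[str, str]] = [
    {"name": "Asha Rao", "email": "asha@example.com", "phone": "+91-9000000001",
     "city": "Bengaluru", "visit": "2021-05-02", "diagnosis": "asthma"},
    {"name": "Vikram Nair", "email": "vikram@example.com", "phone": "+91-9000000002",
     "city": "Kochi", "visit": "2021-05-03", "diagnosis": "fracture"},
    {"name": "Asha Rao", "email": "asha@example.com", "phone": "+91-9000000001",
     "city": "Bengaluru", "visit": "2021-05-09", "diagnosis": "asthma"},
]

# Fields treated as direct identifiers (assumption for this example).
IDENTIFIERS = ("name", "email", "phone")


def pseudonymize(records: List[Dict[str, str]], key: bytes):
    """Pseudonymization: each identifier is replaced by its own pseudo-identifier.

    A keyed hash (HMAC-SHA256, truncated) gives a stable token for the same
    value, so one person's records stay linkable. The returned mapping
    (field, token) -> original value is exactly what allows re-identification.
    """
    mapping: Dict[Tuple[str, str], str] = {}
    out = []
    for rec in records:
        new = dict(rec)
        for field in IDENTIFIERS:
            msg = f"{field}:{rec[field]}".encode()
            token = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
            mapping[(field, token)] = rec[field]
            new[field] = token
        out.append(new)
    return out, mapping


def reidentify_pseudonymized(records, mapping):
    """Reverse pseudonymization: only possible for the holder of the mapping."""
    return [{k: (mapping[(k, v)] if k in IDENTIFIERS else v) for k, v in rec.items()}
            for rec in records]


def deidentify(records: List[Dict[str, str]]):
    """De-identification: the whole identifier set is removed and replaced by one proxy ID.

    The proxy is random, so two records of the same person get different
    proxies; the mapping proxy_id -> identifiers is the re-identification key.
    """
    mapping: Dict[str, Dict[str, str]] = {}
    out = []
    for rec in records:
        proxy = secrets.token_hex(8)
        mapping[proxy] = {f: rec[f] for f in IDENTIFIERS}
        new = {k: v for k, v in rec.items() if k not in IDENTIFIERS}
        new["proxy_id"] = proxy
        out.append(new)
    return out, mapping


def reidentify_deidentified(records, mapping):
    """Reverse de-identification using the proxy mapping."""
    out = []
    for rec in records:
        new = {k: v for k, v in rec.items() if k != "proxy_id"}
        new.update(mapping[rec["proxy_id"]])
        out.append(new)
    return out


def anonymize(records: List[Dict[str, str]]):
    """Anonymization in the sense of the post: de-identify, then irretrievably
    destroy the mapping so that not even the anonymizer can re-identify."""
    anon, mapping = deidentify(records)
    mapping.clear()   # the only copy of the link between proxy and person is destroyed
    del mapping
    return anon


if __name__ == "__main__":
    key = b"constructed-demo-key"   # constructed; a real key would be managed in a KMS
    pseudo, pmap = pseudonymize(RECORDS, key)
    print("pseudonymized:", pseudo[0])
    print("linkable across visits:", pseudo[0]["email"] == pseudo[2]["email"])
    print("restored:", reidentify_pseudonymized(pseudo, pmap) == RECORDS)
    print("anonymized:", anonymize(RECORDS)[0])
```

The contrast the post draws is visible in the return values: both `pseudonymize` and `deidentify` hand back a mapping, and whoever holds it can run the matching `reidentify_*` function, which is why the guidance treats them as risk-reduction measures rather than anonymization. `anonymize` returns no mapping at all. The example also shows a property the post does not mention: a keyed pseudonym is the same for the same input, so a data subject's records remain linkable to each other even though the identity is hidden.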

Unauthorized re-identification of de-identified/pseudonymized information, as well as of anonymized information, is a punishable offence under UK-GDPR, as it is under the proposed Indian PDPA.

It is recognized that in some instances effective anonymization may not be possible due to the nature or context of the data, or the purpose(s) for which it is collected or used.

More guidelines are expected to be announced by the ICO in due course as additional chapters to this guideline, and it may be a good document to keep track of.

Naavi


Posted in Cyber Law

Call 112 if you face a Cyber Crime loss in Karnataka

In a commendable move, Karnataka Police has set up a special help desk to attend to Cyber Crimes involving financial loss.

See Report here

The Cybercrime Incident Report system, with a call center responding to calls at 112, will be an information-based Business Process Outsourcing (BPO) mechanism.

According to the Bangalore Commissioner, Mr Kamal Pant, the system will alert banks and internet services within around two hours, the golden period, to block a transaction or a social media account reported to be linked to a cyber offence.

The control room officials will soon alert the nodal officers of concerned banks and service providers. The basic purpose would be to stop further transactions because we have a two hour period to block and reverse transactions with banks. This is the basic objective.

Mr Pant has stated that this is like filing an FIR and “What we are proposing is that wherever a person is located and gets an intimation of an illegal financial transaction, then he can intimate us in real-time.”

This was a long felt need, since Banks were not addressing the reported frauds properly and were driving away customers who were made to shuttle between multiple Police Stations. Banks have not been alert in immediately stopping the payment at the other end of the fraudulent fund transfer, and this system will now bring pressure on them to act.

Most Cyber Crimes can be frustrated if the criminal is not allowed to withdraw the money at the receiving end.

Though the Police is talking of a “Golden Hour”, with a 24-hour ATM network criminals can withdraw cash transferred in a fraud within a very short time. Often such frauds occur in the middle of the night, and hopefully this call center will work round the clock.

RBI also has to ensure that night withdrawals (say 10.00 pm to 6.00 am) are made subject to additional verification such as second-factor authentication. RBI should also classify ATMs based on their location and identify priority ATMs, such as those within Airports, which may be given some exemptions for night operation. Since entry to airports is subject to some verification, the risks there are less.

What is not clear, but may already have been introduced, is whether the incident report can be converted into an FIR with minimal formalities so that the complainant does not encounter any harassment.

Recently, cyber crimes are on the increase on e-commerce platforms like OLX. Both Banks and such platforms need to ensure that there are security controls to verify buyers and sellers so that frauds can be traced efficiently.

Naavi

P.S: Outside Bangalore, the MHA has set up a call center number 155260 for a similar purpose.

Posted in Cyber Law