New Updated book on Section 65B in Print

Naavi has updated the E Book on Section 65B, titled “Section 65B of Indian Evidence Act Clarified” with an additional chapter on ‘Section 65B for Data Protection Professionals”.

A print copy of the above book is scheduled to be released in Chennai on March 16, along with the launching of the Chennai Chapter of FDPPI and a day long workshop on Section 65B organized jointly by Cyber Society of India (CySi) and FDPPI.

Naavi was the founder secretary CySi and a continuing life member, as also the Founder Chairman of FDPPI. Mr S.Balu the current president of CySi is also a member of FDPPI.

The E Book is currently priced at Rs 150/-. The Printed version of which limited copies would be available is priced at Rs 200/-. (Will be available at the conference at a concessional price of Rs 100/-).



Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Ordinance on Aadhaar

The Justice Srikrishna Committee on Data Protection under Appendix had provided a comprehensive recommendation for amendment of the Aadhaar Act (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016. These recommendations were not included in the draft Bill for PDPA 2018 which the Committee submitted. Subsequently the Aadhaar judgement of the Supreme Court (Refer the series of articles) gave certain recommendations which prevented the use of Aadhaar services by private sector including the Banks.

After taking into consideration the recommendations of the Srikrishna Committee and the Judgement of the Supreme Court, the Government came up with a draft Bill However the Bill could not be passed through Rajyasabha and would lapse soon.

In order to therefore alleviate the problems created by the Supreme Court Judgement on the industry, Government has come up with an ordinance to implement some of the recommendations of the Srikrishna Committee by promulgating an “Ordinance” on 28th February 2019.

The ordinance provides for “Offline Verification of Aadhaar number” after obtaining the consent of the individual and using only the demographic information with safe guards for the information to be used only for the purpose for which it is sought.

Section 57 of the Aadhaar Act has been omitted in deference to the wishes of the Supreme Court.

The ordinance will provide the option of the use of offline Verification without authentication to verify the demographic information about an individual who provides consent to an agency to use the Aadhaar number .

Hopefully this will mitigate some of the immediate problems of the industry. However, some murmurs are being heard about challenging the ordinance in the Supreme Court and we need to wait and see how things develop.


Reference Articles:

10:Aadhar Judgement-10: Let us debate the changes required in PDPA 2018 
9: Aadhaar Judgement-9: Definition of Personal Information revised?
8: Aadhaar Judgement-8: Limited use
7: Aadhaar Judgement-7… Can the Private Sector use Aadhaar for Authentication?
6. Aadhaar Judgement-6.. Joint Secretary is too junior?:
5:Aadhaar Judgement-5…Collection of Metadata
4:Aadhaar Judgement…4… Making the life of law enforcement difficult…
3:Aadhaar Judgement..3.. Data retention limit of 6 months.. 
2:Aadhaar Judgement….2.. The Answers and Conclusions of the majority 
1.Aadhaar Judgement…1… Debate the areas where clarity is required.

Other References

Aadhaar Act : Srikrishna Committee Suggestions in Appendix : Aadhaar Amendment Bill :Aadhaar Amendment Ordinance

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Naavi’s Data Trust Score Audit System..allocation of weightages

Naavi is in the process of developing the Data Trust Score System  which will enable Data Auditors to evaluate the level of compliance of an organization to the required PDPA standards.

Naavi is also in the process of developing a “Personal Data Protection Standard of India” (PDPSI-0219) which will incorporate the data protection requirements of a typical organization working in India. This standard is expected to be an “Open Source Standard” and should encompass BS 10012 or such other proprietary standards in terms of what is required to be achieved.

It is left to the auditors to offer audits and for their clients to accept such audits adopting of BS or IS standards and piggy back on the perceived reputation of these standards or adopt the PDPSI-0219 standard which is dove tailed to the Indian requirements and take the responsibility for meeting the “Data Protection objectives” rather than “Certification Objectives”.

When we introduced the Naavi’s 5X5 DTS system  we had indicated that we would adopt a 5 by 5 matrix to evaluate the compliance of an organization and the five parameters to be used would include “Commitment”, “Knowledge”, “Controls”,”Review” and “Redressal”.

We had indicated that the observations would be recorded on a scale of 0-100 in five buckets of 20 each.

In arriving at the final DTS value for an organization, we had indicated that each of the five parameters may be given different weightages. If equal, each parameter would bet a weightage of 0.2.

Now we would suggest the next step of a method to assign the weightage.

For the purpose of such weightage allocation, organziations would first be classified into three categories namely, “Infant”, “Adult” and “Mature”. An infant organization is one where the data protection exercise is in the beginning and hence more focus is required on awareness building and management commitment etc. As the organization grows in maturity, the management commitment and conducting awareness training would become routine basic requirement. [P.S: These may even be considered as a “Hygiene factor” which is something which if present it is considered as necessary and if not present it would be considered as a serious lapse. The score allocation under the parameter could be a binary proposition unlike other parameters].

Considering this aspect, we have drawn a table of weightage allocation as follows.

The PDPSI 0219 will indicate  management requirements which will encompass all the above 5 parameters and will also adopt the Three Dimensional Model of Information Assurance which Naavi follows which includes Technical, Legal and Behavioural Science approaches.

Comments are welcome.



Print Friendly, PDF & Email
Posted in Cyber Law | Tagged , | Leave a comment

Cyber Security Framework for Brokers..from SEBI

Just as RBI has issued a cyber security framework for Banks, NBFCs, PPI issuers etc., SEBI has also formulated a Cyber Security Framework applicable for Brokers and Depositories. The guideline issued on December 3, 2018 has suddenly gained some traction and attracting discussions.

E Trading is similar to E Commerce or E banking in terms of risks and the need for security. However, the stakes are extremely high in the stock transactions because the value of transactions and the speed with which they take place in real time add their own risks.

E Trading which SEBI oversees includes Futures and Options as well as commodities including Gold and Metals. Only currency trading operations fall under the supervision of RBI.

In the pasts we have seen frauds some of which are pure financial cheating instances. But there have been a hint that there have been more sophisticated frauds involving technology where “Pump and Dump Frauds”, “Broker or Broker Employee related frauds” where piggy back trades are booked over customer’s genuine transactions etc. Most of the large brokers today directly allow apps and computer based trading software to be used by customers to place orders with a variety of conditionalities built in in terms of stop loss, triggers, margin trades etc and hence the scope for frauds of different kinds are high.

In the past there have also been reports of the Stock Exchange servers being manipulated for deriving time advantage in receiving price data disseminated by the trading platform so that some milli seconds advantage is obtained by one broker over the other which enable them to make unfair profits.

Taking all these into consideration, a proper information security over sight was over due. With the advent of the concept of “Sensitive Personal Information Protection” under the Data Protection legislation, it was necessary for the brokers to also realize the need to upgrade their security culture and infrastructure to meet the modern day demands.

The published Cyber Security Framework of SEBI therefore requires a close look. A Copy can be accessed here: CLICK HERE

The main requirements are

a) Draft a comprehensive Cyber Security and Cyber Resilience Policy approved by the management and reviewed annually

b)Policy should be Risk Assessment based with clear policies for incident detection, response and recovery.

c) Thee policy should conform to “Guidelines for Protection of national Critical Information Infrastructure” from the Government.

d) Appoint a compliance official supported by an internal technology committee of experts.

e) Necessary access control  measures need to be implemented .

f) Sub brokers and customers need to be included in the overall policy

g) Physical and other Network security measures need to be implemented.

h) Encryption should be used in data transit and storage.

i) Brokers should ensure that the products used for trading are adequately certified for security.

j) People involved need to be adequately trained

k) measures like audit need to be implemented.

Overall, an entire system of information security has to be implemented by the brokers and depositories.

Though for Data protection professionals, this requirement is not new and with the Section 43A of ITA 2000/8 already being available and  PDPA 2018, in the anvil, it was expected that data security was recognized as a responsibility of the stock broking community.

It would be interesting how the industry players adopt to the demands. But any negligence or complacence will render the stock broker and the depositories liable as “Intermediaries” under the ITA 2000/8


Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Draft E Commerce Policy released for Public Comments

A Draft E Commerce Policy has been issued by the department for promotion of Industry and Internal Trade, for public comments.

Comments may be made upto March 9, 2019.

Other details of how the comments have to be sent etc are not clear. It will be posted as soon as it becomes available.

In the meantime, the draft of the policy is available here for study… CLICK HERE


P.S: Last Date for submission of comments extended to 29th March 2019.

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

A step beyond BS 10012 and GDPR-Personal Data Protection Standard of India-PDPSI

Personal Data Protection regulation is presently a global phenomenon. While legislation like ITA 2000 try to protect “Data” in general(Section 43/66) with specific provisions for protecting “Personal Data” (Sec 72A) and “Sensitive Personal Data” (Section 43A), legislations like GDPR have focussed on Personal Data Protection only. India is set to follow the trend with its own Personal Data Protection Act in due course.

Indian companies today are eager to get themselves certified under various standards such as BS 10012 though these so called standards are nothing but a reiteration of GDPR articles in a slightly modified language.

It must be remembered that “Certification” under a certain standard is only an internal milestone for an organization to inform its stakeholders that they have indeed taken some formal steps towards compliance and is not an end in itself in the organization’s journey towards full compliance of data protection regulations..

BS 10012 is yet to formally align with the UK’s new Data Protection Act 2018 but still for the corporate managements, the tag “BS 10012 compliant” is a desirable asset for which they are willing to spare their budget. But for Indian Companies, BS 10012 may not be sufficient to be complaint with data protection regulation since Indian laws may have to be also understood and complied with.

Cyber Law College which is the academic organ of considers that there is a need to develop Personal Data Protection Standard for Indian Companies which goes beyond BS 100012 and be compliant not only for GDPR but also to ITA 2000/8 and the proposed PDPA.

Currently Naavi uses the Indian Information Security Framework with the following top line implementation charter which is identified as IISF309.

As one can observe, it captures most of the control requirements expected in an information security standard though the details may not be clear in the framework as presented above.

After the advent of PDPA 2018 in draft form, Naavi floated the idea of “Data Trust Score” as a measure of a “Data Audit” conducted under PDPA 2018. This was a measure of how good is the implementation of PDPA compliance in an organization.

The criteria suggested was a 5X5 matrix where 5 parameters namely

  1. Management Commitment
  2. Knowledge in the organization
  3. Controls
  4. Review mechanism
  5. Grievance Redressal mechanism

The evaluation was suggested on a scale of 0-100 in 5 steps of 20 each and hence it was called the 5X5 grid.

In order to further fine tune the approach and make it repeatable, Naavi is now working on developing a “Standard” which cover different requirements of compliance.

This “Standard” is presently the internal Audit Standard for Ujvala Consultants Pvt Ltd, the corporate entity of Naavi that addresses the audit requirements.

The standard is called “Personal Data Protection Standard of India” (PDPSI) and will be developed by as a part of its educational initiative of Cyber Law College.

The future  idea is to make it an open standard which any intending corporate can adopt on their own.

Auditors are free to adopt it to their own audit framework if they feel like or ignore it if they donot feel it has any value, or adopt thoughts from this standard into their own audits.

The objective is to make an “Audit under PDPSI” incorporate principles of personal data protection imbibed in other standards including BS 10012 so that an organization which is PDPSI compliant is essentially also compliant with BS10012. It is understood that a Certification of compliance under PDPSI is not a certificate of compliance under BS 10012. However, an organization which is compliant under PDPSI should easily sail through any evaluation under BS10012.

However, we believe that “Compliance to a standard is required for a faithful protection of personal data as required under law and not just to sport a tag on which a blind faith can be placed”. Such blind faith often leads to complacency and needs to be avoided.

Conceptually therefore, PDPSI has been launched as the future of Naavi’s approach to Personal Data Protection approach and will be integrated with the DTS system which is already suggested.

The details of the standard under each of the above five parameters will be developed module by module and the standard will be published through this site.

Some may feel that by making such standards public, we will be losing an opportunity to commercialize it or we will be hurting other standards providers.

But we firmly believe that a “Suggested Standard” should be made available freely while commercial exploitation can be made through the implementation consultancy.

I trust at least a few of the data protection practitioners would accept this approach as what is required to make compliance to data protection laws affordable to most of the SMEs.

Any suggestions, comments etc are welcome.

This is also an open invitation to interested persons to join me in the development of PDPSI as a standard with wider acceptance in the community.

PDPSI first version will be referred to as PDPSI-0219, and hopefully it would get updated from time to time.

Await the publication of the different elements of PDPSI-0219 in due course.


Print Friendly, PDF & Email
Posted in Cyber Law | Tagged , , , , | 1 Comment