Naavi.org

[In continuation of the earlier article/s on PDPSI, we proceed to unravel the further details of  the Personal Data Protection Standard of India (PDPSI). The objective of the standard is to make available a open source guideline to Indian Companies to comply with Privacy and Data Protection requirements that meet the standards of BS10012, GDPR as well as the Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]

The essence of any Information Privacy Regulation such as GDPR or PDPA is to ensure that the “Privacy Rights” guaranteed by the Constitution of the country for its citizens are not infringed while the  personal information is processed in electronic form. All processors of such data are “Intermediaries” under the present law in India (ITA 2000/8) and responsibilities are hoisted on them for appropriately securing such data failing which  there could be liabilities.

One of the security provisions that ITA 2000/8 has prescribed is that there has to be accountability of the intermediary by designating a “Grievance Redressal Officer” whose contact details are to be provided on the websites.

The PDPA/GDPR speaks of the same accountability in the form of a need to appoint a DPO who is expected to be both a proactive compliance manager as well as the first contact point for an aggrieved data subject.

The role of a Grievance Redressal Officer is slightly different from a “Compliance Officer”  in the sense that his responsibility kicks in after a grievance is reported. If he is the same person who is also the compliance officer, then there would be a conflict of interest as he turns defensive if any grievance points to a flaw in the system.

Hence it may be necessary from the PDPSI point of view that the roles of the Compliance officer and the Grievance Redressal Officer are suitably segregated.  There is nothing wrong if the compliance officer is the first reference point for a grievance since he has the knowledge of what has gone wrong. But the dispute resolution should be escalated at the earliest to another level where there is no conflict of interest.

Having an effective Grievance Redressal Mechanism is therefore a critical element of PDPSI.

PDPA 2018 does make a specific mention of  Grievance Redressal under section 39 of the draft Bill. A 30 day time is provided for the grievance to be addressed after which the data principal may invoke the adjudication process of the DPA, followed by the appeal to the designated Tribunal and thereafter to the Court of appropriate jurisdiction. (Could be the Supreme Court).

GDPR makes only a vague mention of Grievance Redressal under Article 40 as a part of the code of conduct.

Under PDPSI, it is recognized that the ultimate benefit that a Data Subject expects is a proper grievance redressal and hence it is an essential control that an organization should institute and manage.

Naavi has been advocating that the grievance redressal mencahism should go through the following three stages namely

a) Service level attention by the DPO

b) Ombudsman who is an independent person of repute to whom the complaint can be referred

c) Mediation which could be an extended responsibility handled by the Ombudsman or separately.

It would be ideal if this is followed by an “Arbitration” so that before the statutory process of adjudication is invoked, all remedies available as alternative dispute resolution mechanisms are exhausted.

Since time is the essence of such resolution, an “ODR mechanism” of the type referred to under www.odrglobal.in is recommended.

The service level resolution can be provided within 48 hours and Ombudsman views can be provided within 7 days so that in the first 10 to 15 days, the matter could be ready for “Mediation” for which another 15 days could be provided. Thus within one month, the mediation option would be exhausted and the parties may decide if they have to straightaway go to the adjudicator or exhaust the arbitration.

At present, it appears that 30 days is just sufficient to complete the mediation efforts and also that “Adjudication” being a statutory remedy provided, even if the parties go through the process of “Arbitration”, it would be subordinate to the Adjudication process.

But making a provision for arbitration if necessary with a report to the Adjudicator would be a good idea for an organization to think off.

Naavi has in commenting on the “Intermediary Guidelines”  suggested that just as in the case of Domain Name disputes where we use UDRP/INDRP as a self regulatory mechanism, we can consider an “Intermediary Dispute Resolution Policy” and an associated arbitration process to resolve the disputes arising between the user of an internet service and the intermediary.

A similar mechanism could work even in the PDPA scenario if the Grievance Redressal Mechansim is properly structured and implemented.

In view of the above the DTS system encourages the Data Auditors to consider the presence of an effective Grievance Redressal mechanism as part of the scoring evaluation.

It is therefore considered that under PDPSI, the presence of a Grievance Redressal mechanism and its evaluation is considered critical from the point of view of Data protection by a Data Fiduciary/Data Controller/Data Processor.

(To Be continued)

Naavi

Other Reference Articles

1. A Step beyond BS10012 and GDPR-Personal Data Protection Standard of India-PDPSI
2. Data Protection Standard of India- (DPSI)
3. Data Classification is the first and most important element of PDPSI
4. Why 16 types of Data are indicated in PDPSI?
5. Implementation Responsibility under Personal Data Protection Standard of India
6. India to be the hub of International Personal Data Processing…. objective of PDPSI
7. Principles of PDPSI
8. Pentagon Model of TISM…An implementation approach to PDPSI implementation
9. Personal Data Gate Keepers and Internal Data Controllers in Organizations
10. Legitimate Interest Policy
11. Implement “My Bhi Chowkidar” policy for Personal Data Protection.
12. Naavi’s Data Trust Score model unleashed in the new year
13. Naavi’s 5X5 Data Trust Score System…. Some clarifications
14. Naavi’s Data Trust Score Audit System…allocation of weightages

Dear Friends

It appears that due to a server crash at my hosting services, several postings I had made since April 13th have been lost.

These related mainly to PDPSI. I may try to provide a summary of some of the postings subsequently.

However, in case any of the readers have a copy of my postings since April 13th,  please send them to me through e-mail, while I continue to get the recovery done through the hosting provider.

Following four articles were lost due to the server crash.

https://www.naavi.org/wp/business-agreement-control-an-essential-ingredient-of-pdpsi/ (Substituted with a new post)

https://www.naavi.org/wp/pdpsi-controls-data-breach-notification-and-data-disclosure-policies/ (Substituted with a new post)

https://www.naavi.org/wp/pdpsi-controls-grievance-redressal-mechanism/ (Substituted with a new post)

https://www.naavi.org/wp/if-state-government-turn-rogue-misuse-of-aadhaar-data-cannot-be-prevented/

We shall re-post the essence of these articles separately.

Naavi

[In continuation of the earlier article/s on PDPSI, we proceed to unravel the further details of  the Personal Data Protection Standard of India (PDPSI). The objective of the standard is to make available a open source guideline to Indian Companies to comply with Privacy and Data Protection requirements that meet the standards of BS10012, GDPR as well as the Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]

PDPSI implementation expects the top management involvement through some key foundation policies. We have discussed the “Legitimate Interest Policy” as one such policy control measure, in the drafting of which  the top management needs to personally get involved.

Another such fundamental policy that needs to be developed at the top management level is the “Whistle Blower Policy”.

“Whistle Blower Policy” (WBP) essentially means that the organization creates an eco system of confidence where every employee is encouraged to be vigilant, skilled enough to identify suspicious incidents and behaviour in any of the activities surrounding the organization and a mechanism to report it for further investigation and corrective action.

The problem with implementing a good and effective Whistle Blower Policy is that

a) It has to accommodate the possibility of nuisance and malicious reports

b) It has to provide an assurance to the person reporting that his identity would be kept confidential so that the reporting does not hurt his future career.

c) It has to also give the confidence that action will be taken quickly and effectively to investigate further and correct the situation if required.

The “Data Breach Notification Policy” which is part of every Information Security Policy does envisage that a “Data Breach” should be reported to the DPA. But before the DPO reports a Data Breach to an outside agency, he has to first come to know of a potential data breach within the organization.  Hence the DPO needs to have a mechanism to collect intelligence on the data breach possibilities and have the early warning of any breaches.

Additionally, the “Privacy By Design” concept needs the DPO to be able to take “Preventive Steps” to ensure that a likely data breach is nipped in the bud.

The “Whistle Blower Policy” is the means by which early warnings are gathered.

In the earlier articles we have discussed the need for “Personal Data Gate Keepers” to be identified in an organization so that the responsibility for Personal Data Protection is decentralized.

As a corollary, it is essential to have a system where a watch is kept on the activities around the organization and early warnings about the possible data breach or possible non compliance events are captured and reported to the DPO.

While the enterprise level awareness creation helps in every organizational member including the employees of the business associates who interact with Personal Data being managed by the organization, it is necessary to motivate the employees to be bold enough to bring to the notice of the appropriate persons that there could be a non-compliance issue.

When a person points out such a potential non compliance issue, it is likely that he would ruffle some feathers and that could be the feathers of a powerful employee of the organization even at levels higher than that of the person who observes the anomaly. In such instances the person is likely to keep quiet and look the other way.

The non-reporting of a potential data breach situation may actually be considered as a “Passive Assistance” for the non compliance to continue which may explode into a data breach incident on a later day. When an investigation is undertaken at that time, all those who were aware of the risk and did not take proper care to mitigate it could be considered as “Accomplices”.

The Whistlebolwer policy should therefore provide that any legitimate observation that indicates that some thing wrong may be going on, should be reported for examination and review by escalating it to the appropriate level.

In order to provide confidence to the Whistle Blower that there would be no witch hunting, it is necessary to maintain confidentiality of such reports even if some rewards are associated with useful reporting.

“Anonymous Reporting” could be one option for the organization but such anonymous reporting often encourages malicious untruthful reporting just to damage the reputation of some employees. There could also be “Nuisance Reporting” just to harass the management. Hence “Anonymous Reporting” is not recommended though it is an option that a management may consider for meeting PDPSI.

A more mature approach to Whistleblower policy is to create an “External Ombudsman” who receives all complaints with identification of the reporter who anonymizes the complaint, identifies the level at which it should be escalated for review and manage the information that needs to be shared for the purpose of the review. If necessary, the Ombudsman can also have a dialogue with the complainant to understand the problem better before escalating it.

Designing a robust Whistle Blower policy which encourages reporting, providing the confidence that such reporting would be rewarded, kept confidential and acted upon promptly is considered as a part of the “Control” that PDPSI expects organizations to set up.

Since this requires policy decisions such as the appointment of an external ombudsman etc., this decision can be initiated only by the highest level of management which accommodates complaints even against the members of the Board itself.

The integrity of the appointed ombudsman must also be ensured so that he protects the interests of the “Personal Data Protection Regulatory Expectation” and effectively manage the inherent conflicts.

It is interesting to note that Prime Minister Modi’s “My Bhi Chowkidar” campaign for the nation is actually a reflection of the “Whistle Blower Policy for the nation”. The CVC has also in the past tried to initiate a system  for the purpose and introduce an app to enable citizens to report incidents.  The experience with these schemes indicate the difficulties and the opposition that it may generate because there is always one set of the ecosystem which will strongly oppose such measures to protect their own vested interests, real or imaginary.

A successful designing and implementation of the system therefore requires a very high level of statesmanship by the top management.

It is to be accepted that it is a huge challenge to design  an effective Whistle Blower Policy but it is for the Data Auditor to evaluate how good and robust is the policy (if available) while arriving at the Data Trust Score under the heading of “Commitment”.

[To Be Continued… Comments welcome]

Naavi

Other Reference Articles

1. A Step beyond BS10012 and GDPR-Personal Data Protection Standard of India-PDPSI
2. Data Protection Standard of India- (DPSI)
3. Data Classification is the first and most important element of PDPSI
4. Why 16 types of Data are indicated in PDPSI?
5. Implementation Responsibility under Personal Data Protection Standard of India
6. India to be the hub of International Personal Data Processing…. objective of PDPSI
7. Principles of PDPSI
8. Pentagon Model of TISM…An implementation approach to PDPSI implementation
9. Personal Data Gate Keepers and Internal Data Controllers in Organizations
10. Legitimate Interest Policy
11. Naavi’s Data Trust Score model unleashed in the new year
12. Naavi’s 5X5 Data Trust Score System…. Some clarifications
13. Naavi’s Data Trust Score Audit System…allocation of weightages

[In continuation of the earlier article/s on PDPSI, we proceed to unravel the further details of  the Personal Data Protection Standard of India (PDPSI). The objective of the standard is to make available a open source guideline to Indian Companies to comply with Privacy and Data Protection requirements that meet the standards of BS10012, GDPR as well as the Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]

The compliance of Privacy Protection regulation whether under PDPA 2018 or GDPR or any other law normally starts with

a) Privacy Policy

b) Information Security Policy

The Privacy Policy declares the intentions of the organization in meeting the different requirements of the regulation. It is a comprehensive aggregation of several other sub policies that we will discuss here. It has to capture the objectives of the organization and reasonably describe how it proposes to implement the requirements.

Privacy Policy is for the organization to follow while “Privacy Notice” is meant for the information of those who interact with the company. “Privacy Notice” may contain many aspects of “Privacy Policy” but the objectives of the Policy are different from the Notice and this should reflect in the drafting of the two.

The Information Security Policy on the other hand is the policy that is intended to be followed within the organization to meet the Privacy Policy requirements.

Since a Corporate Information Security Policy has to protect both personal information and non-personal information, and the Privacy Policy is meant for Personal Information, the Information Security Policy should be broader to cover both Personal and Non Personal Information Protection.

In a way, Information Security for Privacy Protection is a sub set of Information Security for the organization as a whole. If necessary, an organization may opt to develop a “Personal Data Protection Policy” (PDPP) which could be considered as a subset of the Information Security Policy and let a DPO/DPC manage the PDPP while the CISO handles the IS Policy of the organization.

While drafting  Privacy Policy , one must remember that “Privacy Policy” meant for the website is not the comprehensive Privacy Policy for the organziation. Privacy Policy for the web only relates to the information collected from the website visitors. Once the website visitor opts for some service, the privacy policy relevant for the service will be relevant. In most cases the Privacy Policy for the website visitors can be simple since no personally identifiable information other than the technical details captured by the hosting system may be collected. What is relevant for compliance is more the policy applicable to the subscribers for different services who provide identifiable personal information.

We are reasonably familiar with the drafting of Privacy Policy and the IS policy. But what PDPSI expects is that an organization has a clear view of what is the “Legitimate Interest Policy” under which certain provisions of GDPR or PDPA are sought to be implemented with some customization and dilution where necessary using the clauses which provide “Exemptions”.

In order to ensure that an organization is not confronted with the charge of “Non Compliance” when  may be required to override certain standard practices for the legitimate business interests of the organization or for reasons such as National Security, Public Interest, Journalistic requirements etc., it is recommended that a separate policy document is drafted to codify why the regulation may be either not followed or followed differently with some safeguards and under what circumstances.

Naavi normally starts with the Legitimate Interest Policy before drafting the Privacy Policy and tries to get the Legitimate Interest Policy dovetailed to the business context. If any recommended aspect of the legitimate interest policy is considered as a serious violation of the Privacy law, then the legitimate interest policy may have to be suitably modified with the consent of the management.

Not having a “Legitimate Interest Policy” would make the life of the DPO difficult since he would confront powerful business executives trying to bypass the privacy policies and justifying it in business interests while the resulting consequences of non compliance becomes the responsibility of the DPO. By having a separate Legitimate Interest Policy (LIP), the DPO knows exactly what he can do and what he cannot do.

[To Be Continued… Comments welcome]

Naavi

Other Reference Articles

1. A Step beyond BS10012 and GDPR-Personal Data Protection Standard of India-PDPSI
2. Data Protection Standard of India- (DPSI)
3. Data Classification is the first and most important element of PDPSI
4. Why 16 types of Data are indicated in PDPSI?
5. Implementation Responsibility under Personal Data Protection Standard of India
6. India to be the hub of International Personal Data Processing…. objective of PDPSI
7. Principles of PDPSI
8. Pentagon Model of TISM…An implementation approach to PDPSI implementation
9. Personal Data Gate Keepers and Internal Data Controllers in Organizations
10. Naavi’s Data Trust Score model unleashed in the new year
11. Naavi’s 5X5 Data Trust Score System…. Some clarifications
12. Naavi’s Data Trust Score Audit System…allocation of weightages

Forensics is the art and science of discovering, collection, preservation and presentation of evidence to meet a legal requirement. We normally use the term “Cyber Forensics” to describe forensic activities related to information technology devices such as computers.

Initially we used to use the term “Computer Forensics” to describe the requirement of evidence of anything connected with Computer Crimes. Slowly the terminology got replaced with “Cyber Forensics”.  Additionally terms such as “Mobile Forensics”, “Disk Forensics”, “Network Forensics” etc gathered popular usage. One popular perception of the masses still remains that “Cyber Forensics” deals with Internet and E Mails which is perhaps a very restricted view of the term.

We are today much more matured than ever we were in relation to understanding the forensic requirements connected with Cyber Crimes. In today’s context, some times “Cyber Forensics” as a term needs to be re-defined so that it captures the meaning of what is required in today’s context.

The earlier recognition of Cyber Forensics  as computer forensics, or mobile forensics etc  is a device oriented approach. Similarly, the terms Network forensics, Internet Forensics and even the Social Media forensics etc are oriented towards the usage platform.

However, the real essence of anything that we deal with today with a “Computing Device” is the “Data” which is platform independent. It is the binary impression which exists in different forms and acquires a meaning when looked at with the right glasses. If there is a picture that has a blue back ground and green letters and I wear a green glass, I may not be able to see the letters. But it does not mean that the letters donot exist. 

The real forensics therefore has to be able to look at the existence of evidence without the limitation of the surrounding platform.

This is what I call as the new approach of “Forensics” that we need to adopt and I term it as “Data Forensics”.

The objective of “Data Forensics” is to discover the presence of a meaningful stream of binary expressions that may be hidden in a background of a dependent platform, gather it, preserve it and then be able to present and prove it in a Court of law.

The much discussed Section 65B of Indian Evidence Act takes care of the linking of the platform with the data and hence is able to bring to evidence any data. 

This approach to Forensics will sustain the advent of IoT, Big Data and even Quantum Computing.

I therefore urge the industry to start focusing on “Data Forensics” from now on instead of the word “Cyber Forensics”. This should be more palatable to the “Data Protection Professionals” whose focus is the “Data” and not the “Container of the Data”.

We will therefore adopt this term slowly into our discussions including the discussions on PDPSI (Personal Data Protection Standard of India) where “Forensic Investigation and Recording of findings” are part of the requirements.

Naavi

For those who are aware of Naavi’s activities, it is known that the historic Umashankar adjudication case was a mission for Naavi starting from June 2010 when the adjudication application was filed.

Due to various reasons, the matter which went on appeal to CyAT had got stuck until now. On 3rd April 2019, TDSAT has placed its final approval on the Adjudication order bringing the matter to a successful closure.

The perseverance of Mr Umashankar who is an NRI in Abu Dhabi and his father Mr Sivasubramaniam who is in Tuticorin in pursuing the case against all odds and continued expenses must be specially hailed. Without their perseverance, I would not have been able to keep the matter going for so long.

I wish their experience in this case must be captured by  journalists from the main stream so that it becomes a guidance for other Cyber Crime victims.

Naavi