Naavi.org

Implement “My Bhi Chowkidar” policy for Personal Data Protection.

Posted on April 13, 2019 by 98410spice

[In continuation of the earlier article/s on PDPSI, we proceed to unravel the further details of the Personal Data Protection Standard of India (PDPSI). The objective of the standard is to make available a open source guideline to Indian Companies to comply with Privacy and Data Protection requirements that meet the standards of BS10012, GDPR as well as the Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]

PDPSI implementation expects the top management involvement through some key foundation policies. We have discussed the “Legitimate Interest Policy” as one such policy control measure, in the drafting of which the top management needs to personally get involved.

Another such fundamental policy that needs to be developed at the top management level is the “Whistle Blower Policy”.

“Whistle Blower Policy” (WBP) essentially means that the organization creates an eco system of confidence where every employee is encouraged to be vigilant, skilled enough to identify suspicious incidents and behaviour in any of the activities surrounding the organization and a mechanism to report it for further investigation and corrective action.

The problem with implementing a good and effective Whistle Blower Policy is that

a) It has to accommodate the possibility of nuisance and malicious reports

b) It has to provide an assurance to the person reporting that his identity would be kept confidential so that the reporting does not hurt his future career.

c) It has to also give the confidence that action will be taken quickly and effectively to investigate further and correct the situation if required.

The “Data Breach Notification Policy” which is part of every Information Security Policy does envisage that a “Data Breach” should be reported to the DPA. But before the DPO reports a Data Breach to an outside agency, he has to first come to know of a potential data breach within the organization. Hence the DPO needs to have a mechanism to collect intelligence on the data breach possibilities and have the early warning of any breaches.

Additionally, the “Privacy By Design” concept needs the DPO to be able to take “Preventive Steps” to ensure that a likely data breach is nipped in the bud.

The “Whistle Blower Policy” is the means by which early warnings are gathered.

In the earlier articles we have discussed the need for “Personal Data Gate Keepers” to be identified in an organization so that the responsibility for Personal Data Protection is decentralized.

As a corollary, it is essential to have a system where a watch is kept on the activities around the organization and early warnings about the possible data breach or possible non compliance events are captured and reported to the DPO.

While the enterprise level awareness creation helps in every organizational member including the employees of the business associates who interact with Personal Data being managed by the organization, it is necessary to motivate the employees to be bold enough to bring to the notice of the appropriate persons that there could be a non-compliance issue.

When a person points out such a potential non compliance issue, it is likely that he would ruffle some feathers and that could be the feathers of a powerful employee of the organization even at levels higher than that of the person who observes the anomaly. In such instances the person is likely to keep quiet and look the other way.

The non-reporting of a potential data breach situation may actually be considered as a “Passive Assistance” for the non compliance to continue which may explode into a data breach incident on a later day. When an investigation is undertaken at that time, all those who were aware of the risk and did not take proper care to mitigate it could be considered as “Accomplices”.

The Whistlebolwer policy should therefore provide that any legitimate observation that indicates that some thing wrong may be going on, should be reported for examination and review by escalating it to the appropriate level.

In order to provide confidence to the Whistle Blower that there would be no witch hunting, it is necessary to maintain confidentiality of such reports even if some rewards are associated with useful reporting.

“Anonymous Reporting” could be one option for the organization but such anonymous reporting often encourages malicious untruthful reporting just to damage the reputation of some employees. There could also be “Nuisance Reporting” just to harass the management. Hence “Anonymous Reporting” is not recommended though it is an option that a management may consider for meeting PDPSI.

A more mature approach to Whistleblower policy is to create an “External Ombudsman” who receives all complaints with identification of the reporter who anonymizes the complaint, identifies the level at which it should be escalated for review and manage the information that needs to be shared for the purpose of the review. If necessary, the Ombudsman can also have a dialogue with the complainant to understand the problem better before escalating it.

Designing a robust Whistle Blower policy which encourages reporting, providing the confidence that such reporting would be rewarded, kept confidential and acted upon promptly is considered as a part of the “Control” that PDPSI expects organizations to set up.

Since this requires policy decisions such as the appointment of an external ombudsman etc., this decision can be initiated only by the highest level of management which accommodates complaints even against the members of the Board itself.

The integrity of the appointed ombudsman must also be ensured so that he protects the interests of the “Personal Data Protection Regulatory Expectation” and effectively manage the inherent conflicts.

It is interesting to note that Prime Minister Modi’s “My Bhi Chowkidar” campaign for the nation is actually a reflection of the “Whistle Blower Policy for the nation”. The CVC has also in the past tried to initiate a system for the purpose and introduce an app to enable citizens to report incidents. The experience with these schemes indicate the difficulties and the opposition that it may generate because there is always one set of the ecosystem which will strongly oppose such measures to protect their own vested interests, real or imaginary.

A successful designing and implementation of the system therefore requires a very high level of statesmanship by the top management.

It is to be accepted that it is a huge challenge to design an effective Whistle Blower Policy but it is for the Data Auditor to evaluate how good and robust is the policy (if available) while arriving at the Data Trust Score under the heading of “Commitment”.

[To Be Continued… Comments welcome]

Naavi

Other Reference Articles

Posted in Cyber Law | 2 Comments

Legitimate Interest Policy

Posted on April 10, 2019 by 98410spice

The compliance of Privacy Protection regulation whether under PDPA 2018 or GDPR or any other law normally starts with

a) Privacy Policy

b) Information Security Policy

The Privacy Policy declares the intentions of the organization in meeting the different requirements of the regulation. It is a comprehensive aggregation of several other sub policies that we will discuss here. It has to capture the objectives of the organization and reasonably describe how it proposes to implement the requirements.

Privacy Policy is for the organization to follow while “Privacy Notice” is meant for the information of those who interact with the company. “Privacy Notice” may contain many aspects of “Privacy Policy” but the objectives of the Policy are different from the Notice and this should reflect in the drafting of the two.

The Information Security Policy on the other hand is the policy that is intended to be followed within the organization to meet the Privacy Policy requirements.

Since a Corporate Information Security Policy has to protect both personal information and non-personal information, and the Privacy Policy is meant for Personal Information, the Information Security Policy should be broader to cover both Personal and Non Personal Information Protection.

In a way, Information Security for Privacy Protection is a sub set of Information Security for the organization as a whole. If necessary, an organization may opt to develop a “Personal Data Protection Policy” (PDPP) which could be considered as a subset of the Information Security Policy and let a DPO/DPC manage the PDPP while the CISO handles the IS Policy of the organization.

While drafting Privacy Policy , one must remember that “Privacy Policy” meant for the website is not the comprehensive Privacy Policy for the organziation. Privacy Policy for the web only relates to the information collected from the website visitors. Once the website visitor opts for some service, the privacy policy relevant for the service will be relevant. In most cases the Privacy Policy for the website visitors can be simple since no personally identifiable information other than the technical details captured by the hosting system may be collected. What is relevant for compliance is more the policy applicable to the subscribers for different services who provide identifiable personal information.

We are reasonably familiar with the drafting of Privacy Policy and the IS policy. But what PDPSI expects is that an organization has a clear view of what is the “Legitimate Interest Policy” under which certain provisions of GDPR or PDPA are sought to be implemented with some customization and dilution where necessary using the clauses which provide “Exemptions”.

In order to ensure that an organization is not confronted with the charge of “Non Compliance” when may be required to override certain standard practices for the legitimate business interests of the organization or for reasons such as National Security, Public Interest, Journalistic requirements etc., it is recommended that a separate policy document is drafted to codify why the regulation may be either not followed or followed differently with some safeguards and under what circumstances.

Naavi normally starts with the Legitimate Interest Policy before drafting the Privacy Policy and tries to get the Legitimate Interest Policy dovetailed to the business context. If any recommended aspect of the legitimate interest policy is considered as a serious violation of the Privacy law, then the legitimate interest policy may have to be suitably modified with the consent of the management.

Not having a “Legitimate Interest Policy” would make the life of the DPO difficult since he would confront powerful business executives trying to bypass the privacy policies and justifying it in business interests while the resulting consequences of non compliance becomes the responsibility of the DPO. By having a separate Legitimate Interest Policy (LIP), the DPO knows exactly what he can do and what he cannot do.

[To Be Continued… Comments welcome]

Naavi

Other Reference Articles

Posted in Cyber Law | 1 Comment

Data Forensics is the new Approach to Cyber Forensics

Posted on April 7, 2019 by 98410spice

Forensics is the art and science of discovering, collection, preservation and presentation of evidence to meet a legal requirement. We normally use the term “Cyber Forensics” to describe forensic activities related to information technology devices such as computers.

Initially we used to use the term “Computer Forensics” to describe the requirement of evidence of anything connected with Computer Crimes. Slowly the terminology got replaced with “Cyber Forensics”. Additionally terms such as “Mobile Forensics”, “Disk Forensics”, “Network Forensics” etc gathered popular usage. One popular perception of the masses still remains that “Cyber Forensics” deals with Internet and E Mails which is perhaps a very restricted view of the term.

We are today much more matured than ever we were in relation to understanding the forensic requirements connected with Cyber Crimes. In today’s context, some times “Cyber Forensics” as a term needs to be re-defined so that it captures the meaning of what is required in today’s context.

The earlier recognition of Cyber Forensics as computer forensics, or mobile forensics etc is a device oriented approach. Similarly, the terms Network forensics, Internet Forensics and even the Social Media forensics etc are oriented towards the usage platform.

However, the real essence of anything that we deal with today with a “Computing Device” is the “Data” which is platform independent. It is the binary impression which exists in different forms and acquires a meaning when looked at with the right glasses. If there is a picture that has a blue back ground and green letters and I wear a green glass, I may not be able to see the letters. But it does not mean that the letters donot exist.

The real forensics therefore has to be able to look at the existence of evidence without the limitation of the surrounding platform.

This is what I call as the new approach of “Forensics” that we need to adopt and I term it as “Data Forensics”.

The objective of “Data Forensics” is to discover the presence of a meaningful stream of binary expressions that may be hidden in a background of a dependent platform, gather it, preserve it and then be able to present and prove it in a Court of law.

The much discussed Section 65B of Indian Evidence Act takes care of the linking of the platform with the data and hence is able to bring to evidence any data.

This approach to Forensics will sustain the advent of IoT, Big Data and even Quantum Computing.

I therefore urge the industry to start focusing on “Data Forensics” from now on instead of the word “Cyber Forensics”. This should be more palatable to the “Data Protection Professionals” whose focus is the “Data” and not the “Container of the Data”.

We will therefore adopt this term slowly into our discussions including the discussions on PDPSI (Personal Data Protection Standard of India) where “Forensic Investigation and Recording of findings” are part of the requirements.

Naavi

Posted in Cyber Law | Leave a comment

Ugadi Brings Naavi’s 10 year mission to a successful closure

Posted on April 6, 2019 by 98410spice

For those who are aware of Naavi’s activities, it is known that the historic Umashankar adjudication case was a mission for Naavi starting from June 2010 when the adjudication application was filed.

Due to various reasons, the matter which went on appeal to CyAT had got stuck until now. On 3rd April 2019, TDSAT has placed its final approval on the Adjudication order bringing the matter to a successful closure.

The perseverance of Mr Umashankar who is an NRI in Abu Dhabi and his father Mr Sivasubramaniam who is in Tuticorin in pursuing the case against all odds and continued expenses must be specially hailed. Without their perseverance, I would not have been able to keep the matter going for so long.

I wish their experience in this case must be captured by journalists from the main stream so that it becomes a guidance for other Cyber Crime victims.

Naavi

Posted in Cyber Law | Leave a comment

Personal Data Gate Keepers and Internal Data Controllers in Organizations

Posted on April 5, 2019 by 98410spice

What we have so far discussed on PDPSI include

a) How personal data has to be classified according to PDPSI

b) How the PDPSI implementation organization has to be structured

c) Need for Risk assessment and reducing it to an implementation charter

d) How an auditor needs to build in measurability into the Data audit process

e) How the Certification process can recognize the responsibilities of the top management vis-a-vis the implementation team

Now we shall start discussing the different “Implementation Specifications” which are the “Operational Controls” suggested under the PDPSI. These include the policy documents that are essential for the operating personnel to implement the standard.

Distributed Responsibility for Data Security

Though at the higher policy making level, PDPSI recommends a Personal Data Protection Governance Structure (PDP-GS) which includes the Data Protection Committee (DPC), the Personal Data Protection officer (PDPO), at the implementation level, PDPSI considers every “Data Processing Employee” as a participant in the Personal Data Protection Eco System.

Out of all the Data Processing Employees, the person who first receives a set of what constitutes “Personal Data” is considered the “Personal Data Recipient Employee” (PDRE). Since data comes in to the eco system first without any tag, the recipient of incoming data is first recognized as the “Data Recipient Employee”. It is the responsibility of every data recipient employee to first identify and tag the data. If it is recognized as the “Identifiable personal data” then the recipient employee becomes the PDRE and becomes a stake holder in PDPSI. Otherwise, he remains the stake holder in the larger system of Data Protection but outside the PDPSI eco system.

The DRE is considered as the person responsible for tagging the incoming data with the right tags that lead to it being properly handled during the subsequent process. He is therefore the “Internal Data/Personal Data Controller” and “Subordinate Data/Personal Protection Officer” for a given data set. He acts as a “Nodal Point” for the incoming data which is tagged and redistributed within the organization.

In organizations which follow a strict “Pseudonymity principle“, all the personal data received has to be passed through a “Data Gate” where it is pseudonymized.

While the majority of the data that an organization collects can be routed through the designated “Data Gate Keeper” , in most organizations, data including personal data tend to land in the hands of the business executives first and later are turned over to the departments for necessary action.

For example, typically the call center employee is one who receives the first information about any incident along with the data associated with it, though the call center employee may be one of the junior most employees in the organizational structure. In other cases it may be the marketing team that first receives data/personal data and only there after, it can be handed over to other data protection executives.

The recipient of the data who may be called the DRE should first tag the data into one of the 16 data types and send it to the Data Gate keeper. The Data Gate keeper may be the supervisory authority to confirm the data classification and simultaneously de-identify, pseudonymize or even anonymize the data as may be dictated by the “Data Pseudonymization policy” of the organization.

Afterwards the data goes into processing as either the identifiable data only or as pseuodonymized data or as anonymized data.

The Data Gate keeper will therefore be the employee in the organization who has access to the “Re-identification Table” and should be considered as the “Principal Internal Data Controller” (PIDC).

The DRE who first receives the data and then hands it over to the PIDC remains in the knowledge of the data and therefore continues to hold the data protection responsibilities for the identifiable personal data that he receives. He therefore remains the Subordinate Internal Data Controller (SIDC).

The SIDC and the PIDC have to work with the DPO and the DPC in ensuring that the overall Information Security policies of the organization of which the Personal Data Protection Policy is a part, is successfully implemented.

In this system, there is a distributed responsibility for data protection in an organization and every PDRE is having the responsibility for data protection because he is the SIDC. The PIDC has the larger responsibility because he is also responsible for conformation of the data classification and the psydonymization.

It is possible for the PIDC to be also the DPO of the organization.

With these concepts, the Data Protection roles in an organization appear as follows:

This distributed model of data protection in an organization brings all the employees to bear the responsibility for data protection. The DPO still remains the statutorily responsible person for regulations like the GDPR or PDPA but internally the entire organization would stand in his support.

It is the responsibility of the PDPSI auditor to examine if an organization has the necessary commitment to data protection and strengthened the hands of the DPO by adopting the above structure or considers him as a scapegoat to be hanged if anything untoward happens.

(To Be continued)

Naavi

Other Reference Articles

Posted in Cyber Law | 2 Comments

Pentagon model of TISM.. An important approach to PDPSI implementation

Posted on April 4, 2019 by 98410spice

We have so far discussed some of the basic requirements of the PDPSI such as the need to have data classification, implementation responsibility, charter of implementation, measurability etc. We can now get to the second level of issues addressed by PDPSI which is the set of implementation controls.

The objective of PDPSI is to ensure the implementation of measures to meet the requirements of compliance. The measures could be technical, could be in the form of policies and procedures and could also be in the form of manpower training.

PDPSI recognizes the importance of people in implementing the Information Security. Hence “Motivating the work force” and “Measuring the motivational efforts of the organization” are considered part of the PDPSI.

While there could be many approaches to “Motivation” in the Information Security implementation, Naavi advocates the “Pentagon Model” of Information Security Motivation.

The “Pentagon Model” of the Theory of Information Security Motivation (TISM) suggests that there are five elements that need to work in tandem for proper implementation of Information Security in an organization. They should support each other and form a tight enclosure so that there is no leakage security.

The five elements consist of “Awareness” which is a training requirement, “Mandate” which is a “Policy” requirement and “Availability” which is “Technical Tool” requirement. In addition to these three, “Acceptance” and “Inspiration” are added as additional necessities to motivate people ” to accept what is imparted in the training”, “to respect and follow what policies are prescribed” and “to use the technical tools” that may be provided by the organization.

Conversion of “Awareness” to “Acceptance” is a completely behavior management issue to be handled by the HR experts in the organization. “Inspiration” is one aspect which is more an internal attitudinal factor of an individual and the organization can only try to trigger the inspirational instincts through innovative HR practices.

The PDPSI provides several controls mainly through policies to meet the requirements of TISM. The effect of such implementation needs to be captured by the auditor in the course of the audit.

Some of the measures of motivation can be captured in objective terms but most of them are subjective in nature. For example, we can measure whether 80% or 90% or 99% of employees have attended training programs and passed the relevant tests.

It may also be possible to conduct behavioural analysis tests to measure the level of acceptability of key elements of security behaviour through specially designed behaviour tests.

But measuring the “Inspirational” readiness of people may not be easily converted into objective parameters.

But there can be an identification of the efforts that the management has taken to inspire the work force to building an information security culture which can be recognized by the auditor and taken note of under the heading of “Commitment” indicated under the 5X5 DTS system.

(To Be continued)

Naavi

Earlier Articles