Personal Data Gate Keepers and Internal Data Controllers in Organizations

[In continuation of the earlier articles on PDPSI, we proceed to unravel further details of the Personal Data Protection Standard of India (PDPSI). The objective of the standard is to make available an open-source guideline for Indian companies to comply with privacy and data protection requirements that meet the standards of BS10012 and GDPR as well as Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]

What we have so far discussed on PDPSI includes

a) How personal data has to be classified according to PDPSI

b) How the PDPSI implementation organization has to be structured

c) Need for Risk assessment and reducing it to an implementation charter

d) How an auditor needs to build in measurability into the Data audit process

e) How the Certification process can recognize the responsibilities of the top management vis-a-vis the implementation team

Now we shall start discussing the different “Implementation Specifications”, which are the “Operational Controls” suggested under PDPSI. These include the policy documents that are essential for the operating personnel to implement the standard.

Distributed Responsibility for Data Security

Though at the higher policy-making level PDPSI recommends a Personal Data Protection Governance Structure (PDP-GS), which includes the Data Protection Committee (DPC) and the Personal Data Protection Officer (PDPO), at the implementation level PDPSI considers every “Data Processing Employee” a participant in the Personal Data Protection Eco System.

Out of all the Data Processing Employees, the person who first receives a set of what constitutes “Personal Data” is considered the “Personal Data Recipient Employee” (PDRE). Since data comes into the ecosystem without any tag, the recipient of incoming data is first recognized simply as the “Data Recipient Employee” (DRE). It is the responsibility of every DRE to first identify and tag the data. If it is recognized as “identifiable personal data”, the recipient employee becomes the PDRE and a stakeholder in PDPSI. Otherwise, he remains a stakeholder in the larger system of data protection but outside the PDPSI ecosystem.

The DRE is considered the person responsible for tagging the incoming data with the right tags so that it is properly handled during subsequent processing. He is therefore the “Internal Data/Personal Data Controller” and the “Subordinate Data/Personal Data Protection Officer” for a given data set. He acts as a “Nodal Point” for the incoming data, which is tagged and redistributed within the organization.

In organizations which follow a strict “Pseudonymity Principle”, all the personal data received has to be passed through a “Data Gate” where it is pseudonymized.

While the majority of the data that an organization collects can be routed through the designated “Data Gate Keeper”, in most organizations data, including personal data, tends to land in the hands of business executives first and is only later turned over to the departments for necessary action.

For example, the call center employee is typically the one who receives the first information about any incident along with the data associated with it, though the call center employee may be one of the junior-most employees in the organizational structure. In other cases it may be the marketing team that first receives data/personal data, and only thereafter is it handed over to other data protection executives.

The recipient of the data, who may be called the DRE, should first tag the data into one of the 16 data types and send it to the Data Gate Keeper. The Data Gate Keeper may be the supervisory authority who confirms the data classification and simultaneously de-identifies, pseudonymizes or even anonymizes the data, as dictated by the organization's “Data Pseudonymization Policy”.

Afterwards the data goes into processing either as identifiable data, as pseudonymized data or as anonymized data.

The Data Gate Keeper will therefore be the employee in the organization who has access to the “Re-identification Table” and should be considered the “Principal Internal Data Controller” (PIDC). Since that table (together with any key used to generate the pseudonyms) is all that is needed to reverse the pseudonymization, it has to be held apart from the processing systems, with access limited to the PIDC and every lookup logged.
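As an added illustration (my code, not code from the article or from PDPSI), here is a minimal “Data Gate” in Python that carries one record through the steps just described: the DRE's tag is confirmed against what the record actually contains, direct identifiers are replaced by a keyed-hash pseudonym whose mapping lives only in the gate's re-identification table, de-identification and anonymization are shown as the irreversible alternatives the pseudonymization policy may dictate, and re-identification is allowed only to the PIDC role and is logged. The tag names, the lists of direct and quasi-identifier fields, the HMAC-SHA256 construction, the role name and the sample record are all my assumptions; the article does not name the 16 data types or say how pseudonyms are to be generated.

```python
"""Minimal "Data Gate" for incoming personal data (added illustration only)."""
import hashlib
import hmac
import secrets
from typing import Any, Dict, List, Optional, Tuple

# Hypothetical tags standing in for PDPSI's 16 data types (assumption).
NON_PERSONAL = "non_personal"
IDENTIFIABLE = "identifiable_personal"

# Fields that identify a person directly, and fields that identify in
# combination (quasi-identifiers), generalized when anonymizing. Assumptions.
DIRECT_IDENTIFIERS = ("name", "email", "phone")
QUASI_GENERALIZERS = {
    "dob": lambda v: v[:4],              # "1990-05-17" -> "1990"
    "pincode": lambda v: v[:3] + "XXX",  # "560001" -> "560XXX"
}


class DataGate:
    """Holds the pseudonymization key and the re-identification table; processing
    teams only ever see the gate's output."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key or secrets.token_bytes(32)
        self._reident: Dict[str, Dict[str, str]] = {}
        self.audit: List[Tuple[str, str]] = []

    @staticmethod
    def confirm_classification(record: Dict[str, Any], dre_tag: str) -> str:
        """Step 1: check the DRE's tag against what the record actually contains."""
        has_direct = any(record.get(f) for f in DIRECT_IDENTIFIERS)
        if dre_tag == NON_PERSONAL and has_direct:
            raise ValueError("tagged non-personal but carries direct identifiers")
        if dre_tag == IDENTIFIABLE and not has_direct:
            raise ValueError("tagged identifiable but has no direct identifier")
        return dre_tag

    def _pseudonym(self, ids: Dict[str, str]) -> str:
        # Keyed hash: the same person gets the same token across records, but
        # without the key nobody can recompute a token or confirm a guess.
        canon = "|".join(f"{k}={ids[k].strip().lower()}" for k in sorted(ids))
        return hmac.new(self._key, canon.encode(), hashlib.sha256).hexdigest()[:24]

    def pseudonymize(self, record: Dict[str, Any]) -> Dict[str, Any]:
        """Step 2a: swap direct identifiers for a token; keep the mapping in the gate."""
        ids = {f: str(record[f]) for f in DIRECT_IDENTIFIERS if record.get(f)}
        token = self._pseudonym(ids)
        self._reident[token] = ids
        out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        out["pseudonym"] = token
        return out

    @staticmethod
    def de_identify(record: Dict[str, Any]) -> Dict[str, Any]:
        """Step 2b: drop direct identifiers, keep the rest; nothing is stored."""
        return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}

    @staticmethod
    def anonymize(record: Dict[str, Any]) -> Dict[str, Any]:
        """Step 2c: de-identify and generalize quasi-identifiers; irreversible."""
        out = DataGate.de_identify(record)
        for field, generalize in QUASI_GENERALIZERS.items():
            if field in out:
                out[field] = generalize(str(out[field]))
        return out

    def reidentify(self, token: str, actor_role: str) -> Dict[str, str]:
        """Only the PIDC may consult the re-identification table; every use is logged."""
        if actor_role != "PIDC":
            raise PermissionError(f"role {actor_role!r} may not re-identify")
        self.audit.append((actor_role, token))
        return dict(self._reident[token])


def route(gate: DataGate, record: Dict[str, Any], dre_tag: str,
          policy: str) -> Dict[str, Any]:
    """DRE -> gate -> processing for one record. `policy` is what the organization's
    pseudonymization policy dictates: identifiable, pseudonymize, de_identify, anonymize."""
    tag = gate.confirm_classification(record, dre_tag)
    if tag == NON_PERSONAL or policy == "identifiable":
        return dict(record)
    handler = {"pseudonymize": gate.pseudonymize,
               "de_identify": gate.de_identify,
               "anonymize": gate.anonymize}[policy]
    return handler(record)


# Constructed sample record, as a call-centre employee (the DRE) might receive it.
SAMPLE = {"name": "Asha Rao", "email": "Asha.Rao@example.com",
          "phone": "+91-98000-00012", "dob": "1990-05-17",
          "pincode": "560001", "issue": "card blocked"}

if __name__ == "__main__":
    gate = DataGate()
    to_processing = route(gate, SAMPLE, IDENTIFIABLE, "pseudonymize")
    print("processing sees:", to_processing)
    print("PIDC can reverse:", gate.reidentify(to_processing["pseudonym"], "PIDC"))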

The DRE who first receives the data and then hands it over to the PIDC remains in the knowledge of the data and therefore continues to hold the data protection responsibilities for the identifiable personal data that he receives. He therefore remains the Subordinate Internal Data Controller (SIDC).

The SIDC and the PIDC have to work with the DPO and the DPC in ensuring that the overall Information Security policies of the organization of which the Personal Data Protection Policy is a part, is successfully implemented.

In this system, there is a distributed responsibility for data protection in an organization and every PDRE is having the responsibility for data protection because he is the SIDC. The PIDC has the larger responsibility because he is also responsible for conformation of the data classification and the psydonymization.

It is possible  for the PIDC to be also the DPO of the organization.

With these concepts, the Data Protection roles in an organization appear as follows:

This distributed model of data protection in an organization brings all the employees to bear the responsibility for data protection. The DPO still remains the  statutorily responsible person for regulations like the GDPR or PDPA but internally the entire organization would stand in his support.

It is the responsibility of the PDPSI auditor to examine if an organization has the necessary commitment to data protection and strengthened the hands of the DPO by adopting the above structure or considers him as a scapegoat to be hanged if anything untoward happens.

(To Be continued)

Naavi

Other Reference Articles

  1. A Step beyond BS10012 and GDPR-Personal Data Protection Standard of India-PDPSI
  2. Data Protection Standard of India- (DPSI)
  3. Data Classification is the first and most important element of PDPSI
  4. Why 16 types of Data are indicated in PDPSI?
  5. Implementation Responsibility under Personal Data Protection Standard of India
  6. India to be the hub of International Personal Data Processing…. objective of PDPSI
  7. Principles of PDPSI
  8. Pentagon Model of TISM…An implementation approach to PDPSI implementation
  9. Naavi’s Data Trust Score model unleashed in the new year
  10. Naavi’s 5X5 Data Trust Score System…. Some clarifications
  11. Naavi’s Data Trust Score Audit System…allocation of weightages
Posted in Cyber Law | 2 Comments

Pentagon model of TISM.. An important approach to PDPSI implementation

[In continuation of the earlier article/s on PDPSI, we proceed to unravel the further details of  the Personal Data Protection Standard of India (PDPSI). The objective of the standard is to make available a open source guideline to Indian Companies to comply with Privacy and Data Protection requirements that meet the standards of BS10012, GDPR as well as the Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]

We have so far discussed some of the basic requirements of the PDPSI such as the need to have data classification, implementation responsibility, charter of implementation, measurability etc. We can now get to the second level of issues addressed by PDPSI which is the set of implementation controls.

The objective of PDPSI is to ensure the implementation of  measures to  meet the requirements of compliance. The measures could be technical, could be in the form of policies and procedures and could also be in the form of manpower training.

PDPSI recognizes the importance of people in implementing the Information Security. Hence “Motivating the work force” and “Measuring the motivational efforts of the organization” are considered part of the PDPSI.

While there could be many approaches to “Motivation” in the Information Security implementation, Naavi advocates the “Pentagon Model” of Information Security Motivation.

The “Pentagon Model” of the Theory of Information Security Motivation (TISM) suggests that there are five elements that need to work in tandem for proper implementation of Information Security in an organization. They should support each other and form a tight enclosure so that there is no leakage security.

The five elements consist of “Awareness” which is a training requirement, “Mandate” which is a “Policy” requirement and “Availability” which is “Technical Tool” requirement. In addition to these three, “Acceptance” and “Inspiration” are added as additional necessities to motivate people ” to accept what is imparted in the training”, “to respect and follow what policies are prescribed” and “to use the technical tools” that may be provided by the organization.

Conversion of “Awareness” to “Acceptance” is a completely behavior management issue to be handled by the HR experts in the organization.  “Inspiration” is one aspect which is more an internal attitudinal factor of an individual and the organization can only try to trigger the inspirational instincts through innovative HR practices.

The PDPSI provides several controls mainly through policies to meet the requirements of TISM. The effect of such implementation needs to be captured by the auditor in the course of the audit.

Some of the measures of motivation can be captured in objective terms but most of them are subjective in nature. For example, we can measure whether 80% or 90% or 99% of employees have attended training programs and passed the relevant tests.

It may also be possible to conduct behavioural analysis tests to measure the level of acceptability of key elements of security behaviour through specially designed behaviour tests.

But measuring the “Inspirational” readiness of people may not be easily converted into objective parameters.

But there can be an identification of the efforts that the management has taken to inspire the work force to building an information security culture  which can be recognized by the auditor and taken note of under the heading of “Commitment” indicated under the 5X5 DTS system.

(To Be continued)

Naavi

Earlier Articles

  1. A Step beyond BS10012 and GDPR-Personal Data Protection Standard of India-PDPSI
  2. Data Protection Standard of India- (DPSI)
  3. Data Classification is the first and most important element of PDPSI
  4. Why 16 types of Data are indicated in PDPSI?
  5. Implementation Responsibility under Personal Data Protection Standard of India
  6. India to be the hub of International Personal Data Processing…. objective of PDPSI
  7. Principles of PDPSI
  8. Naavi’s Data Trust Score model unleashed in the new year
  9. Naavi’s 5X5 Data Trust Score System…. Some clarifications
  10. Naavi’s Data Trust Score Audit System…allocation of weightages
Posted in Cyber Law | Leave a comment

Face Book shows that proactive measures to prevent fake news is possible

During the recent discussions on the amendments of the Intermediary Guidelines proposed by the Governments, there was a discussion on one of the proposals which required proactive measures by the Social Media to curb spread of fake news. Many were complaining that “Proactive monitoring” of accounts is not feasible.

The news that is just now breaking that suggests that Face Book has removed 687 pages supposedly connected with the Congress party for “Inappropriate Behaviour” indicates that the company has run some sort of analytics and found out that the owners of these pages were running their accounts in impersonated names and all of them were connected to the IT Cell of Indian National Congress and were using the pages to canvass for Congress.

Refer report here

Face Book has therefore accepted that today’s AI environment can be harnessed to at least identify some types of fake news and take proactive action. I am sure that more is possible.

Recently Naavi had raised this issue in his article in India Legal Magazine.

In this article, I had argued that Social Media companies are actually not interested in removing fake news because they are commercially beneficial to them. We have seen this tendency in ISPs who support pornography and spamming since they constitute a substantial part of data exchange on the Internet. Similarly WhatsApp can do a lot to reduce the duplication of data exchange if they really want, but obviously this does not make commercial sense. What has happened now with Face Book is therefore a positive development and must be appreciated.

A couple of month’s back, in a round table in Bangalore, Naavi had pointed out to Professor Rajiv Gowda  the spokesperson of Congress, (who was one of the participants,) that it was the political parties which were mainly responsible for the fake news. This stand has been vindicated in the current news break.

Congress as a party has been in the forefront of creating fake news and fake allegations on its political opponents and has corrupted the social media irretrievably. Naturally, it would be worried about this embarrassment and would like to create a balancing embarrassment to the BJP also. Perhaps the party will do its own research and come up with a list of pages belonging to BJP and request Face Book to remove them.

It would be good if the users themselves identify such fake pages and report to Face Book so that they can verify and remove them. This would be like “Content Rating” and “Content Filtering with Crowd sourcing of objections”. This would be a good development.

It must however be noted that Face Book has said that the removal of the pages is not because of the content but because of the attempt to hide identity. This issue is therefore not an issue of “Freedom of Expression” and hence Prashant Bhushan and his friends cannot run to the Supreme Court with their PILs.

It would however be interesting to see how these PIL experts would react to this latest set back.

Naavi

Posted in Cyber Law | 1 Comment

Principles of PDPSI

[In continuation of the earlier article/s on PDPSI, we proceed to unravel the further details of  the Personal Data Protection Standard of India (PDPSI). The objective of the standard is to make available a open source guideline to Indian Companies to comply with Privacy and Data Protection requirements that meet the standards of BS10012, GDPR as well as the Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]

So far, we have discussed the Data Classification requirements and the implementation responsibilities in the PDPSI. We have also indicated the statutory scope and the need for building measurability as part of the implementation of  the standard.

Now we shall extend our discussion to three more aspects of the PDPSI which define it’s architecture.

They are

    1. Privacy By Design
    2. Requirement of a Charter of Implementation
    3. Certification Process

Privacy By Design

Privacy By design as an accepted concept in the implementation of Privacy Protection measures in a technical environment. It refers to the proactive measures initiated  by an organization so that information privacy is protected.

Privacy By Design is not restricted to the concept that by default a control like the “Consent” should be set to “No Consent” and the user is required to initiate some affirmative action to provide his “Consent”.

Essential aspect of the design is to capture the life cycle of personal data and embed Information Privacy protection at every step of collection, generation, processing, storage or transmission of personal data.

Towards this end-to-end privacy protection, it is necessary to recognize that “Design” is not limited to the technical architecture of a software product or service. It has to extend to Managerial, Organizational and Business Aspects of the organization. It has to take into account the three dimensions of Technology, Legal and Behavioural aspects that affect the implementation of Information Privacy protection.

Privacy by design concept therefore recognizes that while constituting the DPC (Data Protection Committee), there is a role for the HR, Legal and Marketing department to be represented besides the CISOs and DPOs.

Privacy Policy of the organization should therefore be in the radar when new business is signed up or when a call center employee attends to a customer call.

The standard can only make a statement about the need for “Privacy By design” but the proof of its implementation has to be checked by the auditor in the different aspects of the business processes followed by the organization. The Procedures of how a new business is acquired, how the data processing is planned, what kind of sanction polices are adopted for HR purpose etc are all factors that reveal whether “Privacy By Design” is actually being practiced by an organization and does not remain only a slogan.

Requirement Charter

Normally the exercise of compliance starts with a “Gap Analysis” which tries to understand the current status of Information Privacy protection vis a vis the requirements. It is drawn up by an auditor (External or internal) and may be called a Data Protection Impact Assessment (DPIA). When a new law such as GDPR or PDPA 2018 is adopted, it will be necessary to conduct a DPIA for the entire organization. There afterwards, whenever a new project is taken up, it may be necessary to check if a separate DPIA is required or the project falls completely within the current system.

Once the “Gap Analysis Report” is ready, it is to be considered as a suggestion of an  auditor and it requires to be consciously adopted by the top management. once so adopted, it becomes the “Requirement Charter”. The Requirement Charter has to be further passed on to the implementation team.

The signing off of the Requirement Charter is essential to demonstrate the commitment of the top management as well as bring in the accountability of the top management. It will also ensure that the organization’s different departments cooperate with each other and support the DPO in his/her day to day duties in which several operational executives may find their freedom of operation trampled with.

This will also give an opportunity for the management to make a Risk Analysis, evaluate the total risk, define the Risk Appetite of the organization, buy adequate Risk Insurance and there after issue the Charter to mitigate risk to ensure that the residual absorbed risk remains as low as feasible.

Certification Process

The Certification system under PDPSI shall evaluate the managerial efficiency in defining the Implementation Charter and the implementation efficiency in implementing the charter.

This twin Certification process will ensure that the responsibilities of the top management  and the DPO are defined clearly and one will not end up blaming the other for any failure.

The Certification may be initially done by an external auditor but once accepted by the organization, it may be considered as a “Self Certification”. While accepting, the management may qualify its acceptance in which case the qualifications could lead to issue of a “Revised Supplementary Charter” to be implemented as a continuing exercise.

We shall continue with other aspects of implementation in the subsequent articles.

(Comments are welcome)

Naavi

Earlier Articles

  1. A Step beyond BS10012 and GDPR-Personal Data Protection Standard of India-PDPSI
  2. Data Protection Standard of India- (DPSI)
  3. Data Classification is the first and most important element of PDPSI
  4. Why 16 types of Data are indicated in PDPSI?
  5. Implementation Responsibility under Personal Data Protection Standard of India
  6. India to be the hub of International Personal Data Processing…. objective of PDPSI
  7. Naavi’s Data Trust Score model unleashed in the new year
  8. Naavi’s 5X5 Data Trust Score System…. Some clarifications
  9. Naavi’s Data Trust Score Audit System…allocation of weightages
Posted in Cyber Law | 4 Comments

India to be the Hub of International Personal Data Processing.. Objective of PDPSI

[In continuation of the earlier article/s on PDPSI, we proceed to unravel the further details of  the Personal Data Protection Standard of India (PDPSI). The objective of the standard is to make available a open source guideline to Indian Companies to comply with Privacy and Data Protection requirements that meet the standards of BS10012, GDPR as well as the Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]

We have so far discussed two important aspects of the PDPSI approach. One is the data classification system which recognizes 16 data types of personal data which may require different compliance controls based on the classification. The second is the Governance system where there is collective responsibility for the organization, monitoring at the highest level and integration of multiple functions which may have inherent conflicts  in terms of authority into a Data Protection Committee (DPC).

These may be fundamental measures but they are the key aspects of PDPSI to ensure that the controls (that would be discussed later) at operational level would be implemented effectively.

Before we proceed further into the individual controls, it is necessary to indicate two other aspects of PDPSI structure which are essential for understanding the controls.

They are

a) Defining the statutory scope of PDPSI

b) Building Measurability of Compliance

Statutory Scope of PDPSI

The objective of PDPSI is to provide the Indian Data Processing industry, a framework to have a uniform approach towards meeting the compliance requirements. This Indian Data Processing Industry (IDPI) operates in a global environment both because Internet itself is a border less entity and also because there is a large component of contractual data processing of international data that happens in India.

It is essential that IDPI recognizes and incorporates the concern of the international companies about compliance of laws applicable to them without which the IDPI cannot progress. Non compliance of international data protection laws would lead to reduction of flow in the BPO activity of Indian companies. On the other hand, an assurance of compliance on the international data protection laws should help in the IDPI garner more international data processing business with better price realization.

PDPSI therefore is not a competitor to other standards but is an amalgamation of all global standards into one standard and recognizes that India has to develop as the hub of international personal data processing.

The current Indian data protection law which is represented by Section 43A of ITA 2000/8 focusses on “Contractual Obligations” between the Indian Data Processor and the supplier of personal data. If the supplier of personal data is a US health care industry and signs a BA agreement as per HIPAA-HITECH Act, then Indian Company has to be compliant with HIPAA-HITECH Act even if it works in India. Similarly if the Indian Company processes EU data, it has to have in the BA contract an obligation to comply with GDPR.

Hence, a mandate to comply with ITA 2000/8 is automatically a mandate to comply with all necessary international laws through a system of contract management.

What PDPSI achieves additionally is a systematic process by which these laws are built into the system in the data classification itself.

Broadly the scope of PDPSI is defined with reference to Indian laws such as

    1. Personal Data Protection Act (PDPA 2018) as proposed and under development
    2. Information Technology Act 2000 as amended from time to time
    3. The Aadhaar (Targeted Delivery of Financial and other subsidies, benefits and services) Act, 2016 as amended from time to time
    4. Guidelines of sectoral regulatory authorities including RBI, SEBI etc
    5. Digital Information Security for Health Care Act (DISHA) as proposed and under development
    6. Electronic Heath Record (EHR) guidelines
    7. Any other law as may be considered relevant

In this list, “Any other law” includes GDPR, CCPA etc depending on the data in question. Hence incoming personal data from EU would automatically be tagged with GDPR and the controls as applicable would become applicable.

Since each country defines its own laws, the PDPSI leaves the Scope under item (G)  above open ended. This will also take care of any future addition to Indian laws as well since Indian data protection laws are also in a state of evolution.

Measurability of Data Protection Compliance

In Risk Management, we some times discuss about Qualitative and Quantitative types of Risk measurement. In Technical risk assessment, various statistical methods are used to measure the risks. But in Techno Legal risk assessments, “Qualitative” or “Subjective” depiction of “Risk Measurement” is preferred.

Compliance is a “Techno Legal” factor and hence it is not easy to provide a quantitative assessment of how much of the risks are covered by the compliance process.

However, PDPA 2018 has proposed that a “Data Audit” shall be conducted annually by an external auditor  and a “Data Trust Score” (DTS) is assigned to the organization.  This DTS is therefore a measurable component of the “Status of Compliance” in an organization. It could be like the “Credit Rating” that is used in the Finance industry.

PDPSI recognizes the mandatory nature of DTS system in the Indian Data protection regulation and adopts it into its requirement though some changes may occur in this respect in due course when the final act is passed.

Naavi has already presented his system titled “5X5 Data Trust Score System”which attempts to present one model by which Data Audit results can be reduced to a “Numeric Index”. This is an example of how measurability can be introduced to the implementation of PDPSI.

PDPSI therefore prescribes that “Compliance shall be measurable”. It does not mandate the use of any particular system of measurement and it is left to the auditor to design an acceptable system. For the time being, Naavi’s 5X5 DTS system is considered as a suggestion which is an annexure to the PDPSI. Other measures as and when developed may also be considered for addition into the annexures. It is however recognized that though parts of the compliance and the assessment are “subjective”,  at least the expression of measurability can be standardized through these annexed suggestions.

P.S:

I am presenting the PDPSI concepts one by one so that experts can go through and suggest further refinements. This will continue.

Many of my friends are wondering how I as an individual can take on the globally recognized agencies and speak of a “Standard”. I can only say that if the intentions are right, even an individual should try to make a move towards the desired goal. At the same time, I am inviting all my friends to join me in developing these standards so that it becomes a participative exercise.

But participating in this process  requires commitment, courage and a self belief that we are capable of defining what is good for the Indian market better than some other international agency which anyway hires our own people to create a proprietary document to make money.

All those who have such commitment are welcome to join this movement to create PDPSI and make it acceptable to the society.

Naavi

Earlier Articles

  1. A Step beyond BS10012 and GDPR-Personal Data Protection Standard of India-PDPSI
  2. Data Protection Standard of India- (DPSI)
  3. Data Classification is the first and most important element of PDPSI
  4. Why 16 types of Data are indicated in PDPSI?
  5. Implementation Responsibility under Personal Data Protection Standard of India
  6. Naavi’s Data Trust Score model unleashed in the new year
  7. Naavi’s 5X5 Data Trust Score System…. Some clarifications
  8. Naavi’s Data Trust Score Audit System…allocation of weightages

 

Posted in Cyber Law | 3 Comments

Implementation Responsibility under Personal Data Protection Standard of India

[In continuation of the earlier article/s on PDPSI, we proceed to unravel the further details of  the Personal Data Protection Standard of India (PDPSI) The objective of the standard is to make available a open source guideline to Indian Companies to comply with Privacy and Data Protection requirements that meet the standards of BS10012, GDPR as well as the Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]

An information security standard is a set of guideline which should help an organization reach a minimum level of desired level of security implementation. The primary requirements of the standard is meant for “Implementation” and the secondary purpose is “Certification”.

Hence, how an organization handles the allocation of roles and responsibilities for implementation of information security is also considered part of the standard itself. Other standards may also address this issue under “ISMS Organization”.

In IS implementation, Naavi recognizes the implementation priority based on the “Pyramid Model”. The implementation itself is expected to be also influenced by the “Theory of Information Security Motivation”. A brief discussion of these two concepts are required for explaining the logic behind the definition of implementation responsibility.

Naavi’s Pyramid model of prioritization of Information Security goals suggests that an organization follows the implementation as indicated in the following diagram.

What this representation means is that though we say that “Security is only as strong as its weakest link”, practically, an organization follows the priority chain where it first focuses on the Availability of information to its decision makers, then the integrity and then the Confidentiality before raising to the higher levels of authentication and non repudiation. This theory is at slight variance with the CIA principle which characterizes the understanding of Information Security in general.

As a result of this, an organization in its journey towards information security, would have first created a CTO and then moved onto a CISO for entrusting responsibilities of Information Security. When the legal aspects of information security gets recognized, we have the advent of the role of “Compliance Officials”. The advent of the recent generation of data protection legislation have now brought in the roles of “Data Protection Officers” either as employees of the organization or as external consultancy agencies.

PDPSI recognizes the possibility therefore that  a subject organization may already have a CTO, CISO, CCO and perhaps a DPO before it is now thinking of PDPSI implementation. Some of them could have also attempted  ISO 27001, HIPAA, PCI DSS implementation and hold necessary certificates. PDPSI tries to integrate all these implementations and creates a super controller who should be responsible for all the compliance requirements.

PDPSI therefore prescribes that the implementation responsibility for PDPSI lies with the top of the top management equivalent to the Board in a corporate structure. Implementation activity of PDPSI must therefore have the backing of a Board Resolution and also incorporated in the annual report to the shareholders or other equivalent disclosure documents.

Under PDPSI, every organization shall have a designated group of persons entrusted with the overall responsibility of compliance and shall constitute the Data Protection Committee (DPC) of which the CEO of the organization and at least one member of the Board of Directors shall be a part. The group shall also designate one individual coordinator who shall be the Data Personal Data Protection Officer (PDPO) of the organization and responsible for representing the organization with the regulatory authorities and the public for compliance related issues.

Periodical Data Protection Status Assessment (DPSA) may be conducted by the PDPO but every annual exercise of Assessment of Data Protection Status shall be undertaken by an independent external agency.

Thus the responsibility for PDPSI responsibility lies with the DPC at the operational level and the Board at the policy level. PDPO will be the coordinator of the activities and will assume all the responsibilities of the DPO as envisaged under PDPA 2018 or GDPR.

However, PDPO would periodically send such status reports to the DPC that the DPC shall not absolve itself of its collective responsibility. The DPC itself shall keep the Board appraised at periodical intervals and incorporated in the corporate disclosures through the annual report etc. This ensures that even the share holders shall be kept informed at suitable intervals so that there is transparency in the activities that provide assurance of information security implementation in the organization.

The creation of an ISMS structure needs to be customized for every organization and hence further details are left to the discretion of the management and would reflect the organizational commitment to fair implementation of PDPSI which an auditor may consider for evaluating the Data Trust Score or equivalent measurable representation of the standard.

In summary, the PDPSI standard for ISMS organization creates a shared responsibility at the Board level followed by the DPC and does not load the PDPO with a responsibility which he cannot enforce. However due to the power of statute, PDPO would be saddled with the responsibilities that a PDPA 2018 or GDPR envisages though he may try to build a protective shield by escalating the issues to the top management. This would check the tendency of some managements to manipulate the DPO and compromising security because of other business priorities.

It is envisaged that all genuine business related compromises are built into the document “Legitimate Interest Policy” which is discussed later and hence PDPSI takes into account both the theoretical prescriptions of the laws like GDPR and the practical realities at the level of implementation.

(Comments are welcome. Further discussions will continue)

Naavi

Other Reference Articles

  1. A Step beyond BS10012 and GDPR-Personal Data Protection Standard of India-PDPSI
  2. Data Protection Standard of India- (DPSI)
  3. Data Classification is the first and most important element of PDPSI
  4. Why 16 types of Data are indicated in PDPSI?
  5. Implementation Responsibility under Personal Data Protection Standard of India
  6. India to be the hub of International Personal Data Processing…. objective of PDPSI
  7. Principles of PDPSI
  8. Naavi’s Data Trust Score model unleashed in the new year
  9. Naavi’s 5X5 Data Trust Score System…. Some clarifications
  10. Naavi’s Data Trust Score Audit System…allocation of weightages

 

Posted in Cyber Law | 4 Comments