Book on Personal Data Protection Act of India to be released

Naavi was the author of the first book on Cyber Laws in India when he released “Cyber Laws For Netizens” on December 9, 2000, the day the Information Technology Bill 1999 was introduced in the Parliament.

Now the proposed draft Bill titled “Personal Data Protection Act 2018” was introduced in the last Parliament on the recommendations of the Justice Sri Krishna Committee. This would have been the first dedicated Data Protection legislation in India, and it will be so when it is ultimately passed into law.

At present the Bill has lapsed due to the dissolution of the Parliament and will have to be re-introduced in the next Parliament.

There is no reason to think that the Bill will not be re-introduced immediately after the new Parliament comes into existence and become a law, which may be renamed “Personal Data Protection Act-2019”.

After the developments in the Election scenario in the last two days, it appears that the BJP Government led by Mr Modi is likely to come back. We can therefore expect that the Bill PDPA 2018 will be reintroduced shortly without many changes and will be passed during the current year.

Naavi has already taken the initiative to create an online training program on PDPA 2018.in as it exists now.

As a part of the curriculum support, Naavi is now preparing a Book titled “Personal Data Protection Act” which will be released shortly.

Initially the book will be used as course material for the PDPA training program and will be placed in the E-book section thereafter.

Naavi

Posted in Cyber Law

Pentagon Model of Personal Data Protection

We have been discussing the different aspects of the Personal Data Protection Standard of India (PDPSI). Over these several articles, we have discussed the philosophy behind the PDPSI and some of the controls which require a special mention.

In continuation of our exploration of PDPSI, I would like to present the “Pentagon Model of Personal Data Protection” which provides a quick overview of the PDPSI approach.

The model is presented in the picture above. Naavi has earlier adopted the Pyramid Model for Information Security Implementation and a Pentagon model for Information Security Motivation.

The pyramid model was appropriate for prioritization but the closed polygon model was found more suitable to represent the Information Security Motivation. A similar model appears appropriate for representing the requirements of the Personal Data Protection also.

The difference between the hierarchical model of the pyramid and the closed model of the polygon is that the hierarchical model is meant to be built level by level, while the polygon model requires all wings to be in place simultaneously to close the polygon.

Since “Pentagon” represents security in general, we have adopted the pentagon model and put all requirements identified under PDPSI into the five categories which form the five boundaries of the Personal Data Protection pentagon.

To understand the five elements of the pentagon, let us analyze each of them with reference to our earlier detailed articles.

Element 1: Classification

As we have discussed in detail (Article 1: Article 2), “Data Classification” is the starting point for the exercise and the foundation of a proper construction of Privacy by Design. Data Classification also defines the scope of the compliance exercise, since it maps the Data Protection law against which the compliance needs to be benchmarked.

Element 2: Responsibilities

The responsibilities under PDPSI do not start and end with the DPO. The DPO will remain the pivot around whom the responsibility is shared across the organization, starting from the Board and the Data Protection Committee at the top to “Internal Data Controllers” spread across the organization handling different functional responsibilities. This system of diversified responsibility recognizes the practical problems that a DPO would face in an organization, particularly if it is spread across different functions and different geographical locations. Once the functional management of data and its security are in proximity, the implementation of any policy becomes easier.

Element 3: Tech Controls

Technical controls of Information Security are well researched and there is a lot of knowledge and skill in organizations around the world. These controls, in the form of different hardware and software devices/applications, provide solutions for meeting the CIA aspects of Information Security and the extended concepts of accountability, which include Authentication and Non-Repudiation. Firewalls, IDS, Anti-Virus, Access Control, Encryption, Digital Signature, version control, Data Leak Prevention systems, Multi-factor authentication systems, DRP/BCP systems, Forensic devices, etc. all form the control tools under this head.

Element 4: Policies

The Policies part of the pentagon represents all the different policy and procedure documents that are required under the data protection laws. The Information Security policy, Privacy Policy, the Notification, Business Associate policy, Whistle Blower Policy, legitimate interest policy, Incident management policy, Data Disclosure cum Breach Notification policy, Business Agreement Control policy, HR recruitment, termination and sanction policies, the BYOD and Hardware/Software purchase policies, the web and email usage policies, documentation policies etc. are all part of this segment of compliance.

Element 5: Culture

Apart from the Technical and Legal aspects of compliance addressed by the two earlier elements, the “people” aspect, and in particular the “Behavioural Aspects of People” that affect compliance, is an important issue in itself. This may include awareness building and motivation of people to be compliant, along with the incentives and disincentives to ensure that a proper “Data Protection Culture” is built in the organization.

While Classification and Responsibility assignment are essentially a one-time exercise (except for changes that need to be accommodated from time to time), the three other segments require continuous monitoring and may also require different skills and knowledge. In large organizations three different experts may be required to address these three issues separately, or the DPO should have the multi-dimensional expertise.

This model breaks down the PDPSI into five elements for easy management. I suppose that this Pentagon model of Personal Data Protection would provide some clarity to organizing the Data Protection Compliance exercise in an organization.

Naavi

Posted in Cyber Law

Drawing Borders for the Borderless Cyber Space

“Internet was born free but is found everywhere in Chains” was a statement made by Naavi in 2002. Several articles were showcased discussing the developments at that time, which may make interesting reading even today. I hope that for students of the philosophy of Cyber Space, these articles may be interesting.

However, during the last nearly two decades, things have changed in our society. Many of the apprehensions expressed at that time have come true today. The borderless state of the Internet and the Anonymity inherent in its design have now given way to Cyber crimes of unlimited proportions across the globe, forcing a rethinking of the “Security issues in Internet”.

While there is one segment of the law makers who still swear by Privacy and Freedom of Speech over the Internet, there is an equally strong lobby who swear by the need for Security. At present laws are trying to balance these requirements, though not with complete success.

China started a trend of creating a firewall to segregate the Chinese Internet space from the rest through the creation of its own search engine, its own social media etc., making Google and Facebook redundant.

Now Russia seems to have taken a further step by creating a specific law to build a “Cyber Border” for Russia.

The concept of each sovereign country defining its own Cyber Space and legal jurisdiction over it started long back, when Cyber Crime investigations cut across borders. So far attempts have been made to bridge this jurisdictional gap by creating MLATs for Cyber Crimes to address the issue of cross-border jurisdiction.

However, it is now reported that Russia is adopting a law to isolate “Runet” from the Internet. Naavi has in recent times veered to the view that there is a need for setting up a “Digitally Identified Network” within the “Internet” which we can call “Internet-S”, where S stands for Secure. The idea is that every Netizen of Internet-S is identified by a system as good as a legally recognized digital signature system with the backing of a sovereign Government. In this world, every Netizen’s activity is mapped to an identified individual.

The Concept of “Regulated Anonymity” which we have discussed repeatedly in Naavi.org advocates that anonymity and privacy in transactions with others can be protected without sacrificing national security if we can create “Trusted Identity Intermediaries” who issue proxy identities but protect national interest under a proper regulated process.

This concept has now become a legal possibility in India with the proposed PDPA 2018 in the form of Data Fiduciaries, though I am personally not sure if this possibility would be recognized by other Privacy professionals in India and the law makers.

Data Localization requirements under the Indian laws also assert the concept of “Data Sovereignty” through PDPA 2018 (the proposed Personal Data Protection Act).

In the meantime, what has happened in Russia is to be recognized as a significant step of redefining the way Internet functions as a “Federation of Net Societies allied with sovereign Governments in the physical space”.

According to the new law reported to have been adopted by the State Duma, in order to protect the Country from external threats, Russia wants to create a “Sovereign Cyber Space” over which it has complete control. (See Report here)

Some of the key provisions in this law include the introduction of a system that will channel Russian internet traffic through government-controlled routing points as well as granting unlimited powers to Roskomnadzor, which will be able to cut off non-complying internet providers. The country’s telecom watchdog will set up a monitoring center that will detect threats and issue instructions. Roskomnadzor will also create and maintain a national domain name system (DNS).

The new legislation is designed to ensure that online data transfers between Russian citizens, businesses and organizations are executed within the country instead of being routed internationally.

The Runet law is scheduled to enter into force in November this year, with the rules governing Russian domains and cryptographic protection of information expected to be introduced on January 1, 2021.

As could be expected, there is opposition to the proposal, which is accused of being a measure of censorship. The counter argument is very forceful, but it is not clear if the opposition would be able to scuttle the law. Most probably Mr Putin would push through this legislation, which will become a forerunner to other countries passing similar laws.

If such a law is brought in India, particularly in the present regime of Mr Modi, there would be an immediate outcry from the opposition. Many of the IS professionals would also feel that this is an extreme step that would curtail freedom of expression on the Internet and Democracy. Probably they may be right, and India would not go to the extent of passing such laws.

But it is necessary for us to recognize that most of the Democratic countries are hypocritical when it comes to their stand on preservation of “Data Sovereignty”. Today “Data Localization” has become a norm, and most countries try to keep data generated within the country confined to its borders. Where countries agree on cross-border data transfers, they impose severe restrictions. Whether they are called Safe Harbour agreements or by any other name, they are like the signing of “Data Transfer Treaties” at corporate level. Every country wants to have its own laws of data protection applied to personal data generated from within its borders, which makes it necessary for data processors to classify personal data in accordance with the privacy protection laws to which it is subject. (Refer PDPSI Classification and Scope Definition articles.)

In a way we have already drawn borders in cyberspace, by the data protection laws of each country defining norms for protection of data of their citizens and with data localization within their physical borders. What Russia is set to do is a bolder and more transparent way of expressing that the Cyber Space of a Country belongs to its sovereign jurisdiction, and anybody entering or leaving needs to identify themselves and allow being monitored, like a Cyber Passport and Cyber VISA system.

PDPA 2018 (Draft) provides a perfect legal ground to implement some of the provisions of this Russian Law without the need for modifications to ITA 2000/8.

We need to watch how things develop in India in the next decade and whether the Russian approach would be replicated in India also either with a separate law (which is difficult) or with a suitable interpretation of the Data Localization requirements under the current laws.

Naavi

Posted in Cyber Law

Business Agreement Control-An essential ingredient of PDPSI

This article posted on April 16, 2019 had been deleted in a server crash.

It has now been substituted with a new article here

Naavi

Posted in Cyber Law

PDPSI-Business Agreement Control

[In continuation of the earlier article/s on PDPSI, we proceed to unravel the further details of the Personal Data Protection Standard of India (PDPSI). The objective of the standard is to make available an open source guideline to Indian Companies to comply with Privacy and Data Protection requirements that meet the standards of BS10012, GDPR as well as the Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]

PDPSI is a standard for “Techno Legal Compliance”. Hence the controls under PDPSI go beyond the usual technical controls such as Firewalls, IDS systems, Access Control, Encryption etc.

The Legal controls include the policy documents such as the Privacy Policy, the Sanction policies in the HR arena etc.

Additionally, it is important for us to recognize that most organizations use outsourcing for many of their activities and are also themselves the sub-contractors for certain data processing activities.

The regulatory framework envisages that the entire eco-system of personal data processing needs to be accountable for meeting the regulatory compliance requirements. As a result of this, every organization has a liability to its upstream data provider and imposes liabilities on the downstream data processors. These transfers of responsibility occur through the business contracts.

Most of the time the business contracts stop at defining the service requirements and the financial commitments. But in the current regime of data protection, the “Information Security” obligations also need to be defined as a part of such contracts. Thus a Data Collector (First Data Controller) collects personal information under a consent contract and hands over the information to a secondary data controller, who in turn hands it over to the data processor, and so on, all through business contracts.

Hence every organization processing data will have several business contracts which may carry prescriptions of its data processing liabilities. It is therefore necessary for the DPO to understand such obligations and factor them into his activities.

Most of the time these business contracts are executed by business executives without adequate consideration of the information security requirements. Hence the DPO needs to ensure that his requirements are well understood by the business executives, so that every contract is “Compliance Ready”.

Assuming that the business executives do execute such contracts, it is the responsibility of the DPO to keep track of the inventory of “Data Protection Liabilities” arising out of these contracts and to monitor changes that may occur from time to time.

Sometimes there would be difficulties in implementing these requirements, and notices of compromise may have to be exchanged. All such requirements need to be documented for the purpose of compliance.

PDPSI therefore expects that the subject company has a robust policy where every contract signed in the name of the company is brought on record, serially numbered, and the obligations undertaken are duly taken note of for compliance throughout the life cycle of the contract.

(To Be continued)

Naavi


Other Reference Articles

  1. A Step beyond BS10012 and GDPR-Personal Data Protection Standard of India-PDPSI
  2. Data Protection Standard of India- (DPSI)
  3. Data Classification is the first and most important element of PDPSI
  4. Why 16 types of Data are indicated in PDPSI?
  5. Implementation Responsibility under Personal Data Protection Standard of India
  6. India to be the hub of International Personal Data Processing… objective of PDPSI
  7. Principles of PDPSI
  8. Pentagon Model of TISM…An implementation approach to PDPSI implementation
  9. Personal Data Gate Keepers and Internal Data Controllers in Organizations
  10. Legitimate Interest Policy
  11. Implement “My Bhi Chowkidar” policy for Personal Data Protection.
  12. Criticality of the Grievance Redressal Mechanism in PDPSI
  13. Data Breach Notification-What PDPSI expects
  14. Naavi’s Data Trust Score model unleashed in the new year
  15. Naavi’s 5X5 Data Trust Score System… Some clarifications
  16. Naavi’s Data Trust Score Audit System…allocation of weightages

Posted in Cyber Law

PDPSI Controls-Data Breach Notification and Data Disclosure Policies

This article posted on April 15, 2019 had been deleted in a server crash.

It has now been substituted with a new article here

Naavi

Posted in Cyber Law