Naavi.org

During the recent discussions on the amendments of the Intermediary Guidelines proposed by the Governments, there was a discussion on one of the proposals which required proactive measures by the Social Media to curb spread of fake news. Many were complaining that “Proactive monitoring” of accounts is not feasible.

The news that is just now breaking that suggests that Face Book has removed 687 pages supposedly connected with the Congress party for “Inappropriate Behaviour” indicates that the company has run some sort of analytics and found out that the owners of these pages were running their accounts in impersonated names and all of them were connected to the IT Cell of Indian National Congress and were using the pages to canvass for Congress.

Refer report here

Face Book has therefore accepted that today’s AI environment can be harnessed to at least identify some types of fake news and take proactive action. I am sure that more is possible.

Recently Naavi had raised this issue in his article in India Legal Magazine.

In this article, I had argued that Social Media companies are actually not interested in removing fake news because they are commercially beneficial to them. We have seen this tendency in ISPs who support pornography and spamming since they constitute a substantial part of data exchange on the Internet. Similarly WhatsApp can do a lot to reduce the duplication of data exchange if they really want, but obviously this does not make commercial sense. What has happened now with Face Book is therefore a positive development and must be appreciated.

A couple of month’s back, in a round table in Bangalore, Naavi had pointed out to Professor Rajiv Gowda  the spokesperson of Congress, (who was one of the participants,) that it was the political parties which were mainly responsible for the fake news. This stand has been vindicated in the current news break.

Congress as a party has been in the forefront of creating fake news and fake allegations on its political opponents and has corrupted the social media irretrievably. Naturally, it would be worried about this embarrassment and would like to create a balancing embarrassment to the BJP also. Perhaps the party will do its own research and come up with a list of pages belonging to BJP and request Face Book to remove them.

It would be good if the users themselves identify such fake pages and report to Face Book so that they can verify and remove them. This would be like “Content Rating” and “Content Filtering with Crowd sourcing of objections”. This would be a good development.

It must however be noted that Face Book has said that the removal of the pages is not because of the content but because of the attempt to hide identity. This issue is therefore not an issue of “Freedom of Expression” and hence Prashant Bhushan and his friends cannot run to the Supreme Court with their PILs.

It would however be interesting to see how these PIL experts would react to this latest set back.

Naavi

[In continuation of the earlier article/s on PDPSI, we proceed to unravel the further details of  the Personal Data Protection Standard of India (PDPSI). The objective of the standard is to make available a open source guideline to Indian Companies to comply with Privacy and Data Protection requirements that meet the standards of BS10012, GDPR as well as the Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]

So far, we have discussed the Data Classification requirements and the implementation responsibilities in the PDPSI. We have also indicated the statutory scope and the need for building measurability as part of the implementation of  the standard.

Now we shall extend our discussion to three more aspects of the PDPSI which define it’s architecture.

They are

1. 1. Privacy By Design
   2. Requirement of a Charter of Implementation
   3. Certification Process

Privacy By Design

Privacy By design as an accepted concept in the implementation of Privacy Protection measures in a technical environment. It refers to the proactive measures initiated  by an organization so that information privacy is protected.

Privacy By Design is not restricted to the concept that by default a control like the “Consent” should be set to “No Consent” and the user is required to initiate some affirmative action to provide his “Consent”.

Essential aspect of the design is to capture the life cycle of personal data and embed Information Privacy protection at every step of collection, generation, processing, storage or transmission of personal data.

Towards this end-to-end privacy protection, it is necessary to recognize that “Design” is not limited to the technical architecture of a software product or service. It has to extend to Managerial, Organizational and Business Aspects of the organization. It has to take into account the three dimensions of Technology, Legal and Behavioural aspects that affect the implementation of Information Privacy protection.

Privacy by design concept therefore recognizes that while constituting the DPC (Data Protection Committee), there is a role for the HR, Legal and Marketing department to be represented besides the CISOs and DPOs.

Privacy Policy of the organization should therefore be in the radar when new business is signed up or when a call center employee attends to a customer call.

The standard can only make a statement about the need for “Privacy By design” but the proof of its implementation has to be checked by the auditor in the different aspects of the business processes followed by the organization. The Procedures of how a new business is acquired, how the data processing is planned, what kind of sanction polices are adopted for HR purpose etc are all factors that reveal whether “Privacy By Design” is actually being practiced by an organization and does not remain only a slogan.

Requirement Charter

Normally the exercise of compliance starts with a “Gap Analysis” which tries to understand the current status of Information Privacy protection vis a vis the requirements. It is drawn up by an auditor (External or internal) and may be called a Data Protection Impact Assessment (DPIA). When a new law such as GDPR or PDPA 2018 is adopted, it will be necessary to conduct a DPIA for the entire organization. There afterwards, whenever a new project is taken up, it may be necessary to check if a separate DPIA is required or the project falls completely within the current system.

Once the “Gap Analysis Report” is ready, it is to be considered as a suggestion of an  auditor and it requires to be consciously adopted by the top management. once so adopted, it becomes the “Requirement Charter”. The Requirement Charter has to be further passed on to the implementation team.

The signing off of the Requirement Charter is essential to demonstrate the commitment of the top management as well as bring in the accountability of the top management. It will also ensure that the organization’s different departments cooperate with each other and support the DPO in his/her day to day duties in which several operational executives may find their freedom of operation trampled with.

This will also give an opportunity for the management to make a Risk Analysis, evaluate the total risk, define the Risk Appetite of the organization, buy adequate Risk Insurance and there after issue the Charter to mitigate risk to ensure that the residual absorbed risk remains as low as feasible.

Certification Process

The Certification system under PDPSI shall evaluate the managerial efficiency in defining the Implementation Charter and the implementation efficiency in implementing the charter.

This twin Certification process will ensure that the responsibilities of the top management  and the DPO are defined clearly and one will not end up blaming the other for any failure.

The Certification may be initially done by an external auditor but once accepted by the organization, it may be considered as a “Self Certification”. While accepting, the management may qualify its acceptance in which case the qualifications could lead to issue of a “Revised Supplementary Charter” to be implemented as a continuing exercise.

We shall continue with other aspects of implementation in the subsequent articles.

(Comments are welcome)

Naavi

Earlier Articles

1. A Step beyond BS10012 and GDPR-Personal Data Protection Standard of India-PDPSI
2. Data Protection Standard of India- (DPSI)
3. Data Classification is the first and most important element of PDPSI
4. Why 16 types of Data are indicated in PDPSI?
5. Implementation Responsibility under Personal Data Protection Standard of India
6. India to be the hub of International Personal Data Processing…. objective of PDPSI
7. Naavi’s Data Trust Score model unleashed in the new year
8. Naavi’s 5X5 Data Trust Score System…. Some clarifications
9. Naavi’s Data Trust Score Audit System…allocation of weightages

[In continuation of the earlier article/s on PDPSI, we proceed to unravel the further details of  the Personal Data Protection Standard of India (PDPSI). The objective of the standard is to make available a open source guideline to Indian Companies to comply with Privacy and Data Protection requirements that meet the standards of BS10012, GDPR as well as the Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]

We have so far discussed two important aspects of the PDPSI approach. One is the data classification system which recognizes 16 data types of personal data which may require different compliance controls based on the classification. The second is the Governance system where there is collective responsibility for the organization, monitoring at the highest level and integration of multiple functions which may have inherent conflicts  in terms of authority into a Data Protection Committee (DPC).

These may be fundamental measures but they are the key aspects of PDPSI to ensure that the controls (that would be discussed later) at operational level would be implemented effectively.

Before we proceed further into the individual controls, it is necessary to indicate two other aspects of PDPSI structure which are essential for understanding the controls.

They are

a) Defining the statutory scope of PDPSI

b) Building Measurability of Compliance

Statutory Scope of PDPSI

The objective of PDPSI is to provide the Indian Data Processing industry, a framework to have a uniform approach towards meeting the compliance requirements. This Indian Data Processing Industry (IDPI) operates in a global environment both because Internet itself is a border less entity and also because there is a large component of contractual data processing of international data that happens in India.

It is essential that IDPI recognizes and incorporates the concern of the international companies about compliance of laws applicable to them without which the IDPI cannot progress. Non compliance of international data protection laws would lead to reduction of flow in the BPO activity of Indian companies. On the other hand, an assurance of compliance on the international data protection laws should help in the IDPI garner more international data processing business with better price realization.

PDPSI therefore is not a competitor to other standards but is an amalgamation of all global standards into one standard and recognizes that India has to develop as the hub of international personal data processing.

The current Indian data protection law which is represented by Section 43A of ITA 2000/8 focusses on “Contractual Obligations” between the Indian Data Processor and the supplier of personal data. If the supplier of personal data is a US health care industry and signs a BA agreement as per HIPAA-HITECH Act, then Indian Company has to be compliant with HIPAA-HITECH Act even if it works in India. Similarly if the Indian Company processes EU data, it has to have in the BA contract an obligation to comply with GDPR.

Hence, a mandate to comply with ITA 2000/8 is automatically a mandate to comply with all necessary international laws through a system of contract management.

What PDPSI achieves additionally is a systematic process by which these laws are built into the system in the data classification itself.

Broadly the scope of PDPSI is defined with reference to Indian laws such as

1. 1. Personal Data Protection Act (PDPA 2018) as proposed and under development
   2. Information Technology Act 2000 as amended from time to time
   3. The Aadhaar (Targeted Delivery of Financial and other subsidies, benefits and services) Act, 2016 as amended from time to time
   4. Guidelines of sectoral regulatory authorities including RBI, SEBI etc
   5. Digital Information Security for Health Care Act (DISHA) as proposed and under development
   6. Electronic Heath Record (EHR) guidelines
   7. Any other law as may be considered relevant

In this list, “Any other law” includes GDPR, CCPA etc depending on the data in question. Hence incoming personal data from EU would automatically be tagged with GDPR and the controls as applicable would become applicable.

Since each country defines its own laws, the PDPSI leaves the Scope under item (G)  above open ended. This will also take care of any future addition to Indian laws as well since Indian data protection laws are also in a state of evolution.

Measurability of Data Protection Compliance

In Risk Management, we some times discuss about Qualitative and Quantitative types of Risk measurement. In Technical risk assessment, various statistical methods are used to measure the risks. But in Techno Legal risk assessments, “Qualitative” or “Subjective” depiction of “Risk Measurement” is preferred.

Compliance is a “Techno Legal” factor and hence it is not easy to provide a quantitative assessment of how much of the risks are covered by the compliance process.

However, PDPA 2018 has proposed that a “Data Audit” shall be conducted annually by an external auditor  and a “Data Trust Score” (DTS) is assigned to the organization.  This DTS is therefore a measurable component of the “Status of Compliance” in an organization. It could be like the “Credit Rating” that is used in the Finance industry.

PDPSI recognizes the mandatory nature of DTS system in the Indian Data protection regulation and adopts it into its requirement though some changes may occur in this respect in due course when the final act is passed.

Naavi has already presented his system titled “5X5 Data Trust Score System”which attempts to present one model by which Data Audit results can be reduced to a “Numeric Index”. This is an example of how measurability can be introduced to the implementation of PDPSI.

PDPSI therefore prescribes that “Compliance shall be measurable”. It does not mandate the use of any particular system of measurement and it is left to the auditor to design an acceptable system. For the time being, Naavi’s 5X5 DTS system is considered as a suggestion which is an annexure to the PDPSI. Other measures as and when developed may also be considered for addition into the annexures. It is however recognized that though parts of the compliance and the assessment are “subjective”,  at least the expression of measurability can be standardized through these annexed suggestions.

P.S:

I am presenting the PDPSI concepts one by one so that experts can go through and suggest further refinements. This will continue.

Many of my friends are wondering how I as an individual can take on the globally recognized agencies and speak of a “Standard”. I can only say that if the intentions are right, even an individual should try to make a move towards the desired goal. At the same time, I am inviting all my friends to join me in developing these standards so that it becomes a participative exercise.

But participating in this process  requires commitment, courage and a self belief that we are capable of defining what is good for the Indian market better than some other international agency which anyway hires our own people to create a proprietary document to make money.

All those who have such commitment are welcome to join this movement to create PDPSI and make it acceptable to the society.

Naavi

Earlier Articles

1. A Step beyond BS10012 and GDPR-Personal Data Protection Standard of India-PDPSI
2. Data Protection Standard of India- (DPSI)
3. Data Classification is the first and most important element of PDPSI
4. Why 16 types of Data are indicated in PDPSI?
5. Implementation Responsibility under Personal Data Protection Standard of India
6. Naavi’s Data Trust Score model unleashed in the new year
7. Naavi’s 5X5 Data Trust Score System…. Some clarifications
8. Naavi’s Data Trust Score Audit System…allocation of weightages

[In continuation of the earlier article/s on PDPSI, we proceed to unravel the further details of  the Personal Data Protection Standard of India (PDPSI) The objective of the standard is to make available a open source guideline to Indian Companies to comply with Privacy and Data Protection requirements that meet the standards of BS10012, GDPR as well as the Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]

An information security standard is a set of guideline which should help an organization reach a minimum level of desired level of security implementation. The primary requirements of the standard is meant for “Implementation” and the secondary purpose is “Certification”.

Hence, how an organization handles the allocation of roles and responsibilities for implementation of information security is also considered part of the standard itself. Other standards may also address this issue under “ISMS Organization”.

In IS implementation, Naavi recognizes the implementation priority based on the “Pyramid Model”. The implementation itself is expected to be also influenced by the “Theory of Information Security Motivation”. A brief discussion of these two concepts are required for explaining the logic behind the definition of implementation responsibility.

Naavi’s Pyramid model of prioritization of Information Security goals suggests that an organization follows the implementation as indicated in the following diagram.

What this representation means is that though we say that “Security is only as strong as its weakest link”, practically, an organization follows the priority chain where it first focuses on the Availability of information to its decision makers, then the integrity and then the Confidentiality before raising to the higher levels of authentication and non repudiation. This theory is at slight variance with the CIA principle which characterizes the understanding of Information Security in general.

As a result of this, an organization in its journey towards information security, would have first created a CTO and then moved onto a CISO for entrusting responsibilities of Information Security. When the legal aspects of information security gets recognized, we have the advent of the role of “Compliance Officials”. The advent of the recent generation of data protection legislation have now brought in the roles of “Data Protection Officers” either as employees of the organization or as external consultancy agencies.

PDPSI recognizes the possibility therefore that  a subject organization may already have a CTO, CISO, CCO and perhaps a DPO before it is now thinking of PDPSI implementation. Some of them could have also attempted  ISO 27001, HIPAA, PCI DSS implementation and hold necessary certificates. PDPSI tries to integrate all these implementations and creates a super controller who should be responsible for all the compliance requirements.

PDPSI therefore prescribes that the implementation responsibility for PDPSI lies with the top of the top management equivalent to the Board in a corporate structure. Implementation activity of PDPSI must therefore have the backing of a Board Resolution and also incorporated in the annual report to the shareholders or other equivalent disclosure documents.

Under PDPSI, every organization shall have a designated group of persons entrusted with the overall responsibility of compliance and shall constitute the Data Protection Committee (DPC) of which the CEO of the organization and at least one member of the Board of Directors shall be a part. The group shall also designate one individual coordinator who shall be the Data Personal Data Protection Officer (PDPO) of the organization and responsible for representing the organization with the regulatory authorities and the public for compliance related issues.

Periodical Data Protection Status Assessment (DPSA) may be conducted by the PDPO but every annual exercise of Assessment of Data Protection Status shall be undertaken by an independent external agency.

Thus the responsibility for PDPSI responsibility lies with the DPC at the operational level and the Board at the policy level. PDPO will be the coordinator of the activities and will assume all the responsibilities of the DPO as envisaged under PDPA 2018 or GDPR.

However, PDPO would periodically send such status reports to the DPC that the DPC shall not absolve itself of its collective responsibility. The DPC itself shall keep the Board appraised at periodical intervals and incorporated in the corporate disclosures through the annual report etc. This ensures that even the share holders shall be kept informed at suitable intervals so that there is transparency in the activities that provide assurance of information security implementation in the organization.

The creation of an ISMS structure needs to be customized for every organization and hence further details are left to the discretion of the management and would reflect the organizational commitment to fair implementation of PDPSI which an auditor may consider for evaluating the Data Trust Score or equivalent measurable representation of the standard.

In summary, the PDPSI standard for ISMS organization creates a shared responsibility at the Board level followed by the DPC and does not load the PDPO with a responsibility which he cannot enforce. However due to the power of statute, PDPO would be saddled with the responsibilities that a PDPA 2018 or GDPR envisages though he may try to build a protective shield by escalating the issues to the top management. This would check the tendency of some managements to manipulate the DPO and compromising security because of other business priorities.

It is envisaged that all genuine business related compromises are built into the document “Legitimate Interest Policy” which is discussed later and hence PDPSI takes into account both the theoretical prescriptions of the laws like GDPR and the practical realities at the level of implementation.

(Comments are welcome. Further discussions will continue)

Naavi

Other Reference Articles

1. A Step beyond BS10012 and GDPR-Personal Data Protection Standard of India-PDPSI
2. Data Protection Standard of India- (DPSI)
3. Data Classification is the first and most important element of PDPSI
4. Why 16 types of Data are indicated in PDPSI?
5. Implementation Responsibility under Personal Data Protection Standard of India
6. India to be the hub of International Personal Data Processing…. objective of PDPSI
7. Principles of PDPSI
8. Naavi’s Data Trust Score model unleashed in the new year
9. Naavi’s 5X5 Data Trust Score System…. Some clarifications
10. Naavi’s Data Trust Score Audit System…allocation of weightages

[PDPSI is the Personal Data Protection Standard of India as issued by Cyber Law College, the academic arm of Naavi.org. The objective of the standard is to make available a open source guideline to Indian Companies to comply with Privacy and Data Protection requirements that meet the standards of BS10012, GDPR as well as the Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]

This is in continuation of our previous article, “Data Classification is the first and most important element of PDPSI”in which we had highlighted that “Data Classification” is an important step in the compliance. Before even we determine the “Risks” and initiate “Privacy By Design” and “Information Security Practices”, it is necessary to understand what type of data is in the hands of a company and where it comes in or generated, where it is used, where it is stored and transmitted out.

In our previous article we had indicated 16 types of data classification within the Individually identified data. It is reiterated below for reference.

What this chart indicates is that a company should first be able to understand that PDPSI (as well as GDPR or PDPA 2018) applies only to personal information and not to corporate information however important it is.

Protection of all data is the job of the Information Security/Compliance Officer of the Company. Protection of Personal Data is a subset of this larger requirement.

The reason why there appears to be more importance given to compliance of Personal Information instead of all the information is that when there is a non compliance issue related to Personal Information, authorities such as the GDPR or DPA can come in with imposition of penalties for non compliance.

On the other hand any non compliance issues related to  non personal data is a “Best Practice” issue and gets escalated only when there is a data breach which qualifies to be called a Cyber Crime and there are victims who invoke law for claiming compensation.

Hence compliance managers and the management are more worried about compliance of “Personal Data Protection” laws rather than “All Data protection” laws though the former should be a sub-set of the latter.

Coming back to the Data Classification exercise, PDPSI has recognized the need  to identify 16 types of Individually identifiable data since the compliance requirements can vary for each of these 16 types.

Data is always a “Package” and consists of multiple elements. For Example, Name is personal data and in most cases it is the lead personal data because humans recognize the name. Name often comes with additional associated information such as the E Mail address, the Phone number, the employee ID, residential address, age etc. It may also include the “Meta Data” associated with the transactions of the data subject.

For the purpose of compliance, it is necessary to aggregate all associate data of one person into one “Personal Data Package”. This Personal Data Package is not static and it grows as more and more information flows in to the organization and is associated with the same individual data package recognized by the “Lead personal data element” (LPDE). 

It is open to an organization to allocate a customer ID or Employee ID etc to the name of a person and thereafter consider the number as the “LPDE”. It is also open to use a “Pseudonymization key” if required. It is like opening a “Ticket”. All subsequent references to the same individual has to be added to this “Identity Ticket”.

Once a Data Package with a “Designation of the LPDE”  is issued a “Data Package Identity” (DPI), the DPI becomes the reference data reference for further usage.

This DPI needs to be allocated different attributes as indicated to define what data protection law would be relevant.

We have identified four levels under which the attributes are being associated.

Level 1: Employee or Non Employee

Level 2: Subject only to Indian laws or to other foreign laws also

Level 3: Personal or Sensitive personal

Level 4: Adult or Minor

The first categorization of Employee and Non Employee is suggested because Employee personal data is subject to employment contracts and may provide the organization with more flexibility than non employee personal data.

The second level of attribute is required because the data subject may be a citizen of one country, resident of another country and the data processing may involve profiling of activities in different countries. Similarly the data may be health data subject to US laws such as HIPAA or Financial data subject to some other law of another country. It is better to identify the scope of compliance by associating which set of laws need to be kept under consideration for securing the subject DPI.

Then comes the distinction of personal and sensitive personal data, since laws my be different even within one statute.

The fourth level attribute is because law may also be different if the data subject is an adult or he is a minor.

Hence we need to identify 16 types of personal data and map the compliance requirements for each of these different types. If we include the first level of “Individually identifiable” and “Corporate” as the Level  Zer0, we will occupy a total of 5 bits that are required to identify a data package. If the “Psudonymous state” is also added as an attribute, it would consume the sixth bit in the packet.  This leaves another 2 bits in a byte to define the Data Package references. It can be extended to a 16 bit ID space if more attributes need to be added. To avoid the Y2k type problem, we may start with an allocation of 16/32 bit space straight away and keep excess bits vacant so that a “Data Package” will have a distinct identity even as it grows. This should help in implementing “Data Portability” and “Data Erasure” when required.

The PDPSI presents the set of controls required to manage the compliance under PDPA 2018 (presently ITA 2018 until the new law is enacted) and additional controls in the form of annexures depending on whether other laws become relevant. For example one annexure may indicate GDPR requirements for personal data of an Indian Citizen whose activities are monitored by a EU Company. Or that of a EU Citizen who may be profiled for his activities in India. Similarly different annexures may be there for HIPAA compliance, GLBA compliance, CCPA compliance, etc.

We will initially focus on compliance of Indian data protection laws as envisaged under PDPA 2018 and then develop other annexures one by one.

We are aware that PDPA 2018 is only a draft bill now and will have to be re-introduced and passed. But the principles of data protection and therefore the standards will not change even if PDPA 2018 becomes PDPA 2019. Further when the Indian DPA comes into existence, we need to present it with some industry led proposal as a standard so that it can focus only on modifications as may be required.

We hope that PDPSI would become the base standard from which modified versions can be developed by the DPA.  We feel that this will at least make the work of DPA simpler and quicker.

(Comments are welcome)

Naavi

Personal Data Protection Standard of India (PDPSI) is the standard being developed by Cyber Law College of Naavi to assist the compliance of Personal Data Protection regulations in India. We had earlier mentioned the first version of PDPSI as PDPSI-0219. It is time now to report a small progress with the second version of the document PDPSI-0319, which is also a work in progress.

The objective of this Document is to codify the set of standards that are aimed at providing compliance of data protection regulations in India.

The scope of this document  encompasses the requirements of ITA 2000/8, the proposed PDPA 2018, BS10012 principles of  GDPR.

We the people of India have adopted our own regulatory standard for personal data protection and protection of Information Privacy of Indian Citizens as guaranteed by our constitution. We first notified Information Technology Act 2000 (ITA 2000) with effect from 17^th October 2000 incorporating the responsibilities of citizens including corporate entities for protecting data both personal and otherwise. With the amendments in 2008 effective from 27^th October 2009, the new version of ITA 2000 namely the Information Technology Act 2000/8 (ITA2008) further codified the responsibilities of Body Corporates and others in protecting Personal Data and Sensitive Personal Data.  ITA 2008 and the rules that followed on 11th April 2011 also had provisions for “Reasonable Security Practice” and “Due Diligence” which were the grounds for the first set of “Personal Data Protection Standards” in India.

After the Supreme Court of India came out with its judgement on Privacy which inter-alia recognized the need for “Information Privacy Protection”, a strong emphasis was laid on Personal Data Protection in India. The operating guidelines for meeting the expectations of the Supreme Court expanding the scope of ITA 2008 and its rules came in the draft form through the Draft Bill titled “Personal Data Protection Act 2018” (PDPA 2018). Though PDPA 2018 is today only a work in progress to be re-introduced as a new Bill after the next elections, the broad contours of Personal Data Protection in India has been firmly laid by this proposed bill drafted by a former Justice of Supreme Court namely Justice Bellur Narayanaswamy Srikrishna.

Though PDPA 2018 has adopted several principles of Privacy Protection from global documents including the GDPR (General Data Protection Regulation of the European Union), the compliance requirements in India regarding Information Privacy Protection is distinct and includes compliance of ITA 2000/8 as well as parts of Aadhaar Act as well as the proposed PDPA 2018 etc.

In view of this wider and distinctive scope of Indian regulations on Information Privacy Protection, it is considered that global standards of data protection contained in ISO 27001 or BS 10012 are considered inadequate to meet the requirements in India.

The long term objective of this document is to ensure that “Standards” are not to remain “Proprietary” and must be made known to the stake holders who are expected to implement them. Hence Naavi intends to make this standard open source once a formal sufficiently refined version of the standard emerges.  Until then, only some high level concepts may be publicly released.

In the new version, an attempt has been made to expand the portion of “Classification of Data” because it is the key to further implementation. The required classification is depicted in the following diagram.

Salient Features

This system of data classification will first recognize the data that may be flowing in the organization and classify them in the first level to “Individually Identifiable Data” and “Corporate Data”.

Personal data will consist of such data that identifies an individual. Corporate data includes business related data which does not contain personal data. Protection of Corporate data is part of the DPSI while PDPSI focuses on protection of Personal data.

Individually Identifiable Data is further tagged with the following attributes

1. 1. Employees and Non Employees
   2. Subject to Indian Laws only and Subject to Indian and Foreign Laws
   3. Personal and Sensitive Personal
   4. Adult and Minor

Individually identifiable data of Employees is considered as “Corporate Data” but may be subject to additional compliance requirements depending on the applicable laws whether Indian or foreign.

Classification of Personal and Sensitive Personal, adult and minor may also be different based on the applicable laws.

The above attribute tagging will be applied to a set of data elements which is considered as a “Package”. Each such “Individually identifiable Data package” shall carry a distinct identity as “Package ID”. Every element of the Package ID shall be tagged in further usage with the “Package ID”.

Every package will be identified with a “lead element”, which could be the name or another identity parameter.

(I welcome comments)

Naavi