Naavi.org

[PDPSI is the Personal Data Protection Standard of India as issued by Cyber Law College, the academic arm of Naavi.org. The objective of the standard is to make available a open source guideline to Indian Companies to comply with Privacy and Data Protection requirements that meet the standards of BS10012, GDPR as well as the Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]

This is in continuation of our previous article, “Data Classification is the first and most important element of PDPSI”in which we had highlighted that “Data Classification” is an important step in the compliance. Before even we determine the “Risks” and initiate “Privacy By Design” and “Information Security Practices”, it is necessary to understand what type of data is in the hands of a company and where it comes in or generated, where it is used, where it is stored and transmitted out.

In our previous article we had indicated 16 types of data classification within the Individually identified data. It is reiterated below for reference.

What this chart indicates is that a company should first be able to understand that PDPSI (as well as GDPR or PDPA 2018) applies only to personal information and not to corporate information however important it is.

Protection of all data is the job of the Information Security/Compliance Officer of the Company. Protection of Personal Data is a subset of this larger requirement.

The reason why there appears to be more importance given to compliance of Personal Information instead of all the information is that when there is a non compliance issue related to Personal Information, authorities such as the GDPR or DPA can come in with imposition of penalties for non compliance.

On the other hand any non compliance issues related to  non personal data is a “Best Practice” issue and gets escalated only when there is a data breach which qualifies to be called a Cyber Crime and there are victims who invoke law for claiming compensation.

Hence compliance managers and the management are more worried about compliance of “Personal Data Protection” laws rather than “All Data protection” laws though the former should be a sub-set of the latter.

Coming back to the Data Classification exercise, PDPSI has recognized the need  to identify 16 types of Individually identifiable data since the compliance requirements can vary for each of these 16 types.

Data is always a “Package” and consists of multiple elements. For Example, Name is personal data and in most cases it is the lead personal data because humans recognize the name. Name often comes with additional associated information such as the E Mail address, the Phone number, the employee ID, residential address, age etc. It may also include the “Meta Data” associated with the transactions of the data subject.

For the purpose of compliance, it is necessary to aggregate all associate data of one person into one “Personal Data Package”. This Personal Data Package is not static and it grows as more and more information flows in to the organization and is associated with the same individual data package recognized by the “Lead personal data element” (LPDE). 

It is open to an organization to allocate a customer ID or Employee ID etc to the name of a person and thereafter consider the number as the “LPDE”. It is also open to use a “Pseudonymization key” if required. It is like opening a “Ticket”. All subsequent references to the same individual has to be added to this “Identity Ticket”.

Once a Data Package with a “Designation of the LPDE”  is issued a “Data Package Identity” (DPI), the DPI becomes the reference data reference for further usage.

This DPI needs to be allocated different attributes as indicated to define what data protection law would be relevant.

We have identified four levels under which the attributes are being associated.

Level 1: Employee or Non Employee

Level 2: Subject only to Indian laws or to other foreign laws also

Level 3: Personal or Sensitive personal

Level 4: Adult or Minor

The first categorization of Employee and Non Employee is suggested because Employee personal data is subject to employment contracts and may provide the organization with more flexibility than non employee personal data.

The second level of attribute is required because the data subject may be a citizen of one country, resident of another country and the data processing may involve profiling of activities in different countries. Similarly the data may be health data subject to US laws such as HIPAA or Financial data subject to some other law of another country. It is better to identify the scope of compliance by associating which set of laws need to be kept under consideration for securing the subject DPI.

Then comes the distinction of personal and sensitive personal data, since laws my be different even within one statute.

The fourth level attribute is because law may also be different if the data subject is an adult or he is a minor.

Hence we need to identify 16 types of personal data and map the compliance requirements for each of these different types. If we include the first level of “Individually identifiable” and “Corporate” as the Level  Zer0, we will occupy a total of 5 bits that are required to identify a data package. If the “Psudonymous state” is also added as an attribute, it would consume the sixth bit in the packet.  This leaves another 2 bits in a byte to define the Data Package references. It can be extended to a 16 bit ID space if more attributes need to be added. To avoid the Y2k type problem, we may start with an allocation of 16/32 bit space straight away and keep excess bits vacant so that a “Data Package” will have a distinct identity even as it grows. This should help in implementing “Data Portability” and “Data Erasure” when required.

The PDPSI presents the set of controls required to manage the compliance under PDPA 2018 (presently ITA 2018 until the new law is enacted) and additional controls in the form of annexures depending on whether other laws become relevant. For example one annexure may indicate GDPR requirements for personal data of an Indian Citizen whose activities are monitored by a EU Company. Or that of a EU Citizen who may be profiled for his activities in India. Similarly different annexures may be there for HIPAA compliance, GLBA compliance, CCPA compliance, etc.

We will initially focus on compliance of Indian data protection laws as envisaged under PDPA 2018 and then develop other annexures one by one.

We are aware that PDPA 2018 is only a draft bill now and will have to be re-introduced and passed. But the principles of data protection and therefore the standards will not change even if PDPA 2018 becomes PDPA 2019. Further when the Indian DPA comes into existence, we need to present it with some industry led proposal as a standard so that it can focus only on modifications as may be required.

We hope that PDPSI would become the base standard from which modified versions can be developed by the DPA.  We feel that this will at least make the work of DPA simpler and quicker.

(Comments are welcome)

Naavi

Personal Data Protection Standard of India (PDPSI) is the standard being developed by Cyber Law College of Naavi to assist the compliance of Personal Data Protection regulations in India. We had earlier mentioned the first version of PDPSI as PDPSI-0219. It is time now to report a small progress with the second version of the document PDPSI-0319, which is also a work in progress.

The objective of this Document is to codify the set of standards that are aimed at providing compliance of data protection regulations in India.

The scope of this document  encompasses the requirements of ITA 2000/8, the proposed PDPA 2018, BS10012 principles of  GDPR.

We the people of India have adopted our own regulatory standard for personal data protection and protection of Information Privacy of Indian Citizens as guaranteed by our constitution. We first notified Information Technology Act 2000 (ITA 2000) with effect from 17^th October 2000 incorporating the responsibilities of citizens including corporate entities for protecting data both personal and otherwise. With the amendments in 2008 effective from 27^th October 2009, the new version of ITA 2000 namely the Information Technology Act 2000/8 (ITA2008) further codified the responsibilities of Body Corporates and others in protecting Personal Data and Sensitive Personal Data.  ITA 2008 and the rules that followed on 11th April 2011 also had provisions for “Reasonable Security Practice” and “Due Diligence” which were the grounds for the first set of “Personal Data Protection Standards” in India.

After the Supreme Court of India came out with its judgement on Privacy which inter-alia recognized the need for “Information Privacy Protection”, a strong emphasis was laid on Personal Data Protection in India. The operating guidelines for meeting the expectations of the Supreme Court expanding the scope of ITA 2008 and its rules came in the draft form through the Draft Bill titled “Personal Data Protection Act 2018” (PDPA 2018). Though PDPA 2018 is today only a work in progress to be re-introduced as a new Bill after the next elections, the broad contours of Personal Data Protection in India has been firmly laid by this proposed bill drafted by a former Justice of Supreme Court namely Justice Bellur Narayanaswamy Srikrishna.

Though PDPA 2018 has adopted several principles of Privacy Protection from global documents including the GDPR (General Data Protection Regulation of the European Union), the compliance requirements in India regarding Information Privacy Protection is distinct and includes compliance of ITA 2000/8 as well as parts of Aadhaar Act as well as the proposed PDPA 2018 etc.

In view of this wider and distinctive scope of Indian regulations on Information Privacy Protection, it is considered that global standards of data protection contained in ISO 27001 or BS 10012 are considered inadequate to meet the requirements in India.

The long term objective of this document is to ensure that “Standards” are not to remain “Proprietary” and must be made known to the stake holders who are expected to implement them. Hence Naavi intends to make this standard open source once a formal sufficiently refined version of the standard emerges.  Until then, only some high level concepts may be publicly released.

In the new version, an attempt has been made to expand the portion of “Classification of Data” because it is the key to further implementation. The required classification is depicted in the following diagram.

Salient Features

This system of data classification will first recognize the data that may be flowing in the organization and classify them in the first level to “Individually Identifiable Data” and “Corporate Data”.

Personal data will consist of such data that identifies an individual. Corporate data includes business related data which does not contain personal data. Protection of Corporate data is part of the DPSI while PDPSI focuses on protection of Personal data.

Individually Identifiable Data is further tagged with the following attributes

1. 1. Employees and Non Employees
   2. Subject to Indian Laws only and Subject to Indian and Foreign Laws
   3. Personal and Sensitive Personal
   4. Adult and Minor

Individually identifiable data of Employees is considered as “Corporate Data” but may be subject to additional compliance requirements depending on the applicable laws whether Indian or foreign.

Classification of Personal and Sensitive Personal, adult and minor may also be different based on the applicable laws.

The above attribute tagging will be applied to a set of data elements which is considered as a “Package”. Each such “Individually identifiable Data package” shall carry a distinct identity as “Package ID”. Every element of the Package ID shall be tagged in further usage with the “Package ID”.

Every package will be identified with a “lead element”, which could be the name or another identity parameter.

(I welcome comments)

Naavi

We have earlier discussed the broad contours of Naavi’s  “Personal Data Protection Standard of India” (PDPSI) followed by Ujvala Consultant’s Pvt Ltd. The PDPSI is meant to cover the requirements of Data Protection by Indian Companies exposed to the compliance requirements under PDPA 2018 (as proposed) and encompass the best practices covered under BS10012.

As a refinement of the approach to the standards, it is now decided that PDPSI-0219 will be considered as a subset of DPSI which shall be the standard for Data Protection in general by a Data Processing industry. This should be compliant with the ITA 2000/8 which applies to all kinds of data whether it is Personal or Corporate.

PDPSI itself will be divided into two levels namely Level I which will apply to Personal Data and Level 2 which will apply to Sensitive personal Data. DPSI will apply to Personal Data, Sensitive personal data and corporate data which does not consist of Personal Data.

Further DPSI will have schedules that map PDPSI to different regulations of other countries such as GDPR, CCPA, HIPAA, UK-PDPA etc.

The Data Protection Audit suggested by Naavi would be based on DPSI/PDPSI as the case may be.

The objective of developing these standards is to make the guideline available free of charge to the companies who need to implement data security as against the current system where they need to incur enormous expenses to buy standards even before implementing them.

More information will follow.

Naavi

It was interesting to note that one of the law colleges in Bangalore has announced a moot court competition which recognizes some of the latest developments in the field of technology and law in India.

It is a general observation that the curriculum of LLB does not have an in depth discussion of ITA 2000/8. Though Bar Council has requested all colleges to incorporate Cyber Laws in their regular curriculum, it remains mainly an optional subject.

In the light of this perception, it was a surprise to know that Bishop Cotton Women’s Christian Law College, Bangalore has chosen for its 7th National Moot Court competition a problem which includes “Artificial Intelligence”, “Facebook Cambridge Analytica”, “Personal  Data Protection Act” etc.

A Copy of the Moot Court challenge is available here.

Though the link between AI, FaceBook and PDPA 2018 are structured a bit artificially, the attempt to introduce new technology terms to the law students is a matter to be appreciated.

Naavi

Naavi joins the lighting of the lamp in inaugurating the workshop 

A Unique one day workshop was conducted in Chennai on 16th March 2019 on “Section 65B of Indian Evidence Act”.

The Workshop was inaugurated by Honourable Justice Sri M. Jaichandren, in the presence of Honourable Justice, Dr S. Vimala, Senior Advocates, Mr Masilamani and A Thiagarajan. Mr Na Vijayashankar (Naavi) as Founder Chairman of Foundation of Data Protection Professionals in India (FDPPI), and a pioneer in Section 65B, conducted the knowledge session. Mr S.Balu President of Cyber Society of India (CySi) and formerly head of the Cyber Crime division of Chennai organized the event.

The Print Version of the book with latest updation, titled “Section 65B of Indian Evidence Act Clarified” by Naavi was released during the event.

The workshop was unique because it was completely focussed on Section 65B which has been in operation since 17th October 2000 but whose importance had not been fully realized until the Supreme Court judgement in 2014 in P V Anvar Vs P.K. Basheer, declaring that it is mandatory for admissibility of electronic document as evidence.

Since then the difficulties in understanding the provisions of Section 65B has also come up for discussion in some fora even to suggest that it may need an amendment.

Naavi clarified the doubts regarding the section and also highlighted why Section 65B was a master stroke in ITA 2000.

An illustrative caricature drawn by Mrs Saranya Devi under the guidance of S.Balu which explained the concept and attracted attention during the workshop is reproduced below.

The caricature explains how unlike a human witness who reproduces an evidence from his brain memory is not asked for any certification (other than the deposition itself) while  a CCTV footage when produced as an evidence requires to be certified under Section 65B under the same logic that the “Computer Witness like a human witness needs to depose but can do so only with the assistance of a human who is the Section 65B certifier.”

A gallery of eminent speakers made the event memorable.

A more detailed report on the event would be provided later.

During the event the Chennai Chapter of FDPPI (www.fdppi.in) was also inaugurated and Naavi explained why Section 65B is also relevant to the Data Protection Industry.

The event was a great success.

More information on the event will follow.

Naavi

The ordinance promulgated by the government on March 2, 2019, has once again brought the focus back on the use of Aadhaar and a possible challenge to it in the Supreme Court.

Aadhaar has become an “Instrument of Identity” similar to the “Social Security Number” and similar national identity instruments prevailing in other countries. Even the Supreme Court has conceded that Aadhaar can play a significant role in efficient and transparent governance, and more importantly, in the prevention of corruption.  However, the use of Aadhaar is being repeatedly challenged by privacy activists, alleging that its widespread use could lead to infringement of privacy—a fundamental right of all citizens.

It would, therefore, not be surprising if some privacy activists again knock at the doors of the Supreme Court with a plea to get the ordinance scrapped, perhaps alleging that it is an attempt to violate the principles of privacy laid out in the Supreme Court judgment of September 2018 on Aadhaar (KS Puttaswamy vs Union of India case).

The Puttaswamy judgment raised serious concerns about the use of Aadhaar by private sector companies which had been permitted under Section 57 of the Aadhaar Act. The majority judgment struck down that part of Section 57. Consequently, Section 57 of the Aadhaar Act stood read down with the following effect:

57. Act not to prevent use of Aadhaar number for other purposes under law.

Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, whether by the State or any body corporate or person, pursuant to any law, for the time being in force. Provided that the use of Aadhaar number under this section shall be subject to the procedure and obligations under section 8 and Chapter VI.

It must be recognised that the Puttaswamy judgment did not impose a blanket ban on the use of Aadhaar, either by the government or other entities. It only prohibits the use of Aadhaar under any contract not pursuant to any law. The Court therefore suggested that a proper law should be passed to enable the use of Aadhaar.

The citizens of the country are well aware of the fact that Aadhaar is an “Identity Infrastructure” created by two successive governments at enormous cost to the people of the country. Therefore, it is illogical to block the use of this infrastructure to be harnessed fully for the benefit of the citizens.

However, after the Puttaswamy judgment, the private sector stopped using Aadhaar as an identity management tool since the widely used Aadhaar authentication-based e-KYC system was not part of the Aadhaar Act.

The e-KYC system used for Aadhaar was part of the notified rules of the Controller of Certifying Authorities for e-Sign as an electronic signature under Section 3A of the Information Technology Act, which may be considered as an extension of a statutory base for its use in that context. But KYC which was part of many other regulations such as the RBI guidelines was more of an administrative guideline or a best practice adopted by the industry.

Hence, the government was under an obligation to clarify the use of Aadhaar by private sector companies by enacting suitable legislation so that it became part of Section 57 after its partial striking down by the Supreme Court.

Further, the Justice Srikrishna Committee on Data Protection had recommended a full set of amendments to the Aadhaar Act in an appendix to its report. While the government had introduced the Personal Data Protection Bill as recommended by the Srikrishna Committee, it had to introduce the Aadhaar-related amendments recommended by the committee as a separate amendment bill.

The government was therefore correct in introducing the Aadhaar (Amendment) Bill on January 2, 2019. Though this Bill was passed by the Lok Sabha, it could not be passed in the Rajya Sabha during the current tenure and hence lapsed. In order to ensure that the private sector is not inconvenienced due to the lack of a lawful process of using Aadhaar, the government came up with the Aadhaar ordinance.

Hence, sufficient justification can be provided for the need for the ordinance and its promulgation by the government at this point of time.

Key Provisions of the Ordinance

Some of the key provisions of the ordinance which we can take note of are as follows:

• The ordinance completely removes Section 57 of the Aadhaar Act though only a part of it had been struck down by the Supreme Court. The other changes are meant to offset the adverse effect of the removal of Section 57.

This was an unwarranted overreaction by the government.

• A distinction is sought to be made between the use of Aadhaar for “Authentication” and “Verification” and the concepts of “Offline Verification” and “Voluntary Permission to use Aadhaar based on an Informed Consent”. However, the distinction made between “Authentication” and “Verification” is very fragile and may require reconsideration.

“Offline Verification” is defined as a “process of verifying the identity of the Aadhaar number holder without authentication, through such offline modes as may be specified by regulations” [Proposed amended section 2(pa)]. On the other hand, “Authentication” is defined as “a process by which the Aadhaar number along with demographic information or biometric information of an individual is submitted to the Central Identities Data Repository for its verification and such Repository verifies the correctness, or the lack thereof, on the basis of information available with it” [current section 2(c)]. The distinction made out appears to be merely a play of words and would be difficult to justify.

• A fairly large civil penalty of up to Rs 1 crore has been introduced for each violation in case any entity in the Aadhaar ecosystem fails to comply with the provisions of the ordinance.

The imposition of the penalty is supported by the proposal for appointment of one of the officers of the UIDAI as an adjudicator and TDSAT as the appellate authority. After a matter is decided by the TDSAT, further appeals would lie directly before the Supreme Court, thus completely eliminating the role of the high courts.

In case of Cyber Appeals, further appeals from TDSAT go to the respective state high courts and a similar provision could have been made in the Aadhaar Act also since many of the members of the Aadhaar ecosystem could be small entities across the country, and a TDSAT with a presence only in Delhi without sittings and benches elsewhere would create a huge financial burden on the litigants.

This provision has been made to make the work of UIDAI easy at the cost of inconveniencing the litigants.

• The criminal penalty prescribed under Sections 38 and 39 of the Act has been enhanced from imprisonment of 3 years to 10 years and the imprisonment term under other sections has also been enhanced, thus making the law more stringent.

This should please the privacy activists.

• In a consequential amendment to the Indian Telegraph Act, telecom companies have been permitted to use Aadhaar for identification with options being made available to the public to use alternative modes of identity verification.

This provision comes as a big relief to telecom operators.

• In a consequential amendment to the Prevention of Money Laundering Act, 2002 (PMLA 2002), the use of Aadhaar has been permitted for banking companies while others may use Offline Verification and other alternatives.

The Fintech industry is not happy with their exclusion. Perhaps those Fintech companies which are not “Banking Companies” but are registered in some regulatory category with RBI or SEBI could be provided the use of Aadhaar.

• The ordinance includes “Virtual Identity” also as an “Aadhaar number” [Proposed amended section 2(a)].

This has defeated the very purpose of introduction of the Virtual Aadhaar ID, and the government has missed an opportunity to declare it as a derivative service which does not violate the privacy of the Aadhaar holder particularly when it is used without the use of biometrics.

In summary, it can be stated that the “Ordinance” was perhaps justified but some of the provisions of the ordinance must be revisited when the Bill is finally taken up for discussion when the next Parliament meets.

It can also be stated that there is no need for any immediate judicial challenge to the ordinance since its life span is short and it will come up for automatic reconsideration within the next six months.

Naavi

[This is a reproduction of article earlier published in India Legal magazine]