Data Breach Notification.. What PDPSI expects

[In continuation of the earlier article/s on PDPSI, we proceed to unravel further details of the Personal Data Protection Standard of India (PDPSI). The objective of the standard is to make available an open source guideline to Indian companies to comply with Privacy and Data Protection requirements that meet the standards of BS10012 and GDPR as well as Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]

Data Breach Notification is an important responsibility cast on any data processor under every Data Protection regulation. 

Whenever a data breach occurs, the Data Controller/Processor/Data Fiduciary needs to report it to the regulatory authority within a certain time limit and with a certain minimum of detail. A failure to report is in itself a serious non-compliance. Even when the breach victims have no compensation to claim, the regulatory authority may impose a heavy fine on the organization for the breach, with an enhanced penalty if the notification is delayed.

Under GDPR (Article 33) a data controller should report a breach to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. A data processor should report the breach to the data controller "without undue delay" after becoming aware of it.

Under PDPA 2018 (Section 32 of the draft Bill), the time limit is left to be specified by the Data Protection Authority (DPA) once the DPA comes into existence.

In the meantime, ITA 2000/8 prescribes "Due Diligence" under Section 79. Under the Intermediary Guidelines of 2011 framed under it, the time for acting on a complaint received through the grievance redressal mechanism is 36 hours, and the taking down of disputed information upon receipt of an order from a competent authority is expected to be "immediate". Rule 3(9) of the same guidelines requires the intermediary to report cyber security incidents to CERT-In, but no specific time limit was specified.

CERT-In has separately notified (in the CERT-In Rules of 2013) what is to be reported; the time for reporting is "within a reasonable period". Apart from this, sectoral regulators such as RBI expect banks to report incidents to them, and may prescribe different time limits.

All the regulations normally provide that a provisional report can be made immediately and progress reports filed later. GDPR (Article 34) also requires that the data subjects be informed when the breach is likely to result in a high risk to them. Some regulations such as HIPAA require, for large breaches, notification through media outlets and websites as well.

While we await the DPA of India to specify the time limits for data breach notification, we need to recognize that it is not only the timing and the content that matter in a data breach report. Those two are easy to define in a "Data Breach Notification Policy", which every organization should develop as part of its controls. Such a policy is also required under PDPSI.

However, since PDPSI attempts to provide a Data Trust Score (DTS), it is essential for the auditor to assess the quality of the data breach notification policy. If it contains only what is to be reported, to whom and when, it would not be considered an adequate policy.

We must understand that a "wrong" data breach notification would be disastrous for a company in terms of reputation loss, and hence some discretion has to be applied before classifying an event as a "Breach". This is the most difficult part of a DPO's responsibility, since a regulation like GDPR expects the DPO to act as the contact point for, and cooperate with, the supervisory authority (Article 39), and non-reporting could be seen as a "Breach of Trust" on the part of the DPO.

Security professionals know, however, that a breach takes time to detect after it occurs. It begins as a suspicion, and only after a preliminary investigation is the suspicion confirmed as a "Breach incident". This may require an internal investigation, if necessary with forensic support. The DPO may not be fully in control of this time frame, and the delay could expose him to a non-compliance charge from the supervisory authority. It helps to note that under GDPR the 72 hour clock starts when the controller becomes "aware", which the Article 29 Working Party guidance on breach notification interprets as having a reasonable degree of certainty that a security incident has compromised personal data; a policy that records when that point is reached protects the DPO.

In order to ensure that the DPO is not exposed to unintended consequences during such internal deliberation, the "Data Breach Notification Policy" should clearly establish how a breach will be recognized, evaluated and classified. If the company has a "Whistle Blower Policy", data breach recognition commences with the initial whistle blower's report. The "Incident Management Policy" should also be integrated with the Data Breach Notification Policy, since a reported incident, after being resolved, needs to be evaluated as to whether it is to be classified as a "Breach".

Additionally, all regulations provide that certain law enforcement agencies have the power to demand information, and not providing information when the law requires it has its own penal consequences.

Hence every organization should develop a "Data Disclosure Policy" which addresses how to respond to a "Data Disclosure Requirement". Such a request can come from a data subject, a police officer, a supervisory authority, a DPA, etc. While the law may be clear on who has the right to ask for the information, and that is easy to incorporate in the policy, the difficult part is to establish the identity of the person who is requesting the information.

Any disclosure to a wrong person would itself be a "Data Breach", and hence the "Data Disclosure Policy" has to be aligned with the "Data Breach Notification Policy", which in turn should be aligned with the Whistle Blower Policy and the Incident Management Policy. Since the first report of a data breach may well reach a call center employee, all call center employees and the perimeter level personnel who interact with customers should know how to escalate a complaint into a potential incident report.

PDPSI requires the quality of a data breach notification policy to be assessed so that a proper DTS can be assigned.

(To Be continued)

Naavi


Other Reference Articles

  1. A Step beyond BS10012 and GDPR-Personal Data Protection Standard of India-PDPSI
  2. Data Protection Standard of India- (DPSI)
  3. Data Classification is the first and most important element of PDPSI
  4. Why 16 types of Data are indicated in PDPSI?
  5. Implementation Responsibility under Personal Data Protection Standard of India
  6. India to be the hub of International Personal Data Processing…. objective of PDPSI
  7. Principles of PDPSI
  8. Pentagon Model of TISM…An implementation approach to PDPSI implementation
  9. Personal Data Gate Keepers and Internal Data Controllers in Organizations
  10. Legitimate Interest Policy
  11. Implement “My Bhi Chowkidar” policy for Personal Data Protection.
  12. Criticality of the Grievance Redressal Mechanism in PDPSI
  13. Naavi’s Data Trust Score model unleashed in the new year
  14. Naavi’s 5X5 Data Trust Score System…. Some clarifications
  15. Naavi’s Data Trust Score Audit System…allocation of weightages

PDPSI Controls-Grievance Redressal mechanism

This article posted on April 14, 2019 had been deleted in a server crash.

It has now been substituted with a new article here

Naavi


Criticality of the Grievance Redressal Mechanism in PDPSI

[In continuation of the earlier article/s on PDPSI, we proceed to unravel further details of the Personal Data Protection Standard of India (PDPSI). The objective of the standard is to make available an open source guideline to Indian companies to comply with Privacy and Data Protection requirements that meet the standards of BS10012 and GDPR as well as Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]

The essence of any Information Privacy Regulation such as GDPR or PDPA is to ensure that the "Privacy Rights" guaranteed by the Constitution of the country to its citizens are not infringed while personal information is processed in electronic form. All processors of such data are "Intermediaries" under the present law in India (ITA 2000/8), and responsibilities are placed on them for appropriately securing such data, failing which there could be liabilities.

One of the security provisions that ITA 2000/8 has prescribed (through rule 3(11) of the Intermediary Guidelines of 2011) is accountability of the intermediary through the designation of a "Grievance Redressal Officer", whose contact details are to be provided on the website.

The PDPA/GDPR speaks of the same accountability in the form of a need to appoint a DPO who is expected to be both a proactive compliance manager as well as the first contact point for an aggrieved data subject.

The role of a Grievance Redressal Officer is slightly different from that of a "Compliance Officer" in the sense that his responsibility kicks in after a grievance is reported. If he is the same person as the compliance officer, there is a conflict of interest: he may turn defensive if a grievance points to a flaw in the system.

Hence it may be necessary, from the PDPSI point of view, that the roles of the Compliance Officer and the Grievance Redressal Officer are suitably segregated. There is nothing wrong in the compliance officer being the first reference point for a grievance, since he has the knowledge of what has gone wrong. But the dispute resolution should be escalated at the earliest to another level where there is no conflict of interest.

Having an effective Grievance Redressal Mechanism is therefore a critical element of PDPSI.

PDPA 2018 does make specific mention of Grievance Redressal under section 39 of the draft Bill. A period of 30 days is provided for the grievance to be addressed, after which the data principal may invoke the adjudication process of the DPA, followed by an appeal to the designated Tribunal and thereafter to the Court of appropriate jurisdiction (which could be the Supreme Court).

GDPR makes only a vague mention of Grievance Redressal under Article 40 as a part of the code of conduct.

Under PDPSI, it is recognized that the ultimate benefit that a Data Subject expects is a proper grievance redressal and hence it is an essential control that an organization should institute and manage.

Naavi has been advocating that the grievance redressal mechanism should go through the following three stages, namely

a) Service level attention by the DPO

b) Ombudsman who is an independent person of repute to whom the complaint can be referred

c) Mediation which could be an extended responsibility handled by the Ombudsman or separately.

It would be ideal if this is followed by an “Arbitration” so that before the statutory process of adjudication is invoked, all remedies available as alternative dispute resolution mechanisms are exhausted.

Since time is the essence of such resolution, an “ODR mechanism” of the type referred to under www.odrglobal.in is recommended.

The service level resolution can be provided within 48 hours and Ombudsman views can be provided within 7 days so that in the first 10 to 15 days, the matter could be ready for “Mediation” for which another 15 days could be provided. Thus within one month, the mediation option would be exhausted and the parties may decide if they have to straightaway go to the adjudicator or exhaust the arbitration.

At present, it appears that 30 days is just sufficient to complete the mediation efforts. Also, "Adjudication" being a statutory remedy, even if the parties go through the process of "Arbitration", it would be subordinate to the Adjudication process.

But making provision for arbitration, if necessary with a report to the Adjudicator, would be a good idea for an organization to think of.

Naavi, in commenting on the "Intermediary Guidelines", has suggested that just as in the case of domain name disputes, where UDRP/INDRP is used as a self-regulatory mechanism, we can consider an "Intermediary Dispute Resolution Policy" and an associated arbitration process to resolve disputes arising between the user of an internet service and the intermediary.

A similar mechanism could work in the PDPA scenario as well, if the Grievance Redressal Mechanism is properly structured and implemented.

In view of the above, the DTS system encourages Data Auditors to consider the presence of an effective Grievance Redressal Mechanism as part of the scoring evaluation.

Under PDPSI, therefore, the presence of a Grievance Redressal Mechanism and its evaluation is considered critical from the point of view of data protection by a Data Fiduciary/Data Controller/Data Processor.

(To Be continued)

Naavi


Other Reference Articles

  1. A Step beyond BS10012 and GDPR-Personal Data Protection Standard of India-PDPSI
  2. Data Protection Standard of India- (DPSI)
  3. Data Classification is the first and most important element of PDPSI
  4. Why 16 types of Data are indicated in PDPSI?
  5. Implementation Responsibility under Personal Data Protection Standard of India
  6. India to be the hub of International Personal Data Processing…. objective of PDPSI
  7. Principles of PDPSI
  8. Pentagon Model of TISM…An implementation approach to PDPSI implementation
  9. Personal Data Gate Keepers and Internal Data Controllers in Organizations
  10. Legitimate Interest Policy
  11. Implement “My Bhi Chowkidar” policy for Personal Data Protection.
  12. Naavi’s Data Trust Score model unleashed in the new year
  13. Naavi’s 5X5 Data Trust Score System…. Some clarifications
  14. Naavi’s Data Trust Score Audit System…allocation of weightages

Hosting Server crashed..data lost

Dear Friends

It appears that due to a server crash at my hosting services, several postings I had made since April 13th have been lost.

These related mainly to PDPSI. I may try to provide a summary of some of the postings subsequently.

However, in case any of the readers have a copy of my postings since April 13th,  please send them to me through e-mail, while I continue to get the recovery done through the hosting provider.

Following four articles were lost due to the server crash.

https://www.naavi.org/wp/business-agreement-control-an-essential-ingredient-of-pdpsi/ (Substituted with a new post)

https://www.naavi.org/wp/pdpsi-controls-data-breach-notification-and-data-disclosure-policies/ (Substituted with a new post)

https://www.naavi.org/wp/pdpsi-controls-grievance-redressal-mechanism/ (Substituted with a new post)

https://www.naavi.org/wp/if-state-government-turn-rogue-misuse-of-aadhaar-data-cannot-be-prevented/

We shall re-post the essence of these articles separately.

Naavi


Implement “My Bhi Chowkidar” policy for Personal Data Protection.

[In continuation of the earlier article/s on PDPSI, we proceed to unravel further details of the Personal Data Protection Standard of India (PDPSI). The objective of the standard is to make available an open source guideline to Indian companies to comply with Privacy and Data Protection requirements that meet the standards of BS10012 and GDPR as well as Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]

PDPSI implementation expects top management involvement through some key foundation policies. We have discussed the "Legitimate Interest Policy" as one such policy control, in the drafting of which the top management needs to be personally involved.

Another such fundamental policy that needs to be developed at the top management level is the “Whistle Blower Policy”.

A "Whistle Blower Policy" (WBP) essentially means that the organization creates an ecosystem of confidence in which every employee is encouraged to be vigilant, is skilled enough to identify suspicious incidents and behaviour in any of the activities surrounding the organization, and has a mechanism to report them for further investigation and corrective action.

The problem with implementing a good and effective Whistle Blower Policy is that

a) It has to accommodate the possibility of nuisance and malicious reports

b) It has to provide an assurance to the person reporting that his identity would be kept confidential so that the reporting does not hurt his future career.

c) It has to also give the confidence that action will be taken quickly and effectively to investigate further and correct the situation if required.

The "Data Breach Notification Policy", which is part of every Information Security Policy, does envisage that a "Data Breach" should be reported to the DPA. But before the DPO reports a data breach to an outside agency, he has to first come to know of the potential data breach within the organization. Hence the DPO needs a mechanism to collect intelligence on possible data breaches and to get early warning of any breach.

Additionally, the “Privacy By Design” concept needs the DPO to be able to take “Preventive Steps” to ensure that a likely data breach is nipped in the bud.

The “Whistle Blower Policy” is the means by which early warnings are gathered.

In the earlier articles we have discussed the need for “Personal Data Gate Keepers” to be identified in an organization so that the responsibility for Personal Data Protection is decentralized.

As a corollary, it is essential to have a system where a watch is kept on the activities around the organization and early warnings about the possible data breach or possible non compliance events are captured and reported to the DPO.

While enterprise level awareness creation helps every member of the organization, including the employees of business associates who interact with Personal Data managed by the organization, it is also necessary to motivate employees to be bold enough to bring a possible non-compliance issue to the notice of the appropriate persons.

When a person points out such a potential non compliance issue, it is likely that he would ruffle some feathers and that could be the feathers of a powerful employee of the organization even at levels higher than that of the person who observes the anomaly. In such instances the person is likely to keep quiet and look the other way.

Non-reporting of a potential data breach situation may actually be considered "Passive Assistance" for the non-compliance to continue, which may explode into a data breach incident on a later day. When an investigation is undertaken at that time, all those who were aware of the risk and did not take proper care to mitigate it could be considered "Accomplices".

The Whistle Blower Policy should therefore provide that any legitimate observation indicating that something wrong may be going on should be reported for examination and review, by escalating it to the appropriate level.

In order to provide confidence to the Whistle Blower that there would be no witch hunting, it is necessary to maintain confidentiality of such reports even if some rewards are associated with useful reporting.

"Anonymous Reporting" could be one option for the organization, but anonymous reporting often encourages malicious, untruthful reports made just to damage the reputation of some employees. There could also be "Nuisance Reporting" made just to harass the management. Hence "Anonymous Reporting" is not recommended, though it is an option that a management may consider for meeting PDPSI.

A more mature approach to the Whistle Blower Policy is to create an "External Ombudsman" who receives all complaints along with the identity of the reporter, anonymizes the complaint, identifies the level at which it should be escalated for review, and manages the information that needs to be shared for the purpose of the review. If necessary, the Ombudsman can also have a dialogue with the complainant to understand the problem better before escalating it.

Designing a robust Whistle Blower Policy which encourages reporting, and provides the confidence that such reporting will be rewarded, kept confidential and acted upon promptly, is considered part of the "Control" that PDPSI expects organizations to set up.

Since this requires policy decisions such as the appointment of an external ombudsman etc., this decision can be initiated only by the highest level of management which accommodates complaints even against the members of the Board itself.

The integrity of the appointed Ombudsman must also be ensured, so that he protects the interests of the "Personal Data Protection Regulatory Expectation" and effectively manages the inherent conflicts.

It is interesting to note that Prime Minister Modi's "My Bhi Chowkidar" campaign for the nation is actually a reflection of a "Whistle Blower Policy for the nation". The CVC has also in the past tried to initiate a system for the purpose and introduced an app to enable citizens to report incidents. The experience with these schemes indicates the difficulties and the opposition such measures may generate, because there is always one set of the ecosystem which will strongly oppose them to protect its own vested interests, real or imaginary.

A successful designing and implementation of the system therefore requires a very high level of statesmanship by the top management.

It is to be accepted that designing an effective Whistle Blower Policy is a huge challenge, but it is for the Data Auditor to evaluate how good and robust the policy (if available) is while arriving at the Data Trust Score under the heading of "Commitment".

[To Be Continued… Comments welcome]

Naavi


Other Reference Articles

  1. A Step beyond BS10012 and GDPR-Personal Data Protection Standard of India-PDPSI
  2. Data Protection Standard of India- (DPSI)
  3. Data Classification is the first and most important element of PDPSI
  4. Why 16 types of Data are indicated in PDPSI?
  5. Implementation Responsibility under Personal Data Protection Standard of India
  6. India to be the hub of International Personal Data Processing…. objective of PDPSI
  7. Principles of PDPSI
  8. Pentagon Model of TISM…An implementation approach to PDPSI implementation
  9. Personal Data Gate Keepers and Internal Data Controllers in Organizations
  10. Legitimate Interest Policy
  11. Naavi’s Data Trust Score model unleashed in the new year
  12. Naavi’s 5X5 Data Trust Score System…. Some clarifications
  13. Naavi’s Data Trust Score Audit System…allocation of weightages

Legitimate Interest Policy

[In continuation of the earlier article/s on PDPSI, we proceed to unravel further details of the Personal Data Protection Standard of India (PDPSI). The objective of the standard is to make available an open source guideline to Indian companies to comply with Privacy and Data Protection requirements that meet the standards of BS10012 and GDPR as well as Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]

Compliance with a Privacy Protection regulation, whether PDPA 2018, GDPR or any other law, normally starts with

a) Privacy Policy

b) Information Security Policy

The Privacy Policy declares the intentions of the organization in meeting the different requirements of the regulation. It is a comprehensive aggregation of several other sub policies that we will discuss here. It has to capture the objectives of the organization and reasonably describe how it proposes to implement the requirements.

The Privacy Policy is for the organization to follow, while the "Privacy Notice" is meant for the information of those who interact with the company. The "Privacy Notice" may contain many aspects of the "Privacy Policy", but the objectives of the Policy are different from those of the Notice, and this should reflect in the drafting of the two.

The Information Security Policy on the other hand is the policy that is intended to be followed within the organization to meet the Privacy Policy requirements.

Since a Corporate Information Security Policy has to protect both personal information and non-personal information, and the Privacy Policy is meant for Personal Information, the Information Security Policy should be broader to cover both Personal and Non Personal Information Protection.

In a way, Information Security for Privacy Protection is a sub set of Information Security for the organization as a whole. If necessary, an organization may opt to develop a “Personal Data Protection Policy” (PDPP) which could be considered as a subset of the Information Security Policy and let a DPO/DPC manage the PDPP while the CISO handles the IS Policy of the organization.

While drafting a Privacy Policy, one must remember that the "Privacy Policy" meant for the website is not the comprehensive Privacy Policy of the organization. The Privacy Policy for the web relates only to the information collected from website visitors. Once a website visitor opts for some service, the privacy policy relevant to that service applies. In most cases the Privacy Policy for website visitors can be simple, since no personally identifiable information other than the technical details captured by the hosting system may be collected. What is more relevant for compliance is the policy applicable to the subscribers of the different services, who provide identifiable personal information.

We are reasonably familiar with the drafting of a Privacy Policy and an IS Policy. But what PDPSI expects is that the organization has a clear view of the "Legitimate Interest Policy" under which certain provisions of GDPR or PDPA are sought to be implemented with some customization and, where necessary, dilution, using the clauses which provide "Exemptions".

In order to ensure that an organization is not confronted with a charge of "Non Compliance" when it may be required to override certain standard practices for its legitimate business interests, or for reasons such as National Security, Public Interest, Journalistic requirements etc., it is recommended that a separate policy document is drafted to codify why the regulation may be either not followed or followed differently with some safeguards, and under what circumstances.

Naavi normally starts with the Legitimate Interest Policy before drafting the Privacy Policy and tries to get the Legitimate Interest Policy dovetailed to the business context. If any recommended aspect of the legitimate interest policy is considered as a serious violation of the Privacy law, then the legitimate interest policy may have to be suitably modified with the consent of the management.

Not having a “Legitimate Interest Policy” would make the life of the DPO difficult since he would confront powerful business executives trying to bypass the privacy policies and justifying it in business interests while the resulting consequences of non compliance becomes the responsibility of the DPO. By having a separate Legitimate Interest Policy (LIP), the DPO knows exactly what he can do and what he cannot do.

[To Be Continued… Comments welcome]

Naavi


Other Reference Articles

  1. A Step beyond BS10012 and GDPR-Personal Data Protection Standard of India-PDPSI
  2. Data Protection Standard of India- (DPSI)
  3. Data Classification is the first and most important element of PDPSI
  4. Why 16 types of Data are indicated in PDPSI?
  5. Implementation Responsibility under Personal Data Protection Standard of India
  6. India to be the hub of International Personal Data Processing…. objective of PDPSI
  7. Principles of PDPSI
  8. Pentagon Model of TISM…An implementation approach to PDPSI implementation
  9. Personal Data Gate Keepers and Internal Data Controllers in Organizations
  10. Naavi’s Data Trust Score model unleashed in the new year
  11. Naavi’s 5X5 Data Trust Score System…. Some clarifications
  12. Naavi’s Data Trust Score Audit System…allocation of weightages