Ordinance on Aadhaar

The Justice Srikrishna Committee on Data Protection had provided, in an Appendix to its report, a comprehensive recommendation for amendment of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016. These recommendations were not included in the draft Bill for PDPA 2018 which the Committee submitted. Subsequently the Aadhaar judgement of the Supreme Court (refer to the series of articles listed below) laid down certain directions which prevented the use of Aadhaar services by the private sector, including the Banks.

After taking into consideration the recommendations of the Srikrishna Committee and the Judgement of the Supreme Court, the Government came up with a draft Bill. However, the Bill could not be passed through the Rajya Sabha and would lapse soon.

Therefore, in order to alleviate the problems created for the industry by the Supreme Court Judgement, the Government has promulgated an “Ordinance” on 28th February 2019 to implement some of the recommendations of the Srikrishna Committee.

The ordinance provides for “Offline Verification of Aadhaar number” after obtaining the consent of the individual and using only the demographic information, with safeguards so that the information is used only for the purpose for which it is sought.

Section 57 of the Aadhaar Act has been omitted in deference to the wishes of the Supreme Court.

The ordinance will provide the option of offline Verification, without authentication, to verify the demographic information of an individual who consents to an agency using the Aadhaar number.

Hopefully this will mitigate some of the immediate problems of the industry. However, some murmurs are being heard about challenging the ordinance in the Supreme Court and we need to wait and see how things develop.

Naavi

Reference Articles:

  10. Aadhaar Judgement-10: Let us debate the changes required in PDPA 2018
  9. Aadhaar Judgement-9: Definition of Personal Information revised?
  8. Aadhaar Judgement-8: Limited use
  7. Aadhaar Judgement-7: Can the Private Sector use Aadhaar for Authentication?
  6. Aadhaar Judgement-6: Joint Secretary is too junior?
  5. Aadhaar Judgement-5: Collection of Metadata
  4. Aadhaar Judgement-4: Making the life of law enforcement difficult
  3. Aadhaar Judgement-3: Data retention limit of 6 months
  2. Aadhaar Judgement-2: The Answers and Conclusions of the majority
  1. Aadhaar Judgement-1: Debate the areas where clarity is required

Other References

Aadhaar Act | Srikrishna Committee Suggestions in Appendix | Aadhaar Amendment Bill | Aadhaar Amendment Ordinance

Posted in Cyber Law

Naavi’s Data Trust Score Audit System..allocation of weightages

Naavi is in the process of developing the Data Trust Score System, which will enable Data Auditors to evaluate the level of compliance of an organization with the required PDPA standards.

Naavi is also in the process of developing a “Personal Data Protection Standard of India” (PDPSI-0219) which will incorporate the data protection requirements of a typical organization working in India. This standard is expected to be an “Open Source Standard” and should encompass BS 10012 or such other proprietary standards in terms of what is required to be achieved.

It is left to the auditors to offer audits, and to their clients to accept such audits, either by adopting BS or IS standards and piggy-backing on the perceived reputation of those standards, or by adopting the PDPSI-0219 standard, which is dovetailed to Indian requirements, and taking responsibility for meeting the “Data Protection objectives” rather than “Certification Objectives”.

When we introduced Naavi’s 5X5 DTS system, we had indicated that we would adopt a 5 by 5 matrix to evaluate the compliance of an organization and that the five parameters to be used would be “Commitment”, “Knowledge”, “Controls”, “Review” and “Redressal”.

We had indicated that the observations would be recorded on a scale of 0-100 in five buckets of 20 each.

In arriving at the final DTS value for an organization, we had indicated that each of the five parameters may be given a different weightage. If equal, each parameter would get a weightage of 0.2.

Now we would suggest the next step of a method to assign the weightage.

For the purpose of such weightage allocation, organizations would first be classified into three categories, namely “Infant”, “Adult” and “Mature”. An infant organization is one where the data protection exercise is at its beginning, and hence more focus is required on awareness building, management commitment, etc. As the organization grows in maturity, management commitment and the conduct of awareness training become a routine basic requirement. [P.S: These may even be considered a “Hygiene factor”: something which, if present, is considered merely necessary, and which, if absent, is considered a serious lapse. The score allocation under such a parameter could be a binary proposition, unlike the other parameters.]

Considering this aspect, we have drawn a table of weightage allocation as follows.
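As an added illustration of how the 5X5 DTS arithmetic described above can be made repeatable (this is not the page’s own table or code; the weightage values per maturity class and the choice of which parameters are treated as hygiene factors are placeholders assumed here only to make it run):

```python
"""Illustrative Data Trust Score (DTS) calculator for Naavi's 5X5 model.

Assumptions (not from the page): the WEIGHTAGES rows and the HYGIENE_FACTORS
sets are placeholder values; a bucket is represented by its upper edge.
"""
from typing import Dict, List, Tuple, Union

PARAMETERS = ("Commitment", "Knowledge", "Controls", "Review", "Redressal")
BUCKET_WIDTH = 20  # observations are recorded on 0-100 in five buckets of 20

# Placeholder weightage table per maturity class; each row must sum to 1.0
# (the page's equal-weightage case is 0.2 per parameter, used here for "Adult").
WEIGHTAGES: Dict[str, Dict[str, float]] = {
    "Infant": {"Commitment": 0.30, "Knowledge": 0.30, "Controls": 0.20,
               "Review": 0.10, "Redressal": 0.10},
    "Adult": {p: 0.20 for p in PARAMETERS},
    "Mature": {"Commitment": 0.10, "Knowledge": 0.10, "Controls": 0.35,
               "Review": 0.25, "Redressal": 0.20},
}
# Placeholder: which parameters become binary "hygiene factors" as maturity grows.
HYGIENE_FACTORS: Dict[str, set] = {
    "Infant": set(),
    "Adult": set(),
    "Mature": {"Commitment", "Knowledge"},
}

Observation = Union[int, float, bool]


def bucket(score: float) -> int:
    """Snap a raw 0-100 observation to its 20-point bucket.

    Assumed convention: 1-20 -> 20, 21-40 -> 40, ..., 81-100 -> 100; 0 stays 0.
    """
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    return int(-(-score // BUCKET_WIDTH)) * BUCKET_WIDTH


def validate_weightages(weights: Dict[str, float]) -> None:
    """A weightage row must cover exactly the five parameters and sum to 1.0."""
    if set(weights) != set(PARAMETERS):
        raise ValueError("weightage row must cover exactly the five parameters")
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError(f"weightages must sum to 1.0, got {sum(weights.values())}")


def data_trust_score(maturity: str,
                     observations: Dict[str, Observation]) -> Tuple[float, List[str]]:
    """Return (DTS on 0-100, list of hygiene factors found absent).

    Hygiene-factor parameters take a bool (present/absent) and score 100 or 0;
    all other parameters take a raw 0-100 observation which is bucketed first.
    """
    weights = WEIGHTAGES[maturity]
    validate_weightages(weights)
    hygiene = HYGIENE_FACTORS.get(maturity, set())
    total = 0.0
    lapses: List[str] = []
    for param in PARAMETERS:
        obs = observations[param]
        if param in hygiene:
            if not isinstance(obs, bool):
                raise TypeError(f"{param} is a hygiene factor for a {maturity} "
                                "organization; pass True/False")
            value = 100 if obs else 0
            if not obs:
                lapses.append(param)  # absence is a serious lapse, not a low score
        else:
            value = bucket(float(obs))
        total += weights[param] * value
    return round(total, 2), lapses
```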

The PDPSI 0219 will indicate management requirements which will encompass all the above 5 parameters and will also adopt the Three Dimensional Model of Information Assurance which Naavi follows, which includes Technical, Legal and Behavioural Science approaches.

Comments are welcome.

P.S: Please read this article together with the following two earlier articles.

  1. Naavi’s Data Trust Score model unleashed in the new year
  2. Naavi’s 5X5 Data Trust Score System…. Some clarifications

Naavi

Posted in Cyber Law

Cyber Security Framework for Brokers..from SEBI

Just as RBI has issued a cyber security framework for Banks, NBFCs, PPI issuers etc., SEBI has also formulated a Cyber Security Framework applicable to Brokers and Depositories. The guideline issued on December 3, 2018 has suddenly gained some traction and is attracting discussion.

E Trading is similar to E Commerce or E Banking in terms of risks and the need for security. However, the stakes are extremely high in stock transactions because the value of the transactions and the speed with which they take place in real time add their own risks.

E Trading which SEBI oversees includes Futures and Options as well as commodities including Gold and Metals. Only currency trading operations fall under the supervision of RBI.

In the past we have seen frauds, some of which were instances of pure financial cheating. But there have been hints of more sophisticated, technology-enabled frauds such as “Pump and Dump Frauds” and “Broker or Broker Employee related frauds”, where piggy-back trades are booked over a customer’s genuine transactions. Most large brokers today allow customers to place orders directly through apps and computer-based trading software, with a variety of conditions built in (stop loss, triggers, margin trades, etc.), and hence the scope for frauds of different kinds is high.

In the past there have also been reports of Stock Exchange servers being manipulated to gain a time advantage in receiving the price data disseminated by the trading platform, so that one broker obtains a few milliseconds’ advantage over the others, enabling unfair profits.

Taking all these into consideration, proper information security oversight was overdue. With the advent of the concept of “Sensitive Personal Information Protection” under the Data Protection legislation, it was necessary for the brokers also to realize the need to upgrade their security culture and infrastructure to meet modern day demands.

The published Cyber Security Framework of SEBI therefore requires a close look. A copy can be accessed here: CLICK HERE

The main requirements are:

a) Draft a comprehensive Cyber Security and Cyber Resilience Policy, approved by the management and reviewed annually.

b) The policy should be Risk Assessment based, with clear policies for incident detection, response and recovery.

c) The policy should conform to the “Guidelines for Protection of National Critical Information Infrastructure” from the Government.

d) Appoint a compliance official supported by an internal technology committee of experts.

e) Necessary access control measures need to be implemented.

f) Sub brokers and customers need to be included in the overall policy.

g) Physical and other Network security measures need to be implemented.

h) Encryption should be used for data in transit and in storage.

i) Brokers should ensure that the products used for trading are adequately certified for security.

j) People involved need to be adequately trained.

k) Measures like audit need to be implemented.

Overall, an entire system of information security has to be implemented by the brokers and depositories.

For Data Protection professionals this requirement is not new: with Section 43A of ITA 2000/8 already available and PDPA 2018 on the anvil, it was already expected that data security would be recognized as a responsibility of the stock broking community.

It would be interesting to see how the industry players adapt to these demands. But any negligence or complacence will render the stock brokers and the depositories liable as “Intermediaries” under the ITA 2000/8.

Naavi

Posted in Cyber Law

Draft E Commerce Policy released for Public Comments

A Draft E Commerce Policy has been issued by the Department for Promotion of Industry and Internal Trade for public comments.

Comments may be made up to March 9, 2019.

Other details, such as how the comments have to be sent, are not yet clear. They will be posted as soon as they become available.

In the meantime, the draft of the policy is available here for study: CLICK HERE

Naavi

P.S: Last Date for submission of comments extended to 29th March 2019.

Posted in Cyber Law

A step beyond BS 10012 and GDPR-Personal Data Protection Standard of India-PDPSI

Personal Data Protection regulation is presently a global phenomenon. While legislation like ITA 2000 tries to protect “Data” in general (Sections 43/66), with specific provisions for protecting “Personal Data” (Sec 72A) and “Sensitive Personal Data” (Section 43A), legislation like GDPR has focussed on Personal Data Protection only. India is set to follow the trend with its own Personal Data Protection Act in due course.

Indian companies today are eager to get themselves certified under various standards such as BS 10012, though these so-called standards are nothing but a reiteration of GDPR articles in slightly modified language.

It must be remembered that “Certification” under a certain standard is only an internal milestone by which an organization informs its stakeholders that it has indeed taken some formal steps towards compliance; it is not an end in itself in the organization’s journey towards full compliance with data protection regulations.

BS 10012 is yet to formally align with the UK’s new Data Protection Act 2018, but for corporate managements the tag “BS 10012 compliant” is still a desirable asset for which they are willing to spare their budget. For Indian Companies, however, BS 10012 may not be sufficient to be compliant with data protection regulation, since Indian laws may also have to be understood and complied with.

Cyber Law College, which is the academic organ of Naavi.org, considers that there is a need to develop a Personal Data Protection Standard for Indian Companies which goes beyond BS 10012 and is compliant not only with GDPR but also with ITA 2000/8 and the proposed PDPA.

Currently Naavi uses the Indian Information Security Framework, identified as IISF309, with the following top line implementation charter.

As one can observe, it captures most of the control requirements expected in an information security standard though the details may not be clear in the framework as presented above.

After the advent of PDPA 2018 in draft form, Naavi floated the idea of a “Data Trust Score” as the measure produced by a “Data Audit” conducted under PDPA 2018. This was a measure of how good the implementation of PDPA compliance in an organization is.

The criterion suggested was a 5X5 matrix with five parameters, namely:

  1. Management Commitment
  2. Knowledge in the organization
  3. Controls
  4. Review mechanism
  5. Grievance Redressal mechanism

The evaluation was suggested on a scale of 0-100 in 5 steps of 20 each and hence it was called the 5X5 grid.

In order to further fine tune the approach and make it repeatable, Naavi is now working on developing a “Standard” which covers the different requirements of compliance.

This “Standard” is presently the internal Audit Standard for Ujvala Consultants Pvt Ltd, the corporate entity of Naavi that addresses the audit requirements.

The standard is called “Personal Data Protection Standard of India” (PDPSI) and will be developed by Naavi.org as a part of its educational initiative of Cyber Law College.

The future idea is to make it an open standard which any intending corporate can adopt on its own.

Auditors are free to adapt it to their own audit framework if they feel like it, ignore it if they do not feel it has any value, or adopt thoughts from this standard into their own audits.

The objective is to make an “Audit under PDPSI” incorporate the principles of personal data protection embodied in other standards, including BS 10012, so that an organization which is PDPSI compliant is essentially also compliant with BS 10012. It is understood that a Certification of compliance under PDPSI is not a certificate of compliance under BS 10012. However, an organization which is compliant under PDPSI should easily sail through any evaluation under BS 10012.

However, we believe that “Compliance with a standard is required for faithful protection of personal data as required under law, and not just to sport a tag in which blind faith can be placed”. Such blind faith often leads to complacency and needs to be avoided.

Conceptually, therefore, PDPSI has been launched as the future of Naavi’s approach to Personal Data Protection and will be integrated with the DTS system which has already been suggested.

The details of the standard under each of the above five parameters will be developed module by module and the standard will be published through this site.

Some may feel that by making such standards public, we will lose an opportunity to commercialize them or will be hurting other standards providers.

But we firmly believe that a “Suggested Standard” should be made available freely while commercial exploitation can be made through the implementation consultancy.

I trust at least a few of the data protection practitioners would accept this approach as what is required to make compliance with data protection laws affordable to most SMEs.

Any suggestions, comments etc are welcome.

This is also an open invitation to interested persons to join me in the development of PDPSI as a standard with wider acceptance in the community.

The first version of PDPSI will be referred to as PDPSI-0219, and hopefully it will get updated from time to time.

Await the publication of the different elements of PDPSI-0219 in due course.

Naavi

Posted in Cyber Law

Demystifying BS 10012 for Indian Companies

Naavi has time and again emphasized that “Security” is for the good of the community, and if regulatory agencies want to prescribe security guidelines they have to be easily amenable to compliance.

When a regulation like GDPR or PDPA 2018 or even ITA 2000/8 is issued as a legal instrument, every entity coming under the jurisdiction of the law needs to comply with it. Normally most entities are law-abiding and will try to be compliant. But if the regulation is unclear or too complicated, compliance will be low.

It is the duty of experts to come to the assistance of the subject entities to be compliant with the necessary guidelines and the law.

Whenever there is such a need to make people aware of a law and of how it has to be implemented in practice, a commercial opportunity arises in “Training”, “Implementation Consultancy” and “Certification”.

Ideally the law has to be made by the Government and it should be left to the private sector to equip itself with the necessary knowledge and skill. If some experts are good enough to package a service to spread the knowledge and skill, it is their ingenuity.

If Government can invest on its own on outreach programs, it would be good.

However, a law-maker cannot tell a citizen that he has to make a payment to know what the law is. If the Government does so, it becomes a “Tax”. Hence Government programs have to be essentially free for the participants. If a private sector partner is used in such training, then the cost has to be subsidized by the Government to some extent, through partial or full sponsorship.

This principle, that “Law should be made known to the citizen free of cost”, was discussed extensively on Naavi.org when the then UPA Government came up with the Section 43A (ITA 2008) guidelines in April 2011, in which they mentioned that “Adherence to ISO 27001 standard will be deemed to be compliance of Section 43A”.

Naavi took serious objection to this rule, stating that it would make the lakhs of prospective compliance organizations first buy the standard at around US$160 and then spend about Rs 3 lakhs to get certified. We said then that this was a scam bigger than 2G. The MEITY of Mr Kapil Sibal at that time was very angry about this comparison with the 2G Scam, and many of the executives still harbour a grudge against Naavi for this reason.

However, in reply to an RTI, the ministry confirmed that it is not “Mandatory” to have ISO 27001 certification to be compliant with Section 43A, and though the ISO organization was allowed to make commercial gain out of the inappropriate mention in the guideline, the matter rested there.

(Details are available in earlier articles from around 2011 on this site, available through the link to Old Posts.)

Section 43A is now being Replaced

Presently we are in the new era of Data Protection and expecting the PDPA 2018 to be passed whenever the political will manifests. Once this is enacted, Section 43A will be replaced with a whole set of regulations in the Act itself.

As a result, compliance managers need to understand the law and interpret it in a manner that would be acceptable under subsequent judicial scrutiny.

Naavi has, through Cyber Law College, already offered to provide training on PDPA 2018 in the same manner in which he has been instrumental in spreading awareness of ITA 2008, HIPAA and GDPR in India. (For all three of these, recorded course content is available at www.apnacourse.com.)

On PDPA 2018, Naavi has adopted a slightly different mode of online coaching since the law is yet to crystallize. These courses are of course priced and are expected to generate revenue for the provider of the course. Naavi has also been discussing sponsorship of such programs with some partner organizations.

During these courses, Naavi often presents a Framework of his own under the banner “Indian Information Security Framework-IISF-309”, which tries to incorporate the requirements of compliance to the extent necessary.

This framework is actually a substitute for the “Standards”, though it may not be as detailed as a standards document, and it is explained further during the implementation training.

Being Certified Vs Being Compliant

Many Companies, however, are more interested in getting themselves “certified to be compliant” rather than actually “being compliant”. For this purpose they look for an agency whose “Certificate” has some blind recognition, even if it comes at an expensive price.

The GDPR regime as a whole is heavily biased towards making money, and hence, apart from imposing insane penalties for non-compliance, it enables the creation of a Certification system whereby people make money just by reprinting GDPR articles as “Implementation Guidelines” or “Standards”, and by creating “Certification of Certifying professionals” as well as the “Certification of compliance” itself.

Naavi believes that this entire eco-system is dishonest, since its purpose is making money through licensed distribution of what should be free knowledge, and it is not oriented towards creating an eco-system of faithful compliance.

No doubt some level of compliance does come out of such activities but the value proposition is mostly inadequate and often exploitative.

New Mission to Demystify Data Protection Regulations in India

Having declared the intention of Naavi to work towards making “Security Knowledge” as affordable as possible to the market place, Naavi’s Cyber Law College is interested in undertaking a missionary approach towards spreading knowledge about Data Protection Regulations in India at prices that are, if possible, lower than the competition.

Towards this objective, Naavi is embarking on empowering organizations for BS 10012-2017 compliance, while Certifications can be obtained, if required, by organizations that partner with Naavi in this program.

Just as in 2004-06 Cyber Law College embarked upon a “Cyber Law Awareness Movement”, it is now proposed that Cyber Law College and Naavi will embark on a “Demystifying Data Protection Laws” movement, which will cover compliance with GDPR through the BS 10012 standard, PDPA 2018 (as proposed) and ITA 2018 in general, as applicable to data protection.

This program will consist of in-house corporate awareness programs, extended training programs and educational courses.

I look forward to other professionals and organizations providing their guidance on how this objective can be achieved and how the mission of Cyber Law College can be made a success.

One of the objectives of this proposed movement is that, by the time the PDPA 2018 comes into effect, the codes and practices etc. which the DPA needs to provide do not become a commodity that can be used for the exploitation of the user industries, and the possibility of exploitation through selling the standards and providing certifications etc. is very much reduced.

I wish that the DPA never allows “Standards” organizations to create copies of the legislation and call them proprietary standards protected by Copyright. All such standards should be declared open source, or otherwise certifications based on them should not be recognized by the DPA. Commercial exploitation should be limited to the implementation of such standards and not to selling the standards specification itself.

Naavi.org is interested in creating a knowledge distribution system in such a manner, and at such a price, that the possibility of such exploitation is substantially reduced if not eliminated.

Watch out for more details in this site from time to time.

Your comments are welcome.

Naavi

Posted in Cyber Law