Implementation Responsibility under Personal Data Protection Standard of India

[In continuation of the earlier article/s on PDPSI, we proceed to unravel further details of the Personal Data Protection Standard of India (PDPSI). The objective of the standard is to make available an open source guideline to Indian companies to comply with Privacy and Data Protection requirements that meet the standards of BS10012 and GDPR as well as the Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]

An information security standard is a set of guidelines which should help an organization reach a desired minimum level of security implementation. The primary purpose of the standard is “Implementation” and the secondary purpose is “Certification”.

Hence, how an organization handles the allocation of roles and responsibilities for implementation of information security is also considered part of the standard itself. Other standards may also address this issue under “ISMS Organization”.

In IS implementation, Naavi recognizes the implementation priority based on the “Pyramid Model”. The implementation itself is also expected to be influenced by the “Theory of Information Security Motivation”. A brief discussion of these two concepts is required for explaining the logic behind the definition of implementation responsibility.

Naavi’s Pyramid model of prioritization of Information Security goals suggests that an organization follows the implementation as indicated in the following diagram.

What this representation means is that though we say that “Security is only as strong as its weakest link”, practically, an organization follows a priority chain where it first focuses on the Availability of information to its decision makers, then Integrity and then Confidentiality, before rising to the higher levels of Authentication and Non-repudiation. This theory is at slight variance with the CIA principle which characterizes the general understanding of Information Security.

As a result of this, an organization in its journey towards information security would have first created a CTO and then moved on to a CISO for entrusting responsibilities of Information Security. When the legal aspects of information security get recognized, we have the advent of the role of “Compliance Officials”. The advent of the recent generation of data protection legislation has now brought in the role of “Data Protection Officers”, either as employees of the organization or as external consultancy agencies.

PDPSI therefore recognizes the possibility that a subject organization may already have a CTO, CISO, CCO and perhaps a DPO before it starts thinking of PDPSI implementation. Some of them could also have attempted ISO 27001, HIPAA or PCI DSS implementation and hold the necessary certificates. PDPSI tries to integrate all these implementations and creates a super controller who should be responsible for all the compliance requirements.

PDPSI therefore prescribes that the implementation responsibility for PDPSI lies with the top tier of management, equivalent to the Board in a corporate structure. Implementation activity of PDPSI must therefore have the backing of a Board Resolution and also be incorporated in the annual report to the shareholders or other equivalent disclosure documents.

Under PDPSI, every organization shall have a designated group of persons entrusted with the overall responsibility of compliance, which shall constitute the Data Protection Committee (DPC), of which the CEO of the organization and at least one member of the Board of Directors shall be a part. The group shall also designate one individual coordinator who shall be the Personal Data Protection Officer (PDPO) of the organization and responsible for representing the organization with the regulatory authorities and the public on compliance related issues.

Periodical Data Protection Status Assessment (DPSA) may be conducted by the PDPO but every annual exercise of Assessment of Data Protection Status shall be undertaken by an independent external agency.

Thus the responsibility for PDPSI implementation lies with the DPC at the operational level and the Board at the policy level. The PDPO will be the coordinator of the activities and will assume all the responsibilities of the DPO as envisaged under PDPA 2018 or GDPR.

However, the PDPO would periodically send status reports to the DPC so that the DPC cannot absolve itself of its collective responsibility. The DPC itself shall keep the Board apprised at periodical intervals, and the status shall be incorporated in the corporate disclosures through the annual report etc. This ensures that even the shareholders are kept informed at suitable intervals, so that there is transparency in the activities that provide assurance of information security implementation in the organization.

The creation of an ISMS structure needs to be customized for every organization and hence further details are left to the discretion of the management and would reflect the organizational commitment to fair implementation of PDPSI which an auditor may consider for evaluating the Data Trust Score or equivalent measurable representation of the standard.

In summary, the PDPSI standard for ISMS organization creates a shared responsibility at the Board level followed by the DPC and does not load the PDPO with a responsibility which he cannot enforce. However, due to the power of statute, the PDPO would be saddled with the responsibilities that PDPA 2018 or GDPR envisages, though he may try to build a protective shield by escalating the issues to the top management. This would check the tendency of some managements to manipulate the DPO and compromise security because of other business priorities.

It is envisaged that all genuine business related compromises are built into the document “Legitimate Interest Policy” which is discussed later and hence PDPSI takes into account both the theoretical prescriptions of the laws like GDPR and the practical realities at the level of implementation.

(Comments are welcome. Further discussions will continue)

Naavi

Other Reference Articles

  1. A Step beyond BS10012 and GDPR-Personal Data Protection Standard of India-PDPSI
  2. Data Protection Standard of India- (DPSI)
  3. Data Classification is the first and most important element of PDPSI
  4. Why 16 types of Data are indicated in PDPSI?
  5. Implementation Responsibility under Personal Data Protection Standard of India
  6. India to be the hub of International Personal Data Processing…. objective of PDPSI
  7. Principles of PDPSI
  8. Naavi’s Data Trust Score model unleashed in the new year
  9. Naavi’s 5X5 Data Trust Score System…. Some clarifications
  10. Naavi’s Data Trust Score Audit System…allocation of weightages


Posted in Cyber Law | 4 Comments

Why 16 types of Data are indicated in PDPSI?

[PDPSI is the Personal Data Protection Standard of India as issued by Cyber Law College, the academic arm of Naavi.org. The objective of the standard is to make available an open source guideline to Indian companies to comply with Privacy and Data Protection requirements that meet the standards of BS10012 and GDPR as well as the Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]

This is in continuation of our previous article, “Data Classification is the first and most important element of PDPSI”, in which we had highlighted that “Data Classification” is an important step in the compliance. Even before we determine the “Risks” and initiate “Privacy By Design” and “Information Security Practices”, it is necessary to understand what type of data is in the hands of a company and where it comes in or is generated, where it is used, where it is stored and where it is transmitted out.

In our previous article we had indicated 16 types of data classification within the Individually identified data. It is reiterated below for reference.

What this chart indicates is that a company should first be able to understand that PDPSI (as well as GDPR or PDPA 2018) applies only to personal information and not to corporate information however important it is.

Protection of all data is the job of the Information Security/Compliance Officer of the Company. Protection of Personal Data is a subset of this larger requirement.

The reason why there appears to be more importance given to compliance for Personal Information instead of all information is that when there is a non-compliance issue related to Personal Information, authorities such as those under the GDPR or a DPA can come in with the imposition of penalties for non-compliance.

On the other hand, any non-compliance issue related to non-personal data is a “Best Practice” issue and gets escalated only when there is a data breach which qualifies to be called a Cyber Crime and there are victims who invoke the law for claiming compensation.

Hence compliance managers and the management are more worried about compliance with “Personal Data Protection” laws rather than “All Data Protection” laws, though the former should be a subset of the latter.

Coming back to the Data Classification exercise, PDPSI has recognized the need to identify 16 types of Individually Identifiable Data since the compliance requirements can vary for each of these 16 types.

Data is always a “Package” and consists of multiple elements. For example, Name is personal data and in most cases it is the lead personal data because humans recognize the name. Name often comes with additional associated information such as the E-mail address, the phone number, the employee ID, residential address, age etc. It may also include the “Meta Data” associated with the transactions of the data subject.

For the purpose of compliance, it is necessary to aggregate all associated data of one person into one “Personal Data Package”. This Personal Data Package is not static: it grows as more and more information flows into the organization and is associated with the same individual data package, recognized by the “Lead Personal Data Element” (LPDE).

It is open to an organization to allocate a customer ID or employee ID etc. to the name of a person and thereafter consider the number as the “LPDE”. It is also open to use a “Pseudonymization key” if required. It is like opening a “Ticket”. All subsequent references to the same individual have to be added to this “Identity Ticket”.

Once a Data Package with a “Designation of the LPDE” is issued a “Data Package Identity” (DPI), the DPI becomes the reference for further usage.

This DPI needs to be allocated different attributes, as indicated below, to define which data protection law would be relevant.

We have identified four levels under which the attributes are being associated.

Level 1: Employee or Non Employee

Level 2: Subject only to Indian laws or to other foreign laws also

Level 3: Personal or Sensitive personal

Level 4: Adult or Minor

The first categorization of Employee and Non Employee is suggested because Employee personal data is subject to employment contracts and may provide the organization with more flexibility than non employee personal data.

The second level of attribute is required because the data subject may be a citizen of one country, resident of another country and the data processing may involve profiling of activities in different countries. Similarly the data may be health data subject to US laws such as HIPAA or Financial data subject to some other law of another country. It is better to identify the scope of compliance by associating which set of laws need to be kept under consideration for securing the subject DPI.

Then comes the distinction between personal and sensitive personal data, since the applicable provisions may be different even within one statute.

The fourth level attribute is needed because the law may also be different depending on whether the data subject is an adult or a minor.

Hence we need to identify 16 types of personal data and map the compliance requirements for each of these different types. If we include the first level of “Individually Identifiable” versus “Corporate” as Level Zero, we will occupy a total of 5 bits to identify a data package. If the “Pseudonymous state” is also added as an attribute, it would consume the sixth bit. This leaves another 2 bits in a byte to define the Data Package references. It can be extended to a 16 bit ID space if more attributes need to be added. To avoid a Y2K type problem, we may start with an allocation of 16/32 bit space straight away and keep the excess bits vacant, so that a “Data Package” will have a distinct identity even as it grows. This should help in implementing “Data Portability” and “Data Erasure” when required.
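The bit allocation described above, worked through as an added example (not code from PDPSI or Naavi). The layout is an assumption chosen to match the post's arithmetic: the six attribute bits sit in the low byte of a 32-bit DPI, the two spare bits of that byte stay vacant, and the upper 24 bits hold a package sequence number so the identity survives re-tagging as the package grows.

```python
"""Illustrative Data Package Identity (DPI) with PDPSI-style attribute bits.

Added example; the bit positions, field widths and label names are assumptions,
not part of the PDPSI document.
"""
from enum import IntFlag
from typing import Dict, List, Optional, Tuple

class Attr(IntFlag):
    """One bit per classification attribute (positions assumed)."""
    INDIVIDUAL   = 1 << 0  # Level 0: individually identifiable (clear = corporate)
    EMPLOYEE     = 1 << 1  # Level 1: employee (clear = non-employee)
    FOREIGN_LAW  = 1 << 2  # Level 2: foreign laws also apply (clear = Indian only)
    SENSITIVE    = 1 << 3  # Level 3: sensitive personal (clear = personal)
    MINOR        = 1 << 4  # Level 4: minor (clear = adult)
    PSEUDONYMOUS = 1 << 5  # pseudonymised state
    # bits 6 and 7 of the low byte are deliberately left vacant

ATTR_MASK = 0x3F       # the six attribute bits
ATTR_BITS = 8          # whole low byte reserved for attributes
SEQ_BITS = 24          # rest of a 32-bit DPI: package sequence number
SEQ_MAX = (1 << SEQ_BITS) - 1

def make_dpi(seq: int, attrs: Attr) -> int:
    """Pack a 32-bit DPI: sequence number in the high 24 bits, attributes in the low byte."""
    if not 0 <= seq <= SEQ_MAX:
        raise ValueError("package sequence number out of range")
    return (seq << ATTR_BITS) | (int(attrs) & ATTR_MASK)

def split_dpi(dpi: int) -> Tuple[int, Attr]:
    """Inverse of make_dpi: (sequence number, attribute flags)."""
    return dpi >> ATTR_BITS, Attr(dpi & ATTR_MASK)

def personal_data_type(attrs: Attr) -> Optional[int]:
    """Index 0..15 of the 16 personal data types, taken from the four level bits.
    Returns None for corporate data, which PDPSI does not cover."""
    if not attrs & Attr.INDIVIDUAL:
        return None
    return (int(attrs) >> 1) & 0xF

def describe(attrs: Attr) -> Dict[str, str]:
    """Human-readable value of each level plus the pseudonymous flag."""
    return {
        "level0": "individual" if attrs & Attr.INDIVIDUAL else "corporate",
        "level1": "employee" if attrs & Attr.EMPLOYEE else "non-employee",
        "level2": "indian+foreign" if attrs & Attr.FOREIGN_LAW else "indian-only",
        "level3": "sensitive" if attrs & Attr.SENSITIVE else "personal",
        "level4": "minor" if attrs & Attr.MINOR else "adult",
        "pseudonymous": "yes" if attrs & Attr.PSEUDONYMOUS else "no",
    }

def all_personal_data_types() -> List[str]:
    """Enumerate the 16 personal data types as level1/level2/level3/level4 labels."""
    labels = []
    for idx in range(16):
        d = describe(Attr(Attr.INDIVIDUAL | (idx << 1)))
        labels.append("/".join(d[k] for k in ("level1", "level2", "level3", "level4")))
    return labels

def retag(dpi: int, add: Attr = Attr(0), remove: Attr = Attr(0)) -> int:
    """Change attributes as the package grows (e.g. pseudonymise it later).
    The sequence part is untouched, so the identity stays stable for
    portability and erasure requests."""
    seq, attrs = split_dpi(dpi)
    new_attrs = (int(attrs) | int(add)) & ~int(remove) & ATTR_MASK
    return make_dpi(seq, Attr(new_attrs))

if __name__ == "__main__":
    # constructed sample: an employee's sensitive data under Indian law only
    dpi = make_dpi(1234, Attr.INDIVIDUAL | Attr.EMPLOYEE | Attr.SENSITIVE)
    print(hex(dpi), describe(split_dpi(dpi)[1]), personal_data_type(split_dpi(dpi)[1]))
    print(hex(retag(dpi, add=Attr.PSEUDONYMOUS)))
```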

The PDPSI presents the set of controls required to manage compliance under PDPA 2018 (presently ITA 2000/8 until the new law is enacted) and additional controls in the form of annexures depending on whether other laws become relevant. For example, one annexure may indicate GDPR requirements for personal data of an Indian citizen whose activities are monitored by an EU company, or that of an EU citizen who may be profiled for his activities in India. Similarly, different annexures may be there for HIPAA compliance, GLBA compliance, CCPA compliance, etc.

We will initially focus on compliance of Indian data protection laws as envisaged under PDPA 2018 and then develop other annexures one by one.

We are aware that PDPA 2018 is only a draft bill now and will have to be re-introduced and passed. But the principles of data protection and therefore the standards will not change even if PDPA 2018 becomes PDPA 2019. Further when the Indian DPA comes into existence, we need to present it with some industry led proposal as a standard so that it can focus only on modifications as may be required.

We hope that PDPSI would become the base standard from which modified versions can be developed by the DPA. We feel that this will at least make the work of the DPA simpler and quicker.

(Comments are welcome)

Naavi

Posted in Cyber Law | 3 Comments

Data Classification is the first and most important element of PDPSI

Personal Data Protection Standard of India (PDPSI) is the standard being developed by Cyber Law College of Naavi to assist compliance with Personal Data Protection regulations in India. We had earlier mentioned the first version of PDPSI as PDPSI-0219. It is time now to report a small progress with the second version of the document, PDPSI-0319, which is also a work in progress.

The objective of this Document is to codify the set of standards that are aimed at providing compliance of data protection regulations in India.

The scope of this document encompasses the requirements of ITA 2000/8, the proposed PDPA 2018, BS10012 and the principles of GDPR.

We the people of India have adopted our own regulatory standard for personal data protection and protection of Information Privacy of Indian citizens as guaranteed by our constitution. We first notified the Information Technology Act 2000 (ITA 2000) with effect from 17th October 2000, incorporating the responsibilities of citizens, including corporate entities, for protecting data both personal and otherwise. With the amendments in 2008 effective from 27th October 2009, the new version of ITA 2000, namely the Information Technology Act 2000/8 (ITA2008), further codified the responsibilities of Body Corporates and others in protecting Personal Data and Sensitive Personal Data. ITA 2008 and the rules that followed on 11th April 2011 also had provisions for “Reasonable Security Practice” and “Due Diligence”, which were the grounds for the first set of “Personal Data Protection Standards” in India.

After the Supreme Court of India came out with its judgement on Privacy, which inter alia recognized the need for “Information Privacy Protection”, a strong emphasis was laid on Personal Data Protection in India. The operating guidelines for meeting the expectations of the Supreme Court, expanding the scope of ITA 2008 and its rules, came in draft form through the Draft Bill titled “Personal Data Protection Act 2018” (PDPA 2018). Though PDPA 2018 is today only a work in progress to be re-introduced as a new Bill after the next elections, the broad contours of Personal Data Protection in India have been firmly laid by this proposed bill, drafted by a former Justice of the Supreme Court, namely Justice Bellur Narayanaswamy Srikrishna.

Though PDPA 2018 has adopted several principles of Privacy Protection from global documents including the GDPR (General Data Protection Regulation of the European Union), the compliance requirements in India regarding Information Privacy Protection are distinct and include compliance with ITA 2000/8 as well as parts of the Aadhaar Act and the proposed PDPA 2018 etc.

In view of this wider and distinctive scope of Indian regulations on Information Privacy Protection, the global standards of data protection contained in ISO 27001 or BS 10012 are considered inadequate to meet the requirements in India.

The long term objective of this document is to ensure that “Standards” do not remain “Proprietary” and are made known to the stakeholders who are expected to implement them. Hence Naavi intends to make this standard open source once a formal, sufficiently refined version of the standard emerges. Until then, only some high level concepts may be publicly released.

In the new version, an attempt has been made to expand the portion of “Classification of Data” because it is the key to further implementation. The required classification is depicted in the following diagram.

Salient Features

This system of data classification will first recognize the data that may be flowing in the organization and classify them in the first level to “Individually Identifiable Data” and “Corporate Data”.

Personal data will consist of such data that identifies an individual. Corporate data includes business related data which does not contain personal data. Protection of Corporate data is part of the DPSI while PDPSI focuses on protection of Personal data.

Individually Identifiable Data is further tagged with the following attributes:

    1. Employees and Non Employees
    2. Subject to Indian Laws only and Subject to Indian and Foreign Laws
    3. Personal and Sensitive Personal
    4. Adult and Minor

Individually identifiable data of Employees is considered as “Corporate Data” but may be subject to additional compliance requirements depending on the applicable laws whether Indian or foreign.

Classification of Personal and Sensitive Personal, adult and minor may also be different based on the applicable laws.

The above attribute tagging will be applied to a set of data elements which is considered as a “Package”. Each such “Individually Identifiable Data Package” shall carry a distinct identity as its “Package ID”. Every element of the Package shall be tagged in further usage with the “Package ID”.

Every package will be identified with a “lead element”, which could be the name or another identity parameter.

(I welcome comments)

Naavi

Posted in Cyber Law | 3 Comments

Data Protection Standard of India-(DPSI)

We have earlier discussed the broad contours of Naavi’s “Personal Data Protection Standard of India” (PDPSI) followed by Ujvala Consultant’s Pvt Ltd. The PDPSI is meant to cover the requirements of Data Protection by Indian companies exposed to the compliance requirements under PDPA 2018 (as proposed) and to encompass the best practices covered under BS10012.

As a refinement of the approach to the standards, it is now decided that PDPSI-0219 will be considered as a subset of DPSI which shall be the standard for Data Protection in general by a Data Processing industry. This should be compliant with the ITA 2000/8 which applies to all kinds of data whether it is Personal or Corporate.

PDPSI itself will be divided into two levels, namely Level 1, which will apply to Personal Data, and Level 2, which will apply to Sensitive Personal Data. DPSI will apply to Personal Data, Sensitive Personal Data and corporate data which does not consist of Personal Data.

Further DPSI will have schedules that map PDPSI to different regulations of other countries such as GDPR, CCPA, HIPAA, UK-PDPA etc.

The Data Protection Audit suggested by Naavi would be based on DPSI/PDPSI as the case may be.

The objective of developing these standards is to make the guideline available free of charge to the companies who need to implement data security as against the current system where they need to incur enormous expenses to buy standards even before implementing them.

More information will follow.

Naavi

Posted in Cyber Law | 4 Comments

Law Colleges in Bangalore are coming of age

It was interesting to note that one of the law colleges in Bangalore has announced a moot court competition which recognizes some of the latest developments in the field of technology and law in India.

It is a general observation that the LLB curriculum does not have an in-depth discussion of ITA 2000/8. Though the Bar Council has requested all colleges to incorporate Cyber Laws in their regular curriculum, it remains mainly an optional subject.

In the light of this perception, it was a surprise to learn that Bishop Cotton Women’s Christian Law College, Bangalore has chosen for its 7th National Moot Court competition a problem which includes “Artificial Intelligence”, “Facebook Cambridge Analytica”, “Personal Data Protection Act” etc.

A Copy of the Moot Court challenge is available here.

Though the link between AI, Facebook and PDPA 2018 is structured a bit artificially, the attempt to introduce new technology terms to the law students is a matter to be appreciated.

Naavi

Posted in Cyber Law | Leave a comment

Section 65B workshop in Chennai and inauguration of FDPPI Chennai Chapter

Naavi joins the lighting of the lamp in inaugurating the workshop 

A Unique one day workshop was conducted in Chennai on 16th March 2019 on “Section 65B of Indian Evidence Act”.

The Workshop was inaugurated by Honourable Justice Sri M. Jaichandren, in the presence of Honourable Justice Dr S. Vimala and Senior Advocates Mr Masilamani and A. Thiagarajan. Mr Na Vijayashankar (Naavi), as Founder Chairman of the Foundation of Data Protection Professionals in India (FDPPI) and a pioneer in Section 65B, conducted the knowledge session. Mr S. Balu, President of Cyber Society of India (CySi) and formerly head of the Cyber Crime division of Chennai, organized the event.

The print version of the book, with the latest updates, titled “Section 65B of Indian Evidence Act Clarified” by Naavi was released during the event.

The workshop was unique because it was completely focussed on Section 65B which has been in operation since 17th October 2000 but whose importance had not been fully realized until the Supreme Court judgement in 2014 in P V Anvar Vs P.K. Basheer, declaring that it is mandatory for admissibility of electronic document as evidence.

Since then, the difficulties in understanding the provisions of Section 65B have also come up for discussion in some fora, even to the extent of suggesting that it may need an amendment.

Naavi clarified the doubts regarding the section and also highlighted why Section 65B was a master stroke in ITA 2000.

An illustrative caricature drawn by Mrs Saranya Devi under the guidance of S.Balu which explained the concept and attracted attention during the workshop is reproduced below.

The caricature explains how a human witness who reproduces evidence from memory is not asked for any certification (other than the deposition itself), while CCTV footage produced as evidence requires certification under Section 65B, on the logic that the “Computer Witness, like a human witness, needs to depose but can do so only with the assistance of a human who is the Section 65B certifier.”

A gallery of eminent speakers made the event memorable.

A more detailed report on the event would be provided later.

During the event the Chennai Chapter of FDPPI (www.fdppi.in) was also inaugurated and Naavi explained why Section 65B is also relevant to the Data Protection Industry.

The event was a great success.

More information on the event will follow.

Naavi

Posted in Cyber Law | 1 Comment