Legitimate Interest Policy

[In continuation of the earlier article/s on PDPSI, we proceed to unravel further details of the Personal Data Protection Standard of India (PDPSI). The objective of the standard is to make available an open-source guideline for Indian companies to comply with privacy and data protection requirements that meet the standards of BS10012 and GDPR as well as Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]

Compliance with a privacy protection regulation, whether PDPA 2018, GDPR or any other law, normally starts with two documents:

a) Privacy Policy

b) Information Security Policy

The Privacy Policy declares the intentions of the organization in meeting the different requirements of the regulation. It is a comprehensive aggregation of several sub-policies, which we will discuss here. It has to capture the objectives of the organization and reasonably describe how the organization proposes to implement the requirements.

The Privacy Policy is for the organization to follow, while the “Privacy Notice” is meant to inform those who interact with the company. The Privacy Notice may carry many elements of the Privacy Policy, but the objectives of the two documents differ, and this should be reflected in how each is drafted.

The Information Security Policy, on the other hand, is the policy to be followed within the organization to meet the requirements of the Privacy Policy.

Since a corporate Information Security Policy has to protect both personal and non-personal information, while the Privacy Policy is concerned only with personal information, the Information Security Policy is necessarily the broader document, covering the protection of both.

In a way, information security for privacy protection is a subset of information security for the organization as a whole. If necessary, an organization may develop a separate “Personal Data Protection Policy” (PDPP), treated as a subset of the Information Security Policy, and let the DPO/DPC manage the PDPP while the CISO handles the organization's IS Policy.

While drafting the Privacy Policy, one must remember that the “Privacy Policy” published on the website is not the comprehensive Privacy Policy of the organization. The website policy relates only to information collected from website visitors; once a visitor opts for a service, the privacy policy of that service applies. In most cases the policy for website visitors can be simple, since little personally identifiable information beyond the technical details captured by the hosting system is collected. What matters for compliance is the policy applicable to subscribers of the various services, who provide identifiable personal information.

Drafting a Privacy Policy and an IS Policy is familiar ground. What PDPSI additionally expects is that the organization has a clear view of its “Legitimate Interest Policy”: the document under which certain provisions of GDPR or PDPA are implemented with customization, and where necessary dilution, by relying on the clauses that provide “Exemptions”.

An organization may need to override certain standard practices for its legitimate business interests, or for reasons such as national security, public interest or journalistic requirements. So that it is not then confronted with a charge of “Non Compliance”, it is recommended that a separate policy document codify why the regulation may not be followed, or may be followed differently with safeguards, and under what circumstances.

Naavi normally starts with the Legitimate Interest Policy before drafting the Privacy Policy and tries to dovetail the Legitimate Interest Policy to the business context. If any recommended aspect of the Legitimate Interest Policy is found to be a serious violation of the privacy law, the Legitimate Interest Policy may have to be suitably modified with the consent of the management.

Not having a “Legitimate Interest Policy” would make the life of the DPO difficult: he would be confronted by powerful business executives trying to bypass the privacy policies and justifying it in the name of business interests, while the consequences of the resulting non-compliance become the DPO's responsibility. With a separate Legitimate Interest Policy (LIP), the DPO knows exactly what he can and cannot do.

[To Be Continued… Comments welcome]

Naavi


Other Reference Articles

  1. A Step beyond BS10012 and GDPR-Personal Data Protection Standard of India-PDPSI
  2. Data Protection Standard of India- (DPSI)
  3. Data Classification is the first and most important element of PDPSI
  4. Why 16 types of Data are indicated in PDPSI?
  5. Implementation Responsibility under Personal Data Protection Standard of India
  6. India to be the hub of International Personal Data Processing…. objective of PDPSI
  7. Principles of PDPSI
  8. Pentagon Model of TISM…An implementation approach to PDPSI implementation
  9. Personal Data Gate Keepers and Internal Data Controllers in Organizations
  10. Naavi’s Data Trust Score model unleashed in the new year
  11. Naavi’s 5X5 Data Trust Score System…. Some clarifications
  12. Naavi’s Data Trust Score Audit System…allocation of weightages
Posted in Cyber Law

Data Forensics is the new Approach to Cyber Forensics

Forensics is the art and science of discovering, collecting, preserving and presenting evidence to meet a legal requirement. We normally use the term “Cyber Forensics” for forensic activities related to information technology devices such as computers.

Initially the term “Computer Forensics” was used to describe the evidential requirements of anything connected with computer crimes. Slowly the terminology was replaced by “Cyber Forensics”, and terms such as “Mobile Forensics”, “Disk Forensics” and “Network Forensics” came into popular use. One popular perception remains that “Cyber Forensics” deals with the Internet and e-mails, which is a very restricted view of the term.

We are today far more mature than we ever were in understanding the forensic requirements connected with cyber crimes. In today's context, “Cyber Forensics” as a term sometimes needs to be redefined so that it captures what is actually required.

The earlier framing of Cyber Forensics as computer forensics, mobile forensics and so on is a device-oriented approach. Similarly, terms such as network forensics, Internet forensics and even social media forensics are oriented towards the usage platform.

However, the real essence of anything we deal with today on a “Computing Device” is the “Data”, which is platform independent. It is a binary impression that exists in different forms and acquires a meaning only when looked at through the right glasses. If a picture has a blue background and green letters and I wear green glasses, I may not be able to see the letters, but that does not mean the letters do not exist.

Real forensics therefore has to be able to look for the existence of evidence without being limited by the surrounding platform.

This is the new approach to “Forensics” that I believe we need to adopt, and I term it “Data Forensics”.

The objective of “Data Forensics” is to discover the presence of a meaningful stream of binary expressions that may be hidden in the background of a dependent platform, gather it, preserve it, and then be able to present and prove it in a court of law.

The much discussed Section 65B of the Indian Evidence Act takes care of linking the data to the platform that produced it, and hence allows any such data to be brought into evidence.

This approach to forensics will survive the advent of IoT, Big Data and even Quantum Computing, since none of them changes the nature of data as evidence.

I therefore urge the industry to start focusing on “Data Forensics” from now on instead of “Cyber Forensics”. This should be more palatable to “Data Protection Professionals”, whose focus is the “Data” and not the “Container of the Data”.

We will therefore adopt this term gradually into our discussions, including those on PDPSI (Personal Data Protection Standard of India), where “Forensic Investigation and Recording of findings” are part of the requirements.

Naavi

Posted in Cyber Law

Ugadi Brings Naavi’s 10 year mission to a successful closure

For those who are aware of Naavi's activities, it is known that the historic Umashankar adjudication case has been a mission for Naavi since June 2010, when the adjudication application was filed.

Due to various reasons, the matter, which went on appeal to the CyAT, had remained stuck until now. On 3rd April 2019, the TDSAT placed its final approval on the adjudication order, bringing the matter to a successful closure.

The perseverance of Mr Umashankar, an NRI in Abu Dhabi, and his father Mr Sivasubramaniam, in Tuticorin, in pursuing the case against all odds and with continued expense must be specially hailed. Without their perseverance, I would not have been able to keep the matter going for so long.

I wish their experience in this case would be captured by mainstream journalists so that it becomes a guide for other cyber crime victims.

Naavi

Posted in Cyber Law

Personal Data Gate Keepers and Internal Data Controllers in Organizations

[In continuation of the earlier article/s on PDPSI, we proceed to unravel further details of the Personal Data Protection Standard of India (PDPSI). The objective of the standard is to make available an open-source guideline for Indian companies to comply with privacy and data protection requirements that meet the standards of BS10012 and GDPR as well as Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]

What we have so far discussed on PDPSI include

a) How personal data has to be classified according to PDPSI

b) How the PDPSI implementation organization has to be structured

c) Need for Risk assessment and reducing it to an implementation charter

d) How an auditor needs to build in measurability into the Data audit process

e) How the Certification process can recognize the responsibilities of the top management vis-a-vis the implementation team

Now we shall start discussing the different  “Implementation Specifications” which are the “Operational Controls” suggested under the PDPSI. These include the policy documents that are essential for the operating personnel to implement the standard.

Distributed Responsibility for Data Security

While at the policy-making level PDPSI recommends a Personal Data Protection Governance Structure (PDP-GS) comprising the Data Protection Committee (DPC) and the Personal Data Protection Officer (PDPO), at the implementation level it treats every “Data Processing Employee” as a participant in the Personal Data Protection Ecosystem.

Out of all the Data Processing Employees, the person who first receives a set of what constitutes “Personal Data” is the “Personal Data Recipient Employee” (PDRE). Since data first enters the ecosystem without any tag, the recipient of incoming data is initially recognized only as the “Data Recipient Employee” (DRE). It is the responsibility of every DRE to identify and tag the data. If it is recognized as “Identifiable personal data”, the DRE becomes the PDRE and a stakeholder in PDPSI; otherwise, he remains a stakeholder in the larger system of data protection but outside the PDPSI ecosystem.

The DRE is responsible for tagging the incoming data with the right tags so that it is properly handled in subsequent processing. He is therefore the “Internal Data/Personal Data Controller” and “Subordinate Data/Personal Data Protection Officer” for a given data set, and acts as the “Nodal Point” for the incoming data, which is tagged and then redistributed within the organization.

In organizations which follow a strict “Pseudonymity principle”, all personal data received has to pass through a “Data Gate” where it is pseudonymized.

While the majority of the data an organization collects can be routed through the designated “Data Gate Keeper”, in most organizations data, including personal data, tends to land in the hands of business executives first and only later be turned over to the departments for necessary action.

For example, the call center employee is typically the first to receive information about an incident, along with the data associated with it, even though the call center employee may be among the junior-most employees in the organizational structure. In other cases it may be the marketing team that first receives the data or personal data, and only thereafter is it handed over to the other data protection executives.

The recipient of the data, the DRE, should first tag the data as one of the 16 data types and send it to the Data Gate Keeper. The Data Gate Keeper acts as the supervisory authority that confirms the data classification and, at the same time, de-identifies, pseudonymizes or even anonymizes the data as dictated by the organization's “Data Pseudonymization Policy”.

Thereafter the data goes into processing either as identifiable data, as pseudonymized data or as anonymized data.

The Data Gate Keeper is therefore the employee who has access to the “Re-identification Table”, and should be considered the “Principal Internal Data Controller” (PIDC).
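The flow just described, from the DRE's tagging through the Data Gate to the re-identification table, is illustrated below in Python. This is an added example, not code from PDPSI or from this site. The page does not enumerate the 16 data types, so the tag values, the set of direct-identifier fields (email, phone, name), the role name checked on re-identification and the sample complaint record are all assumptions made for the illustration. The gate re-derives the DRE's tag before accepting a record, strips the direct identifiers, and for pseudonymization replaces them with an HMAC of a canonical identifier so that records of the same person stay linkable while only the gate's key and table allow re-identification.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Hypothetical tags standing in for the PDPSI data types (the page does not
# enumerate the 16 types); only the personal / non-personal split matters here.
TAG_IDENTIFIABLE_PERSONAL = "identifiable_personal"
TAG_NON_PERSONAL = "non_personal"

# Assumed direct-identifier fields, in the order used to derive a pseudonym.
DIRECT_IDENTIFIERS = ("email", "phone", "name")


def dre_tag(record: dict) -> dict:
    """Step 1 (DRE): tag an untagged incoming record before passing it on."""
    tagged = dict(record)
    has_identifier = any(record.get(f) for f in DIRECT_IDENTIFIERS)
    tagged["tag"] = TAG_IDENTIFIABLE_PERSONAL if has_identifier else TAG_NON_PERSONAL
    return tagged


class DataGate:
    """Step 2 (Data Gate Keeper / PIDC): confirm the tag, then de-identify.

    Only this object holds the HMAC key and the re-identification table;
    records handed to downstream processing carry neither.
    """

    def __init__(self, key: Optional[bytes] = None):
        self._key = key or secrets.token_bytes(32)
        self._reid_table: Dict[str, dict] = {}

    def _pseudonym(self, record: dict) -> str:
        # Keyed hash of the first canonical identifier present: the same
        # person yields the same pseudonym (records stay linkable), but the
        # value reveals nothing without the key and the table.
        ident = next(record[f] for f in DIRECT_IDENTIFIERS if record.get(f))
        mac = hmac.new(self._key, ident.strip().lower().encode(), hashlib.sha256)
        return mac.hexdigest()[:16]

    def admit(self, record: dict, mode: str) -> dict:
        """Supervisory check, then identifiable / pseudonymize / anonymize."""
        if dre_tag(record)["tag"] != record.get("tag"):
            raise ValueError("tag mismatch: DRE classification not confirmed")
        if record["tag"] == TAG_NON_PERSONAL or mode == "identifiable":
            return dict(record)  # non-personal, or identifiable processing

        stripped = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        if mode == "anonymize":
            stripped["tag"] = "anonymized"  # no table entry: irreversible
            return stripped
        if mode == "pseudonymize":
            pid = self._pseudonym(record)
            self._reid_table.setdefault(
                pid, {f: record[f] for f in DIRECT_IDENTIFIERS if record.get(f)})
            stripped["subject_id"] = pid
            stripped["tag"] = "pseudonymized"
            return stripped
        raise ValueError(f"unknown mode {mode!r}")

    def reidentify(self, subject_id: str, requester_role: str) -> dict:
        """Re-identification stays with the PIDC; a processor cannot unmask."""
        if requester_role != "PIDC":
            raise PermissionError("re-identification is restricted to the PIDC")
        return dict(self._reid_table[subject_id])


# Constructed sample: a complaint as it might reach a call center employee.
SAMPLE = {"name": "A. Example", "email": "a.example@example.com",
          "complaint": "duplicate charge", "amount": 1200}


def run_demo():
    """Tag the sample as the DRE, then pass it through the gate both ways."""
    gate = DataGate()
    tagged = dre_tag(SAMPLE)
    pseudo = gate.admit(tagged, "pseudonymize")
    anon = gate.admit(tagged, "anonymize")
    return gate, tagged, pseudo, anon


if __name__ == "__main__":
    gate, tagged, pseudo, anon = run_demo()
    print("pseudonymized:", pseudo)
    print("anonymized:   ", anon)
    print("PIDC lookup:  ", gate.reidentify(pseudo["subject_id"], "PIDC"))
```

The keyed hash by itself is not reversible; what makes pseudonymized data re-identifiable is the table the gate keeps, which is why the PIDC, and only the PIDC, should hold it. Anonymization writes no table entry at all, so it cannot be undone even by the gate.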

The DRE, who first receives the data and then hands it over to the PIDC, remains in knowledge of the data and therefore continues to hold data protection responsibilities for the identifiable personal data he received. He therefore remains the Subordinate Internal Data Controller (SIDC).

The SIDC and the PIDC have to work with the DPO and the DPC to ensure that the overall information security policies of the organization, of which the Personal Data Protection Policy is a part, are successfully implemented.

In this system, responsibility for data protection is distributed across the organization: every PDRE has responsibility for data protection because he is an SIDC, and the PIDC has the larger responsibility because he is also responsible for confirming the data classification and for the pseudonymization.

It is possible  for the PIDC to be also the DPO of the organization.

With these concepts, the Data Protection roles in an organization form a hierarchy: the DPC and DPO at the governance level, the PIDC at the Data Gate, and every SIDC at the point where personal data first arrives.

This distributed model brings all employees to bear responsibility for data protection. The DPO remains the statutorily responsible person under regulations like GDPR or PDPA, but internally the entire organization stands in his support.

It is the responsibility of the PDPSI auditor to examine whether an organization has the necessary commitment to data protection and has strengthened the hands of the DPO by adopting the above structure, or whether it treats him as a scapegoat to be hanged if anything untoward happens.

(To Be continued)

Naavi

Other Reference Articles

  1. A Step beyond BS10012 and GDPR-Personal Data Protection Standard of India-PDPSI
  2. Data Protection Standard of India- (DPSI)
  3. Data Classification is the first and most important element of PDPSI
  4. Why 16 types of Data are indicated in PDPSI?
  5. Implementation Responsibility under Personal Data Protection Standard of India
  6. India to be the hub of International Personal Data Processing…. objective of PDPSI
  7. Principles of PDPSI
  8. Pentagon Model of TISM…An implementation approach to PDPSI implementation
  9. Naavi’s Data Trust Score model unleashed in the new year
  10. Naavi’s 5X5 Data Trust Score System…. Some clarifications
  11. Naavi’s Data Trust Score Audit System…allocation of weightages
Posted in Cyber Law

Pentagon model of TISM.. An important approach to PDPSI implementation

[In continuation of the earlier article/s on PDPSI, we proceed to unravel further details of the Personal Data Protection Standard of India (PDPSI). The objective of the standard is to make available an open-source guideline for Indian companies to comply with privacy and data protection requirements that meet the standards of BS10012 and GDPR as well as Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]

We have so far discussed some of the basic requirements of PDPSI, such as the need for data classification, implementation responsibility, a charter of implementation, measurability and so on. We can now move to the second level of issues addressed by PDPSI, the set of implementation controls.

The objective of PDPSI is to ensure the implementation of  measures to  meet the requirements of compliance. The measures could be technical, could be in the form of policies and procedures and could also be in the form of manpower training.

PDPSI recognizes the importance of people in implementing information security. Hence “Motivating the work force” and “Measuring the motivational efforts of the organization” are considered part of PDPSI.

While there could be many approaches to “Motivation” in the Information Security implementation, Naavi advocates the “Pentagon Model” of Information Security Motivation.

The “Pentagon Model” of the Theory of Information Security Motivation (TISM) suggests that five elements need to work in tandem for the proper implementation of information security in an organization. They should support each other and form a tight enclosure so that there is no leakage of security.

The five elements consist of “Awareness”, which is a training requirement; “Mandate”, which is a policy requirement; and “Availability”, which is a technical tool requirement. To these three, “Acceptance” and “Inspiration” are added as the further necessities that motivate people to accept what is imparted in training, to respect and follow the prescribed policies, and to use the technical tools the organization provides.

Converting “Awareness” into “Acceptance” is purely a behaviour management issue, to be handled by the HR experts in the organization. “Inspiration” is more an internal attitudinal factor of the individual; the organization can only try to trigger inspirational instincts through innovative HR practices.

PDPSI provides several controls, mainly through policies, to meet the requirements of TISM. The effect of such implementation needs to be captured by the auditor in the course of the audit.

Some measures of motivation can be captured in objective terms, but most are subjective. For example, we can measure whether 80%, 90% or 99% of employees have attended training programmes and passed the relevant tests.

It may also be possible to measure the level of acceptance of key elements of security behaviour through specially designed behavioural tests.

Measuring the “Inspirational” readiness of people, however, may not be easily converted into objective parameters.

But the efforts the management has taken to inspire the work force towards building an information security culture can be identified, recognized by the auditor and taken note of under the heading of “Commitment” in the 5X5 DTS system.

(To Be continued)

Naavi

Earlier Articles

  1. A Step beyond BS10012 and GDPR-Personal Data Protection Standard of India-PDPSI
  2. Data Protection Standard of India- (DPSI)
  3. Data Classification is the first and most important element of PDPSI
  4. Why 16 types of Data are indicated in PDPSI?
  5. Implementation Responsibility under Personal Data Protection Standard of India
  6. India to be the hub of International Personal Data Processing…. objective of PDPSI
  7. Principles of PDPSI
  8. Naavi’s Data Trust Score model unleashed in the new year
  9. Naavi’s 5X5 Data Trust Score System…. Some clarifications
  10. Naavi’s Data Trust Score Audit System…allocation of weightages
Posted in Cyber Law

Facebook shows that proactive measures to prevent fake news are possible

During the recent discussions on the amendments to the Intermediary Guidelines proposed by the Government, one of the proposals, which required proactive measures by social media to curb the spread of fake news, was debated. Many complained that “proactive monitoring” of accounts is not feasible.

The news now breaking that Facebook has removed 687 pages, supposedly connected with the Congress party, for “Inappropriate Behaviour” indicates that the company has run some sort of analytics and found that the owners of these pages were running their accounts under impersonated names, that all of them were connected to the IT Cell of the Indian National Congress, and that they were using the pages to canvass for Congress.

Refer report here

Facebook has therefore accepted that today's AI environment can be harnessed to at least identify some types of fake news and take proactive action. I am sure that more is possible.

Recently Naavi had raised this issue in his article in India Legal Magazine.

In this article, I had argued that social media companies are actually not interested in removing fake news because it is commercially beneficial to them. We have seen this tendency in ISPs who support pornography and spamming since they constitute a substantial part of the data exchanged on the Internet. Similarly, WhatsApp could do a lot to reduce the duplication of data exchange if it really wanted to, but obviously this does not make commercial sense. What has happened now with Facebook is therefore a positive development and must be appreciated.

A couple of months back, in a round table in Bangalore, Naavi had pointed out to Professor Rajiv Gowda, the spokesperson of Congress (who was one of the participants), that it was the political parties which were mainly responsible for fake news. This stand has been vindicated by the current news break.

Congress as a party has been in the forefront of creating fake news and fake allegations against its political opponents and has corrupted social media irretrievably. Naturally, it would be worried about this embarrassment and would like to create a balancing embarrassment for the BJP also. Perhaps the party will do its own research, come up with a list of pages belonging to the BJP and request Facebook to remove them.

It would be good if users themselves identified such fake pages and reported them to Facebook so that it can verify and remove them. This would amount to “Content Rating” and “Content Filtering with Crowd sourcing of objections”, and would be a good development.

It must however be noted that Facebook has said that the removal of the pages is not because of their content but because of the attempt to hide identity. This is therefore not an issue of “Freedom of Expression”, and hence Prashant Bhushan and his friends cannot run to the Supreme Court with their PILs.

It would however be interesting to see how these PIL experts react to this latest setback.

Naavi

Posted in Cyber Law