Cyber Society of India (CySi) and Foundation of Data Protection Professionals in India (FDPPI) are jointly organizing a one day seminar on Section 65B of Indian Evidence Act at Chennai.
Venue :Hotel RainTree, Annasalai, Teynempet, Chennai 600035
Time: 10.00 am to 5.30 pm
Date: 16th March 2019, Saturday
Naavi
Naavi has updated the E Book on Section 65B, titled “Section 65B of Indian Evidence Act Clarified” with an additional chapter on ‘Section 65B for Data Protection Professionals”.
A print copy of the above book is scheduled to be released in Chennai on March 16, along with the launching of the Chennai Chapter of FDPPI and a day long workshop on Section 65B organized jointly by Cyber Society of India (CySi) and FDPPI.
Naavi was the founder secretary CySi and a continuing life member, as also the Founder Chairman of FDPPI. Mr S.Balu the current president of CySi is also a member of FDPPI.
The E Book is currently priced at Rs 150/-. The Printed version of which limited copies would be available is priced at Rs 200/-. (Will be available at the conference at a concessional price of Rs 100/-).
Naavi
The Justice Srikrishna Committee on Data Protection under Appendix had provided a comprehensive recommendation for amendment of the Aadhaar Act (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016. These recommendations were not included in the draft Bill for PDPA 2018 which the Committee submitted. Subsequently the Aadhaar judgement of the Supreme Court (Refer the series of articles) gave certain recommendations which prevented the use of Aadhaar services by private sector including the Banks.
After taking into consideration the recommendations of the Srikrishna Committee and the Judgement of the Supreme Court, the Government came up with a draft Bill . However the Bill could not be passed through Rajyasabha and would lapse soon.
In order to therefore alleviate the problems created by the Supreme Court Judgement on the industry, Government has come up with an ordinance to implement some of the recommendations of the Srikrishna Committee by promulgating an “Ordinance” on 28th February 2019.
The ordinance provides for “Offline Verification of Aadhaar number” after obtaining the consent of the individual and using only the demographic information with safe guards for the information to be used only for the purpose for which it is sought.
Section 57 of the Aadhaar Act has been omitted in deference to the wishes of the Supreme Court.
The ordinance will provide the option of the use of offline Verification without authentication to verify the demographic information about an individual who provides consent to an agency to use the Aadhaar number .
Hopefully this will mitigate some of the immediate problems of the industry. However, some murmurs are being heard about challenging the ordinance in the Supreme Court and we need to wait and see how things develop.
Naavi
Reference Articles:
10:Aadhar Judgement-10: Let us debate the changes required in PDPA 2018
9: Aadhaar Judgement-9: Definition of Personal Information revised?
8: Aadhaar Judgement-8: Limited use
7: Aadhaar Judgement-7… Can the Private Sector use Aadhaar for Authentication?
6. Aadhaar Judgement-6.. Joint Secretary is too junior?:
5:Aadhaar Judgement-5…Collection of Metadata
4:Aadhaar Judgement…4… Making the life of law enforcement difficult…
3:Aadhaar Judgement..3.. Data retention limit of 6 months..
2:Aadhaar Judgement….2.. The Answers and Conclusions of the majority
1.Aadhaar Judgement…1… Debate the areas where clarity is required.
Other References
Aadhaar Act : Srikrishna Committee Suggestions in Appendix : Aadhaar Amendment Bill :Aadhaar Amendment Ordinance
Naavi is in the process of developing the Data Trust Score System which will enable Data Auditors to evaluate the level of compliance of an organization to the required PDPA standards.
Naavi is also in the process of developing a “Personal Data Protection Standard of India” (PDPSI-0219) which will incorporate the data protection requirements of a typical organization working in India. This standard is expected to be an “Open Source Standard” and should encompass BS 10012 or such other proprietary standards in terms of what is required to be achieved.
It is left to the auditors to offer audits and for their clients to accept such audits adopting of BS or IS standards and piggy back on the perceived reputation of these standards or adopt the PDPSI-0219 standard which is dove tailed to the Indian requirements and take the responsibility for meeting the “Data Protection objectives” rather than “Certification Objectives”.
When we introduced the Naavi’s 5X5 DTS system we had indicated that we would adopt a 5 by 5 matrix to evaluate the compliance of an organization and the five parameters to be used would include “Commitment”, “Knowledge”, “Controls”,”Review” and “Redressal”.
We had indicated that the observations would be recorded on a scale of 0-100 in five buckets of 20 each.
In arriving at the final DTS value for an organization, we had indicated that each of the five parameters may be given different weightages. If equal, each parameter would bet a weightage of 0.2.
Now we would suggest the next step of a method to assign the weightage.
For the purpose of such weightage allocation, organziations would first be classified into three categories namely, “Infant”, “Adult” and “Mature”. An infant organization is one where the data protection exercise is in the beginning and hence more focus is required on awareness building and management commitment etc. As the organization grows in maturity, the management commitment and conducting awareness training would become routine basic requirement. [P.S: These may even be considered as a “Hygiene factor” which is something which if present it is considered as necessary and if not present it would be considered as a serious lapse. The score allocation under the parameter could be a binary proposition unlike other parameters].
Considering this aspect, we have drawn a table of weightage allocation as follows.
The PDPSI 0219 will indicate management requirements which will encompass all the above 5 parameters and will also adopt the Three Dimensional Model of Information Assurance which Naavi follows which includes Technical, Legal and Behavioural Science approaches.
Comments are welcome.
P.S: Please read this article together with the following two earlier articles.
Naavi
Just as RBI has issued a cyber security framework for Banks, NBFCs, PPI issuers etc., SEBI has also formulated a Cyber Security Framework applicable for Brokers and Depositories. The guideline issued on December 3, 2018 has suddenly gained some traction and attracting discussions.
E Trading is similar to E Commerce or E banking in terms of risks and the need for security. However, the stakes are extremely high in the stock transactions because the value of transactions and the speed with which they take place in real time add their own risks.
E Trading which SEBI oversees includes Futures and Options as well as commodities including Gold and Metals. Only currency trading operations fall under the supervision of RBI.
In the pasts we have seen frauds some of which are pure financial cheating instances. But there have been a hint that there have been more sophisticated frauds involving technology where “Pump and Dump Frauds”, “Broker or Broker Employee related frauds” where piggy back trades are booked over customer’s genuine transactions etc. Most of the large brokers today directly allow apps and computer based trading software to be used by customers to place orders with a variety of conditionalities built in in terms of stop loss, triggers, margin trades etc and hence the scope for frauds of different kinds are high.
In the past there have also been reports of the Stock Exchange servers being manipulated for deriving time advantage in receiving price data disseminated by the trading platform so that some milli seconds advantage is obtained by one broker over the other which enable them to make unfair profits.
Taking all these into consideration, a proper information security over sight was over due. With the advent of the concept of “Sensitive Personal Information Protection” under the Data Protection legislation, it was necessary for the brokers to also realize the need to upgrade their security culture and infrastructure to meet the modern day demands.
The published Cyber Security Framework of SEBI therefore requires a close look. A Copy can be accessed here: CLICK HERE
The main requirements are
a) Draft a comprehensive Cyber Security and Cyber Resilience Policy approved by the management and reviewed annually
b)Policy should be Risk Assessment based with clear policies for incident detection, response and recovery.
c) Thee policy should conform to “Guidelines for Protection of national Critical Information Infrastructure” from the Government.
d) Appoint a compliance official supported by an internal technology committee of experts.
e) Necessary access control measures need to be implemented .
f) Sub brokers and customers need to be included in the overall policy
g) Physical and other Network security measures need to be implemented.
h) Encryption should be used in data transit and storage.
i) Brokers should ensure that the products used for trading are adequately certified for security.
j) People involved need to be adequately trained
k) measures like audit need to be implemented.
Overall, an entire system of information security has to be implemented by the brokers and depositories.
Though for Data protection professionals, this requirement is not new and with the Section 43A of ITA 2000/8 already being available and PDPA 2018, in the anvil, it was expected that data security was recognized as a responsibility of the stock broking community.
It would be interesting how the industry players adopt to the demands. But any negligence or complacence will render the stock broker and the depositories liable as “Intermediaries” under the ITA 2000/8
Naavi
A Draft E Commerce Policy has been issued by the department for promotion of Industry and Internal Trade, for public comments.
Comments may be made upto March 9, 2019.
Other details of how the comments have to be sent etc are not clear. It will be posted as soon as it becomes available.
In the meantime, the draft of the policy is available here for study… CLICK HERE
Naavi
P.S: Last Date for submission of comments extended to 29th March 2019.
