Personal Data Protection Act of India now available
Seek Answers to Your Queries here
- July 2020
- June 2020
- May 2020
- April 2020
- March 2020
- February 2020
- January 2020
- December 2019
- November 2019
- October 2019
- September 2019
- August 2019
- July 2019
- June 2019
- May 2019
- April 2019
- March 2019
- February 2019
- January 2019
- December 2018
- November 2018
- October 2018
- September 2018
- August 2018
- July 2018
- June 2018
- May 2018
- April 2018
- March 2018
- February 2018
- January 2018
- December 2017
- November 2017
- October 2017
- September 2017
- August 2017
- July 2017
- June 2017
- May 2017
- April 2017
- March 2017
- February 2017
- January 2017
- December 2016
- November 2016
- October 2016
- September 2016
- August 2016
- July 2016
- June 2016
- May 2016
- April 2016
- March 2016
- February 2016
- January 2016
- December 2015
- November 2015
- October 2015
- September 2015
- August 2015
- July 2015
- June 2015
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- December 2014
- November 2014
- October 2014
- September 2014
- August 2014
- July 2014
- June 2014
- May 2014
- April 2014
- March 2014
- February 2014
- January 2014
- December 2013
- November 2013
- October 2013
- September 2013
- August 2013
- July 2013
- June 2013
- May 2013
- April 2013
- March 2013
- February 2013
- January 2013
- December 2012
On September 23, 2014, Naavi.org had written
China has always been an unreliable nation and cannot be trusted for business relations. China is the leader in Cyber Warfare and using their technologies for our bullet trains and smart cities is an open invitation to disaster if and when there is a cyber war between India and China.
It is good for Mr Modi to keep China at arms length in the field of technology and ensure that India tries to develop its capabilities in the technology era with the assistance of Japan and USA.
Indian companies doing business with China should also be careful not to transfer any critical technology to China in the long term interest of our country
This was not the first time, Naavi.org had highlighted the China risk. The fact that China was working on Quantum Supremacy and developing it’s own encryption system, the risk of buying Chinese mobiles, POS machines and computers which may have Manchurian Chips installed or malware installed, the risk of hiring Chinese employees, the risk of transfering IT knowledge to China, Possible use of Bitcoins by China to destabilize Indian economy, have all been highlighted at different points of time.
At the same time Naavi had also brought to the notice of Cert In some time in May 2017 that there was a suspicion that an incident report sent to the email address firstname.lastname@example.org appeared to have been opened in China and the same had been investigated and cleared by CERT- In.
It is therefore no surprise that when the border tensions with China are mounting, there could be a Cyber Attack on India. The CERT-In has issued an advisory indicating that there could be a large scale phishing attack and even an e-mail address such as “email@example.com” could be used in the phishing. This indicated that CERT In had actually identified that an e-mail account by this name could have been created in the Government domain and the same could be linked to China.
It is therefore reasonable to presume that there is a prima facie evidence of an “Attempt to initiate a Cyber Attack” which can be considered as “Cyber Terrorism” under Section 66F of ITA 2000.
If so, the response of CERT-In to issue an advisory of the type they have issued is only the minimum requirement but is grossly insufficient.
CERT In can perhaps warn China that India reserves its right to come out with its evidence and launch a case against China for Cyber Terrorism in an international court.
At the same time, Government should start putting some check on Chinese mobile and laptop sales in India so that the risks of implanted backdoor is curtailed. It was reported that the sale of One Plus 8 mobiles was quickly over booked showing the demand for China products.
Each of these devices could be planted spyware in India and we need to check them before allowing their import. Just as China insisted that Microsoft had to deposit their Windows Code before selling windows computers in China, we have to insist that the codes in OS in Chinese mobiles must be deposited with the Government before allowing import of any mobiles from China.
It is only such strong moves that will have any security impact on China and the advisory on Phishing is a grossly insufficient response.
In its continued effort to prepare the professionals to “Be Ready..Be Compliant…Be Aware”, Cyber Law College and Naavi.org have introduced an on-demand education program on PDPA.
The Program consists of
- 14 hours of video from Naavi
- One hour of live interaction
On completion of the course, the participants will receive the participation certificate from Cyber Law College. They can alternatively also opt to take FDPPI’s Certification program for “Certified Data Protection Professional-Module I” by paying the prescribed examination fee as per the terms of FDPPI.
The program is available for subscription of the video lectures for a period of 3 months.
Simultaneously, a similar online program is also being introduced on Cyber Laws and Information Technology Act.
After the present Personal Data Protection Bill becomes an Act, a free online upgrade session to discuss the changes if any will also be conducted. This course will be revised subsequently with fresh recordings after the Act comes into effect and the people who have subscribed to this version of the course would be given discounted subscription for the post-Act version of the course.
PDPSI (Personal Data Protection Framework) is one of the suggested frameworks for compliance of the data protection regulations, like the BS10012 or ISO 27701.
PDPSI framework tries to address the requirements of the Data Fiduciaries/Data Processors incorporating all the best practices under the international frameworks and extending it to meet some of the difficulties that are encountered by the implementing agencies.
In this article, I try to explain a few concepts which are necessary to adopt PDPSI framework for compliance of data protection regulations. (Please refer to www.pdpsi.in where there are many other articles on the framework)
We often use the terms Data Protection and Information Security as synonyms. However with the advent of strong Personal Data Protection regulations like the GDPR and the forthcoming Indian PDPA, there is now a need to distinguish the terms Data Protection and Personal Data Protection. If we would like to use the term “Data Protection” only in the context of “Personal Data Protection”, then we should use the term “Information Security” for referring to “Protection of Non Personal Data”.
We should adopt this convention and also distinguish the two terms in terms of implementation of any compliance requirements.
“Data” is generally recognized as an “Asset” of an organization. It is often generated within the operations of the organization and some times acquired at a cost.
The Objective of any commercial organization is to earn legitimate profits in business by using its assets. Hence companies which want to use Data as a raw material for their business activity are well within their rights.
While processing “Data”, the organization has to recognize that the subset “Personal Data” requires a separate treatment because it has to be compliant with the applicable laws.
“Personal Data” is like the hazardous inventory that an Inventory Manager has to confront with, storing and processing of which requires the special knowledge of the data protection laws. It is for this reason that while the CISO handles the responsibilities of securing the Data asset in an organization and a Data Governance Manager/Officer (DGO) handles the responsibilities of ensuring the productive use of Data asset of an organization, the Personal Data Protection Officer (DPO) is assigned the special role of protecting the Personal Data which is in the custody of an organization.
While the DGO and CISO handle the “Non Personal Data” from the management and security perspective, the DPO needs to handle the “Personal Data” both from the point of view of management and also from the point of view of security.
The DPO will determine how productively personal data can be used and also how to secure it as per the law. Since the processing of the personal information should conform to the requirements of the relevant data protection regulation, a proper compliance of this provision requires
a) Classification of data as Personal data
b) Identifying the purpose of processing
c) Identifying the lawful means of processing
The Data Protection laws place a high reliance on the “Informed Consent”. But at the same time, they also recognize that some times, obtaining “Consent” may be practically not feasible and in such cases factor in exemptions and derogations. Additionally emergencies and public interest also have to be recognized.
Beyond all these lies the concept of “Legitimate Interest of the Data Fiduciary/Data Controller”.
While “Purpose” is the end objective of processing, “Means” is the path through which the objective is achieved. In the context of Data Processing, Purpose and Means are closely related and often used synonymous.
In view of the different purposes of processing permitted under the data protection laws, the Data Fiduciary/Data Controller can use an appropriate means of processing of personal data which may fall into any of the 5 categories indicated in the following diagram.
Purpose of processing which is “Unlawful” is obviously out of consideration of a Data Fiduciary.
Those purposes of processing which are not covered by the exemptions and derogations and are also not covered under the consent or emergencies have to be considered under the “Legitimate Interest of the Data Fiduciary”.
Any other purpose would be considered as “Non compliant”.
The management of the “Legitimate Interest” of the organization in a manner in which personal data remains to be productive without increasing the risk of non compliance of data protection regulations is the challenge that the DPO has to handle.
However, the DPO has to appreciate that most data protection laws try to draw a line between “Legitimate Interest” and “Harming the Privacy Right of Data Principals(Also called Data Subjects)”. The boundary of the legitimate interest argument is the unacceptable harm caused to the data principal.
One extreme view of Privacy activists has always been that “Privacy is Paramount”. If this argument is accepted then there is “No Legitimate Interest argument”. Either there should be a public duty or legal compulsion of some sort (which includes the self legal defense) or there should be a “Consent”.
However, as long as the term “Legitimate Interest” remains in the legislation (Both GDPR and PDPA use this term)
GDPR recital 47 states
“The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller….
the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place…
The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned…
The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
The Indian PDPA as proposed indicates under Section 22(d) that every data fiduciary shall indicate the legitimate interest in the Privacy by Design policy which is approved by the DPA and hence becomes an “Approved Objective of Processing”. The Indian law has reduced the uncertainties between what the Data Fiduciary may consider as the “Legitimate Interest” and what the privacy activist may consider as an “Intrusion of Privacy” by bringing in the concept of “Privacy By Design Policy” which is a document that is filed with the DPA at the time of registration of a Significant Data Fiduciary.
In the light of the above, let us now introduce how PDPSI tries to address the legitimate interest of a business.
PDPSI differs from other frameworks such as ISO27701 or BS 10012 as it tries to bring in a concept of ” Unified Data Protection Program”. Both ISO27701 and BS 10012 address the PIMS for GDPR. PDPSI on the other hand addresses PIMS for PDPA-India, GDPR-PDPA-Singapore,CCPA, Dubai DPA, UK DPA., etc. It is a single framework which branches off into individual compliance requirements. It also encourages the technical architecture that supports the need for multiple data protection requirements.
The identification of what falls under the “Legitimate Interest” is the responsibility of the apex Governance committee for Personal Data Protection. This apex committee which may be called by names such as the Personal Data Protection Committee or by any other name should have representation of
1) At least one Independent Director of the Company
2) The CEO
3) The DPO
4) The CISO
5) The CTO
6) The CCO
7) One or more Business managers
8) HR Manager
9) Data Governance Manager (if any)
The designation of a DPO without conflicting responsibilities and constitution of this committee is an essential starting point for compliance of PDPA and PDPSI places a significant weightage on this aspect.
In the committee, proposition of what should constitute the legitimate interest of the organization beyond what is otherwise permitted should be discussed and approved into the charter of implementation.
As a process,
the legitimate interest discussion stems from a business proposition by the Business Manager that is converted into a technical process by the CTO and approved by the CISO but objected to by the DPO.
The DPO may raise objections for the reason that the identified process and the purpose may infringe on the Privacy rights of a data principal.
The Committee has to deliberate and arrive at a consensus on why the suggested process is necessary for the business and what safeguards can be introduced based on the suggestions of the DPO.
Following this, the process will be part of the Privacy By Design Policy or a DPIA and in both cases, Indian law envisages an approval from the DPA. If the DPA suggests any modifications, the process has to be discussed once again and approved.
The DPO on his own may have to refrain from a unilateral decision since the determination of the legitimate interest has an impact on every other business functionary and should carry the concurrence of the top management.
We shall explore more on how PDPSI achieves this unified data protection implementation in the follow up articles.
(To Be Continued)
In the aftermath of the Chinese aggression, there is a small section of people in India who are trying to show their patriotism by trying to opposing the use of “Zoom” as the video conferencing application. As a person who had highlighted the “China Risk” decades back and expressed unhappiness with our IT Companies opening offices in China and transferring the IT knowledge to then not so knowledgeable Chinese, I would like to state that the current show of patriotism through “Zoom Bashing” is not warranted. In a way it is diverting attention from other actionable thoughts which would be more useful.
First of all I would like to state that Zoom is not a Chinese company since the revenue of Zoom is not going to China nor the Government of China has control over the company. It is a US company promoted and managed by a Chinese entrepreneur who is said to have become a US Citizen in 2007. (Refer here: Zoom CEO says Company is American). Today, an Indian may be a CEO of Google or Facebook but they are not considered as Indian Companies.
The security issues raised against Zoom have been addressed already and pointed out that there are no concerns left. (Refer here: When Zoom got Bombed) There have been many instances of US companies including the major companies where it is believed that they have systematically shared confidential customer data with the FBI or the US Government. In the Zoom case, people are wrongly assuming that the data of video conferences are being spied on by Chinese Government. This is not correct, While Zoom does maintain servers in China like in many other countries, there is an option to configure that the servers in China are not used by users.
Those who are opposing Zoom as a Chinese product are mislead by their business rivals who had lost their business. Even MHA issued its guidelines without properly assessing the issue under the possible influence of the business rivals of Zoom. We must call this bluff.
On the other hand where there is need for action is in the area of various computer supplies that are coming from China which include our mobile phones and computers. Most of the Chinese models have been suspected to have back doors for listening into the conversations or tapping into data or even immobilize the equipments. The recent seizure of mobiles with duplicate IMEI indicates that Chinese manufacturers deliberately duplicate IMEI numbers and vitiate the control systems which affect crime management. UK have once found Manchurian Chips in the POS machines supplied from China. We still use such POS machines even for Aadhaar based biometric connectivity. Even some mobiles assembled in India with the chips supplied by China may have similar risks
There have been instances of Chinese planting their people as spies in Indian companies who have diverted key information in projects to China. The work in China about Cyber warfare and in Quantum computing continues to be a threat in India. Indian Telecom industry is completely under the control of Chinese products which may be having a backdoor. When the Government of India set up a committee led by IISC, Bangalore for security certification of Chines equipments (under the previous UPA rule), the Government allowed Huawei to be the sponsor for the project, allowing them to influence the committee which as could be expected didnot do anything to secure the Indian interests.
Presently major mobile apps including Swiggy, Zomato, PayTm, Flipkart,Make My Trip etc have funding from China which provides access to the information. Major computers like Acer, Lenovo etc or mobiles including Oppo, Vivo, One Plus, Redmi, Xiomi etc are assembled and supplied from China. The manufacturing sector also has many products dumped in India from China. The dependency is today so high that any action to boycott China could boomerang on India and we have to do it with finesse not abrasively.
I would call upon the partriots who are opposing Zoom today to leave Zoom and try what we can do in the long term to reduce the dependence of China. Most of our small scale, Tiny scale industries were closed down because they were not competitive against Chinese imports. We therefore need to reintroduce our tariff barriers against China so that simple plastic products which involve no technology donot take away our precious foreign exchange. We need to ensure that every small product which we import from China today need to be identified for manufacturing in India. Governments both in the Center and the State has to focus on “Import Substitution for Chinese products” and initiate dialogue with entrepreneurs and create hundreds of small scale industries to substitute the Chinese products. We need to see industrial estates created for such import substitution the way “China market” is created for selling Chinese products.
Let’s therefore stop Zoom bashing and take up constructive projects for “Independence from China Products”. This will be a long drawn battle which will need at least 5 years to even see the effect. But this is required and will also improve our economy. People however have to be patient and wait for quality improvement and price reduction happening over time.
In the meantime we need to ensure that all products sold on Amazon or Flipkart carry the “Country of Origin” tag so that consumers can take their own decision whether to buy Chinese products or not.
A similar tag can also be placed on software products as an information to the buyers. But MHA or CERT In should do their homework properly and donot wrongly classify Zoom as a Chinese product because the CEO is a Chinese.
In manufactured products we can look at the Chinese economic content in the product to decide whether we should discourage the purchase. In the case of electronic product what is more important is whether the Chinese Government has control over the data processed by the equipments/software. So, for computer products, “Risk of China spying on data” should be recognized and flagged.
If activists focus on what can bring results in taming China, they will have to re-think their misplaced aggression on Zoom.
State bank of India became one of the first Bankers to call for applications for the appointment of a “Data Protection Officer”. It has recently released an advertisement calling for applications.
It is good to know that the Bank has recognized the need for an exclusive officer. But it is clear that this is driven more from the international demand from their branches out of India who should have received notices from some supervisory authorities rather than a realization that data protection is a necessity of business.
The educational qualification indicated is
Basic: Graduation or its equivalent
Preferred Professional Certification:
Certified EU GDPR Foundation,
CIPP (Certified Information Privacy Professional),
CIPT (Certified Information Privacy Technologist),
CIPM (Certified Information Privacy Manager) etc
Post qualification work experience required is
Basic: Minimum 15 years’ post qualification work experience (as on 01.04.2020) as executive/ Supervisor in Corporate Sector out of which at least 10 years’ experience should be in BFSI Sector.
Preferred: Experience in Data Privacy Laws & Regulations and other Data Security areas with associated IT skills.
The age restriction is 55 years and the appointment is a contractual for 2 years.
The special skills required have been indicated as follows:
• Highly developed specialist knowledge in the General Data Privacy Regulation underpinned by theory and experience.
• Evidence of continuing professional and/ or personal self- development.
• Expert knowledge of data privacy laws and practices.
• Exposure to Data Privacy laws & regulations such as General Data Protection Regulation “GDPR”), UK Data Protection Act 1998 etc.
• Knowledge of Information lifecycle, risk management & data security areas.
• Extensive knowledge of Information Governance disciplines.
• Skill of interpretation of national guidance and legislation and subsequent local implementation.
• Flair for managing staff and implementing budgets. Training Delivery.
• Capacity to work with cross functional teams, attention to detail, organizational skills and multitasking.
• Strong management, motivational & leadership skills with ability to drive large change management programs within organizations.
• Ability to maintain confidentiality and deal with situations in a sensitive manner.
• Ability to communicate across all organizational boundaries in an appropriate manner.
In the above job description and indicated qualification, there is no mention of the Indian law for data protection either on the basis of the Information Technology Act 2000/8 or the proposed Data Protection Act.
However, we can presume that “etc” at various places includes the knowledge of Indian regulations and it will be taken into account when candidates are screened.
This is an indication that other Banks will also start thinking of such positions shortly and the career opportunities for “Data Protection Professionals” will start opening up.
Interested persons can visit this link and get more details.