First Sector Specific Privacy Law likely on Health Information in India

At a time when there is a raging debate on whether the health status of a leader like Ms Jayalalitha should be made public or held confidential, and whether unnecessary secrecy breeds rumours or confidentiality is essential for public peace, the Government of India has expressed its intention to bring in a Bill to provide “Privacy Rights to Individuals on their Health Data”.

Refer Article here

As per the news report, the Union Health Ministry is contemplating a new legislation tentatively titled “Healthcare Data Privacy and Security Act” (HDPSA) to devise a “comprehensive legal framework” for “Protection of individual health data” and “Standardization”. The statement released in the Press also says that the law will “Identify Ownership” of the data through establishment of a “National e-Health Authority” and “Health Information Exchanges”.

The law will also have “Detailed remedies for breach of data”, with both Civil and Criminal penalties, entitling the patient to compensation if data is leaked as well as severe punitive action against “Agencies responsible”.

It also speaks about the “Consent” to be obtained from the patient.

The law appears to have been influenced by the need for “Interoperability of Electronic Health Records (EHR)” and sounds much like the HIPAA of 1996 in USA.

It is clear that the law will follow the standard principles of privacy revolving around authorization of collection of information based on prescription and obtaining of consent of the patient. Collected data should follow the principles of minimal collection. Data Breach notification to the owner would be part of the legislation.

The mention of what is called “Information Exchanges” indicates regulation of IT facilities including Mobile App companies, with a registration requirement with a National Authority to be set up and a consequential “Compliance Regime”.

Like the HIPAA, there will be Unique registration numbers assigned to every health facility starting with the public sector.

A new “E-Cloud Repository” for real time health data is also envisaged.

A New Adjudicatory and Appellate Authority is also likely to be set up.

The legislation should be considered a huge step in Health Care Regulation in India, just as HIPAA made a seminal difference to the industry. There is a clear overlap of the proposed law with the Information Technology Act, which already defines “Health Information of an Individual” as “Sensitive Personal Information” and prescribes “Reasonable Security Practice”.

However, given the slackness of the Ministry of IT in implementing the provisions of ITA 2000/8, the emergence of the new “Healthcare Data Privacy and Security Act” or HDPSA could provide good competition to ITA 2008 in redefining the standards of “Data Security” in India.

We therefore welcome the proposed new legislation.

HIPAA legislation in the USA, implemented through the HHS, is a model law which is worth emulating not only from the point of view of the basic provisions but also in how it needs to be implemented in the industry.

We hope that HDPSA will also be taken through similar steps of “Receiving Comments from Public” on the draft provisions at every stage of its implementation and “Providing a Compliance Timeline” for the industry, unlike the ITA 2000/8 implementation which occurred through MCIT.

Watch out for more comments…

Naavi

Further Information on this Proposed Act will be covered through www.hdpsa.in

Posted in Cyber Law

Privacy and Media: Do we need a Sector Specific Privacy law?

Media is considered the fourth pillar of democracy and a “Free Press” is considered the hallmark of a mature democratic society. The same society also holds the “Privacy Right” in high esteem. But often the “Privacy Right” of individuals clashes with the “Freedom of the Press” to disseminate information.

Just as the Privacy Vs Security debate is important, Privacy Vs Free Press debate is also important for the greater good of the community.

Today, Media is also an “Industry” as much as “Health Care” or “BFSI” or “Outsourcing”. Worldwide there has been an attempt to develop sector specific laws to address Privacy Issues which cannot be effectively handled through the approach of an omnibus Privacy Protection law which some countries try to practice.

In this connection, a debate is due on whether there should be an attempt at a specific Privacy Law addressing the needs of the Media Industry.

In this competitive world of “One-Upmanship Journalism” and “24 hour TV news Channels”, media chases revenue through higher Readership or Viewership ratings, ignoring the “Ethics” which was once a hallmark of good journalism.

In this context of competitive reporting, “Breaking News” and “Investigative Journalism” have become important business strategies for the media. This often leads to a “Media Trial” and “Misreporting” where the “Privacy Rights” of individuals go for a toss.

We can look at some examples to appreciate how Media, in its bid to outdo others, often hurts the privacy rights of others.

Presently the Complaint of Mr Ratan Tata lies in the Indian Supreme Court concerning his Privacy rights in the Nira Radia Tape issue. The recorded telephonic conversations, which were captured by the Income Tax department for their investigation of possible tax evasion by a PR Professional, Ms Nira Radia, and her firm, were leaked into the public domain because the Tax department failed to manage “Information Security” at their end. The eager media, trying to expose the political machinations of Nira Radia, also brought into the open her telephonic conversations with Mr Ratan Tata which, according to his complaint, had no public interest component.

In the Sheena Bora murder case, TV channels conducted their own investigations and dragged a forgotten ex-husband of Indrani Mukherjee into TV studios, unmindful of the damage to his own family, his wife and children.

In both these cases, Media had no respect for the Privacy rights of the individuals. There are many instances of irresponsible political criticism in which politicians freely infringe on the privacy of individuals and, when challenged, simply escape the defamation charge with an apology.

Media keeps publishing such stories without any respect for the privacy of the politicians on the ground that a “Public Servant has no right to Privacy”.

At the same time, we also observe that there are instances where Media tries to show a holier-than-thou attitude and goes out of the way to protect the privacy of information which perhaps requires to be disclosed in public interest.

A few months back, two Companies in Mumbai were reported to have paid a ransom of $5 million each to hackers who threatened to disclose some corporate data which they had hacked into. The Companies paid the ransom but succeeded in ensuring that no publication revealed the names of the companies who had suffered the data breach.

The fact that the companies considered that they could pay a ransom of $5 million to keep the data under wraps indicated that probably the revelation might have uncovered an illegal activity which could have caused a huge embarrassment to the company.

But media wanted to protect the “Confidentiality” of the identity of the companies to protect their reputation. Though “Protection of Confidentiality of a Company’s identity” is not the same as “Protecting the identity of an individual” in the context of Privacy Rights, media misunderstood the need to protect a corporate interest, where there was a public interest for disclosure, as a “Privacy Issue”, where there was a duty to disclose.

In a similar manner, the health status of important leaders like Ms Sonia Gandhi and J. Jayalalitha has been kept under wraps though there is a public interest involved in such information.

There are also many instances of information involving Judicial Authorities where there is a public interest involved but the information does not become news since there is the fear of “Contempt of Court” proceedings.

This inconsistent approach to “Protection of Privacy” and “Confidentiality of Information” by media indicates that perhaps there is a need to think of a sectoral Privacy law exclusively directed to provide a guideline to the Media on how to handle Private information.

I am aware that any such hint would immediately be jumped upon by media as “Regressive”, “Draconian” etc.

But the same media would not hesitate to bring new legislation on Social Media including “WhatsApp” or “Facebook” or “Twitter”.

Presently, even the Delhi High Court in its judgement on the WhatsApp Privacy Policy has commented that the services such as WhatsApp may be regulated by the Government.

“Why should “Social Media” be subjected to a different “Privacy Law” than the “Conventional Media”?” is a point we need to discuss.

If regulation of Privacy in Social Media is acceptable, we should also be able to consider a Privacy regulation for the conventional media to ensure the protection of Privacy in media coverage.

Perhaps this “Privacy Law for the Media Industry” will attempt to strike a balance between the Right to Privacy and Right to Free Expression in such a manner that without hurting the fourth pillar of democracy which is the “Free Press”, we usher in an era of “Decent Journalism”.

In structuring the “Privacy laws for the Media”, we need to incorporate the role of Media and Social Media: when does “One to one Messaging” become “Publishing”; how the “Advertising Norms” and “Press Council Norms” are to be integrated; and how the law of Contempt of Court or Copyright, to the extent they affect the media, may also be addressed. Obviously, there will be some aspects of “Prevention of Press Censorship” or “Dispute Resolution Mechanism” which should also be integrated with such a law.

Comments?

Naavi

Posted in Cyber Law

Webcams used to mount a DDOS attack

In an interesting report highlighting the new dimensions of Cyber threats that may arise from IoT (Internet of Things) devices, BBC reported (Refer article here) that a webhosting company, OVH, suffered a DDOS attack from an army of Webcams acting as Zombies remotely controlled by the attacker. This is reported to be perhaps the largest DDOS attack, with more than one terabit of data being fired at the server to bring it down.

The attack was mounted by around 145000 web cams acting as a botnet and indicates how the large number of devices capable of being connected to a server and sending data could be misused by hackers to redirect the data towards a single server and cause the server to be brought down.

According to security experts such attacks could be easily executed using tools available on the net with minimal amount of skills required.

With more and more devices under IoT getting connected through internet, there is an urgent need to ensure that enough security is built into the device to prevent this sort of hacking. This also means that professionals who install such devices as smart Webcams or other smart devices should have a reasonable knowledge of information security and configure the devices with suitable information security controls.

Some of these controls need to be enabled at the time of manufacturing of the PLCs (Programmable Logic Controllers) that may drive such devices and the quality certifications of such devices should include their security evaluations.

India is dreaming of Smart Cities, smart Trains and various other devices where off-the-shelf devices are likely to be used with default security configurations, which create the security vulnerabilities that can be exploited.
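The two preceding paragraphs argue that installers should check devices against known default-configuration weaknesses before they go live. The following is an added example, not code from the original post nor from BBC or OVH, of what such a pre-deployment audit can look like: it parses a constructed device inventory (the column names `wan_telnet`, `wan_admin_ui`, `upnp`, `auto_update` and the default-credential list are assumptions made for this example), scores each device, and lists the ones that should not be connected to the internet as configured.

```python
import csv
import io
from dataclasses import dataclass

# Constructed placeholder list of vendor-default credential pairs to flag.
# A real deployment would take this from the vendor's own documentation.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "1234"), ("root", "")}

# Constructed sample inventory in the CSV shape an installer might export.
# Flags: telnet / admin web UI reachable from the internet, UPnP on, auto-update on.
SAMPLE_INVENTORY = """\
name,username,password,firmware,latest_firmware,wan_telnet,wan_admin_ui,upnp,auto_update
cam-lobby-01,admin,admin,1.2.0,1.4.1,yes,yes,yes,no
cam-parking-02,installer,K7!mq2vP9xLz4w,1.4.1,1.4.1,no,no,no,yes
cam-dock-03,admin,Summer2016,1.3.0,1.4.1,no,yes,no,no
"""


@dataclass
class Device:
    name: str
    username: str
    password: str
    firmware: str
    latest_firmware: str
    wan_telnet: bool
    wan_admin_ui: bool
    upnp: bool
    auto_update: bool


@dataclass
class Finding:
    device: str
    severity: str  # "high" or "medium"
    issue: str


def _flag(value: str) -> bool:
    return value.strip().lower() in {"yes", "true", "1"}


def _version(v: str) -> tuple:
    # "1.4.1" -> (1, 4, 1) so versions compare numerically rather than as text
    return tuple(int(part) for part in v.strip().split("."))


def parse_inventory(text: str) -> list:
    """Turn the CSV export into Device records."""
    devices = []
    for row in csv.DictReader(io.StringIO(text)):
        devices.append(Device(
            name=row["name"], username=row["username"], password=row["password"],
            firmware=row["firmware"], latest_firmware=row["latest_firmware"],
            wan_telnet=_flag(row["wan_telnet"]), wan_admin_ui=_flag(row["wan_admin_ui"]),
            upnp=_flag(row["upnp"]), auto_update=_flag(row["auto_update"]),
        ))
    return devices


def audit_device(d: Device) -> list:
    """Apply the hardening checks to one device and return its findings."""
    findings = []
    if (d.username, d.password) in DEFAULT_CREDENTIALS:
        findings.append(Finding(d.name, "high", "vendor default credentials still in use"))
    elif len(d.password) < 12:
        findings.append(Finding(d.name, "medium", "password shorter than 12 characters"))
    if d.wan_telnet:
        findings.append(Finding(d.name, "high", "telnet reachable from the internet"))
    if d.wan_admin_ui:
        findings.append(Finding(d.name, "high", "admin web interface reachable from the internet"))
    if d.upnp:
        findings.append(Finding(d.name, "medium", "UPnP enabled: device can open router ports by itself"))
    if _version(d.firmware) < _version(d.latest_firmware):
        findings.append(Finding(d.name, "high", f"firmware {d.firmware} behind latest {d.latest_firmware}"))
    if not d.auto_update:
        findings.append(Finding(d.name, "medium", "automatic firmware updates disabled"))
    return findings


def audit_inventory(text: str) -> dict:
    """Map each device name to its list of findings."""
    return {d.name: audit_device(d) for d in parse_inventory(text)}


def deployment_blockers(report: dict) -> list:
    """Devices with at least one high-severity finding; do not connect these as-is."""
    return sorted(name for name, findings in report.items()
                  if any(f.severity == "high" for f in findings))


if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY)
    for name, findings in report.items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print(f"  [{f.severity}] {f.issue}")
    print("do not deploy:", deployment_blockers(report))
```

The checks map directly onto what turns a camera into a botnet member: credentials anyone can guess, a management service exposed to the whole internet, and firmware that will never receive the fix. Any device with a high finding is held back until the installer has changed the password, moved management behind the LAN or a VPN, and updated the firmware.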

Hopefully the corporate security professionals will wake up to this new type of emerging threat which uses “Physical Security Devices” and creates “Cyber Security Issues”.

Naavi

Posted in Cyber Law

IRDA mandates insurance data to be held within India

It is reported that the Insurance Regulatory and Development Authority of India (IRDA) has mandated that the Indian Insurance companies should store all critical customer data in domestic servers within the next 3 to 6 months. (See article here)

This would mean that many of the Insurance companies which have joint ventures and are storing their data in foreign servers (or on the cloud) will now be required to set up new data centers in India so that Customer data does not move out of India.

It is expected that this move would require substantial investments from these insurance companies such as Tata AIG, Bharti AXA, ICICI Lombard, Birla Sunlife, Bajaj Alliance etc.

The decision follows the issue of the Outsourcing guidelines which inter alia indicate the following norms.

According to the guidelines, only Indian companies can be the outsource agents though there is a provision to approve any other authority that may be approved by IRDA.

The guidelines also suggest that the Insurance company has to ensure that the outsourcing agency has adequate information security measures and also conduct periodical audit of the outsourcing arrangement.

A detailed guideline of the clauses that the outsourcing contract must have has also been indicated in the exposure draft.

Though the guideline only reiterates some of the known principles of Information security for management of outsourcing agencies which are already in place in case of other regulated industries such as the Banks, it brings in a new focus on the Insurance companies and the need for storing the data within India.

Naavi

Posted in Cyber Law

Proliferation of Regulations: is itself a Risk to be managed

The multiplicity of frameworks trying to compete with each other on how the “Privacy” of an individual has to be protected has created a web of confusion in Corporate circles, since all managements ultimately have limited resources and have to balance their compliance activities, in the form of audits, generation of reports etc, with their commercial limitations.

If there is an Indian Company having 10% of its business in EU data processing, 10% of business from HIPAA entities and the balance in India, and it would use the cloud services of Amazon, it needs to address questions such as:

– Should I opt for compliance with ISO 27001/27018, HIPAA-HITECH Act, GDPR or ITA 2008?

– Besides these, what about other security frameworks such as PCI DSS which may also be applicable?

– How practical is it to consider compliance with all regulations concurrently… which is of course the ideal approach?

I am sure that the Privacy Professionals attached to these companies will be scrambling to develop Excel sheets showing the mapping of controls meant for one framework with the other. They will try to prove that if I am ISO 27001 certified, I am already deemed to have been compliant with ITA 2008 or HIPAA or an EU data protection requirement.

However, since most frameworks are also insisting on “Certifications” from an “Accredited” “Certification Agency”, the plight of an organization does not end with “Being Compliant” and would require “Documenting that it is Compliant”.

While this is certainly good for agencies that provide “Certifications”, “Conduct Seminars/Training Programs”, “Sell Compliance Manuals” etc (and also for consultants), one needs to pause and think whether we are going overboard with the proliferation of regulations to the extent that one day organizations will revolt by ignoring compliance.

It could then be a field day for Dispute Resolution Managers (which includes the undersigned, who proposes to manage an online dispute resolution mechanism under odrglobal.in) and the legal firms who specialize in such matters.

But in the interest of the industry in general we need to see how we mitigate the “Privacy Regulation Proliferation Risk”.

At the end of the day, the objective of all Privacy Regulations is to ensure that an individual’s identity information is protected from the time it is collected by an organization, through the life cycle of its usage and until it is destroyed.

The key instruments of such protection are “Disclosure”, “Consent”, “Security”, “Destruction” and above all “Ethical Usage”.

The different frameworks may differ in the detailing of how these objectives are met and how the measures of compliance are documented, audited and reported.

If therefore there is a strong common framework that addresses the principles of Privacy protection, it should suffice.

We must recognize that no framework is in a position to completely deny the powers of an authority to demand information for national security reasons.

Hence the principle of “Privacy Right subject to reasonable Regulations” will continue to rule. The problem of the empowered law enforcement authorities themselves not following the laid down principles is a risk that no framework can address effectively.

Currently, the emphasis of privacy regulation appears to be veering towards strict enforcement with hefty fines. The GDPR proposition of 4% of global turnover appears insane.

The fines that are being contemplated and imposed under HIPAA and EU guidelines will all be transferred to the Business Associates in India through the Business Associate Contracts. The validity of such contracts is further fortified by the ITA 2000/8. Therefore these penalties need to be taken note of by the Indian companies who have a stake in the Data Processing Business.

But it is clear that the million and billion dollar penalties which are being brandished about in the US and EU market can only be indemnified by Indian companies on paper and never fulfilled without simply closing down their business. Even if they are to be insured, the insurance will be expensive and the insurers will limit their own liabilities by various means.

If, therefore, one takes the penalties seriously, tries to comply and obtains Cyber Insurance coverage to meet the contingencies, then these regulations would have such a devastating effect on the Indian outsourcing industry that costs are going to increase astronomically. The increasing costs will only make the competitive edge vanish and harm even the US and EU companies.

It is therefore the responsibility of NASSCOM and other industry organizations to deliberate how these competing and potentially crippling privacy regulations could affect our industry in general, and what steps need to be taken to provide a protective umbrella to Indian companies so that they are not dragged to international arbitration for billion dollar penalties at the drop of a hat.

On the other hand, the Companies also have to organize their own compliance activities in such a manner that they address the compliance efforts in proportion to the risk of penalties. In this context, the managements need to realize that if they are operating in India, then they are exposed to the requirements of the Information Technology Act 2000/8, where the penalties for non-compliance are “Unlimited” in civil terms and could also result in the imprisonment of the CEO and top executives for 3 to 7 years or more for non-compliance.

Prudent managements realize that a “Law is as effective as its enforcement machinery”. Sometimes this is interpreted to mean that they can always manage the Indian law enforcement even if they are caught in a non-compliant state. However, we need to realize that Indian law has the immediate jurisdiction to enforce, whereas the international regulations have to hit through arbitration on contractual agreements and further through international treaties. In this aspect we can say that Indian laws are more threatening to Companies in India than the international laws.

Remember that the local police station, where an inspector has the jurisdiction to strike, is only across the road, and sometimes non-compliance with Indian laws may easily make him come hunting. Hence compliance with Indian laws cannot be ignored, though for many organizations it is fashionable to be compliant with international regulations and ignore local laws. This is clear from the fact that there may be more companies in India which are “Patriot Act Compliant” than “ITA 2008 compliant”.

While the industry should continue to deliberate on the methods for “Mitigation of Privacy Regulation Proliferation” there are certain initiatives that are required to be taken by the Government and the organizations such as NASSCOM and STPI if they need to provide a sense of security to businesses in India. I will try to bring it up for discussion some time later.

I hope sufficient attention would be given to this aspect in the coming days by the Government.

Naavi

Posted in Cyber Law

New Privacy Compliance Initiative from Naavi.org

Naavi.org has been working in the area of Cyber Law Compliance in various forms. While Naavi.org focuses on building awareness of Cyber Law, Cyber Law College focuses more on formal corporate training and educational programs.

ITA2008.in provides the basic information on ITA 2000/8. Cyber Lawguru.com and the android app “Cyberlawguru” provide interaction with the public for clarifying issues related to Cyber Law.

The services such as ceac.in, odrglobal.in and cyber-notice.in are focussing on different aspects of resolving issues arising out of non-compliance with Cyber Laws such as ITA 2000/8.

Cyberinsurance.org.in and ujvala.in are other related web initiatives to build awareness about different related issues. Lookalikes.in and domaineering.org are other initiatives on resolving domain name disputes.

Yesterday, there was an important conference in Bangalore organized by the Indian Bar Association (INBA) and the International Association of Privacy Professionals (IAPP) where the challenges of the emerging global privacy compliance scenario arising out of the new regulations from the EU community were discussed. As a follow-up of the deliberations, it appears that there is a need for a focussed dissemination of Privacy related information relevant to India, on lines similar to how Naavi.org emerged out of the need to build awareness about ITA 2000.

Naavi has already been working in the area of HIPAA compliance as a compliance consultant along with similar consultancy regarding data protection aspects involved in ITA 2008 compliance. Naavi.org has been an instrument of building awareness of ITA2008 compliance as well as HIPAA compliance.

In the light of the new developments in the EU privacy scenario which will have a ripple effect across the globe, it is felt that India needs to take up fresh initiatives in the area of compliance to the emerging global data protection regulation regime.

While India may or may not pass a separate Privacy Protection law, the need to comply with the regulations existing as a “Standard” or as a “Best Practice” in the global scenario is critical for the Indian IT/BPO industry.

In order to contribute towards this goal of better Privacy Compliance in India, Naavi.org has now decided to present relevant information related to “Privacy with special reference to India” through its new web site www.privacy.ind.in (Privacy Knowledge Center).

Presently, privacy.ind.in will host information and articles on the privacy protection regime as collated and presented by Naavi. It may therefore start as a blog with the views of Naavi.

However, as and when other interested professionals contribute their views it is expected that this would become a platform for expression of all information related to Privacy Protection in India and assume the nature of a portal.

I invite Privacy professionals in India to contribute to this initiative and make it a success in the general interest of the Indian IT/BPO industry.

Naavi


Posted in Cyber Law