On January 19, FDPPI launched a “Privacy Pledge” program inviting professionals to take a pledge as a mark of celebrating Privacy Day 2023.
The Pledge stated as follows:
Pledge of Data Privacy
On the occasion of International Data Privacy Day 2023, I hereby take a voluntary pledge to uphold the cause of “Privacy as a Human Right” by taking all steps necessary for Protection and Privacy of Personal data which I shall come across in my Professional and Personal life with due regard to the Principles of Fairness and Lawfulness of processing.
I shall adhere to the requirement of obtaining informed consent of the data principals whose personal information comes within my control and shall use, disclose such information only as per the choice of the data principal and in accordance with the applicable laws.
I shall adhere to the principle of Minimal and purpose oriented Collection of personal data and shall ensure that it shall be shared only on a need to know basis.
I shall take necessary steps to stop using personal information if the purpose for which it came into my possession has been completed.
I shall take necessary steps to ensure that the personal data is kept updated from time to time.
I shall not disclose the personal information except as provided under law or in the genuine interest of the individual or the community.
I shall at all times take steps to ensure the security of the personal data from unauthorized access or modification or denial of access for authorized purposes.
I shall take all necessary steps to comply with the data protection law with regard to reporting of data breach or any other requirement of compliance.
I shall endeavour to keep myself aware of the data protection laws and also spread awareness in my organization and with my professional and personal contacts.
Those who took the pledge through the link were issued a Certificate of pledge in acknowledgement of their action.
Today, I was pleasantly surprised to see that another Privacy Organization in India, namely DSCI, also initiated a Privacy Pledge Program with the following pledge.
This Data Privacy Day, I reaffirm my commitment to the spirit of Privacy and Pledge to:
Though the contents of the pledge are slightly different from the FDPPI pledge, I am glad to note that “Requesting and Obtaining the pledge from an individual as a demonstration of his commitment to a cause” has become a trend.
While the DSCI pledge is more towards the individual protecting his own privacy right, the FDPPI pledge is directed to protecting the Privacy of the community of which the professional is a part.
We may observe that one of the elements of this model which is meant for “Motivating a Privacy and Data Protection Culture” in an organization is “Acceptance” that follows “Awareness”.
It has been my firm belief, which I first propounded as a “Theory of IS Motivation” in September 2009 and used as part of the Ujvala Framework of HIPAA compliance Audit, that merely creating “Awareness” about a law among the employees would not convert itself into action. Hence we require a Commitment from the employees in writing.
While getting a written commitment does not mean that an employee cannot still violate the commitment, at least it will create an ethical barrier which the employee will have to cross before violating the commitment.
Hence this principle was included in the PDPSI (Personal Data Protection Standard of India). Now the “Pentagon model” has been upgraded into a “Hexagon Model” and included in PDPSI-Version 2023. The addition is “Role Identification”.
In the PDPSI (those who have not studied the PDPSI framework may request Naavi for more information), one of the key Model Implementation Specifications (MIS) is “Distributed Responsibility”. Under distributed responsibility, every employee of an organization is expected to shoulder the responsibility of a DPO at his data control space. This may at first glance appear to be different from the “Accountability” principle for an organization where one “Designated DPO” is required to take the responsibility for Privacy and Data Protection. But I think it is an extension of the same at the micro level. While the designated DPO continues to be accountable to the external world, within the organization he needs to be supported by every employee who as part of his work gets access to personal data and can misuse it if he wants before the control catches him/her.
In this direction the detailed standard/specifications suggest recognition of “Internal Data Controllers” and “Internal Data Processors” where individual employees will shoulder responsibility to ensure that the Data Protection Principles are always followed. This is also relevant in case of “Unstructured Data in the possession of an employee”.
Hence after being aware of the Data Protection Requirements and accepting it, the employee has to also identify himself as the Internal Data Controller or Internal Data Processor with reference to a specific micro level of activity and apply his Internal DPO obligations accordingly.
Hence “Role Identification” has now been added to the Pentagon Model to re-define the Motivational framework for Data Protection implementation in an organization. The “Tools” represent the Policies, the different software tools made available to the individual as well as the training opportunities which could go beyond the “Awareness” into related skill development. Incentives and Sanctions are the inevitable parts of the puzzle that are required to motivate compliance and discourage non-compliance.
While these principles are part of the FDPPI training of DPOs, I thought that on this auspicious occasion of the Data Privacy Day 2023, I should share these thoughts with the community.
PS: It is still a matter of intrigue why this concept initiated before 2009 and implemented in HIPAA and ITA 2008 audits of Ujvala despite being published, has taken 14 years to become a trend. I wish that adoption of PDPSI will not take another 14 years to become a trend. For Naavi who has taken the legislation for Neuro Rights and AI Rights as goals for the near future, convincing the professional community that PDPSI Version 2023 is the Privacy and Data Protection Audit framework to follow will be another goal for 2023 and a Privacy Day Commitment.
About Vijayashankar Na
Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.