This article is written by Preetham Kumar pursuing an MBA with a Specialisation in Data Protection and Privacy Management (From the Swiss School of Management). This article has been edited by Zigishu (Associate, Lawsikho).
This article has been published by Sneha Mahawar.
“I dream of a Digital India where cyber security becomes an integral part of our National Security.”
~ Narendra Modi, PM, India
Information exchange and data security are two sides of the same coin. One cannot go ahead without the other. IT or Information Technology, over time, has transformed into a superpower and is a globally accepted phenomenon. Today, Data and Technology are intangible assets affecting all fields (finance, economics, politics, etc.,) that run a country either directly or indirectly. In a country like India, information exchange is even more important given the advancements and pace at which everything is going. The massive explosion of data, although a boon, can turn into a bane if there are not enough security measures in place to protect this outburst of data.
India’s approach towards digital transformation
The government of India has acted in many ways to formulate and streamline the management of data and its privacy, both directly and indirectly.
- In 2015, the Government launched the Digital India Scheme with an intention to digitally empower society and transform India into a knowledge economy. It’s been six years and the digital transformation that was initially envisioned has had its hiccups due to lack of foresight and poor planning.
- Then came 2016, Aadhaar (Targeted Delivery of Financial and other Subsidies, benefits, and services) Act. The data collected by the Unique Identification Authority of India (UIDAI), a statutory authority established in January 2000, under the jurisdiction of the Ministry of Electronics and Information Technology, was provisioned under this Act of 2016.
- In the most recent times, in December 2019-2021, the Personal Data Protection Bill 2019 (PDP Bill 2019) was drafted by the Ministry of Electronics and Information Technology. The Bill covers mechanisms for the protection of personal data and proposes the setting up of a Data Protection Authority (DPA) of India for the same. Further, it aims at providing a comprehensive framework for personal and non-personal data.
All these and more rules and regulations deal with data collection, management, and privacy aspects related to it. Every Bill or Act in succession to each other was drafted or amended to be better than its predecessors. Although the attempt is sincere in many ways, it digresses from the entire crux or importance of data utility end to end. Data privacy, at its core, is not as simple as merely protecting data by encryption per se, it’s about understanding the importance of different sets of data, what it can do, what powerful insight it can draw, and most importantly, if it leaks or falls into the wrong hands, what is the impact it can create. Answering all these questions will formulate a better framework around data privacy policies.
Another core problem that our existing rules and regulations undermine or hardly address is the concept of “consent from the data subjects.” When a citizen’s data is collected, he should consent to it, he should know what his rights are, he should know the purpose of collection and most importantly, should be given the right to opt-out of the whole program or procedure if he chooses to. This is currently a sleeping topic in all acts and bills.
Data, a matter of national security – a ‘Riddled Approach’ so far
In many ways these Bills, Acts, provisions introduced by the Government are commendable. The aims and objectives drafted within them look comprehensive. But the question is about their execution and success rate. And sadly, the answer struggles to skew towards a positive note.
For instance, issuing of UID or Unique Identification started in 2009 onwards under the name Aadhar ID by UDAI. The collection of data for an ID included submission of biometric details, demographic and profile-based information by the citizens in India. With time, today, almost 90% of Indians have an Aadhar card because of an activity that lasted over 10 years. In this duration, the committee had to deal with deduplication of IDs, iterate on security infra, and had to cater to many other needs. The primary intention of introducing an ID like this was to empower the poorer citizens of India in accessing financial necessities – loans, bank accounts, etc., easily. Earlier, a poorer man had to fill out lengthy forms, go through lengthy procedures, authentication processes, and so on if he wished to get a loan. The probability of his application being rejected was higher due to incomplete information that was either lost in translation or was not addressed in a timely manner. Now that he had an Aadhar, the lengthy, never-ending process was no longer required. He was able to get a loan sanctioned in a matter of a few hours. This indeed looks like a boon – something that saves a great deal of time and money.
Fast forward many years: Aadhar now, was pushed to be used as an identity card for almost every application or approval procedure. The rule was not limited to him or people like him anymore; rather every citizen was encouraged to use it at any/every place that required authentication or ID proof. Although this insight again is a success snippet, unintentionally it is also an alarming revelation of the massive volumes of data the government of India has on its citizens. From the beginning there existed a fundamental flaw in the process that was ignored. I,e., No citizen had freely consented to their personal data collection. In fact, no one realized that such data is classified as sensitive and needs consent for collection in the first place. This was rather a mandated act than a consensual one.
Today, since everyone is talking about data privacy, the underlying question or debates around draft/bill were also around “why do we need one single ID like Aadhar which is linked to almost everything a citizen interacts within his network (bank, place of work, his residence, his verification at many places)?” and “why doesn’t the bill, although in time will seek legislative powers, not say anything about its security?” Besides, India already has many different databases for nuanced purposes. For example, the government has a database on BPL (Below Poverty Line) cardholders. Why does it have to be substituted with something like Aadhar? Or why should a BPL card be linked with Aadhar? These are some fundamental questions that the bills at the moment do not address. Some even argue that this scheme of data collection is a matter of national security and will someday result in a draconian rule which can be used to influence political and religious sentiments.
An alternative compliance framework
It’s already clear that India has miles to go in terms of figuring out what would work the best for a country like ours, especially in a country where Data-Privacy is not understood correctly. Nevertheless, India has made and is making many attempts to imbibe legislative powers to these acts and rules. But at the same time, it might be a good idea to create awareness among citizens about data privacy, rights, framework, etc.
Data protection in India is currently governed by the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“Data Protection Rules”) notified under the Information Technology Act, 2000 (“IT Act”).
Also, the Bureau of Indian Standards (“BIS”) issued new standards for data privacy assurance i.e. the IS 17428. It is intended to provide a privacy assurance framework for organizations to establish, implement, maintain and continually improve their data privacy management system. It is a certification for organizations to assure their customers and employees of their privacy practices and can be strategically used as a differentiator amongst market competitors. BIS is a national standards body constituted to regulate standardization, conformity assessment, and quality assurance of goods and services in India.
To ensure data privacy assurance to individuals and to help the organizations who process data, the Bureau of Indian standards has published two Indian Standards:
IS 17428 (Part 1) Data Privacy Assurance Part 1 Engineering and Management Requirements
sets forth Engineering and Management Requirements (“IS Requirements”) which lay down basic requirements of engineering design and information management and are mandatory in nature; similar to IS/ISO/IEC 29100: 2011 Information Technology — Security Techniques — Privacy framework
IS 17428 (Part 2) Data Privacy Assurance Part 2 Engineering and Management Guidelines sets forth Engineering and Management Guidelines (“IS Guidelines”) which provide detailed practices that aid in implementing these requirements and are suggestive in nature. Similar to IS/ISO/IEC 27001: 2013 Information Technologies — Security Techniques — Information Security Management Systems — Requirements.
Salient features of IS 17428
Defines keywords such as data controller, data processor, personal information, sensitive personal information, processing, consent for an organization to adequately identify its role and responsibilities. With the aid of these definitions, an organization would need to assess the role that it plays, the nature of the data being processed, and to whom the data is being shared.
The organization must incorporate certain engineering and design requirements at the time of the development life cycle of any product, service, or solution. These requirements include:
- The organization’s privacy requirements considering the applicable jurisdiction;
- Verification and testing of applicable data privacy control prior to development and at regular intervals.
The organization must also establish certain privacy management processes/functions such as:
- The nature of personal information and outsourcing policies;
- Defining its structure, responsibilities, accountability, communication, and governance systems;
- Inventory and flow of such information;
- Implement privacy policies;
- Record logs and evidence and determine the retention period of the data;
- Establish a privacy impact assessment methodology;
- Setup a grievance redressal mechanism to identify and publish the contact information of the grievance officer, as well as set up complaint filing and escalation procedures;
- Upskill the relevant staff of the organization involved in handling personal information
Managing operations in the most populated economy on the planet are no joke, and one single approach will definitely not fit in the existing scenario to see it succeed. Although a lot of the Acts, Bills, Committees, etc., came into existence over 20 years, the processes are yet to reap the benefits they initially set out to seek. Data privacy in India is at its nascent stage. Simply put, it’s at the very first step of the entire data cycle.
In the grander scheme of things, understanding the power of data is where the true strength lies. Before it is too late, the country should be open to adopting western or European data compliance models to manage processing activities. Data privacy and protection policy is a strategic and continuous process. The sooner we start, the less hassle we face.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: