Sunday, November 2, 2014

Data Privacy Acts - Where the World Needs to Converge

Data privacy in today's world has crossed over from being a requirement dependent on one agency or organization to being a global phenomenon. Today data traverses countries as well as continents at a speed unimaginable in the past. In a split second, data originating in the EU may be transferred to China and, who knows, on to another country where a hacker might be sitting and listening to the data traffic.

Let's take an example involving some other countries, say India and Brazil, both being third countries (from the EU's perspective) and both engaged in off-shoring of services. In this context we will discuss the scenario where an Indian IT company providing services to a multinational client located in the US, Australia and the EU has its service locations in India, the US, Brazil and Germany.

In the scenario highlighted above, all the geographies / countries involved have one or another kind of data privacy law; let's examine them -

  1. European Union - EU Data Privacy Directive - Directive 95/46/EC
  2. United States - State data privacy laws (enacted in 48 states); a country-level data privacy law is pending with the Senate
  3. Australia - Privacy Act 1988 (National Security Legislation Amendment Act (No. 1) 2014)
  4. Brazil - No definitive law covering data privacy, though privacy requirements have been dealt with under various different pieces of legislation
  5. India - Telegraph Act 1885 (amended in 2004), Indian IT Act 2000 (Amendment Act 2008) and a few others cover a part of privacy, but no comprehensive law exists
  6. Germany - Bundesdatenschutzgesetz (BDSG), the German Federal Data Protection Act, in line with the EU Data Privacy Directive (Germany, for that matter, is part of the EU and hence the European Data Privacy Directive is the base)
Now if we look at the above list, we find that there is no commonality among the privacy laws across these countries / geographies, except between the German privacy law and the EU Data Privacy Directive.

Coming back to our scenario, there would be no issues with data transfer between any EU nation and Germany. But with data traversing multiple borders, the Data Security Officer would have a nightmare meeting the compliance requirements, which would include -
  1. Safe Harbor - to ensure compliance between US state data privacy laws and the EU Data Privacy Directive
  2. Standard Contractual Clauses (SCCs) - to ensure compliance requirements are addressed when transferring data from EU nations to India, Brazil and Australia. It must be noted that SCCs would need to be executed for each EU nation, which means multiple SCCs to be executed.
Such scenarios are very prevalent today and only add to the complexity. Organizations do have the option to file for Binding Corporate Rules (BCRs), which provide them overall cover to transfer data, but from a business perspective that is an expensive step, and it is easier to sign multiple SCCs. All of this ends up as complexity to be handled by the Data Security Officers or the Privacy Officers. So, what is the way to handle such complex situations and spare the Data Security Officers or the Privacy Officers this complexity?

If we take a closer look at the current prevailing situation, we find that the root cause is the disparity in privacy and data security laws across countries / geographies. Though options of the Safe Harbor sort are available, they are also only self-certification / self-attestation arrangements.

I personally would prefer a better option, like the one between EU nations and Switzerland, Guernsey, the Isle of Man, Israel, etc. In such cases, we see that the EU Commission has identified the adequacy of the data privacy laws and adequate protection of personal information / data. In this scenario, the sole reason for the mutual trust is the similarity of the privacy and data protection directives.

Now, if a small group of nations can have the required similarity in data privacy and protection requirements, why can't the rest of the world follow suit? With the world converging on global trade there is a greater need for bilateral trust in the privacy and protection of data, and for that a common agenda needs to be driven. Organizations like the WTO, OECD and similar bodies may lead this effort to bring governments together and develop Common Criteria for Data Privacy and Protection. Given the need of the hour, the world needs to converge on these Common Criteria, and the respective governments must issue directives to regulate the protection of personal data / information as per these Common Criteria.

Tuesday, April 22, 2014

Need to Secure Private Information - Requirement in India

The Unique Identification Authority of India (UIDAI) data center in Bangalore is reported to have been given a cover of 65 star guards from the multi-skilled security agency, the Central Industrial Security Force (CISF) - "Your identity is guarded by 65 armed men" (article in the Times of India).

It is indeed a commendable step by the authorities, but my question here is - is this measure enough to secure identity and avert the threat of identity theft? Actually speaking, NO, and the reasons behind that NO are -
  1. The personal information of an average Indian is scattered, to a large extent, across government offices, public and private banks and other financial institutions. The scarier part is the availability of this information on paper across these offices
  2. There is no defined mechanism for the various organizations and agencies to destroy the paperwork. Many a time some people from various organizations sell these off as waste paper to scrap dealers. There have been various incidents in the past where papers with critical and sensitive information were found with roadside vendors (bhel puri and other chaat sellers)
  3. There is no defined guideline from the Government of India on how to use / dispose of / destroy information, whether on paper or on computers
  4. There are no set standards in India with respect to the destruction or recycling of magnetic / optical media that may contain sensitive / private / identity information. Such media include hard drives, pen drives, backup tapes, CDs, DVDs, SD cards etc., among others
  5. Nasscom has also not worked to this effect to advise on any standard guidelines to be utilized
Having said all this, we should not actually be cheering the news as published, as it is the least of the measures required at deployment. Another aspect to look at is - has the Government also provisioned a DR site for the UIDAI data center? Is that location also guarded by a similar set of security personnel? Unless we get that information, I guess this news is just hogwash.

If you feel I am trying to belittle the Government's efforts, well, I am not. But my effort is to sensitize readers that additional steps are required from the Government to ensure that information related to the identity of Indians, as well as of tourists / visitors to India, is treated as sensitive and private. Adequate measures as detailed below need to be put in place to ensure that such information is treated in a fair and just manner -
  1. Enact a Data Privacy Law - The Government needs to take immediate measures to ensure that a Data Privacy Law is enacted and enforced, setting the expectations on dealing with private and sensitive data. The information that needs to be treated as private and sensitive should include - the Aadhaar number (as part of the UIDAI effort), PAN card numbers (from the Income Tax authorities), Voter ID (from the Election Commission), Ration Card, Passports and any other similar documents and information that can help establish the identity of an individual
  2. Define Data Handling Guidelines - As part of the Data Privacy Law, the Government must define the treatment of information classified as private and personal in a manner that safeguards the identity of the person it belongs to
  3. Define Data Destruction Guidelines - As part of the Data Privacy Law, the Government must also define how data that is no longer needed is to be destroyed. Data on paper and on optical media must be destroyed using shredders. Data on magnetic media must be destroyed using programs that overwrite the data multiple times using different algorithms, thus rendering it unreadable
  4. Define Consent Requirements - This is often one of the most overlooked cases: the private and personal information of an individual is circulated / shared for commercial benefit. There are cases where Customer Relationship Officers or marketing staff carry contact and similar information over to their next organization without the consent of the data owners. It needs to be noted that the receiving organizations / agencies are data custodians and not data owners, meaning they can use the data for their internal processing purposes only. Sharing or using data for any reason other than the intended one should not be permitted without consent from the data owners (the data owner being the person the information is about)
  5. Define Agreement Forms - The Government must ensure that the agreement forms used for the purpose of providing services are defined only for those services for which the information is obtained. Such agreements must not carry any clause or fine print like "The Organization / Agency may use this information for any processing as may be deemed required by the organization / agency."
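As an added illustration of the overwrite approach recommended in item 3 above (example code written for this post, not code from the original post or from any Indian standard or agency), the following Python sanitises a file holding a constructed identity record: it overwrites the file once per pattern (zeros, ones, random bytes; the pass sequence is an assumption), flushes each pass to the device, checks that a known fragment of the original content no longer appears, and only then unlinks the file. The fragment and record contents are constructed placeholders.

```python
import os
import secrets
import tempfile

# Pass sequence: fixed 0x00, fixed 0xFF, then random bytes. This sequence is
# an assumption for the example; a real guideline would fix its own.
PASS_PATTERNS = (b"\x00", b"\xff", None)   # None means random data


def overwrite_file(path, patterns=PASS_PATTERNS, chunk_size=64 * 1024):
    """Overwrite every byte of the file at `path` once per pattern.

    Each pass is flushed and fsync'ed so the bytes reach the storage device
    instead of sitting in the page cache. Returns the number of passes done.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for pattern in patterns:
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                fh.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return len(patterns)


def contains(path, needle):
    """True if `needle` still appears anywhere in the file (post-wipe check)."""
    with open(path, "rb") as fh:
        return needle in fh.read()


def sanitize_and_delete(path, known_fragment):
    """Overwrite, verify the known fragment is gone, then unlink the file.

    The file is kept (not deleted) if the fragment is still readable, so a
    failed wipe is visible rather than silently hidden by the unlink.
    Returns a report dict the caller can log.
    """
    size_before = os.path.getsize(path)
    passes = overwrite_file(path)
    leaked = contains(path, known_fragment)
    size_after = os.path.getsize(path)
    if not leaked:
        os.remove(path)
    return {
        "passes": passes,
        "size_before": size_before,
        "size_after": size_after,
        "fragment_still_present": leaked,
        "deleted": not leaked and not os.path.exists(path),
    }


def demo():
    """Write a constructed record containing a placeholder identity number,
    wipe it, and return the sanitisation report."""
    fragment = b"AADHAAR:0000-0000-0000"   # constructed placeholder, not a real number
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"name=Example Person;" + fragment + b";" * 5000)
    return sanitize_and_delete(path, fragment)


if __name__ == "__main__":
    print(demo())
```

Two caveats a destruction guideline should carry: overwriting in place only works where the filesystem rewrites the same physical blocks (not on copy-on-write or journaled snapshots), and on flash media such as the pen drives and SD cards listed in item 4, wear-levelling can leave old copies of the data in cells the overwrite never reaches, so the device's own secure-erase command, or full-disk encryption followed by destruction of the key, is the appropriate measure there.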
These are the basic steps to be taken to ensure data privacy & protection. They need to be enforced along with the Indian IT Security Act 2008 Amendment Act to ensure that adequate information security risks are addressed, including identity theft and information compromise.