Tuesday, April 22, 2014

Need to Security Private Information - Requirement in India

Unique Identification Authority of India (UIDAI) data center in Bangalore is reported to have got a cover of 65 star guards from multi-skilled security agency, the Central Industrial Security Force (CISF) - Your identity is guarded by 65 armed men (article on times of India).

It indeed is a commendable step by the authorities, but my question here is - Is this measure enough to secure the Identity and avert the threat from identity theft? Actually Speaking NO and the reasons that attribute to the answer NO are -
  1. The personal information of an average Indian is scattered across the Government Offices, Public and Private Banks and other Financial Institutions to a large extent.  More scary portion is the availability of this information on papers across the offices
  2. There is no defined mechanism to destroy the paper work by the various organizations and agencies.  Many a times some or other people from various organizations sell of these as waste papers to the scrap dealers.  There have been various incidents in past where papers with critical and sensitive information have been located with the road side vendors (bhel puri and other chat senders)
  3. There is no defined guideline by the Government of India on how to use / dispose / destroy the information whether in paper or on computers
  4. There are no set standards in India with respect to destruction or recycling of magnetic / optical media that may contain sensitive / private / identity information.  Such media may be Hard-Drives, Pen-Drives, Backup Tapes, CDs, DVDs, SD Cards etc among others
  5. Nasscom has also not worked to this effect to advice with any standard guidelines to be utilized to this effect
Saying all this, we should not actually be cheering the news as published as it is the least of the measures that is required at deployment.  Another aspect to look at is - Has Government also provisioned a DR site for the UIDAI Data Center? Is that location also guarded with similar set of Security Personnel?  Unless we get that information, I guess this news is just a hogwash,

If you feel I am trying to belittle Government's efforts, then well I am not.  But my effort is to sensitize that there are additional steps required by the Government to ensure that the information related to the Identity of Indians as well as tourists / visitors to India is treated as sensitive and private.  Adequate measures as detailed below need to be put in place to ensure that such information is treated in fair and just manner - 
  1. Enact a Data Privacy Law - Government needs to take immediate measures to ensure that the Data Privacy Law is enacted and enforced to set the expectations on dealing with Private and Sensitive Data.  The Information that needs to be treated as private and sensitive should include - Aadhar Number (as part of the UIDAI effort), PAN Card numbers (from Income Tax Authorities), Voter ID (from election commission), Ration Card, Passports and any other similar set of documents and information that can help establish the identity of any individual
  2. Define Data Handling Guidelines - As part of the Data Privacy Law, Government must define the treatment of information classified as Private and Personal in a manner cognizant to safeguard the Identity of person holding it
  3. Define Data Destruction Guidelines - As part of the Data Privacy Law, Government must also define how the data no more needed is to be destroyed.  For the data on paper and optical media for that matter must be destroyed by using shredders. The data on magnetic media for that matter must be destroyed by using programs that would over-write the data multiple times using different algorithms and thus rendering data as unreadable
  4. Define Consent Requirement - Often this is one of the most overlooked case where the private and personal information of any individual is circulated / shared for commercial benefits.  There are cases where the Customer Relationship Officers or the Marketing Staff carries over the contact and similar other information to the next organization without consent of the Data Owners.  It needs to be noted that the receiving Organizations / Agencies are Data Custodians and not Data Owners, meaning they can use data for their internal processing purpose only.  For sharing or using data for any other reason than intended reason should not be permitted without consent from the Data Owners (Data Owner is the person about whom the information is)
  5. Define Agreement Forms - Government must ensure that the Agreement forms used for the purpose of providing services are defined only for those services for which the Information is obtained.  Such Agreements must not any Clause or Fine Prints like "Organization / Agency may use this information for any of the required processing as may be deemed required by the organization / agency.
These are the basic steps to be taken to ensure Data Privacy & Protection.  These needs to be enforced along with the Indian IT Security Act 2008 Amendment Act to ensure that adequate Information Security Risks are addressed including the identity theft and information compromise.....