(published in Express Computer 16-31 July edition and Security Practices Knowledge Center - 2 of CIO Research Center)
In the information security realm, we generally get to hear the prefixes total, comprehensive, best in class, etc. I had never heard the prefix reasonable (in the context of security) before it was mentioned in the IT (Amendment) Act 2008. Even then, it has come up only as a topic of debate amongst info-sec professionals.
Privacy is another term which was rarely used in the Indian context. True to the Indian fondness for imported stuff, we were well versed with regimes like HIPAA, EU data protection and PCI-DSS. However, we lacked indigenous data privacy legislation.
On 11 April 2011, the Government of India brought about a sweeping change in one stroke with the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, thereby changing the rules of the game. Let's examine the significance of this news for Indian organizations.
Sensitive personal information
To begin with, organizations will need to understand what constitutes sensitive personal information and analyze the information being collected at various points from their prospective or current customers, partners and suppliers. It may be at the point of acquiring the customer, when running a promotional event (outsourced to a marketing company) or even a contest on a Web site. As per the rules, passwords also constitute sensitive personal information. Therefore, if you require a customer or partner to create an account on your Web site with a user id and password, you are required to comply with these rules, even though you may not be collecting any other personal information such as financial details, debit/credit card or bank account numbers, health information, etc.
Privacy policy
All organizations in India, collecting, storing or transferring sensitive personal information will need to put a privacy policy in place and make it available publicly i.e. on the company’s Web site.
A privacy policy should include:
- Commitment to privacy
- The information collected
- How and where information is stored and shared
- Commitment to data security
- How to access or correct your information
- Contact details
- A grievance redressal mechanism
Information collection and retention
Organizations will also need to take explicit permission from the information owner regarding the purpose of usage, in writing, through a letter, fax or e-mail. This could turn out to be a challenging process. While organizations that get forms filled for account opening, proposal forms, etc. could include the consent in the form itself, it would be difficult to implement where forms are filled or information is collected online, e.g. during online insurance policy issuance, hotel booking, visa applications, etc. The rules do not make it clear whether ticking an "I Accept" box on the terms and conditions of a Web site suffices. If organizations choose to take this consent over e-mail, will this electronic record be held valid only if it is digitally signed in accordance with the IT Act?
Organizations will be required to educate the information owner on the purpose and intended recipients, as well as the agency that will retain the information collected. This means that, if you have outsourced any of your data processing activities, you will need to disclose, at the time of collection, the names of the outsourced partners who will use this personal information.
Organizations are also required to allow the information owners to review the information that has been stored and correct it if any discrepancies are found. This will probably require an addition to the customer service window. A grievance officer will need to be appointed and details published on the Web site.
The information owner can also withdraw this consent (in writing of course) and the personal information will need to be struck from the records. In such cases, the organization reserves the right to stop providing the service to the information owner. I wonder if organizations will still need to keep the information in their records for a particular period, if required by law. It seems to be a contradiction and this will need some clarification.
Data transfer
If organizations want to transfer sensitive personal information to any other organization, e.g. an outsourced data processing unit, call centre or data centre, then they would need to ensure that the third party maintains the same level of security as they do themselves. It will be imperative for organizations to mandate the level of security and also ensure that these standards are met by partners through regular audits.
Data destruction
Organizations should not store data for a period longer than is required for providing the products or services, unless required by law. Organizations will need to implement secure data deletion processes for all data, including backups stored on tapes, at off-site locations, at DR sites and, not to forget, in the Cloud. They will also need to ensure that data is deleted securely from outsourced partners and their DR sites.
Reasonable security
Organizations are required to document and implement reasonable security practices and processes covering managerial, technical, operational and physical security measures, commensurate with the information to be protected. The rules also recommend ISO 27001 as a standard, which covers all these requirements. If organizations prefer to follow their own security measures, they would need to get those measures approved by the central government.
Organizations will also be required to get their security measures audited at least once a year by an independent auditor approved by the central government. In the unfortunate event of an information security breach, the affected organizations will have to demonstrate to the investigating agency that they had put reasonable security processes in place. However, it is not clear if this will absolve them of their liability.
Checker-board
Looking at the history of information security breaches in India, both published and unpublished, data privacy rules are definitely required. Nevertheless, these rules should be practical and reasonable in terms of implementation. In their current form, some of these rules pose multiple challenges if they are to be implemented in their true spirit. Again, what constitutes reasonable security will remain a matter of interpretation, and this will be an area of major debate in the days to come.
Steps to consider:
- Analyze if you collect any sensitive private information
- Draft a privacy policy and publicize it
- Take consent from information providers
- Implement reasonable security measures to protect information
- Ensure that your partners who access or use this information are equally secure
- Don’t forget to destroy the sensitive information once it is no longer required
- Get an annual audit done to ensure compliance with reasonable security measures