Data Governance Framework as it exists in India now

With the formation of an expert committee titled “Data Governance Framework Committee”, data professionals in India are now wondering what is in store.

Some of the questions in the minds of data regulation observers are:

Will this committee modify the Personal data protection Bill (PDPB)?

Will it give an excuse to the Government to push the PDPB to a standing committee so that the implementation can be indefinitely delayed?

Will the Data Localization requirement of PDPB be circumvented by re-defining “Non Personal Data” to include part of the “Personal Data”?

The answers to the above will depend on the integrity of the Committee, which consists mostly of representatives of business interests who had produced a dissenting note to the Srikrishna committee report.

As is the tradition of Naavi.org, we will closely watch the developments and report our views, whether or not they are palatable to others.

In the meantime, it is essential to reflect on what is the current “Data Governance Framework” in our legislation, if any.

If we look back at ITA 2000, in the 2000 version of the Act, the emphasis was mostly on E Commerce and it introduced the important element of the use of “Digital Signature based authentication” as part of the data governance.

Additionally, some sections such as Section 43 of the Act and the mention of liability under Section 79 in the absence of “Due Diligence” gave some direction to the corporate world on how data has to be governed in their environment to avoid any liabilities.

This was the concept of “Cyber Law Compliance” first discussed by Naavi in December 2000 in a CII seminar in Chennai. The book “Cyber Law Compliance the Corporate Mantra for the Digital Era”, published at that time, was a first attempt to draw the attention of corporates handling data to a recommended data governance framework under ITA 2000.

Industry, however, looked at ITA 2000 as a law which mattered only to the police and lawyers and paid scant attention to ITA 2000 compliance. The stakes became higher with the amendments of 2008, and the need for compliance with ITA 2008 grew stronger. ITA 2008 also introduced the concept of personal and sensitive personal information along with “Intermediary guidelines under Section 79” and “Reasonable Security Guidelines under Section 43A” (Amendment Act notified on 27th October 2009 and Rules notified on 11th April 2011).

Further, Sections 67C, 69, 69A, 69B, 70B, 72A etc. all covered different aspects of data governance.

Most industry observers failed to recognize the data governance elements contained in ITA 2008 and its notifications, but did make efforts to comply with Section 43A. The concept of ITA 2000/8 compliance was to some extent recognized in the post-2011 period, and some techno-legal professionals emerged advising companies on how to remain compliant with ITA 2000/8, mainly from the perspective of Section 43A.

Naavi was in the forefront of this Compliance brigade and highlighted the compliance requirements under ITA 2000/8 through the following Risk identification model.

A Comprehensive Information Security Framework IISF 309 was also recommended indicating the following responsibilities.

As a rough glance at this framework indicates, out of the 30 different requirements listed here, 23 referred to non-IT governance. In a way, this was a “Data Governance Framework” recommended under ITA 2000/8.

The focus, however, was on “Meeting Due Diligence” to avoid vicarious liabilities under Section 79 and Section 85 of ITA 2000/8. To that extent, it was not projected as a “Data Governance Framework”.

However, after the PDPA came into broader discussion, Naavi introduced the “PDPSI” (Personal Data Protection Standard of India), where more aspects of data governance were added. In particular, the data classification system indicating 16 different types of data and the suggested system of Personal Data Keepers, Internal Data Controllers etc. indicated the governance requirements, though this was in the context of “Personal Data”. The discussion on DPSI (Data Protection Standard of India) was deferred since it was not a priority at that time.

These discussions, extended by ideas like the DTS, laid the groundwork for a Data Governance Model. Though these efforts were focussed more on “Data Protection”, they also created the early framework in India for data governance.

I therefore consider that a “Data Governance Framework” does exist in India as a reference, and the Data Governance Framework committee can take some ideas from these suggestions scattered through this website. Probably when I am able to collate these ideas in the New Theory of Data being developed, there will be a better reference book on how to develop the Data Governance Framework.

Let us see if a working draft of the Theory would be available in time to be presented to the Committee before it arrives at its final recommendations.

Naavi

This entry was posted in Cyber Law.