Data Trust Score – thoughts on legal framework (Part 3)

Data Trust Score is an innovative mandatory provision in the Indian Personal Data Protection Bill 2019 which introduces measurability and accountability to the compliance initiatives of a Data Fiduciary. In this three-part article, Mr M.G. Kodandaram, IRS, retired Assistant Director NACIN, analyses the legal aspects of the Data Trust Score system… Naavi

(Continued from part-2)

In this concluding part we shall deliberate on fair means of applying the mandated principles, within the scope of the objectives and the proposed legal framework, to arrive at a possible data score methodology. The author is not inclined to propose a definitive scoring pattern, as the bill in hand is still legislation in the making and more changes are expected before it becomes the law of the land. Once the legislation gets the nod of both houses, carrying out such an exercise will be more realistic and useful. Therefore, in this part the discussion is limited to the components that should be part of the DTS system.

Objectives of the bill

The Preamble of the bill declares the purpose of the legislation as, “to provide for protection of the privacy of individuals relating to their personal data, specify the flow and usage of personal data, create a relationship of trust between persons and entities processing the personal data”. It further vouches (i) to protect the rights of individuals whose personal data are processed, (ii) to create a framework for organisational and technical measures in the processing of data, (iii) to lay down norms for the accountability of entities processing personal data, (iv) to provide remedies for unauthorised and harmful processing, and (v) to establish a Data Protection Authority of India for the said purposes. The honourable Supreme Court, in the case of Justice K.S. Puttaswamy[i] v. Union of India, has held that the right to privacy is a fundamental right, and therefore it is necessary to protect personal data as an essential facet of informational privacy. At the same time it is necessary to create a collective culture that fosters a free and fair digital economy, ensuring empowerment, progress and innovation through digital governance. No doubt data is the lifeblood of any digital business, but when it is abused the ultimate losers are the consumers, whose private lives may suffer an irreversible shock.

Obligations of the fiduciary

To secure the privacy rights of an individual, data fiduciaries are expected to follow certain obligations stipulated under sections 4 to 11 of the bill. The Bill allows the processing of data by Fiduciaries only after due consent is obtained from the individual / Principal. To obtain the consent of a Principal for the collection or processing of personal data, the fiduciary must issue a notice to such person, stating the reasons in clear, concise and easily comprehensible terms. The procedure for issuing the notice to the principal at the time of collection of data[ii], in order to obtain consent, is elaborate, and due care has to be taken to devise digital tools that meet these requirements. In the notice the Principal should be informed about the purpose, nature and categories of data being collected. The identity and contact details of the data Fiduciary and the contact details of the data protection officer are also to be communicated to the Principal. Such Principal should be informed of the procedure to withdraw his consent in the mandated way. Further, personal data can be processed only for specific, clear and lawful purposes. The Data Fiduciary shall not retain any personal data beyond the period necessary to satisfy the purpose for which it was processed, and shall delete the personal data at the end of processing. The personal data may be retained for a longer period only after the data fiduciary obtains the necessary consent from the Data Principal. During the compliance audit, it is for the data auditor to comment on each of these parameters as followed by the fiduciary before proceeding to quantify the DTS score. The measure so made should indicate the trust factor of the fiduciary in handling the personal data of the principals.

It is pertinent to mention here that the relationship between the principal and the fiduciary enshrined in the bill is of a special and unique nature. Here the fiduciary should extend to the personal data owner / principal a breach-proof mechanism that is equivalent to safeguarding the fundamental rights of the principal. Therefore the measure applied to score ‘trustworthiness’ needs to be rational and realistic. Efforts should be made to measure, directly or indirectly, all the stipulated obligations, compliances and functions of the fiduciary, using digital tools wherever possible to meet the requirements of the law.

Voice of principal needs recognition

From the above deliberations we find that there are compliance mechanisms and a complaint mechanism in place, but the crucial element of a feedback mechanism is missing from the entire framework under consideration. As stated in the earlier part, the major stakeholder or beneficiary in this entire bill is the principal, but her/his observations about the services rendered by the fiduciary are not given their due place in scoring the credentials of the fiduciary. Further, any personal data breach that takes place at the fiduciary’s location may, through the dark nets, land the data in the hands of cyber criminals, who could exploit it to cause injury to the principal. The safeguards taken by the fiduciary to eliminate personal data breaches protect the principal from becoming a victim of cyber crime. The satisfaction of the principal with the protection layer provided by the service-providing fiduciary is an important element in the measurement of the trust score. The DTS is supposed to express the trust of the principal as to the level of protection the fiduciary has extended. Therefore the principal’s feedback about satisfaction with the services provided by the fiduciary will be one of the best indicators of mutual trust, the author feels.

Finding fault or gaps in services should not be based on the mere observations of the auditor or on the sheer outcomes of the complaint mechanism in place. The principal’s voice should be heard, and it deserves a place in formulating the score for the fiduciary. Therefore a feedback system should be legislated wherein the fiduciary is required to obtain responses from their principals whenever they provide them with any service. This will also add value to the review mechanism of the fiduciary.

As per the above deliberations it is clear that no provision is made in the law for a principal to offer feedback about the services extended by a fiduciary. This needs to be used as a positive aspect in drawing up the trust scores, the author observes. A suitable section could be inserted prescribing an effective feedback mechanism and using its results to determine the data trust score.

Authority to be well equipped

Further, in a democratic society like Bharat, to take up the huge responsibility of implementing this law and the disproportionate issues that could emerge, the Authority concerned should be well equipped in terms of skilful techno-legal manpower along with a robust digital platform to be used as an e-governance vehicle. As per section 49 of the bill, “It shall be the duty of the Authority to protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the provisions of this Act, and promote awareness about data protection”, which is a huge responsibility to be discharged. Further, the responsibilities of the Authority include (i) taking prompt and appropriate action in response to a personal data breach, (ii) maintaining a database and the data trust scores on the web, (iii) classification of data fiduciaries, (iv) monitoring technological developments and commercial practices that may affect the protection of personal data, (v) receiving and inquiring into complaints, (vi) selection of auditors, and (vii) prescribing the design, by policy, of DTS measures. These, together with registration and the regulation of the various provisions relating to safeguarding the interests of the principals, are going to be matters of great concern.

As the task involved is the safeguarding of the fundamental rights of a citizen, it becomes all the more important, since the Supreme Court and high courts could be directly approached for relief. Added to this, technological advancements are on an accelerated mode, as are information exchanges and communications, as well as cyber crimes. Unless the officials are proportionately equipped with techno-legal skills, the implementation of the law may leave a deep scar on the governance of citizens. The Authority must select only officials with the requisite technical and legal qualifications. Such executives are to be suitably trained, which is going to be the most critical element for the successful implementation of this new regime.

Section 49(3) requires the Authority to be treated like any other fiduciary as far as the processing of personal data is concerned. It expressly mandates that, “it shall be construed as the data fiduciary or the data processor in relation to such personal data as applicable, and where the Authority comes into possession of any information that is treated as confidential by the data fiduciary or data processor, it shall not disclose such information unless required under any law to do so, or where it is required to carry out its function under this section”. This is a crucial aspect of the bill that deserves special attention. Further, all the central government departments follow the standards prescribed under the Service Quality Management System as per IS 15700 (SEVOTTAM), which should be made applicable to the Authority.

Conclusions

The computation of the DTS by the auditor, to be fair and justifiable, may consist of the following major components:

  • Outputs from the measurable components, such as
    • (a) a dynamic grievance redressal mechanism;
    • (b) online periodical compliance reporting by the fiduciary;
    • (c) reported breaches and the remedial action taken, along with the time frame, etc.;
  • Outputs from the verification report drawn up by the data auditor on subjective issues, such as the obligations met by the fiduciary and the appreciations and deficiencies noticed during the audit;
  • Feedback from the principal about the quality of the services provided as against the mandated obligations, and the level of trust she/he could recommend; and
  • The observations of the executives who are implementing these provisions.

The suggested weightage to obtain the consolidated DTS score from the above four components could be 30% each for the first three components and 10% for the last. The author welcomes any additional suggestions and ways to measure the trust score so that it becomes the forerunner in the cyber society and establishes the best practices to ensure the privacy of the individual.

(Concluded)

[i] (2015) 8 S.C.C. 735 (India)

[ii] Sec.7, PDP bill

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.