Virtual Meetings for Data Protection JPC should be considered.

It appears that the Personal Data Protection Bill 2019 is stuck with the Covid lockdown of Parliamentary activities. According to a report from Media Nama sources, there is a technical objection to the use of “virtual meetings of the Parliamentary committee”. This is touted as a violation of “Parliamentary Privileges”.

While this argument may suit all those who want the Government to remain dysfunctional, it is time to question this concept. Medianama quotes its “Anonymous Sources” (which itself is a breach of parliamentary privilege) as saying that virtual meetings cannot take place because they would introduce a third party, the video conferencing platform, into the activity.

It is a ridiculous argument when the Supreme Court itself has adopted “virtual hearings” as part of its activities and Parliamentary proceedings are broadcast live across the globe.

The argument amounts to a surrender of democracy to Covid and has to be defeated.

I hope that the JPC will not allow this argument to prevail and will adopt virtual meetings as part of its procedure. The video platform can be managed by NIC, and a separate server within the Parliament building can be set up for the purpose. The connections can be on a VPN so that traffic is encrypted from the user’s end to the server. The depositions can be conducted in such a manner that streaming video is pushed from the user’s application to the server, and the session of a deponent is closed after his deposition is over. A secure app-based browser can be used to retain confidentiality and authenticity.

It is time MeitY gave the Parliamentary members and the Speaker the confidence that we have the technology to create a secure virtual arrangement and conduct the proceedings.

Naavi

Posted in Cyber Law

Differential Privacy and PDPA 2020

The proposed Indian Data Protection Act (PDPA 2020) refers to “Personal Data”, “Anonymization” and “De-identification/Pseudonymization”.

Anonymisation is defined as an “irreversible” process of transforming personally identifiable data into a form from which the identity cannot be recovered. Anonymization frees the data from PDPA controls.

On the other hand, the Bill defines de-identification as follows:

“de-identification” means the process by which a data fiduciary or data processor may remove, or mask identifiers from personal data, or replace them with such other fictitious name or code that is unique to an individual but does not, on its own, directly identify the data principal;

The definition of de-identification includes “Pseudonymization” by way of replacement of identifiers from the identifiable personal data set.

De-identification is a technical control used to mitigate risk within the data processing environment, so that the real identity of the data principal to whom the information belongs is not shared across the organization.

Naavi has been advocating the use of a “Pseudonymization Gateway” as a standard feature, so that an organization immediately pseudonymizes all identity parameters at the point where personal data enters, and creates a confidential mapping of the pseudonymized parameters to the real parameters together with a unique data identity, to enable re-identification when required.

If this suggestion is technically implemented, the entire organization will carry out its personal data processing on de-identified/pseudonymized data, reducing the risk of a data breach to near zero. The Pseudonymization Gateway would be managed by an “Internal Data Controller”, who would maintain the mapping table as securely as possible, with appropriate encryption, split keys in the custody of multiple custodians, etc.

When the processed data is to be disclosed and needs to be re-identified, the designated “Internal Data Disposers” would be responsible for re-identifying the data, creating the “processed version of the data with real identity” and then disclosing it to the recipients as required.

The controls for personal data breach mitigation are therefore confined to the Internal Data Controllers and Internal Data Disposers.

(P.S: Here the word ‘internal’ refers to the person/s being employees of the organization, though the disclosure of information is to outsiders. The term ‘dispose’ refers to both external disclosures and destruction of the identity of personal data or deletion of the personal data.)

PDPA has not used the term “Differential Privacy”, which is a term developed by data scientists in the Big Data processing scenario.

The Sri Krishna Committee, while winding up its recommendations, commented that there is a separate need to develop regulation of “Community Data”, which referred to a form of aggregation of data relevant to “Differential Privacy”. This is now before the Kris Gopalakrishna committee on Data Governance.

As a concept, “Differential Privacy” addresses the need for processing of aggregated data in such a manner that identity of a data subject becomes irrelevant in the aggregation and disclosure. In other words, while the aggregation happens with the identifiable data, the process of aggregation and processing is managed in such a manner that the disclosed data does not affect the privacy of an individual whose personal data is a component of the processed data.

One of the definitions of “Differential Privacy” is that

“Differential privacy is a system for publicly sharing information about a dataset by describing the patterns of groups within the dataset while withholding information about individuals in the dataset.”

For example, A, B and C undergo a medical test, and A and B are diagnosed diabetic while C is, say, healthy. (In an actual situation the numbers would be large, and A, B and C may represent groups of a large number of persons.) Now when we say 33% of the persons are healthy and 67% are diabetic, we are disclosing the personal information of A, B or C. However, if the disclosed data remains at the level of these percentages, the identity of the individuals remains masked.

When the data of another subject is added to or deleted from the data set, then (assuming large numbers) the pattern of the disclosed data does not reveal the identity of the person whose data was added or subtracted. Since the query result of the processed data cannot be used to infer whether the person whose data was added or subtracted was diabetic or healthy, it is considered that “Privacy is preserved”.

The development of processing that meets this criterion is referred to as “Differential Privacy” by data scientists.

More technically,

“A processing algorithm is considered differentially private if an observer seeing its output cannot tell if a particular individual’s information was used in the computation.”

This concept is used by statistical organizations processing personal information.
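The Laplace mechanism applied to the A/B/C counting query above, as an added example that is not part of the original post: noise scaled to the query's sensitivity is added to the count, and the privacy loss (the log-ratio of output likelihoods with and without person C) is checked against epsilon, which is exactly the "observer cannot tell whether an individual's data was used" criterion. The record layout, the epsilon values and the seed are assumptions made for illustration.

```python
import math
import random

# Constructed sample in the spirit of the post's A/B/C illustration:
# (person, diagnosis). Real releases would cover far larger groups.
RECORDS = [("A", "diabetic"), ("B", "diabetic"), ("C", "healthy")]

def true_count(records, diagnosis):
    """Exact count for a diagnosis; not safe to publish on small groups."""
    return sum(1 for _, d in records if d == diagnosis)

def without(records, person):
    """Neighbouring dataset: the same records with one person removed."""
    return [r for r in records if r[0] != person]

def laplace_noise(scale, rng):
    """Laplace(0, scale) sampled as the difference of two exponentials."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)

def dp_count(records, diagnosis, epsilon, rng):
    """Laplace mechanism. A counting query has sensitivity 1 (adding or removing
    one person moves it by at most 1), so noise of scale 1/epsilon makes the
    answer epsilon-differentially private."""
    sensitivity = 1.0
    return true_count(records, diagnosis) + laplace_noise(sensitivity / epsilon, rng)

def noisy_release(records, diagnosis, epsilon, seed):
    """Reproducible demo answer; a real release would use random.SystemRandom()."""
    return dp_count(records, diagnosis, epsilon, random.Random(seed))

def laplace_pdf(x, mu, scale):
    return math.exp(-abs(x - mu) / scale) / (2.0 * scale)

def privacy_loss(records, neighbour, diagnosis, epsilon, observed):
    """|ln P(observed | records) / P(observed | neighbour)|: how much one published
    answer tells an observer about whether the extra person was included.
    Differential privacy guarantees this is at most epsilon for every observed value."""
    scale = 1.0 / epsilon
    p_with = laplace_pdf(observed, true_count(records, diagnosis), scale)
    p_without = laplace_pdf(observed, true_count(neighbour, diagnosis), scale)
    return abs(math.log(p_with / p_without))

def max_privacy_loss(records, neighbour, diagnosis, epsilon, outputs):
    """Worst case over a grid of candidate outputs; must never exceed epsilon."""
    return max(privacy_loss(records, neighbour, diagnosis, epsilon, o) for o in outputs)

if __name__ == "__main__":
    eps = 1.0
    grid = [x / 10.0 for x in range(-50, 51)]
    print("exact healthy count:", true_count(RECORDS, "healthy"))
    print("noisy healthy count, C included:", round(noisy_release(RECORDS, "healthy", eps, 1), 2))
    print("noisy healthy count, C removed: ", round(noisy_release(without(RECORDS, "C"), "healthy", eps, 2), 2))
    worst = max_privacy_loss(RECORDS, without(RECORDS, "C"), "healthy", eps, grid)
    print("worst-case privacy loss:", round(worst, 3), "<= eps =", eps)
```

Note that the two noisy answers are each a separate query; publishing both spends the privacy budget twice, which is why the post's "processed data" should be released once, not re-queried on demand.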

The reason the Indian PDPA (like other laws such as GDPR) does not refer to Differential Privacy is that these data protection laws assume that statistical processing of the type referred to above can be done on “de-identified” or “pseudonymized” data. Hence whether the data set of an individual moves in or out of a collection of data does not matter for the privacy of that individual.

A Big Data Processor who is today looking at Differential Privacy could as well introduce an automated data anonymization process, so that all incoming identified data sets become anonymised data sets at the gateway and remain visible only at the machine level. By the time the data is filtered into the internal systems visible to human beings, it is already in an “Anonymized State”, and hence the “Differential Privacy” concept may not be required.

This suggestion was made by the undersigned to one company processing CCTV footage and can be a substitute for differential privacy.

If there is a specific processing requirement where the input has to be on an identified basis and disclosure is required to be made, then the use of “Differential Privacy as an algorithmic feature” becomes the responsibility of the processor under “Legitimate Interest”.

The Kris Gopalakrishna committee on Data Governance may need to debate “Differential Privacy” in greater detail.

If the Government pursues the concept of “Open Data” and wants to collect, process and disclose identifiable personal data in an aggregated form for the benefit of the society, the concept of Differential Privacy may be useful.

Similarly, data research organizations harvesting personal data from public sources and profiling the behaviour of communities also need to adopt the principles of differential privacy in their processing and present a legitimate interest claim when they submit a DPIA to the data processing authorities.

(This topic requires further discussion. I have tried to seed some thoughts for discussion; comments and inputs are invited. Naavi)

Naavi

Posted in Cyber Law

Atma Nirbhar in Data Protection… PDPSI will be the PDPA specific Implementation framework

While in India the Personal Data Protection Act (PDPA 2020) is awaiting clearance by Parliament, being compliant with the personal data protection law has become the top-of-mind concern for most corporate managers.

Some ultra-cautious professionals are waiting for the Personal Data Protection Bill 2019 to be passed by Parliament before doing anything towards compliance. The more optimistic professionals are, however, going ahead and getting ready for the law on the presumption that it will be passed soon, and that even if it is delayed, PDPA, being an extension of ITA 2000, is relevant as “Due Diligence” under ITA 2000 even today.

In the meantime, other countries are racing against each other to introduce their own laws. DIFC, UAE, South Africa, Brazil and New Zealand have all introduced their respective data protection laws.

India being the global hub for data processing, Indian companies often deal with personal data from multiple countries, which exposes them to compliance with multiple data protection laws. The Indian data processing industry is therefore looking for the best way to implement a Personal Data Protection System in their organizations that will enable them to be compliant with multiple global laws along with the upcoming Indian law.

Some of the large organizations with a high stake in GDPR have adopted ISO 27701 as a standard for implementation to be compliant with GDPR.

While ISO 27701 is tailored to GDPR and could serve GDPR compliance, it will not meet the requirements of PDPA compliance.

Also, ISO 27701 is meant for rich, large corporations and requires base compliance with ISO 27001, ISO 27002 and probably some other connected standards. Together it is a massive exercise and a massive expense, unsuitable for smaller companies.

It is also imperative that we develop indigenous standards which reflect our self-reliance (Atma Nirbhar) in such matters.

Recognizing this need, the team of professionals in FDPPI (Foundation of Data Protection Professionals in India) has embarked on using the Personal Data Protection Standard of India (PDPSI).

This framework will meet the unique requirement of compliance with PDPA 2020.

PDPSI-IN would be the instance of the framework which would be tightly mapped to PDPA 2020. This is the immediate need for self reliance of PDPA compliance in India.

At the next stage, when we move from “Local to Global”, other instances of PDPSI would be developed for compliance of other data protection laws.

With this approach, PDPSI-EU would be mapped to GDPR, PDPSI-CCPA would be mapped to CCPA, and so on. These frameworks will enable Indian organizations with a stake in multiple data protection laws to ensure compliance with ease.

If the frameworks turn out to be useful to the industry, they can become standard frameworks for export. Hopefully the Indian Government will see the potential of this thought as a “Make in India and Take it Global” concept and provide its support.

Watch out for more information on this. Contact Naavi for more details.

Naavi

Posted in Cyber Law

Single Instance Storage of Personal Data

In meeting the compliance requirements under the different data protection regulations, organizations face one huge challenge: protecting the data subject’s rights of “Portability” and “Erasure” or “Right to Forget”. The problem arises because, in current processing systems, the personal data of an individual may be processed by different persons in an organization at different points of time, and several instances of a single data set get generated and stored under the control of different employees.

When a portability or erasure request has to be complied with, it becomes difficult to establish whether all instances of the personal data have been removed. If an organization is to be confident of having ported or erased the personal data of a verified data subject, it has to be certain that no other instance of the personal data remains in the organization.

One method for this purpose could be to run a “Personal Data Discovery Search”, identify everywhere in the organization where the personal data of the given subject resides, and then collate it for porting or destruction. There are several “Personal Data Discovery Tools” available for the purpose, but they may not always be as efficient as we may desire.

This “Search and Collate” method is unavoidable for an organization with legacy personal data. However, organizations starting their activity in the post-Data Protection era need to think of making their work simpler since “Search and Collate” may not always be an efficient form of discovery of personal data.

Even existing organizations can explore whether they can adopt an alternate system for future collections of personal data, if one is available.

Single Instance Storage

One solution which companies therefore need to consider is the “Single Instance Storage” of personal data, as discussed here.

Under this system, an organization maintains a single instance of a set of personal data for a given data subject, and all processing activities are carried out in such a manner that multiple instances are not created in different systems, except when the data is to be ported or disclosed to an entity outside the organization, including the customer for whom it has been processed.

Companies mostly use “Virtualization” as a means of achieving this centralization of personal data.

Virtualization can work efficiently when the collection of personal data itself happens through a form on the web.

But if we need to ensure that virtualization works in practice, there should also be an efficient method of managing the inflow of personal data in unstructured form, such as e-mail attachments received by any employee of the organization.

A similar challenge arises when, during the life cycle of data processing, non-personal data assumes the status of identified data due to a specific step in processing.

In both these cases, an employee receiving personal data through his/her personal e-mail or converting non-personal data into personal data as part of the processing he/she is doing, the generated personal data needs to be specifically committed to the centralized data storage system by the individual who first becomes aware that he/she is in possession of personal data.

How PDPSI addresses this need

It is to enable this “committing of personal data to the central repository” that PDPSI (Personal Data Protection Standard of India) recommends that employees of an organization be classified as “Internal Data Controllers”, “Internal Data Processors” and “Internal Data Disposers”.

The person who first receives personal data into his custody, or generates it, is the “Internal Data Controller”, who has the responsibility to hand it over to the central repository and immediately erase the instance of personal data in his custody.

The “Internal Data Disposer” is the one who deals with customer relationships and has to retrieve the processed data from the repository and send it out to an external entity. If, in the process of such sending, the Internal Data Disposer has created a temporary instance on his system, it is his duty to purge it at the earliest.

The remaining employees of the organization, who simply process the personal data in the repository under a virtualized system, are the “Internal Data Processors”, because they do not create an instance of the personal data in the systems they control.

This kind of processing constitutes “Privacy By Design” which includes the technical process as well as employee responsibility distribution.

Use of Pseudonymization Gateway

If the processing is amenable to pseudonymization, then the Internal Data Controller can pseudonymize the data and release it to the Internal Data Processors without the need for processing in the virtualized environment. This could reduce the cost of compliance and also the dependency on the virtualization service.

In such a system the “processed pseudonymized data” has to be re-identified before disposal to the customer/external entity, which will be done by the Internal Data Disposers.

Where a Pseudonymization Gateway system has been introduced instead of the virtualization environment, the pseudonymization department will act as both Internal Data Controller and Internal Data Disposer. They alone control the mapping of real identity to pseudo identity, which has to be protected in an appropriate manner.

Thus the need to comply with portability and erasure of personal data is effectively addressed in the PDPSI system suggested by Naavi as the “Single Instance Data Storage System”, a combination of a “Pseudonymization Gateway” and “Distributed Responsibilities”.
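A minimal Pseudonymization Gateway of the kind described in the “Differential Privacy and PDPA 2020” post above and in this section, as an added example (not PDPSI's or Naavi's code): identifiers are replaced at entry by a keyed code that is the same for the same individual, the mapping table stays with the gateway (the Internal Data Controller role), and the Internal Data Disposer re-identifies with a key that is split across custodians. The identifier field names, the HMAC-based pseudonym and the XOR key split are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Fields treated as direct identifiers at the gateway (assumed set for this example).
IDENTIFIER_FIELDS = ("name", "email", "phone")

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def split_key(key, custodians=2):
    """Split the mapping key into one share per custodian; every share is needed."""
    shares = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for share in shares:
        last = xor_bytes(last, share)
    return shares + [last]

def reconstruct_key(shares):
    key = shares[0]
    for share in shares[1:]:
        key = xor_bytes(key, share)
    return key

def derive_data_id(identifiers, key):
    """Keyed pseudonym: same individual -> same code; without the key it can
    neither be reversed nor recomputed by hashing guessed identities."""
    canonical = "|".join(str(identifiers.get(f, "")).strip().lower() for f in IDENTIFIER_FIELDS)
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()[:16]

class PseudonymisationGateway:
    """Internal Data Controller side: strips identifiers on entry and holds the
    only mapping from data_id back to the real identity."""

    def __init__(self):
        self._mapping = {}  # data_id -> real identifiers; this is the table to protect

    def pseudonymise(self, record, key):
        identifiers = {f: record.get(f, "") for f in IDENTIFIER_FIELDS}
        data_id = derive_data_id(identifiers, key)
        self._mapping.setdefault(data_id, identifiers)
        processed = {k: v for k, v in record.items() if k not in IDENTIFIER_FIELDS}
        processed["data_id"] = data_id
        return processed

    def reidentify(self, processed, key):
        """Internal Data Disposer side: re-attach identity before external disclosure.
        The presented key is verified by re-deriving the pseudonym from the stored identifiers."""
        real = self._mapping.get(processed["data_id"])
        if real is None:
            raise KeyError("no mapping for this data_id")
        if not hmac.compare_digest(derive_data_id(real, key), processed["data_id"]):
            raise PermissionError("key does not match the mapping")
        out = {k: v for k, v in processed.items() if k != "data_id"}
        out.update(real)
        return out

def has_identifiers(record):
    """Internal Data Processor check: nothing identifying should have passed the gateway."""
    return any(f in record for f in IDENTIFIER_FIELDS)

if __name__ == "__main__":
    key = secrets.token_bytes(32)
    shares = split_key(key, custodians=3)  # three custodians, all needed to re-identify
    gw = PseudonymisationGateway()
    # Constructed sample record entering the organisation
    rec = gw.pseudonymise({"name": "Asha Rao", "email": "asha@example.com",
                           "phone": "9000000001", "test": "HbA1c", "result": 7.1}, key)
    print("seen by processors:", rec, "identifiers present:", has_identifiers(rec))
    print("re-identified by disposer:", gw.reidentify(rec, reconstruct_key(shares)))
```

Erasure under this design means deleting one mapping entry plus the records carrying that data_id, which is what makes the single-instance approach tractable.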

Naavi

Posted in Cyber Law

The First Bold Step towards disrupting an established system is always a challenge

Often in our professional career, we get into a conflict between what we believe is correct and what is happening around us. A large number of professionals in whom the “Fear of Failure” dominates tend to avoid opening up with their thoughts, because they may either not be confident of themselves or be more concerned about being ridiculed.

It is a fact of life that there is always a “Resistance to Change” in the community, and when we challenge the established order, we do have many people who would call the move thoughtless or risky, etc. Some may call it premature, unethical, etc. It is possible that many of the thoughts from the thought leaders appear premature because the society around may not be ready for them. Hence a fair amount of such resistance is normal, and the person who believes that he is moving in the right direction needs to overcome such murmurs and carry on.

I don’t intend a theoretical discussion of these concepts of leadership at this point, but just want to give a few examples of recent developments in my work space that made me reflect on these aspects.

In January, when I released my book “Personal Data Protection Act of India (PDPA2020)”, many of my friends were disturbed. The book was based on the Bill pending before the Parliament, which had not yet technically become an Act. By naming the book as it was named, I was exercising the author’s prerogative to give a title to a book, and explaining in the content that it is the name used for reference only. I had used a similar nomenclature, ITA 2008, for the amended Information Technology Act 2000, which also at that time drew some objections from experts. I agreed that the experts had a point of view which was not unreasonable, but insisted that I had the right to use an alternate “name” which was useful for me to pass on a concept. I opted for utility over convention.

Then came the launch of a “Certification” program from the Foundation of Data Protection Professionals in India (FDPPI) to confer the title of “Certified Data Protection Professional-Module I”, covering training in the proposed PDPA. This also caused a stir, as many thought it was premature to award certifications for a law yet to be made. But the need of the community was that sooner or later this law would come, and from the first day there would be a need for professionals who are aware of the law. This would be possible only if somebody took the lead in creating the certification program, and FDPPI went ahead with its program.

Recently, State Bank of India and Tech Mahindra released recruitment notices for Data Protection Officers, and both asked for people with certifications in GDPR knowledge. While GDPR may be relevant for both organizations, the lack of awareness of the emerging local data protection laws, and the need for the DPOs to be aware of them, was missed by both HR departments. Hopefully the certifications created by FDPPI will be noticed by the HR departments who will be recruiting DPOs in the coming days.

FDPPI is now embarking on another major initiative shortly, which will also shake the established system. I may wait a couple more days to make an announcement in this regard, but as we prepare for it, a thought occurs that the saga of the Bold First Step inviting a potentially critical reaction seems to continue.

Will come back with more on this in the next few days…

Naavi

Posted in Cyber Law

Training on Multiple Data Protection Laws

Cyber Law College has opened registrations for training only. Fees: Rs 6000/-. Participants may opt for FDPPI Certification by paying an additional amount as per FDPPI terms.

Naavi

Posted in Cyber Law