One of the key provisions of the Indian PDPB 2019 is the introduction of a concept referred to as the “Data Trust Score” (DTS). The DTS expresses the level of trust that can be placed in a Data Fiduciary (DF) in terms of its compliance with data protection norms, and the responsibility for assigning it rests with the Data Auditor. The section on data audits stipulates that “A Data Auditor may assign a rating in the form of a Data Trust Score to the data fiduciary pursuant to a data audit conducted under this section”.
The Data Trust Score was originally mooted as a suggestion in the draft PDPB 2018 presented by the Justice Srikrishna Committee. There is a strong school of thought that this provision may be diluted or even deleted when the draft becomes law. Experts nevertheless believe that the concept will remain relevant as a way of rating organisations on how they adopt and implement the requirements of the PDPB 2019. Where a DTS has been assigned, the Data Fiduciary needs to display it in its Privacy Notice.
Data Auditors are to be ‘registered’ with the DPA, and the criteria for registering them are to be specified by the DPA. Data Auditors conduct audits to check the compliance of DFs with the requirements of the Bill, the details of which are also to be specified by the DPA. A data audit may cover all aspects of the DF’s processing, including managerial, administrative, technical and policy matters, as well as measures taken to motivate personnel.
Based on the above parameters, a DTS is generated. The Bill does not define any particular scoring system, so the DTS could be as subjective as High, Medium and Low. Vijayashankar Nagaraj Rao, who provided inputs to this article, has recommended a simple formula that the Data Auditor can use to calculate the DTS, taking into account factors such as:
- Implementation control mechanism
- Redressal mechanism for grievances of the Data Principals
Each factor is scored separately, and the individual scores are then combined into the final DTS.
According to the Bill, the Data Protection Authority (DPA) will only broadly specify the criteria that Data Auditors apply when assigning a rating in the form of a Data Trust Score, having regard to the following factors:
a) Collection of data: clarity and effectiveness of the notices given to Data Principals
b) Privacy by Design: effectiveness of the measures adopted
c) Transparency in relation to processing activities
d) Security safeguards adopted
e) Instances of personal data breach and the response of the Data Fiduciary
f) Any comments made by the DPA on the Data Fiduciary’s DPIA
In terms of types of Data Audit, separate audits may be created for compliance, for a Data Breach, for Harm, and for a business associate of the Data Fiduciary such as a Data Processor or some other sub-contractor.
Privacy by Design Policy
Every DF has to prepare this policy and may submit it to the DPA for certification; once certified, it is to be published on the websites of both the Data Fiduciary and the DPA. The DPA, or an officer authorised by it, shall certify the privacy by design policy on being satisfied that it complies with the requirements of the Bill.
Apart from the Privacy Notice, the Privacy by Design policy is to contain:
- the practices and technical systems designed to ‘anticipate, identify and avoid harm’ to the Data Principal;
- the obligations of the Data Fiduciary;
- confirmation that the technology used conforms to commercially accepted or certified standards;
- an explanation of how legitimate business interests are pursued without compromising privacy interests;
- protection of privacy throughout the processing lifecycle, from collection to deletion;
- transparent processing;
- the interests of the Data Principal accounted for at every stage of processing.
It is generally accepted that Privacy by Design embodies the following seven foundational principles:
- Proactive not Reactive: Preventative not Remedial.
- Privacy as the Default Setting: No action is required on the part of the individual to protect their privacy − it is built into the system, by default.
- Privacy Embedded into Design: Privacy by Design is embedded into the design and architecture of IT systems and business practices and therefore Privacy is integral to the system.
- Full Functionality – Positive-Sum, not Zero-Sum. Privacy by Design avoids the pretence of false dichotomies such as privacy vs. security, demonstrating that it is possible to have both.
- End-to-End Security – Full Lifecycle Protection. Thus, Privacy by Design ensures cradle to grave, secure lifecycle management of information, end-to-end.
- Visibility and Transparency – Keep it Open. Remember, trust but verify.
- Respect for User Privacy – Keep it User-Centric.
TRANSPARENCY AND ACCOUNTABILITY MEASURES
In the words of the Bill, every data fiduciary shall prepare a privacy by design policy containing:
(a) the managerial, organisational, business practices and technical systems designed to anticipate, identify and avoid harm to the data principal;
(b) the obligations of data fiduciaries;
(c) the technology used in the processing of personal data is in accordance with commercially accepted or certified standards;
(d) the legitimate interests of businesses including any innovation is achieved without compromising privacy interests;
(e) the protection of privacy throughout processing from the point of collection to deletion of personal data;
(f) the processing of personal data in a transparent manner; and
(g) the interest of the data principal is accounted for at every stage of processing of personal data.
Data Protection Authority: The PDPB 2018, and the PDPB 2019 after it, proposes setting up a Data Protection Authority (DPA), which may
-take steps to protect the interests of individuals,
-prevent misuse of personal data, and
-ensure compliance with the Bill
The DPA will have to keep track of data protection regulators all over the world and be prepared to establish a working relationship with each of them.
The DPA will consist of a chairperson and not more than six members, each with at least 10 years’ expertise in fields such as data protection, law and information technology. Any order of the Authority can be appealed to an Appellate Tribunal, and appeals from the Tribunal go to the Supreme Court.
The Bill indicates that the DPA may extend obligations such as conducting a data protection impact assessment, maintaining records, implementing audit policies and appointing a Data Protection Officer (DPO) to other data fiduciaries or classes of processing where the risk of harm is significant.
A Data Protection Impact Assessment (DPIA) has to be carried out by a Significant Data Fiduciary. It must contain a description of the proposed processing operation, the nature of the data being processed, the purpose of the processing, an assessment of the potential harms that the processing may cause to a Data Principal, and the measures to manage, minimise, mitigate or remove those harms.
The DPA is to specify when a DPIA needs to be carried out (the authors suggest annually) and the circumstances in which it must be carried out by a Data Auditor. The DPIA is to be reviewed by the Data Fiduciary’s DPO and submitted to the DPA, which has the power to stop the processing operation that is the subject of the DPIA or to impose conditions on it.
By Sameer Mathur, Founder & CEO, SM Consulting
President, Delhi-NCR Chapter of the Foundation of Data Protection Professionals in India
With inputs from Mr Vijayashankar Nagaraj Rao