Data Security Council of India
A Self Regulatory Organization
Paper for industry consultation and comments
Prepared by: Dr. Kamlesh Bajaj, CEO, Data Security Council of India
A NASSCOM® Initiative

DSCI as SRO

Background

OECD, EU and APEC Privacy Principles form the basis of many privacy laws throughout the world and are widely accepted. The OECD Principles were first announced in 1980. The EU Data Protection Directive, mandating Member States to promulgate laws in compliance with the Directive, was issued in 1995. The United States, on the other hand, created the Fair Information Practices that were formulated by the US Department of Housing, Education and Welfare (HEW) in 1973. Later, in 1980, OECD's Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data came into existence. The OECD Privacy Guidelines set out eight key principles for the protection of personal information. The APEC Privacy Framework is more recent, endorsed by APEC Ministers and Leaders in 2004; it promotes the use of nine privacy principles.

Although there are commonalities between the various privacy frameworks and guidelines, the way consumer privacy is perceived differs. For example, the European Union addresses privacy of personal information through the Data Protection Directive 95/46, which stipulates the establishment of independent data protection authorities by the Member States; privacy is treated as a fundamental right. The Directive sets forth derogations, such as consent and model contracts, to facilitate trans-border data flows to countries that are not deemed "adequate" by the EU. These derogations have been extended to include Binding Corporate Rules (BCRs). The United States addresses consumer privacy through sector-specific and state laws on privacy of customer data that are administered by a variety of agencies. These include laws for protecting health information (HIPAA, HITECH) and financial information (GLBA), among others.
These laws are further supplemented by a variety of self-regulatory mechanisms and organizations. The European Union and the United States have signed the Safe Harbor Agreement to enable US companies to receive the data of European citizens through the use of self-regulation, with enforcement for non-compliance through the FTC. It is based on seven privacy principles.

The APEC Privacy Framework is based on the Accountability Principle, under which data protection obligations flow along with the data in trans-border data flows. APEC enables economies to use both regulatory and self-regulatory elements to fashion a privacy approach that is credible while being consistent with a variety of cultures and legal frameworks. In order to accommodate the different privacy laws of various countries, APEC has placed emphasis on the practical aspects of data flows and on the manner of interface between the various players, including companies, regulators and governments. Cross-Border Privacy Rules (CBPRs), which are under development, along with information sharing, investigation and enforcement across borders among regulators, will form an integral part of the APEC Privacy Framework.

It can be seen that the following eight principles cut across all geographies: Notice, Consent, Collection Limitation, Use Limitation, Access & Corrections, Security/Safeguards, Data Quality and Openness. APEC, the EU and Canada include two more principles, namely Accountability and Enforcement.

It is against this global privacy landscape that DSCI proposes its self-regulatory approach for the IT/BPO industry. DSCI invites suggestions and comments on the paper. Please send your feedback to info@dsci.in with the subject line "Feedback- DSCI as SRO".

Public Consultation Page i

Contents

Background ... i
1. Safe Harbor: an instrument of self-regulation at the global level ... 2
2. Privacy and Self-Regulation ... 2
2.1. Privacy Codes ... 3
2.2 Privacy Standards ... 4
2.3 Privacy Seals ... 5
3. Self-Regulation by e-commerce companies ... 6
4. Self-Regulation by industry associations, and the role of contracts ... 7
5. Self-Regulation by DSCI – promoted by industry association NASSCOM ... 8
5.1. DSCI as SRO ... 9
Conclusion ... 12

DSCI as a Self-Regulatory Organization

1. Safe Harbor: an instrument of self-regulation at the global level

Privacy protection has been at the core of several legislations around the world, whether in the form of explicit Privacy Acts or in the form of sector-specific or omnibus Acts. In the first category fall the Data Protection Acts in the European Union, mandated by the EU Data Protection Directive 95/46.
In the United States, on the other hand, privacy is protected through sector-specific laws such as HIPAA. Article 25 of the Directive mandates an assessment of the legal framework of privacy protection in countries outside the EU, to decide on the "adequacy" of their data protection. In the absence of such a law, the US is deemed, in accordance with the EU Directive, not to have "adequate data protection". In order to ensure unrestricted flow of data of European citizens to the US, an agreement called "Safe Harbor" (SFH) was negotiated between the European Union and the United States Department of Commerce. SFH is an instrument of co-regulation that incorporates self-regulation at the global level. The agreement is based on the following:

i. Seven Privacy Principles: Notice, Choice, Onward transfer, Security, Data integrity, Access and Enforcement.
ii. The US organization self-certifies to the Department of Commerce, or a designated organization, its adherence to these Privacy Principles. With this step, it can accept international data flows from the EU, and an organization in the European Union can transfer such data to it.
iii. The enforcement mechanism is embodied in the requirement that any public misrepresentation concerning adherence to the Safe Harbor Principles may be actionable by the Federal Trade Commission (FTC), which has statutory responsibility to monitor "unfair and deceptive trade practices".
iv. The act of self-declaration to the Safe Harbor Principles also binds the organization to a set of legal requirements.

The SFH agreement is therefore described as a co-regulatory instrument.

2. Privacy and Self-Regulation

Most organizations have used voluntary disclosure of a privacy policy to assure people that their Personally Identifiable Information (PII) is secure with them. Such statements merely reflect an organization's commitment to a set of Privacy Principles.
It was in 1981 that the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data were issued, in close coordination with the Council of Europe. In 1985, OECD issued another declaration on trans-border data flows that dealt with data flows within transnational corporations, trade barriers and related aspects of data protection, and envisioned better cooperation and harmonization. Commitments in the form of "Codes" or "Guidelines" indicate a self-regulatory function. The organization showed people that it had considered privacy protection at some level, and that it was declaring its intent to abide by a set of commitments. Privacy commitments may inform data subjects about certain rights to access and correction, to opt out of disclosures, and so on.

Over a period of time, privacy codes of practice evolved, usually operating in the absence of a regulatory framework. Some of these privacy codes graduated to the level of privacy standards, and ultimately resulted in the establishment of privacy laws. The first such code was the Canadian Model Code for the Protection of Personal Information in September 1995, which was subsequently approved as a "National Standard of Canada" by the Standards Council of Canada in March 1996. The standard was organized around 10 Privacy Principles. Its development was led by the Canadian Standards Association (CSA) with very active participation of the industry; it was known as the CSA Model Code. The same course of events took place in Australia, where the standard was based on the CSA Model around a set of National Privacy Principles in 1988. This was later superseded by a Privacy Act. In 1999, the Japanese Standards Association released JIS Q 15001, which adapted the Environmental Management Standard ISO 14001 to personal data protection. This again led to the establishment of a Privacy Act in 2005.
Privacy codes of practice are administered in these countries by industry bodies in a co-regulation model. They also perform a crucial function within the framework of statutory data protection regimes in countries like the Netherlands, New Zealand, Ireland and the UK. It is worth pointing out that Article 27 of the EU Directive requires the European Commission and Member States to "encourage the drawing up of codes of conduct intended to contribute to the proper implementation of the national provisions adopted by the Member States pursuant to this Directive, taking account of the specific features of the various sectors". The Article also calls upon Member States to provide for review by national authorities of the draft national codes drawn up by trade associations.

2.1. Privacy Codes

Codes of practice have long operated in various countries as part of self-regulation, in the absence of any regulatory framework. Five kinds of privacy codes, classified by scope of application, have existed: the organizational code, the sectoral code, the functional code, the technological code and the professional code.

i. The organizational code applies to one corporation or agency that is bounded by a clear organizational structure. This category includes high-profile organizations such as multinationals that are under scrutiny from the media or privacy advocates, or that may have received a large number of consumer complaints.

ii. The sectoral code is developed by trade associations for adoption by their members. These instruments were developed most extensively, in the absence of a law, in Canada. The model codes were adapted from the OECD Guidelines or the CSA Model Code. The Model Codes of the Canadian Bankers Association, the Canadian Health and Health Insurance Association, the Insurance Bureau of Canada, Stentor and the Canadian Cable Television Council fall in this category. Sectoral codes have also emerged within industries that operate on a global scale, such as those of the International Air Traffic Association (IATA) and the Federation of Direct Marketing Association (FEDMA). The major defining feature of the sectoral code is that there is a broad consonance of economic interest and function, and by extension a similarity in the kinds of personal information collected and processed. Sectoral codes therefore permit a more refined set of rules tailored to the issues within each industry. The idea of the sectoral code was taken one step further in Japan when the Ministry of Trade and Industry published guidelines on the content and substance of industry codes of practice, and on procedures for their development and implementation.

iii. The functional code is defined by the practice in which the organization is engaged, e.g. direct mail and telemarketing.

iv. The technological code is defined not by function but by technology. As new, potentially intrusive technologies have entered society, codes have been developed to deal with the specific problems associated with their application and distribution; for example, the code of practice on Closed Circuit Television (CCTV) cameras in Britain. In 1992, the Canadian banks developed a code for the governance of Electronic Funds Transfer. This code attempted to regulate the issuance of debit cards and personal identification numbers, the content of agreements between the issuer of the card and the card holder, and so on. Smart card technology is also amenable to specific regulation through privacy codes of practice.

v. Professional codes are developed by professional societies, such as those for information processing professionals, survey researchers, market researchers and a range of health and welfare-related professionals.
Privacy codes of practice go beyond mere privacy commitments: they embody a set of rules for employees, members or member organizations to follow. They also provide important guidance about correct procedure and behavior based on the information privacy principles. Procedures for implementation, complaint resolution and communication are stated, though they may vary substantially. Their success, therefore, is unpredictable and variable. What sanctions for non-compliance can an industry association impose upon a member? This is a critical measure of the success of a privacy code.

2.2 Privacy Standards

A privacy standard extends the self-regulatory code of practice in important ways. A standard means a common code plus a conformity assessment procedure that assesses whether an organization conforms to its stated privacy policy and to the code. It validates that the organization "says what it does, and does what it says". In the realm of security, technological standards such as ISO 27001 describe a code of practice for computer security, as well as a standard specification for security management systems and their assessment. Can there be a privacy standard with a code and assessment procedure similar to that for security? The idea of a more general privacy standard was first attempted in Canada in 1995, based on the OECD Guidelines. This was known as the CSA Model Code. Its implementation was envisaged through contracts, whereby two organizations could require each other to register to the same privacy standard. The same would apply to international contracts and the trans-border flow of data. It is possible that European data protection agencies could enforce Article 25 of the EU Directive by requiring any recipient of European data in Canada to agree to the CSA Model Code.
The General Council of ISO attempted an international privacy standard in 1996–97, but because of political problems the group was disbanded in June 1999. However, CEN, which is responsible for the negotiation of standards within Europe, has begun to study the feasibility of an international privacy standard, supported by the Article 29 Working Party, which is responsible for overseeing the implementation of the European Data Protection Directive. Standardization activities were started along the following three paths:

i. A general data protection standard, which would set out the practical operational steps to be taken by an organization in order to comply with relevant data protection legislation, principally the EU Directive.
ii. A series of sector-specific initiatives in key areas such as health information and human resources management.
iii. Task-specific initiatives, mainly related to the online environment.

An international standard has the potential to offer a number of advantages over national models. It would carry far greater weight and credibility, both in the EU and in the US. It would also provide a more reliable mechanism for the implementation of Article 25 of the EU Data Protection Directive, for the following reasons:

i. The scrutiny of laws and contracts alone provides no assurance to EU data protection agencies that data protection rules are complied with in the receiving jurisdiction.
ii. Required registration to a standard, which would oblige independent and regular auditing, would provide greater certainty that "adequate" data protection is being practiced by the receiving organization, wherever it is located.

To make this work, there will be a need to harmonize systems of conformity assessment and to accredit auditors, in addition to bilateral and multilateral mutual recognition agreements to ensure that domestic conformity assessment programs are commonly respected.
SROs in various countries could accredit auditors, and certify organizations based on conformity assessment reports, much like a 'privacy seal'.

2.3 Privacy Seals

The fact that an organization has been successfully certified or registered against a standard is publicized through a mark, symbol or seal. In the online world, a number of such schemes, in the form of privacy marks or seals for privacy protection, have proliferated. Most notable among them are the seals developed by the TRUSTe organization, the Better Business Bureau (BBB) OnLine, and the Japanese Information Processing Development Centre (JIPDEC). The TRUSTe "trustmark" is awarded to businesses that adhere to privacy principles and agree to comply with ongoing TRUSTe oversight and dispute resolution procedures. Ernst & Young proposed an enhanced certification system through third-party front-end audit, especially for those businesses that process more sensitive forms of personal data. Online services displaying a BBBOnLine privacy seal have also pre-committed to its dispute resolution process and are subject to independent and random audit of their information security practices.

The Privacy Protection Mark (PPM) is a seal program that was devised in Japan in 1998. The system was conceived to apply to any organization, not just those operating on the Internet. JIPDEC serves as the granting organization. A Privacy Mark System Committee (PMSC), consisting of public and private experts, representatives of business groups, representatives of consumers, lawyers and so on, is responsible for oversight of the regime. The system also allows designated organizations, such as trade associations, to oversee the application of the PPM within their own sphere of competence. A designated organization is responsible for establishing guidelines for the industry to which the business group belongs.
Additionally, an enterprise must have a compliance program that complies with the Ministry of Industry's "Guidelines for Protection of Personal Information related to Computer Processing in the Private Sector". Front-end audits are not a precondition of certification, but they may be required during the application process, or as a result of consumer complaints.

3. Self-Regulation by e-commerce companies

The growth of e-commerce over the Internet has brought about an increasing need for integration within the global economy, which has made privacy self-governance instruments outgrow their territorial origin and compete for worldwide adoption. TRUSTe and BBBOnLine are examples of this. JIPDEC has entered into a mutual Privacy Seal recognition program with the BBBOnLine program. Some self-regulation efforts have been developed on a global scale, the most prominent being the Global Business Dialogue on electronic commerce's (GBDe) Guidelines for "consumer confidence", and the International Commerce Exchange's "Global Code of Conduct". Other global efforts in this direction include those of IATA and the federations of direct marketers.

Online services may also involve trans-border data flows. The services offered through such online sites cut across industries; they are not sector-specific. The providers of such services may still be affiliated to their respective industry segments: online hotel reservation websites may be affiliated to the hospitality industry and/or to e-commerce companies; retailing websites may be members of a retail industry association; sites providing financial services may be affiliated to their corresponding business industry association. Yet they may all go for TRUSTe or BBBOnLine trustmarks. There is no single association that is responsible for enforcing the privacy code or privacy standard which they claim to have accepted through the declaration of their privacy policies and the trustmarks they display on their websites.
It is this segment that is causing distrust among consumers about the inefficiency of self-regulation, and rightly so. Criticism of self-regulation has been highest in the case of online business. The privacy policy declared on a website, even with the privacy seals of TRUSTe or BBBOnLine, is not seen as a guarantee of adherence to privacy principles. In fact, a recent report of the Electronic Privacy Information Center (epic.org) has made a strong case that the FTC can protect privacy better than the industry can with self-regulation. Examples and breaches have been provided in the case of telemarketing and the do-not-call registry. It states that its reports prepared in 1997 and 2000 point to a worsening of the situation with the development of new privacy-intrusive technologies such as the cookie, the third-party cookie, web bugs, Google's Gmail content extraction, and spyware, which are highly intrusive and have encroached upon the privacy rights of consumers. Complaints against many of them have resulted in higher compliance with declared privacy policies. At the same time, an interesting trend is discernible from the use of the privacy marks of TRUSTe and BBBOnLine: global companies that are aiming for international markets have the highest percentage of such international seals.

4. Self-Regulation by industry associations, and the role of contracts

The form of self-regulation led by industry associations has to be differentiated from that of e-commerce, which is not led by any association. The OECD Guidelines apply not only to Europe but also to North America and the developed countries of Asia. However, they are completely voluntary and do not constitute international law. Their regulatory force is weak. On the other hand, the EU Data Protection Directive is stronger, but applicable to Europe only.
It is the national data protection laws, even if harmonized to the EU Directive, which are the most precise legal regulations, and they are enforced by Supervisory Authorities. Their reach is, however, limited to that country. Thus, the more binding the regulatory instrument, the shorter its reach. The regulatory regime of SFH consists of several layers:

i. The EU sets the substantive data protection standards.
ii. The companies voluntarily commit to them.
iii. It limits the scope of privacy adequacy ratings from whole countries to individual companies.
iv. Private or public bodies provide arbitration services.
v. Public enforcement is carried out by a US agency.
vi. The EU Commission has the last word and can terminate the whole agreement if compliance or public supervision in the US is not working.

Thus, the SFH arrangement relies on transactional self-regulation by a company, coupled with public regulation or oversight by a state agency, to produce a complex, multi-layered regime. This is a special agreement that is not available to other countries; they have to consider other alternatives.

In privacy self-regulation led by business associations, the industry associations are playing an increasing role in educating their members about privacy-based practices through specialized seminars, training services and newsletters. This form of self-regulation more closely resembles the "managed compliance" approach than the enforcement approach. But if trade associations have mandatory membership, that can act as a strong support for self-regulatory privacy protection instruments. The inherent problem of self-regulation is that the certification providers depend on funds from their members and customers. Can a self-regulatory organization (SRO) take tough measures against those who violate the rules? Functionally, it is contracts that are used as a substitute for missing privacy legislation on a case-by-case basis.
This has turned out to be the most versatile instrument in trans-border data flows. In France, the use of privacy contracts has been quite popular since the early days of data protection regulation, but other European states have also relied on contracts to ensure that personal data exported to other countries is handled according to the legislation enforced in the country of origin. After the implementation of the data protection directive in 1999, the EU came up with standard contractual clauses to ensure an adequate level of protection for trans-border data flows to third countries. These contracts are also used to raise the data protection level within a country. If organizations, either voluntarily or due to public pressure, want to mandate high data protection for their contractors, they can insist on incorporating standard data protection clauses into their business agreements. This contractual approach to privacy and data protection has proven to be a useful instrument, especially in extending the EU's data protection standards to countries where national legislation is lacking or not deemed adequate. In the absence of an international standard for privacy, a more practical approach, to "set a common privacy terminology, define privacy principles when processing PI information, categorize privacy features and relate all described privacy aspects to existing security guidelines", was started within ISO in 2006. Standard contract clauses for business-to-business data transfers first emerged in the EU as a means of exporting data to countries that lacked adequate legislation (as not being in conformance with the EU Data Protection Directive); these were developed in close cooperation with the International Chamber of Commerce, which now recommends their use to corporations all over the globe. A homogeneous regime for the self-governance of privacy is not yet within sight.
While there is a global consensus on basic principles (more or less the 1980 OECD Guidelines), the instruments differ in scope, reach, precision and enforcement mechanisms. But they are gradually making their way through the global network of private business governance structures, becoming more and more interlinked with each other. The 1995 EU Directive also contains an option for the certification of private self-governance instruments by public authorities; the Safe Harbor agreement is an example. The basic idea is to let business associations develop privacy codes of conduct, embed them in a legal framework and have them certified by public authorities. Several adaptations of this certified self-regulation have been developed at the national level. For example, in Germany, Australia and Canada, trade associations can submit their codes of conduct to the data protection authorities, which check them for compliance with data protection laws.

5. Self-Regulation by DSCI – promoted by industry association NASSCOM

The position of industry associations that are homogeneous and confined to a particular line of business, such as banking, insurance, health services, pharmaceuticals or IT/BPO services, is different. All of these industries involve trans-border data flows, but those that do not sell any product or service over the Internet directly to consumers have no need to obtain trustmarks of the kind offered by TRUSTe, BBBOnLine or the PPM. In particular, the members of an industry association such as NASSCOM, which has members only from IT/BPO companies, all share the same concerns about service delivery, regulations in client countries, SLAs, visa issues, taxation matters, and so on.
This aptly fulfills the requirement of an industry association aiming to be a Self-Regulatory Organization (SRO), namely that it is fully homogeneous and can subscribe to a set of privacy principles, have these vetted by major clients and regulators in the United States, the European Union and other countries, and have a process of certification that will establish that the industry members are being regulated effectively through self-regulation.

5.1. DSCI as SRO

NASSCOM has established DSCI as a not-for-profit, independent entity, a Section 25 Company that is governed by corporate laws, with an independent Board of Directors. It is an SRO. DSCI's Charter & Mission are as follows:

Public Advocacy on data protection and cyber security, both in India and abroad: engage with governments, law enforcement agencies and the judiciary for a strong and credible data protection regime through appropriate policy instruments.
Capacity Building through security and privacy awareness seminars, workshops, trainings and conferences.
Thought Leadership: develop, promote and implement best practices and standards for data security and data privacy.
Independent Oversight as a credible and committed body that would oversee data security and privacy implementations and evolve a mechanism to provide independent assurance over service providers' preparedness.
Establish a Dispute Resolution Mechanism based on Alternative Dispute Resolution procedures acceptable to clients and service providers.
Speedier trials of cyber crimes through training of law enforcement agencies and the judiciary in cyber forensics.

DSCI has established a privacy framework which comprises 9 privacy principles, as follows:

1. Notice
2. Choice and Consent
3. Collection Limitation
4. Use Limitation
5. Access and Correction
6. Security
7. Disclosure to third parties
8. Openness
9. Accountability

The implementation of these privacy principles in IT/BPO companies is ensured through the DSCI Privacy Framework (DPF), which comprises 9 best practices, as follows:

1. Visibility Over Personal Information
2. Regulatory Compliance Intelligence
3. Information Usage & Access
4. Privacy Organization & Relations
5. Privacy Contract Management
6. Privacy Awareness & Training
7. Privacy Policy & Processes
8. Privacy Monitoring & Incident Management
9. Personal Information Security

The best practices ensure that in trans-border data flows from a client in any country to a service provider in India, there is focus on information visibility, and that at each stage of data flow within the organization, risks associated with the privacy and security of data are identified and mitigated through the best practices of the DPF. Data security, which is one of the privacy principles, is ensured through an independent framework, the DSCI Security Framework (DSF), which comprises 16 best practices.

Article 27 of the EU Data Protection Directive asks Member States to review and accept the privacy codes submitted by such homogeneous industry associations, whereas the SFH requires US companies to self-certify adherence to the 7 privacy principles agreed upon between the US and the EU. The proposed DSCI Data Protection Framework, comprising the DPF and the DSF, is a hybrid in which the industry association acts as a regulator, based on its 9 privacy principles and the privacy best practices, with the industry agreeing to be regulated by DSCI under the same. It is proposed that the frameworks will be vetted by the Department of Information Technology, Ministry of Communication and Information Technology, as part of the IT (Amendment) Act 2008. DSCI will create the complete infrastructure for the following:

i. Creating awareness and providing training on the DPF and DSF, with clear linkages to the 9 privacy principles that address the global requirements around information privacy.
ii. Training IT/BPO companies to develop privacy policies and carry out privacy impact assessments, supported by the DPF, to identify risks using the DSCI Data-Centric Methodology and mitigate the identified risks using the DPF and DSF.
iii. Empanelling a set of auditors to audit the implementation of privacy.
iv. Constituting an appropriate Committee comprising experts from the public and private sector, including lawyers, to review the reports submitted by the auditors before the grant of certification or rating.
v. Establishing a procedure to receive complaints from clients of service providers in different geographies.
vi. Establishing a mechanism for complaint redressal based on Alternative Dispute Resolution (ADR) procedures using arbitration.
vii. Developing sanctions for non-compliance.

The entire process would be in line with the experience of Canada, Australia, Japan and the United States, where privacy codes, privacy standards and privacy seals have been developed and implemented. Some of these countries' programs have graduated to the level of becoming part of the privacy laws that were subsequently created. However, all of them see the role of self-regulation as an important element in ensuring privacy. The experience supports the conclusion that voluntary approaches are not something to be ignored, but rather an integral part of privacy protection. The criticism of self-regulation is that self-regulatory codes and rules will not be applied forcefully. It is argued that the incentive to breach privacy rules, in particular to collect, process and disclose personal information without consent, will tend to be driven by business considerations. However, this argument applies largely to online service providers.
In business process outsourcing, the Indian service providers, as data processors, are not engaged in deciding what data to collect or for what purpose. Even the EU Joint Proposal for a Draft of International Standards on the Protection of Privacy with regard to the processing of Personal Data, Explanatory Memorandum, para 13 on outsourcing of processing, explicitly states: "mere performance of the processing activities on behalf of the responsible person or entity will not require notification to the data subjects, so application of the openness principle will not be necessary in this case. Likewise, the decision to proceed to outsource the processing services, as a more entrepreneurial or organizational decision, must not depend on consent by the data subjects" (version 2.3, 24.2.2009, circulated by AEPD, the Spanish Data Protection Authority). Thus the following privacy principles may not apply to data processors:
1. Notice
2. Consent

Hence, the privacy code developed by DSCI, and the procedure described above for its implementation, including certification and sanctions for non-compliance and ADR mechanisms for dispute resolution, present a complete self-regulatory data protection framework. Having it vetted by the DIT, MCIT will enhance its credibility and make the certification acceptable throughout the world. Finally, it should be noted that the entire process is a hybrid of the Safe Harbor agreement, self-regulation and the recommendations of the EU Article 29 Working Party. The SFH concept of limiting the scope of a privacy adequacy rating from a whole country to individual companies in that country has been made part of the DSCI self-regulatory process. It is reiterated that contracts have been used as an instrument, as a substitute for missing privacy legislation, in trans-border data flows.
Clients in the United States and the European Union could be encouraged to build the DSCI privacy standards into their contracts. DSCI believes that a service provider in India should be able to demonstrate compliance with data protection requirements similar to those of the country where the client is located and/or where the data originates. This can be done by following the best security and privacy practices and standards, DSF and DPF. In order to achieve this, DSCI proposes to put a Certification Program in place, which would evaluate and certify the privacy practices of DSCI Members. In general, enforcement of the privacy principles will take place in India in accordance with Indian laws. DSCI self-regulation and enforcement based on the ADR mechanism may be supplemented by government enforcement. Organizations opting for conformity assessment by DSCI-accredited auditors will be asked to agree to the DSCI dispute resolution system, which will investigate and resolve individual complaints and disputes, and to its procedures for verifying compliance. DSCI's ADR will make use of an arbitration and mediation service that will be developed over the next few months along with the conformity assessment process. We need the buy-in of clients, service providers and even regulators for this approach based on best practices and self-regulation.

Conclusion

Safe Harbor is an instrument of co-regulation that incorporates self-regulation at the global level. A company declares itself to be compliant with the Safe Harbor privacy principles, and submits itself to oversight and enforcement by the FTC, a government watchdog. This is in pursuance of the EU Data Protection Directive, which provides an option for the certification of private self-governance instruments by public authorities. The basic idea is to let business associations develop privacy codes of conduct, embed them in a legal framework and have them certified by public authorities.
Several adaptations of this certified self-regulation have been developed at the national level. For example, in Germany, Australia and Canada, trade associations can submit their codes of conduct to the data protection authorities, which check them for compliance with data protection laws. Industry associations are playing an increasing role in educating their members about privacy-based practices through specialized seminars, training services, and newsletters. This form of self-regulation more closely resembles the "managed compliance" approach than the enforcement approach. These two considerations, coupled with clients' requirement that service providers conform to their regulations, prompted NASSCOM to establish DSCI as an SRO. The DSCI Best Practices and frameworks, DPF and DSF, along with the DSCI Data-Centric methodology that helps identify risks associated with data flows within an organization, enable an organization to carry out self-assessment and mitigate the identified risks. DSCI's accredited auditors will conduct conformity assessment, and a duly constituted committee will recommend certification/rating. DSCI will conduct training of IT/BPO companies in DPF and DSF and its Data-Centric methodology, and create an ecosystem of consultants and auditors to promote their use, in order to become an SRO in this industry segment. DSCI proposes to work with clients to see whether its privacy standard, DPF, can be built into contractual clauses as a way of enhancing its acceptance and credibility. DSCI will also develop an ADR mechanism, based on arbitration and conciliation, to redress complaints of clients and service providers.