Data Security Council of India
A Self Regulatory Organization
Paper for industry consultation and comments
Prepared by:
Dr. Kamlesh Bajaj
CEO, Data Security Council of India
A NASSCOM® Initiative
DSCI as SRO
Background
The OECD, EU and APEC privacy principles form the basis of many privacy laws throughout the world and are widely accepted. The OECD Principles were first announced in 1980. The EU Data Protection Directive, mandating Member States to promulgate laws in compliance with the Directive, was issued in 1995. The United States, on the other hand, created Fair Information Practices that were formulated by the US Department of Health, Education and Welfare (HEW) in 1973. Later, in 1980, OECD's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data came into existence. The OECD Privacy Guidelines set out eight key principles for the protection of personal information. The APEC Privacy Framework is relatively more recent, endorsed by APEC Ministers and Leaders in 2004; it promotes the use of nine privacy principles.
Although there are commonalities between the various privacy frameworks and guidelines, the way consumer privacy is perceived differs. For example, the European Union addresses privacy of personal information through Data Protection Directive 95/46, which requires Member States to establish independent data protection authorities; privacy is treated as a fundamental right. The Directive sets forth derogations, such as consent and model contracts, to facilitate trans-border data flows to countries that are not deemed "adequate" by the EU. These derogations have been extended to include Binding Corporate Rules (BCRs).
The United States addresses consumer privacy through sector-specific and state laws on the privacy of customer data that are administered by a variety of agencies. These include laws protecting health information (HIPAA, HITECH) and financial information (GLBA), among others. These laws are further supplemented by a variety of self-regulatory mechanisms and organizations.
The European Union and the United States have signed the Safe Harbor Agreement to enable US companies to receive the data of European citizens through the use of self-regulation, with enforcement for non-compliance by the FTC. It is based on seven privacy principles.
The APEC Privacy Framework is based on the Accountability Principle, under which data protection obligations flow along with the data in trans-border data flows. APEC enables economies to use both regulatory and self-regulatory elements to fashion a privacy approach that is credible while being consistent with a variety of cultures and legal frameworks.
In order to accommodate the different privacy laws of various countries, APEC has placed emphasis on the practical aspects of data flows and on the manner of interface between the various players, including companies, regulators and governments. Cross-Border Privacy Rules (CBPRs), which are under development, along with information sharing, investigation and enforcement across borders among regulators, will form an integral part of the APEC Privacy Framework.
It can be seen that the following eight principles cut across all geographies: Notice, Consent, Collection Limitation, Use Limitation, Access & Correction, Security/Safeguards, Data Quality and Openness. APEC, the EU and Canada include two more principles, namely Accountability and Enforcement.
It is against this global privacy landscape that DSCI proposes its self-regulatory approach for the IT/BPO
industry.
DSCI invites suggestions and comments on the paper. Please send your feedback to info@dsci.in with the subject line "Feedback- DSCI as SRO".
Public Consultation
Page i
Contents
Background ... i
1. Safe Harbor: an instrument of self-regulation at the global level ... 2
2. Privacy and Self-Regulation ... 2
2.1 Privacy Codes ... 3
2.2 Privacy Standards ... 4
2.3 Privacy Seals ... 5
3. Self-Regulation by e-commerce companies ... 6
4. Self-Regulation by industry associations, and the role of contracts ... 7
5. Self-Regulation by DSCI – promoted by industry association NASSCOM ... 8
5.1 DSCI as SRO ... 9
Conclusion ... 12
DSCI as a Self–Regulatory Organization
1. Safe Harbor: an instrument of self-regulation at the global level
Privacy protection has been at the core of several legislations around the world, whether in the form of explicit privacy Acts or in the form of sector-specific or omnibus Acts. In the first category fall the Data Protection Acts in the European Union, mandated by the EU Data Protection Directive 95/46. In the United States, on the other hand, privacy is protected through sector-specific laws such as HIPAA. Article 25 of the Directive mandates assessment of the legal framework of privacy protection in countries outside the EU, to decide on the "adequacy" of their data protection. In the absence of an omnibus law, the US is deemed under the Directive not to provide "adequate" data protection. In order to ensure the unrestricted flow of data of European citizens to the US, an agreement called "Safe Harbor" (SFH) was negotiated between the European Union and the United States Department of Commerce. SFH is an instrument of co-regulation that incorporates self-regulation at the global level.
The agreement is based on the following:
i. Seven Privacy Principles: Notice, Choice, Onward Transfer, Security, Data Integrity, Access and Enforcement.
ii. The US organization self-certifies to the Department of Commerce or a designated organization its adherence to these Privacy Principles. With this step, it can accept international data flows from the EU, while an organization in the European Union can transfer such data to it.
iii. The enforcement mechanism is embodied in the requirement that any public misrepresentation concerning adherence to the Safe Harbor Principles may be actionable by the Federal Trade Commission (FTC), which has statutory responsibility to act against "unfair and deceptive trade practices".
iv. The act of self-declaration to the Safe Harbor Principles also binds the organization to a set of legal requirements.
The SFH agreement is described as a co-regulatory instrument.
2. Privacy and Self-Regulation
Most organizations have used voluntary disclosure of a privacy policy to assure people that their Personally Identifiable Information (PII) is secure with them. Such statements merely reflect an organization's commitment to a set of privacy principles. The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data were issued in 1980, in close coordination with the Council of Europe. In 1985, OECD issued a further Declaration on Transborder Data Flows that dealt with data flows within transnational corporations, trade barriers and related aspects of data protection, and envisioned better cooperation and harmonization. Commitments in the form of "Codes" or "Guidelines" indicate a self-regulatory function: the organization shows the public that it has considered privacy protection at some level, and that it is declaring its intent to abide by a set of
commitments. Privacy commitments may inform data subjects about certain rights, such as access and correction, opting out of disclosures, and so on.
Over a period of time, privacy codes of practice evolved, usually operating in the absence of a regulatory framework. Some of these privacy codes graduated to the level of privacy standards, and ultimately resulted in the establishment of privacy laws. The first such code was the Canadian Model Code for the Protection of Personal Information in September 1995, which was subsequently approved as a "National Standard of Canada" by the Standards Council of Canada in March 1996. The standard was organized around 10 privacy principles. Its development was led by the Canadian Standards Association (CSA) with very active participation of industry; it was known as the CSA Model Code.
A similar course of events took place in Australia, where a set of National Privacy Principles modelled on the CSA code was issued in 1998; these were later given statutory force through amendments to the Privacy Act.
In 1999, the Japanese Standards Association released JIS Q 15001, which adapted the environmental management standard ISO 14001 to personal data protection. This in turn was followed by Japan's Act on the Protection of Personal Information, enacted in 2003 and fully in force in 2005.
Privacy codes of practice are administered in these countries by industry bodies in a co-regulation model. They also perform a crucial function within the framework of statutory data protection regimes in countries like the Netherlands, New Zealand, Ireland and the UK. It is worth pointing out that Article 27 of the EU Directive requires the European Commission and Member States to "encourage the drawing up of codes of conduct intended to contribute to the proper implementation of the national provisions adopted by the Member States pursuant to this Directive, taking account of the specific features of the various sectors". The Article also calls upon Member States to provide for review by national authorities of draft national codes drawn up by trade associations.
2.1. Privacy Codes
Codes of practice have long operated in various countries, as part of self–regulation, in the absence of
any regulatory framework. Five kinds of privacy codes, according to the scope of application, have
existed: the organizational code, the sectoral code, the functional code, the technological code and the
professional code.
i. The organizational code applies to one corporation or agency bounded by a clear organizational structure. This category includes high-profile organizations, such as multinationals, that are under scrutiny from the media or privacy advocates, or that may have received a large number of consumer complaints.
ii. The sectoral code is developed by trade associations for adoption by their memberships. These instruments were developed most extensively, in the absence of a law, in Canada. The model codes were adapted from the OECD Guidelines or the CSA Model Code. The model codes of the Canadian Bankers Association, the Canadian Life and Health Insurance Association, the Insurance Bureau of Canada, Stentor and the Canadian Cable Television Association fall in this category. Sectoral codes have also emerged within industries that operate on a global scale, such as those of the International Air Transport Association (IATA) and the Federation of European Direct Marketing (FEDMA).
The major defining feature of the sectoral code is that there is a broad consonance of economic interest and function, and by extension a similarity in the kinds of personal information collected and processed. Sectoral codes therefore permit a more refined set of rules, tailored to the issues within each industry.
The idea of the sectoral code was taken one step further in Japan when the Ministry of International Trade and Industry (MITI) published guidelines on the content and substance of industry codes of practice, and on procedures for their development and implementation.
iii. The functional code is defined by the practice in which the organization is engaged, e.g. direct mail and telemarketing.
iv. The technological code is defined not by function but by technology. As new, potentially intrusive technologies have entered society, codes have been developed to deal with the specific problems associated with their application and distribution; for example, the code of practice on closed-circuit television (CCTV) in Britain. In 1992, the Canadian banks developed a code for the governance of electronic funds transfer. This code attempted to regulate the issuance of debit cards and personal identification numbers, the content of agreements between the card issuer and the cardholder, and so on. Smart card technology is also amenable to specific regulation through privacy codes of practice.
v. Professional codes are developed by professional societies, such as those for information processing professionals, survey researchers, market researchers and a range of health and welfare-related professionals.
Privacy codes of practice go beyond mere privacy commitments: they embody a set of rules for employees, members or member organizations to follow. They also provide important guidance about correct procedure and behavior based on the information privacy principles. Procedures for implementation, complaint resolution and communication are stated, though they may vary substantially, and their success is therefore unpredictable and variable. What sanctions for non-compliance can an industry association impose upon a member? This is a critical measure of the success of a privacy code.
2.2 Privacy Standards
A privacy standard extends the self-regulatory code of practice in important ways. A standard means a common code together with a conformity assessment procedure that can assess whether an organization conforms to its stated privacy policy and to the code. It validates that the organization "says what it does, and does what it says". In the realm of security, ISO/IEC 27002 describes a code of practice for information security controls, while ISO/IEC 27001 specifies the requirements for an information security management system against which an organization can be assessed and certified. Can there be a privacy standard with a code and an assessment procedure similar to those for security?
The idea of a more general privacy standard was first attempted in Canada in 1995, based on the OECD Guidelines. This was known as the CSA Model Code.
Its implementation was envisaged through contracts, whereby two organizations could require each
other to register to the same privacy standard. The same would apply to the international contracts and
the trans-border flow of data. It is possible that European data protection agencies could enforce Article
25 of the EU Directive by requiring any recipient of European data in Canada to agree to the CSA Model
Code.
ISO attempted an international privacy standard in 1996–97, but because of political problems the group was disbanded in June 1999. However, CEN, the European standards body, began to study the feasibility of an international privacy standard, supported by the Article 29 Working Party, which is responsible for overseeing the implementation of the European Data Protection Directive. Standardization activities were started along the following three paths:
i. A general data protection standard that would set out the practical operational steps to be taken by an organization in order to comply with relevant data protection legislation, mostly the EU Directive.
ii. A series of sector-specific initiatives in key areas such as health information and human resources management.
iii. Task-specific initiatives, mainly related to the online environment.
An international standard has the potential of having a number of advantages over national models. It would carry far greater weight and credibility both in the EU and in the US. It would also provide a more reliable mechanism for the implementation of Article 25 of the EU Data Protection Directive, for the following reasons:
i. The scrutiny of laws and contracts provides no assurance to EU data protection agencies that data protection rules are actually complied with in the receiving jurisdiction.
ii. Required registration to a standard, which would oblige independent and regular auditing, would provide greater certainty that "adequate" data protection is being practiced by the receiving organization, wherever it is located.
To make this work, there will be a need to harmonize systems of conformity assessment and accredit
auditors, in addition to bilateral and multilateral mutual recognition agreements to ensure that domestic
conformity assessment programs are commonly respected. SROs in various countries could accredit
auditors, and certify organizations based on conformity assessment reports – more like a ‘privacy seal’.
2.3 Privacy Seals
The application of a standard against which an organization has been successfully certified or registered is publicized through a mark, symbol or seal. In the online world, a number of such schemes in the form of privacy marks or seals have proliferated. Most notable among them are the seals developed by the TRUSTe organization, the Better Business Bureau (BBB) OnLine, and the Japan Information Processing Development Center (JIPDEC). The TRUSTe "trustmark" is awarded to businesses that adhere to privacy principles and agree to comply with ongoing TRUSTe oversight and dispute resolution procedures. Ernst & Young proposed an enhanced certification system through third-party front-end audits, especially for those businesses that process more sensitive forms of personal data.
Online services displaying a BBBOnLine privacy seal have also pre-committed to its dispute resolution process and are subject to independent, random audits of their information security practices.
The Privacy Protection Mark (PPM), or Privacy Mark, is a seal program devised in Japan in 1998. The system was conceived to apply to any organization, not just those operating on the Internet. JIPDEC serves as the granting organization. A Privacy Mark System Committee (PMSC), consisting of public and private experts, representatives of business groups, representatives of consumers, lawyers and so on, is responsible for oversight of the regime. The system also allows designated organizations, such as trade associations, to oversee the application of the PPM within their own sphere of competence. A designated organization is responsible for establishing guidelines for the industry to which the business group belongs. Additionally, an enterprise must have a compliance program that complies with MITI's "Guidelines for Protection of Personal Information related to Computer Processing in the Private Sector". Front-end audits are not a precondition of certification, but they may be required during the application process or as a result of consumer complaints.
3. Self-Regulation by e-commerce companies
The growth of e-commerce over the Internet has brought about an increasing need for integration within the global economy, which has made privacy self-governance instruments outgrow their territorial origin and compete for worldwide adoption. TRUSTe and BBBOnLine are examples of this. JIPDEC has entered into a mutual privacy seal recognition program with BBBOnLine.
Some of the self-regulation efforts have been developed on a global scale, the most prominent being the Global Business Dialogue on electronic commerce's (GBDe) guidelines for "consumer confidence" and the International Commerce Exchange's "Global Code of Conduct". Other global efforts in this direction include those of IATA and FEDMA.
Online services may also involve trans-border data flows. The services offered through such online sites cut across industries; they are not sector-specific. The providers of such services may still be affiliated to their respective industry segments: online hotel reservation websites may be affiliated to the hospitality industry and/or to e-commerce companies; retailing websites may be members of a retail industry association; sites providing financial services may be affiliated to the corresponding business association. Yet they may all opt for TRUSTe or BBBOnLine trustmarks. There is no single association responsible for enforcing the privacy code or privacy standard that they claim to have accepted through the declaration of their privacy policies and the trustmarks they display on their websites. It is this segment that is fueling consumer distrust about the effectiveness of self-regulation, and rightly so.
Criticism of self-regulation has been highest in the case of online business. The privacy policy declared on a website, even with privacy seals of TRUSTe or BBBOnLine, is not seen as a guarantee of adherence to privacy principles. In fact, a recent report of the Electronic Privacy Information Center (epic.org) has made a strong case that the FTC can protect privacy better than the industry can through self-regulation. Examples of breaches have been provided in the case of telemarketing and the do-not-call registry. It states that its reports prepared in 1997 and 2000 point to a worsening of the situation with the development of new privacy-intrusive technologies such as cookies, third-party cookies, web bugs, Google's Gmail content extraction and spyware, which are highly intrusive and have encroached upon the privacy rights of consumers. Complaints against many of them have resulted in higher compliance with declared privacy policies. At the same time, an interesting trend is discernible from the use of the privacy marks of TRUSTe and BBBOnLine: global companies that are aiming for international markets have the highest percentage of such seals.
4. Self-Regulation by industry associations, and the role of contracts
The form of self-regulation led by industry associations has to be differentiated from that of e-commerce
that is not led by any association.
The OECD Guidelines apply not only to Europe but also to North America and the developed countries of Asia. However, they are completely voluntary and do not constitute international law; their regulatory force is weak. The EU Data Protection Directive, on the other hand, is stronger but applies to Europe only. It is the national data protection laws, harmonized with the EU Directive, that are the most precise legal regulations, enforced by supervisory authorities; their reach, however, is limited to the respective country. Thus, the more binding the regulatory instrument, the shorter its reach.
The regulatory regime of SFH consists of several layers:
i. The EU sets the substantive data protection standards.
ii. Companies voluntarily commit to them.
iii. It limits the scope of privacy adequacy ratings from whole countries to individual companies.
iv. Private or public bodies provide arbitration services.
v. Public enforcement is carried out by a US agency.
vi. The EU Commission has the last word and can terminate the whole agreement if compliance or public supervision in the US is not working.
Thus, the SFH arrangement relies on transactional self–regulation by a company. This is coupled with
public regulation or oversight by a state agency to produce a complex, multi-layered regime. This is a
special agreement that is not available to other countries. They have to consider other alternatives.
In privacy self-regulation led by business associations, the industry associations play an increasing role in educating their members about privacy-based practices through specialized seminars, training services and newsletters. This form of self-regulation more closely resembles the "managed compliance" approach than the enforcement approach. But if a trade association has mandatory membership, it can act as a strong support for self-regulatory privacy protection instruments. The inherent problem of self-regulation is that the certification providers depend on funding from their members and customers. Can a self-regulatory organization (SRO) take tough measures against those who violate the rules?
Functionally, it is contracts that are used as a case-by-case substitute for missing privacy legislation. This has turned out to be the most versatile instrument in trans-border data flows. In France, the use of privacy contracts has been popular since the early days of data protection regulation, but other European states have also relied on contracts to ensure that personal data exported to other countries is handled according to the legislation of the country of origin. After the Data Protection Directive came into effect, the EU adopted standard contractual clauses (the first set in 2001) to ensure an adequate level of protection for trans-border data flows to third countries.
These contracts are also used to raise the data protection level within a country. If organizations, either voluntarily or due to public pressure, want to mandate high data protection for their contractors, they can insist on incorporating standard data protection clauses into their business agreements. This contractual approach has proven to be a useful instrument, especially in extending the EU's data protection standards to countries where national legislation is lacking or not deemed adequate.
In the absence of an international privacy standard, a more practical approach to "set a common privacy terminology, define privacy principles when processing PI information, categorize privacy features and relate all described privacy aspects to existing security guidelines" was started within ISO in 2006.
Standard contractual clauses for business-to-business data transfers first emerged in the EU as a means of enabling data exports to countries whose legislation was not deemed adequate under the EU Data Protection Directive; they were developed in close cooperation with the International Chamber of Commerce, which now recommends their use to corporations all over the globe. A homogeneous regime for the self-governance of privacy is not yet within sight. While there is a global consensus on basic principles (more or less the 1980 OECD Guidelines), the instruments differ in scope, reach, precision and enforcement mechanisms. But they are gradually making their way through the global network of private business governance structures, becoming more and more interlinked with each other.
The 1995 EU Directive also contains an option for the certification of private self-governance instruments by public authorities; the Safe Harbor agreement is an example. The basic idea is to let business associations develop privacy codes of conduct, embed them in a legal framework and have them certified by public authorities. Several adaptations of this certified self-regulation have been developed at the national level: in Germany, Australia and Canada, for example, trade associations can submit their codes of conduct to the data protection authorities, which check them for compliance with data protection laws.
5. Self-Regulation by DSCI – promoted by industry association NASSCOM
The position of industry associations that are homogeneous and confined to a particular line of business, such as banking, insurance, health services, pharmaceuticals or IT/BPO services, is different. All of these industries involve trans-border data flows, but those that do not sell products or services over the Internet directly to consumers have no need to obtain trustmarks of the kind offered by TRUSTe, BBBOnLine or the Japanese Privacy Mark. In particular, an industry association such as NASSCOM, whose members are all IT/BPO companies, shares the same concerns about service delivery, regulations in client countries, SLAs, visa issues, taxation matters and so on. This aptly fulfills the requirement of an industry association aiming to be a Self-Regulatory Organization (SRO): it is fully homogeneous, can subscribe to a set of privacy principles, have these vetted by major clients and regulators in the United States, the European Union and other countries, and have a process of certification that will establish that the industry members are being regulated effectively through self-regulation.
5.1. DSCI as SRO:
NASSCOM has established DSCI as a not-for-profit, independent entity, a Section 25 Company, that is governed by corporate law and has an independent Board of Directors. It is an SRO. DSCI's Charter and Mission are as follows:
• Public Advocacy on data protection and cyber security, both in India and abroad: engage with governments, law enforcement agencies and the judiciary for a strong and credible data protection regime through appropriate policy instruments.
• Capacity Building through security and privacy awareness seminars, workshops, trainings and conferences.
• Thought Leadership: develop, promote and implement best practices and standards for data security and data privacy.
• Independent Oversight as a credible and committed body that would oversee data security and privacy implementations and evolve a mechanism to provide independent assurance over service providers' preparedness.
• Establish a Dispute Resolution Mechanism based on Alternative Dispute Resolution procedures acceptable to clients and service providers.
• Speedier trials of cyber crimes through training of law enforcement agencies and the judiciary in cyber forensics.
DSCI has established a privacy framework which comprises 9 privacy principles that are as follows:
1. Notice
2. Choice and Consent
3. Collection Limitation
4. Use Limitation
5. Access and Correction
6. Security
7. Disclosure to third parties
8. Openness
9. Accountability
The implementation of these privacy principles in IT/BPO companies is ensured through the DSCI Privacy Framework (DPF), which comprises 9 best practices:
1. Visibility Over Personal Information
2. Regulatory Compliance Intelligence
3. Information Usage & Access
4. Privacy Organization & Relations
5. Privacy Contract Management
6. Privacy Awareness & Training
7. Privacy Policy & Processes
8. Privacy Monitoring & Incident Management
9. Personal Information Security
The best practices ensure that in trans-border data flows from a client in any country to a service provider in India there is focus on information visibility, and that at each stage of the data flow within the organization the risks associated with the privacy and security of data are identified and mitigated through the best practices of the DPF. Data security, which is one of the privacy principles, is ensured through an independent framework, the DSCI Security Framework (DSF), which comprises 16 best practices.
Article 27 of the EU Data Protection Directive asks Member States to review and accept privacy codes submitted by such homogeneous industry associations, whereas the SFH requires US companies to self-certify adherence to the 7 privacy principles agreed upon between the US and the EU. The proposed DSCI Data Protection Framework, comprising the DPF and DSF, is a hybrid in which the industry association acts as a regulator, based on its 9 privacy principles and the privacy best practices, with the industry accepting regulation by DSCI under the same. It is proposed that the frameworks will be vetted by the Department of Information Technology, Ministry of Communications and Information Technology, as part of the IT (Amendment) Act 2008.
DSCI will create complete infrastructure for the following:
i. Creating awareness and providing training on DPF and DSF with clear linkages to the 9 privacy
principles that address the global requirements around information privacy.
ii. Training IT/BPO companies to develop privacy policies and carry out privacy impact assessment,
supported by DPF, to take appropriate steps to identify risks using the DSCI Data-Centric
Methodology, and to mitigate the identified risks using DPF and DSF.
iii. Empanelling a set of auditors to audit the implementation of privacy.
iv. Constituting an appropriate Committee comprising experts from the public and private sector,
including lawyers, to review the reports submitted by the auditors before grant of certification or
rating.
v. Establishing a procedure to receive complaints from clients of service providers in different
geographies.
vi. Establishing a mechanism for complaint redressal based on Alternative Dispute Resolution (ADR)
procedures using arbitration.
vii. Developing sanctions for non-compliance.
The entire process would be in line with the experience of Canada, Australia, Japan and the United States,
where privacy codes, privacy standards and privacy seals have been developed and implemented. Some
of these countries' programs have graduated to the level of becoming part of the privacy laws that have
since been created. However, all of them see the role of self-regulation as an important element in ensuring
privacy. The experience supports the conclusion that voluntary approaches are not something to be
ignored, but rather an integral part of privacy. The criticism of self-regulation is that self-regulatory
codes and rules will not be applied forcefully. It is argued that the incentive to breach privacy rules, in
particular to collect, process and disclose personal information without consent, will tend to be driven by
business considerations. However, this argument applies largely to online service providers. In
business process outsourcing, the Indian service providers, as data processors, are not engaged in
deciding what data to collect, and for what purpose. Even the EU Joint Proposal for a Draft of
International Standards on the Protection of Privacy with regard to the processing of Personal Data –
Explanatory Memorandum – para 13 on outsourcing of processing explicitly states, "mere performance of
the processing activities on behalf of the responsible person or entity will not require notification to the
data subjects, so application of the openness principle will not be necessary in this case. Likewise, the
decision to proceed to outsource the processing services, as a more entrepreneurial or organizational
decision, must not depend on consent by the data subjects" (version 2.3 – 24.2.2009 circulated by AEPD,
the Spanish Data Protection Authority).
Thus the following privacy principles may not apply to the data processors:
1. Notice
2. Consent
Hence, the privacy code developed by DSCI, and the procedure described above for its implementation,
including certification and sanctions for non-compliance, and ADR mechanisms for dispute resolution,
present a complete self-regulatory data protection framework. That it will be vetted by the DIT, MCIT
will enhance its credibility, and make the certification acceptable throughout the world. Finally, it should
be noted that the entire process is a hybrid of the Safe Harbor agreement, self-regulation and the
recommendations of the EU Article 27 Working Party. The SFH concept of limiting the scope of the privacy
adequacy rating from a whole country to individual companies in a country has been made part of the
DSCI self-regulatory process. It is reiterated that contracts were used as an instrument, as a substitute
for missing privacy legislation in trans-border data flows. Clients in the United States and the European
Union could be encouraged to build the DSCI privacy standards into their contracts.
DSCI believes that a service provider in India should be able to demonstrate compliance with data
protection requirements similar to those of the country where the client is located, and/or where the
data is originating. This can be done by following the best security and privacy practices and standards –
DSF and DPF. In order to achieve this, DSCI proposes to have a Certification Program in place, which
would evaluate and certify the privacy practices of DSCI Members.
In general, enforcement of the privacy principles will take place in India in accordance with Indian laws.
DSCI self-regulation and enforcement based on ADR mechanism may be supplemented by government
enforcement.
Organizations opting for conformity assessment by DSCI accredited auditors will be asked to agree to the
DSCI dispute resolution system, which will investigate and resolve individual complaints and disputes, and
to procedures for verifying compliance. DSCI's ADR will make use of arbitration and mediation services that
will be developed over the next few months along with the conformity assessment process. We need
buy-in from clients, service providers and even regulators for this approach based on best practices and
self-regulation.
Conclusion
Safe Harbor is an instrument of co-regulation that incorporates self-regulation at the global level. A
company declares itself to be compliant with the Safe Harbor privacy principles, and submits itself to
oversight and enforcement by the FTC, a government watchdog.
This is in pursuance of the EU Data Protection Directive, which provides for an option for the certification
of private self-governance instruments by public authorities. The basic idea is to let business
associations develop privacy codes of conduct, embed them in a legal framework and have them certified
by public authorities. Several adaptations of this certified self-regulation have been developed at the
national level. For example, in Germany, Australia and Canada, trade associations can submit their codes of
conduct to the data protection authorities, which check them for compliance with data protection laws.
The industry associations are playing an increasing role in educating their members about privacy based
practices, through specialized seminars, training services, and newsletters. This form of self–regulation
more closely resembles the “managed compliance” approach than the enforcement approach.
It is both of the above reasons, coupled with clients' requirement that service providers conform to
their regulations, that prompted NASSCOM to establish DSCI as an SRO. The DSCI best practices and
frameworks, DPF and DSF, along with the DSCI Data-Centric methodology that helps identify risks
associated with data flows within an organization, enable an organization to carry out self-assessment
and mitigate the identified risks. DSCI's accredited auditors will conduct conformity assessment, and a
duly constituted committee will recommend certification/rating.
DSCI will conduct training of IT/BPO companies in DPF and DSF and in its Data-Centric methodology, and
will create an ecosystem of consultants and auditors to promote their use, as part of becoming an SRO in
this industry segment.
DSCI proposes to work with clients to see whether its privacy standard DPF can be built into the
contractual clauses as a way of enhancing its acceptance and credibility.
DSCI will also develop an ADR mechanism, based on arbitration and conciliation, to redress complaints of
clients and service providers.