Comments Sought on Data Protection Law Components

The government of India is seeking comments on a draft of ideas for the components of a data protection law.
A 10-member government-appointed committee has drafted a white paper that includes recommendations for components of the law and outlines experiences in other countries. Feedback on the report will be accepted through Dec. 31 at the Ministry of Electronics and Information Technology.
“On the basis of the responses received, we will conduct public consultations with citizens and stakeholders shortly to hear all voices that wish and need to be heard on this subject,” according to a statement from the committee.
The committee is seeking insights on, for example, how best to gain consumers’ consent to use their data and how to define personal data that must be protected.
“This is an interesting development and it will be worth putting in our comments,” says Sriram Natarajan, chief risk officer at Quattro, a global services company. “This is a very welcome step that will turbocharge India’s digital revolution.”
Key Principles
The white paper lists seven key principles of data protection law:
Technology agnosticism;
Holistic application;
Informed consent;
Data minimization;
Controller accountability;
Structured enforcement; and
Deterrent penalties.
One issue under consideration is whether India should use the concept of a data controller as spelled out in the EU’s General Data Protection Regulation, which will be enforced starting in May.
Under GDPR, organizations that handle Europeans’ data must designate a data controller, who determines the purposes and means of processing data, plus a data processor, who processes data on behalf of the controller.
The white paper seeks to clearly define the roles and responsibilities of people involved in data collection.
“If an entity handles personal information in any manner, it is expected to be accountable for it, irrespective of how they process the information or with whom they share it,” says Shivangi Nadkarni, CEO at Arka Consulting, an advisory firm on data security. “Therefore, this entity taking accountability has to be clearly defined. The usual definition for this is that of a data controller – and hence, I would say, it makes sense to go with the accepted definition.”
But because data travels through multiple layers, it’s not always in the control of a data controller, says C.N. Shashidhar, founder of SecurIT Consultancy Services. “And hence, it is important to get data processors and third parties under the ambit of the law too,” he says.
The Issue of Consent
The committee is seeking suggestions on how to make the process of gaining consumers’ consent to use their personal data more effective and whether different standards of consent must be followed for different practices.
“Different standards for different transactions would result in added complexity and dilution in implementation,” Shashidhar says. “It is recommended that one single standard be adopted for all types of transactions.”
The issue of consent is particularly tricky in India, where so many individuals lack the ability to read and comprehend the implications of granting consent.

“In this case, a different type of instrument/mechanism may be required to be looked at,” Nadkarni says. “A while ago, in one of its papers, the RBI had proposed a rights-based approach – where some basic rights for certain personal information should be embedded in the law itself, independent of an individual’s consent. Hence, in a country like ours, a balance between notice and consent and a rights-based approach would be the appropriate way to go forward.”
Definition of Personal Data
The definition of personal information or personal data is a critical element that determines the zone of informational privacy guaranteed by data protection legislation, the committee states.
So the panel is seeking input on which components of personal data should be termed sensitive, and whether that sensitive category should fall under personal data or under personal information.
In 2011, the government identified the following for protection as sensitive personal data:
Passwords;
Financial information, such as bank account, credit card, debit card or other payment instrument details;
Physical, physiological and mental health condition;
Sexual orientation;
Medical records and history; and
Biometric information.
“I think we must use personal data as it [is] a wider term than personal information,” Natarajan says. “Information is really static variables – date of birth, sex, place of birth, account number, among other things, while data is a much wider term including your card spend, your preferences, your social media history, etc.”
Some practitioners say the committee should take into account the definition of sensitive personal information used in other countries.
“Usually, around the world, there is quite a bit of convergence around what constitutes sensitive personal data,” Nadkarni says. “It would make sense to go with the same kind of categorization while adding/deleting what may/may not make sense from the Indian context.”