Data Security Council of India

Transcription

1 A Comparison of the APEC CBPR and DSCI Privacy Assessment Systems Josh Harris Future of Privacy Forum - On Behalf of - Data Security Council of India A NASSCOM Initiative

2 About DSCI Established by The National Association of Software and Services Companies (NASSCOM) as a non-profit, self-regulatory organization Vision: Harness data protection as a lever for economic development of India through global integration of practices and standards conforming to various legal regimes. Mission: To create trustworthiness of Indian companies as global sourcing service providers, and to assure clients worldwide that India is a secure destination for outsourcing where privacy and protection of customer data are enshrined in the global best practices followed by the industry.

3 DSCI Principles 1) Notice ) Choice/Consent 3) Collection Limitation 4) Use Limitation 5) Access and Correction 6) Security 7) Disclosure to Third Parties 8) Openness 9) Accountability APEC Privacy Principles 1) Notice ) Choice 3) Collection Limitation 4) Use of Personal Information 5) Integrity of Personal Information 6) Security Safeguards 7) Access and Correction 8) Accountability 9) Preventing of Harm

4 DPF Privacy Practices PIS: Personal Information Security IUA: Information Usage and Access PIS IUA MIM: Monitoring and Incident Management PAT: Privacy Awareness and Training VPI: Visibility Over Personal Information MIM POR PAT RCI POR: Privacy Organization and Relations PPP: Privacy Policy and Process VPI PPP PCM RCI: Regulatory Compliance Intelligence PCM: Privacy Contract Management

5 DPF Areas and CBPR : Illustrative Mapping* *Suggestive mapping to give an idea that organizational competences as described in DPF can support implementation of privacy principles. DPF practice areas are distinct from organizational competency, though the two are interlinked DPF Privacy Practices 1) VPI: Visibility Over Personal Information APEC Privacy Principles 1) Collection/Security/Access/Accountability ) POR: Privacy Organization and Relations ) Accountability 3) PPP: Privacy Policy and Process 3) Notice/Choice/Accountability 4) RCI: Regulatory Compliance Intelligence 4) Accountability 5) PCM: Privacy Contract Management 5) Accountability 6) MIM: Monitoring and Incident Management 6) Security Safeguards 7) IUA: Information Usage and Access 7) Collection/Use/Integrity 8) PAT: Privacy Awareness and Training 8) Accountability 9) PIS: Personal Information Security 9) Security Safeguards

6 CBPR Program Requirements and DSCI Assessment Framework (DAF) - Privacy Principles based Assessment CBPR Program Requirements Total Questions Substantially similar Surmountable difference Referenced from different principle Some conflict or otherwise incompatible Not of practical importance Notice 4 4 Collection Limitation 3 3 Uses of Personal Information 6 4 Choice Integrity of Personal Information 5 3 Security Safeguards Access and Correction 3 1 Accountability 1 7 1

7 Components APEC CBPR DAF-P (DPF / Competence based) Assessment Criteria Applicability Intake Questionnaire(Based on Principles) Companies subject to laws of one or more participating APEC economies Assessment Questionnaire(Based on Practice Areas) Open for all Voluntary Yes Yes Empanelment of Third Party Auditors Accountability Agents; Recognized at organizational level only Assessment Organizations; Recognized at organizational level only but training & certification of employees of AOs as well Self Assessment Yes Yes Assessment Scope Categories of PI Categories of PI; enterprise wide, process/function /location specific Free flow of personal information APEC Economies No Restriction Legal Enforcement Does not displace domestic laws Does not displace domestic laws Non Compliance Termination of Certification Termination of Certification Validation 1 Year 3 Years (Surveillance Assessment every Year) Monetary Penalty Depending on Jurisdiction No

8 Potential Enforcement Theories DSCI 1) IT (Amendment) Act: Adjudicating Officer in each state; quasi-judicial authority to address privacy complaints related to sensitive personal information as defined in sec 43A of the IT Act ) Currently developing comprehensive privacy law based on the recommendations of Justice A P Shah committee, including codes of practice by sector enforced by a proposed privacy commissioner APEC 1) Enforceable through a variety of means as demonstrated through Economy application to join CBR system ) Identified enforcement entity must be a CPEA participant