By Bhavana M.
The Bureau of Indian Standards (BIS) on November 20, 2020 established standards for personal data protection for businesses in India to adopt. The BIS is India’s national standards body. The Data Privacy Assurance standard — IS 17428 — was published to promote the standardization of practice in protecting personal data for businesses that deal with the collection and processing of individual information. The standard is available to download from BSB Edge; we are not linking to a copy as reproduction is prohibited.
Businesses have so far developed and adopted their own standards and practices to protect user data. The standards released by BIS seek to facilitate a consistent and approved practice of protecting personal data. Businesses might be interested in the standards given that BIS standards are generally accepted in other industries and are often used by the government to evaluate compliance. In formulating the requirements, experts from relevant industries, academia and the government have been consulted (see full list of entities below).
IS 17428 sets out requirements that a business must comply with in order to run an effective Data Privacy Management System. However, it is only complementary to the regulatory framework applicable to personal data protection, and it does not cover the processing of non-personal data. Given that India's Personal Data Protection Bill has not yet been passed by Parliament, this standard may well be the closest there is to a reference point for businesses. The standard can be adopted by both data processors and data controllers.
The BIS has also published, as a separate document, guidance to IS 17428 which provides additional detail on how a business can meet the standard's requirements. The guidance is not a substitute for the requirements, however: it is Part 1 of the standard that a business must comply with to be considered compliant with the BIS standard.
Key features of the Data Privacy Assurance standard — IS 17428
The standard prescribes that businesses must develop their privacy requirements based on the product, service or solution they provide. Such privacy requirements must be developed in view of applicable laws and regulations. Further, the collection and processing of data must rest on recognised privacy principles such as lawfulness, fairness, transparency, accuracy, purpose limitation, storage limitation and data minimisation. The business must also ensure that adequate security controls are adopted to protect the personal data it collects, and the standard imposes restrictions on the transfer of that data.
The standard requires that entities establish a data privacy function (DPF). The DPF will be an independent structure within the business entity which will exercise oversight on how personal information is processed and how privacy controls are managed. The standard also provides for a data privacy management system (DPMS) that will guide the business in implementing the privacy requirements. The DPMS will clearly lay out the criteria for classifying information, the procedure for introducing the processing of new personal data elements, and other such requirements. The business must take reasonable measures to periodically evaluate and update the DPMS.
The standard also provides for periodic privacy impact assessments that must be carried out by the business. Whenever the business perceives that a change in its practices could potentially affect the privacy of individuals, an impact assessment must be carried out. Another significant requirement concerns data processors that process information on behalf of the data fiduciary: they must be evaluated before engagement and periodically thereafter, and any transfer of obligations to a processor can only take place contractually, so that the risk of a breach is mitigated.
Businesses must specifically ensure that their staff and contractors are aware of the gravity of dealing with personal information and are sensitised to exercise the utmost care in handling it. There must also be adequate provision to trace and hold staff accountable in case of a breach of their duty of care.
The standard might go a long way in charting out industry good practice for personal data protection, at least until a regulatory framework is introduced. However, it remains to be seen whether it will see widespread adoption in the absence of a regulatory mandate.
It is still a step in the right direction and definitely reassuring to see government agencies taking the issue of data protection seriously.
Who was consulted
The following organisations or people were consulted and involved in the development of the standards:
Ministry of Electronics & Information Technology; Bharat Electronics Limited; C-DAC; Centre for Internet & Society; Data Security Council of India; Department of Science and Technology; HCL; Indian Cellular & Electronics Association; Infosys; Dr. Gargi Keeni & Ms. Amutha Arunachalam; the Indian Statistical Institute; KCPIL; Larsen & Toubro; National Accreditation Board for Certification Bodies; Narnix Technolabs; NEC India Pvt Ltd; Oxygen Consulting Services Pvt Ltd; Patanjali Associates Pvt Ltd; Qualcomm India; ReBIT; Smart Chip Private Limited; Standardisation, Testing & Quality Certification (STQC); Tata Communications; Tata Consultancy Services; Telecommunication Engineering Centre (TEC), Department of Telecommunications; The Perspective (Rahul Sharma); the Unique Identification Authority of India; WYSE Biometrics Systems Pvt Ltd; BIS Directorate General; Reliance Jio; Genpact; and KPMG.
Bhavana M. is a Technology Law and Policy Fellow at Daksha Fellowship ’21.