Data Privacy – An Introduction

Definition of Information Privacy

Wikipedia defines Information privacy as follows:
Information privacy, or data privacy (or data protection), is the relationship between collection and dissemination of data, technology, the public expectation of privacy, and the legal and political issues surrounding them.


When companies and merchants use data or information that is provided or entrusted to them, this data should be used according to the agreed purposes.  Companies must ensure data privacy because the information is an asset to the company.

Privacy concerns exist wherever personally identifiable information or other sensitive information is collected and stored – in digital form or otherwise. Improper or non-existent disclosure control can be the root cause for privacy issues. Data privacy issues can arise in response to information from a wide range of sources, such as:

  • Healthcare records
  • Criminal justice investigations and proceedings
  • Financial institutions and transactions
  • Biological traits, such as genetic material
  • Residence and geographic records
  • Ethnicity
  • Privacy breach
  • Location-based service and geolocation

Data privacy, also called information privacy, is the aspect of information technology that deals with the ability an organization or individual has to determine what data in a computer system can be shared with third parties.

Privacy Rules

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 framed under Section 43-A of the IT Act 2011, describe reasonable security practices and procedures that companies are required to adopt.

The Privacy Rules set out obligations in respect of two classes of information: “Personal Information”, which includes any information that relates to a natural person and that, directly or indirectly, is capable of identifying that person; and a smaller subset of Personal Information known as SPDI (Sensitive Personal Data or Information), which is information relating to passwords, financial information, health information, sexual orientation, medical records and biometric information. This is the sensitive data that needs to be protected.

For example, in a hospital, patient records are private information and should be accessed only by the doctor who is treating the patient and the nurse who is on duty with the patient. Any other nurse or doctor in the hospital should not have access to those medical records.

Any collection, processing, storage, use or transfer of Personal Information or SPDI which takes place through a computer or computer network located in India would have to comply with the IT Act and Privacy Rules.

Data Protection – Organization Roles

If an organization collects data directly from the end customer for the purpose of providing the business services it offers, it is called the data controller. Since domestic industry segments in India such as Banks, Telecom, E-Commerce, and E-Governance collect personal information directly, they can be classified as data controllers.

If an organization receives personal information from another organization for processing, as a part of the services it offers, it becomes the data processor. The IT services and BPO industries fall under this category.

An organization that collects the personal information of its employees also falls under the category of ‘data controller’. The individual whose personal information is collected – be it the end customer, consumer, or even an employee – is referred to as the ‘data subject’.

The data controller, who is the owner of the personal data being collected, should adhere to privacy practices to provide assurance to the end customer and to comply with the applicable regulations. However, business realities such as outsourcing change the data protection dynamics. A data controller that uses external services extends its liabilities to, and shares them with, its service providers. A service provider, termed a data processor, should therefore also have privacy initiatives in place to comply with the data protection requirements of its clients.

Principles that advocate user engagement

To protect the privacy of personal information from unauthorized use, disclosure, modification or misuse, DSCI (Data Security Council of India) has conceptualized its approach towards privacy in the DSCI Privacy Framework (DPF©), which is based on global privacy best practices and frameworks.

The framework's nine areas are:

  1. VPI – Visibility Over Personal Information
  2. RCI – Regulatory Compliance Information
  3. IUA – Information Usage and Access
  4. POR – Privacy Organization & Relations
  5. PCM – Privacy Contract Management
  6. PAT – Privacy Awareness & Training
  7. PPP – Privacy Policy & Processes
  8. MIM – Privacy Monitoring and Incident Management
  9. PIS – Personal Information Security

The nine areas described above are organized in three layers:

  1. Privacy Strategy and Processes: This layer aids in establishing the strategic and tactical elements for privacy. Creating visibility over the personal data helps in understanding how the data is handled by an organization. The central privacy organization (to be established by the data controller, and which may be headed by a Chief Privacy Officer) should track the personal information processed by an organization’s processes, functions, projects and operations. It should establish sound relationships with different entities of an organization for coordinating and collaborating on privacy. The privacy policy should guide and provide direction for the privacy implementation. It should be supported by appropriate processes that promise consistency in the effectiveness of privacy measures. Regulatory compliance intelligence, along with contract management for privacy, ensures alignment of the privacy initiatives to changing regulatory requirements and proportionality of the measures to the liability exposure.
  2. Information Usage, Access, Monitoring and Training: This layer ensures that an adequate level of awareness exists in an organization, that a significant level of measures is deployed to limit information usage and access, and that a mechanism is deployed for privacy monitoring and for managing incidents that may compromise privacy.
  3. Personal Information Security: This layer derives strength from an organization’s security initiatives. However, it demands a focus on data security. DSCI has developed its Security Framework (DSF©), which can be leveraged for ensuring security of the personal information.

Organizations need to protect the sensitive data.

The organization (data controller) needs to do the following to protect sensitive data from theft or loss:

  1. The body corporate which collects, receives, possesses, stores, deals in or handles information of the provider of information shall provide a privacy policy for handling of or dealing in personal information, including sensitive personal data.
  2. The body corporate needs to get written consent from its customers for the collection and usage of information and the purpose for which it is deemed necessary.
  3. The body corporate shall not retain information for longer than the required purpose or otherwise as required by law in force.
  4. A grievance officer shall be appointed to address any grievances.
  5. Disclosure of sensitive personal data or information by the body corporate to any third party shall require prior permission from the provider.
  6. The body corporate or any person on its behalf shall not publish the sensitive personal data or information. The third party receiving it shall not disclose it further.
  7. Transfer of SPDI to any other entity requires the same level of protection.

In order to protect sensitive data, organizations can implement the following initiatives, amongst others:

  1. Establish and implement reasonable security practices and procedures.
  2. Encrypt all confidential information. Ensure that data processed, stored or transferred is encrypted.
  3. Have restricted zones where SPDI is processed.
  4. Implement a password policy.
  5. Implement access control for all applications, and review it periodically.
  6. Implement data classification.
  7. Ensure that security software is up to date. Updating software automatically is the best way to defend against the latest threats and vulnerabilities.
  8. Have a very good BCP in place.
  9. Ensure all employees have undergone awareness training on handling sensitive data.
  10. Have an incident management process in place. Ensure there is a disciplinary process in case of a breach.
  11. Ensure all mobile devices are encrypted and use a mobile device management system.
  12. Have confidentiality agreements with employees, third parties and all vendors.
  13. Complete the background verification process for all employees, third parties and vendors working on SPDI.
  14. Ensure compliance with all regulatory laws, organizational standards, policies and guidelines, and with global best practices, at all times.

A better and more structured way to achieve the above is enumerated in the document “Using COBIT 5 to Secure Sensitive Personal Data Information”.