Self Regulatory Approach to Data Security and Privacy in India

5 December 2008 - A Best Practice Forum on Security in Hyderabad, India


It is well known that different countries have different enactments to deal with Data Protection and Data Privacy. Moreover, every society has its own privacy culture though commercial transactions require that the information privacy and security obligations be determined by point of origination of data. Irrespective of where the data is processed in a globally networked environment, the businesses that originally collected the data are required to meet the originating privacy obligations regardless of where the data flows. Particular expectations for privacy are thus truly local while data flows are global. However, it is difficult to govern cross-border data flows under any one country’s laws or legal frameworks. The challenge, therefore, is for IT and BPO companies to meet privacy and information security obligations when national laws differ. NASSCOM – the national association of software and services companies – the industry association of IT and BPO companies recognized that cultural notions and laws on privacy are diverse, but that there is widespread agreement around international data protection and information security principles; prominent among these are the OECD Privacy Principles, the OECD Security Guidelines for the Security of Information Systems and Networks, and the APEC Privacy Principles. These principles anticipate cross-border data flows on the premise that data processing must be global to reap benefits of a digital economy. A corporation’s enterprise-wide data handling rules, grounded upon the APEC and OECD principles as a foundation, can achieve basic compliance with substantive requirements that might be found in any country. Likewise, an IT or BPO service provider is expected to design its operations in the same way. NASSCOM decided to take the route of self regulation – it has established the Data Security Council of India (DSCI) as a self regulatory organization (SRO). DSCI will serve as a trust agent for data privacy and security accountability in outsourcing. The concept of DSCI as a SRO would be preferable to a statutory regulator for a number of reasons. A statutory regulator may not have the flexibility to keep pace with rapid technological changes which the IT Sector is experiencing and thereby not facilitate the adoption of new technology. In addition, outsourcing involves working in an environment requiring compliance with multiple laws of different countries which a statutory regulator (created by domestic laws) may not be able to deal with in an effective manner. DSCI will create awareness through Education and outreach programs, Engage with all concerned to promote best practices on security and privacy, encourage service providers to engage in self checks, submit them to verification by independent authorized auditors on their claims as a part of Enforcement and grant membership to them. Membership of DSCI will provide an assurance that the company to which work is being outsourced is following the requirements of data security and privacy and could be trusted. DSCI can assess its adherence to common data management principles, as also against the specifics such as EU requirements for health, financial sector, or other personally identifiable information. An SRO can verify a service provider’s voluntary compliance with the APEC/OECD Privacy Principles and the customer company’s own promises and obligations. It is against this background that DSCI’s mission as an SRO has been prepared. The mission specifically focuses on DSCI’s self-regulatory role in promoting privacy accountability in outsourcing. Security and privacy being global concerns in global data flows, the concept of SRO has universal appeal in this connected world.