The Bureau of Indian Standards, Department of Consumer Affairs (‘BIS’) has issued a new standard on Data Privacy Assurance, IS 17428 (‘the Standard’). The BIS is the National Standards Body of India, established under the Bureau of Indian Standards Act, 2016, for regulating the standardization, marking and quality certification of goods and related matters.
NEED FOR THE STANDARD:
Organizations that hold personal information as part of their in-house business activities or customer solution offerings need to provide privacy assurance to the customers whose data they store and process. The Standard seeks to serve as a privacy assurance framework for these Organizations.
Implementation of Part I of this Standard and of Part II, i.e., the Management Guidelines (‘the Guidelines’), does not substitute for regulatory compliance. Various data protection regulations and related laws may apply to an Organization depending on the jurisdiction, the nature of its business and the type of personal information it stores and processes. The Standard will assist Organizations in better understanding such privacy needs, incorporating them into design, and maintaining privacy assurance, while also offering consumers a certain level of assurance on Data Privacy.
An Organization’s decision to implement a Privacy Standard is influenced by the Organization’s business goals, types of personal information processing involved, the regulatory environment it is exposed to, complexity, structure, and size.
IS 17428 is divided into two parts:
1. Part I: Part I sets out the Engineering and Management Requirements (‘IS Requirements’), which are mandatory. It specifies the management and engineering requirements for establishing, implementing, maintaining and continually improving a Data Privacy Management System.
Part I applies where an Organization obtains personal information from individuals, either for a purpose determined by the Organization or on behalf of another entity under a contractual obligation. It applies to industry domains such as banking, retail, logistics, telecommunications, entertainment and healthcare, where individuals in a business relationship, such as customers, employees and prospects, provide their personal information. It applies to Organizations processing personal data, but not to Organizations that process personal data only in non-electronic form.
2. Part II: Part II sets out the Engineering and Management Guidelines (‘IS Guidelines’). The Guidelines provide guidance for implementing Part I and describe good practices for implementing the various Data Privacy controls. They explain the significance of each control element, which helps an Organization choose the right control.
SALIENT FEATURES OF THE IS 17428
- While formulating this Standard, assistance has been derived from two international Standards:
  - IS/ISO/IEC 29100: 2011 Information Technology — Security Techniques — Privacy framework
  - IS/ISO/IEC 27001: 2013 Information Technology — Security Techniques — Information Security Management Systems — Requirements
- Part I of the Standard provides important definitions, such as Data Controller, Consent, Data Portability, Data Processor, Data Subject, Personal and Sensitive Personal Information, Omnibus Law, Opt-in, Opt-out, Privacy Incidents and Data Breaches, Privacy Controls, Privacy Risk Assessment, Processing, Profiling, etc. These definitions help the Organization assess its role and responsibilities.
- With regard to Privacy Engineering, the Organization is required to incorporate certain engineering and design requirements during the development lifecycle of any product, service or solution that involves the processing of personal data. The Organization is required to:
  - Determine the Data Privacy Requirements relevant to the product, solution or service, with due consideration to the applicable jurisdiction, regulatory, statutory and contractual requirements, and the privacy and security controls arising from the Organization’s own business needs and its privacy and security policies and processes.
  - Design privacy principles based on considerations such as personal data collection and limitation, privacy notice, choice and consent, limitations, data accuracy, security, disclosure and transfer, personal data storage limitation, the Right to Personal Data Portability, the Right to Object to Profiling and Automated Decision, the Right to Object to Processing, etc.
  - Ensure that the applicable data privacy controls are verified and tested, as applicable, before the deployment of a solution or product and at regular intervals as per the stipulated procedures.
- The Organization is also required to establish certain Privacy Management functions and processes. Under these, the Organization is required to:
  - Determine and define Data Privacy Objectives with due regard to considerations such as the nature of the business, the nature of business operations involving processing of personal information, the nature of the personal information involved, the business objectives of the Organization, etc.
  - Create Data Privacy Functions and identify a qualified and competent person to be accountable for data privacy for the Organization and its products, services or solutions.
  - Establish a Data Privacy Management System (‘DPMS’) that acts as a baseline and reference point for determining the Organization’s Data Privacy Requirements, and that includes criteria for classifying personal information, an inventory of personal information, triggers for updating the DPMS, etc.
  - Implement Privacy Rules, together with supporting processes and guidelines that reflect the level of detail involved, exceptions or deviations from processing, and accountability for every activity in the Organization.
  - Maintain records of processing activities in order to demonstrate its commitment to Data Privacy compliance. To do this, the Organization must design and implement procedures for identifying the various records and their retention periods.
  - Conduct Privacy Impact Assessments for changes that may arise from time to time and that may affect an individual’s Data Privacy. The Organization needs to establish a Privacy Impact Assessment methodology to ensure consistency and rigour in carrying out the process and capturing its outcome.
  - Define and document how Data Processors are evaluated, determined to be suitable and held accountable, so as to reduce the risk of a Personal Data Breach or any Data Privacy Incident.
  - Establish and document a Privacy Risk Management methodology defining how Data Privacy risks are managed, and ensure that residual risks are kept at an acceptable level at all times.
  - Establish and document mechanisms for managing Data Privacy Incidents and Personal Data Breaches.
  - Establish and document mechanisms for responding to and serving individuals on request, such as means to verify an individual’s details and data, means to update a data subject’s data, and means to provide the data subject with access to their information.
  - Implement and document a Grievance Redressal Mechanism, including identification and publication of the Grievance Officer’s contact information, provisions for escalating an appeal, timelines for grievance redressal, etc., for prompt redressal of grievances.
  - Ensure the competence of staff and contractors in handling personal information, upskill them, and establish their accountability for any actions relating to personal information.
  - Put in place mechanisms that allow management to periodically monitor and review compliance of the DPMS with the applicable regulations, and ensure that the privacy features and controls built into products and solutions are updated as privacy regulations change.
  - Conduct periodic audits (at least once a year) of the DPMS and allocate resources and authority to the Audit Group. The audit should be conducted by an independent group of auditors competent in data privacy.
  - Implement a documented process for measurement and continuous improvement of the DPMS.
- Organizations must comply with all of the IS Requirements to achieve compliance with the Standard, unless they can establish, on the basis of a documented evaluation, that particular sub-clauses do not apply to them.
- The IS Guidelines provide extensive and detailed guidance on best practices and procedures for achieving compliance with the IS Requirements in every aspect of privacy engineering and privacy management.
- The Guidelines also set out special security and privacy considerations for cloud infrastructure.
Separately, the draft Personal Data Protection Bill, introduced in the Lok Sabha in 2019, aims to increase the accountability and transparency of the country’s information ecosystem while also addressing loopholes and severe data security problems. However, the Personal Data Protection Bill is still pending.
In light of the above, IS 17428 is a comprehensive Standard developed by the Information Systems Security and Privacy Sectional Committee and approved by the BIS’s Electronics and Information Technology Divisional Council. Implementing Part I of the Standard will help Organizations provide privacy assurance to customers and workers, and achieve and maintain privacy compliance with regulatory and contractual requirements, especially in accordance with the Rules.
Further, the Guidelines will help Organizations choose effective Data Privacy Controls from among best practices, thereby helping an Organization give Data Privacy Assurance to the individuals whose data it processes, in a fast-changing technological and legislative landscape.