ITA 2008 has mandated that body corporates handling sensitive personal data need to follow “Reasonable Security Practices” (RSP), under section 43A, failing which they will be liable for paying compensation to any person who suffers a loss. Similarly, under Section 79, there is a need for “Intermediaries” to follow “Due Diligence”.
Though “Due Diligence” cannot be prescribed and has to be left to be decided on a case-to-case basis, where a standard security practice exists it could serve as a starting point to benchmark the requirements under due diligence. ITA 2008 is additionally expected to prescribe certain data retention norms under section 67C, which should be considered part of the “Reasonable Security Practices”.
The requirements of all three aspects above can be met by adopting a security framework referred to as the Indian Information Security Framework (IISF-309), which is built on the following principles. [P.S: This is not a standard prescribed by the Government of India but is only a suggested framework from Naavi as part of an academic exercise].
a) The framework is flexible enough for users in different user segments and of different operational sizes to adopt practices which are appropriate and affordable. It does not mandate any specific security standard such as ISO 27001 or any other.
b) It incorporates the best practices in current usage but makes fine changes as required by ITA 2008.
c) It gives value to “Disclosure” and “Accountability”. Accordingly, it recommends that the organization announce a security policy and designate a “Compliance officer”.
d) It banks on a “Client Consent” which makes the framework legally binding on the prospective victim and hence meets the first of the three criteria suggested by Section 43A under explanation (ii).
The IISF-309 follows the same 21-step specification that is used by LIPS-2008 (a standard developed for LPOs in India). Since LIPS-2008 was developed for Legal Process Outsourcing firms, it naturally addresses the needs of other data processing agencies as well.
It is however possible to define different specifications for different segments such as “Banking”, “Share Broking”, “Call Centers”, “KPOs”, matrimonial/job websites, e-commerce websites, etc. Even within a segment, depending on the size of the organization, different levels may be defined. As new security threats and remedies become relevant, additional levels can be defined to harden the security further.
More details will be available at www.naavi.org.