Submitted Proposals

Organization: Data Security Council of India
Title: 70. Self Regulatory Approach to Data Security and Privacy in India
Provide a concise formulation for the proposed workshop theme including its importance and relevance to the IGF.

It is well known that different countries have different enactments to deal with Data Protection and Data Privacy. Moreover, every society has its own privacy culture, though commercial transactions require that the information privacy and security obligations be determined by the point of origination of data. Irrespective of where the data is processed in a globally networked environment, the businesses that originally collected the data are required to meet the originating privacy obligations regardless of where the data flows. Particular expectations for privacy are thus truly local while data flows are global. However, it is difficult to govern cross-border data flows under any one country’s laws or legal frameworks. The challenge, therefore, is for IT and BPO companies to meet privacy and information security obligations when national laws differ. NASSCOM (the National Association of Software and Services Companies), the industry association of IT and BPO companies, recognized that cultural notions and laws on privacy are diverse, but that there is widespread agreement around international data protection and information security principles; prominent among these are the OECD Privacy Principles, the OECD Security Guidelines for the Security of Information Systems and Networks, and the APEC Privacy Principles. These principles anticipate cross-border data flows on the premise that data processing must be global to reap the benefits of a digital economy. A corporation’s enterprise-wide data handling rules, grounded upon the APEC and OECD principles as a foundation, can achieve basic compliance with substantive requirements that might be found in any country. Likewise, an IT or BPO service provider is expected to design its operations in the same way. NASSCOM decided to take the route of self regulation: it has established the Data Security Council of India (DSCI) as a self regulatory organization (SRO).
DSCI will serve as a trust agent for data privacy and security accountability in outsourcing. The concept of DSCI as an SRO would be preferable to a statutory regulator for a number of reasons. A statutory regulator may not have the flexibility to keep pace with the rapid technological changes which the IT sector is experiencing, and thereby may not facilitate the adoption of new technology. In addition, outsourcing involves working in an environment requiring compliance with multiple laws of different countries, which a statutory regulator (created by domestic laws) may not be able to deal with in an effective manner. DSCI will create awareness through Education and outreach programs, Engage with all concerned to promote best practices on security and privacy, encourage service providers to engage in self checks, submit them to verification by independent authorized auditors on their claims as a part of Enforcement, and grant membership to them. Membership of DSCI will provide an assurance that the company to which work is being outsourced is following the requirements of data security and privacy and could be trusted. DSCI can assess its adherence to common data management principles, as also against the specifics such as EU requirements for health, financial sector, or other personally identifiable information. An SRO can verify a service provider’s voluntary compliance with the APEC/OECD Privacy Principles and the customer company’s own promises and obligations. It is against this background that DSCI’s mission as an SRO has been prepared. The mission specifically focuses on DSCI’s self-regulatory role in promoting privacy accountability in outsourcing. Security and privacy being global concerns in global data flows, the concept of SRO has universal appeal in this connected world.

Provide the names and affiliations of the panellists you are planning to invite. Describe the main actors in the field and whether you have approached them about their willingness to participate in the proposed workshop.

We have approached two panelists: Mr. Jerry Rao, Chairman, Steering Committee, DSCI; and Mr. Vakul Sharma, Supreme Court Advocate (cyber crimes, security and privacy expert).

Provide the name of the organizer(s) of the workshop and their affiliation to various stakeholder groups. Describe how you will take steps to adhere to the multi-stakeholder principle, including geographical diversity.

DSCI will organize the workshop with Mr. Shyamal Ghosh, Chairman, DSCI in the chair. The theme will be presented by Dr. Kamlesh Bajaj, CEO, DSCI. A few other papers already submitted to IGF will be included in this workshop. The geographical diversity will be addressed through rationalization of cross-border data flows irrespective of the multiple privacy regimes around the world. This is contained in the abstract above.

Does the proposed workshop provide different perspectives on the issues under discussion?
Yes, it does. Different privacy regimes and approaches in the form of regions such as the EU and APEC will be discussed.

Please explain how the workshop will address issues relating to Internet governance and describe how the workshop conforms with the Tunis Agenda in terms of substance and the mandate of the IGF.

Security and Privacy of data are of utmost concern to all stakeholders of IGF. For the Internet to emerge as a tool for global data flows, these have to be addressed. The SRO approach as proposed by DSCI takes security and privacy to governance levels.

List similar events and/or any other IGF workshops you have organized in the past.

DSCI organized a Conference of Security and Privacy in London for stakeholders in the UK; the SRO Framework of DSCI is proposed for a Meet of Privacy Commissioners proposed in October. DSCI will also participate in the Privacy Commissioners Conference in Germany in October. Presenting the DSCI SRO Framework in the APEC Privacy Seminar in Lima, Brussels in August. In addition, security and privacy concerns in the context of Internet-mediated global data flows have been presented in a number of national seminars and conferences in India. In the Annual Security Summit in Hyderabad in December, 2008 it will form an important theme.

Were you part of organizing a workshop last year? Which one? Did you submit a workshop report?