After not addressing the flak for years from Governments across the globe, the Department of Information Technology (DIT), Government of India (GoI) has introduced new rules earlier this year. Coined as the Information Technology (IT) Rules, 2011, the notification is available to download from the DIT website (http://www.mit.gov.in/content/notifications). With more than a handful of new additions, I believe this is a step in the right direction to address long-pending issues.
So what’s in it that the IT/ITes vendor strategists as well as the CIO and the sourcing professionals need to look out for?
- Data Protection Act likely to put a few BPOs out of business; help address data privacy concerns of cloud users
I was impressed to read through the broad list of information the act included as part of sensitive data. The DIT has also been mindful to include the clause on access of data being only restricted to what is “freely available or accessible in public domain or furnished under the Right to Information Act, 2005”.
This is a brilliant move to curb illegal trafficking of data in the BPOs (both domestic and international). Given the nonchalant attitude towards data protection by many Indian BPOs and the nature of business being based on the loopholes that have traditionally existed, I believe (in theory) the rule on data protection can be limiting for many and a few might even go out of business. This will particularly be true for the BPOs catering to the domestic business in India. This rule will also provide additional confidence to those enterprises willing to use cloud offerings but have had concerns around data privacy.
That said, I would like to call out the need for stringent enforcement policies – something that has been a sticky issue in India – to ensure Indian citizens can make the most of this.
- There are real reasons for the organisations to join
While DIT has not mandated organisations to adopt ISO 27001, it has made it increasingly difficult for them to survive without it. As the clause has been designed, if an organisation is found guilty of any wrongdoing and does not have an ISO certification, it is liable to be prosecuted heavily. I believe DIT’s efforts to promote adoption of ISO 27001 will not only ensure that organisations are made accountable for the information security procedures they follow internally, but will also help establish their credibility with clients who understand (and respect) this certification. However, for the large Indian IT service providers who have already adopted a range of ISO certifications years ago, this might not be a prominent point.
- Censorship or Regulation?
An excerpt from the notification:
"websites shall inform users not to publish any material that is 'blasphemous, would incite hatred, is ethnically objectionable, would infringe on patents, or threaten India’s unity or public order.'"
The internet community has termed it as ‘censorship of internet’ in the country but I’m afraid I disagree. The above clause is justified in light of the likely issues triggered by any irresponsible commentary – and particularly for a country with so much cultural diversity! The move, I believe, is largely inclined towards self-regulation, and to ensure the website owner is ethically responsible for the content it hosts.
- Definitions are still not crystallised, details still missing
The notification calls on website owners to remove content if it is reported as objectionable by any user. While this is a step in the right direction, it does poorly at offering depth on what exactly can be defined as objectionable. By plain definition, it can also include end-user reviews that many of us usually post on multiple websites. And, if the government was to get serious on this, use of tools like Twitter can also be put under strict scrutiny!
The author is Senior Analyst at Forrester Research.
Updated Date: Feb 02, 2017 23:19:44 IST