The 67-page draft of the recently released Personal Data Protection Bill, 2018 (PDP18) outlines some much-needed steps towards a framework for privacy and the protection of individuals' personal data in India. While there are references to similarities with the European Union's General Data Protection Regulation, the bill is especially relevant in India because of the almost free flow and availability of citizens' data.
There have been several examples of this in the past, whether such data was held by companies or circulated in semi-controlled social media environments. In light of this, the bill defines several stakeholders along with their obligations in collecting, managing, and processing data. What is intriguing to note is that one would need to seek consent from the individual prior to processing his/her personal data.
In principle, these are very welcome steps and obligations. All of us have received pesky calls at some point in our lives where callers appear to have significant amounts of information about us and have used it to sell a product or service. Most of us would not recall permitting anyone to use our data for the purpose of unsolicited calls. [While the telecom ministry and TRAI have a Do Not Disturb (DND) registry, many people haven't signed up for it because the DND also stops essential banking transactions from going through by blocking OTP and other messages.]
While this bill may finally give individuals the right to own and manage their data and its use, it is likely to pose a challenge for organisations attempting to manage the risk of fraud through risk assessments, investigations of non-compliance/misconduct, and legal proceedings, whether criminal or civil, in which an individual's data may have been reviewed for the purpose of such initiatives.
Most such activities are kept confidential, and at times the individual suspect is also not aware of the investigation taking place in the background. This often helps in keeping the knowledge of the entire activity restricted to less than a handful of people. Imagine a scenario where a person is informed that they are under investigation and the person is found to be innocent at the end of the exercise; the knowledge that they are being investigated could result in loss of morale and even trust and faith in the organisation.
In our experience, the Information Technology policies of most companies do permit 'limited/reasonable' personal use of company-provided electronic devices by individual users and employees. These users often do receive items that could be considered personal identifiers, and in some cases sensitive personal information, on these machines, such as bank statements, credit card bills, insurance documentation, etc. In addition, there would be financial information in the form of payslips, Form 16s, etc. that are issued by and shared through the official email addresses of such users. Therefore, the likelihood of personal data residing on a computer used by an individual employee is extremely high.
Consent, therefore, becomes a critical point if one were to attempt to access individual data as part of a routine fraud risk management activity. Whether an individual storing his personal data on a computer system provided by his company, without informing the employer, would carry the same set of obligations for the firm is currently unclear. In addition, if the employer is not sure whether there is personal data on the computer, would they still need to seek consent, and thereby disclose that an investigation is underway, or do they wait until potentially relevant data is discovered on such a system? And further, what recourse is there if the employee refuses to provide consent even though the data resides on a computer that was given to the employee for other reasons? Would the company then need to demonstrate that it is acting on a suspicion or whistleblower tip by filing an official complaint with the police?
A further question could be whether it would be reasonable for companies to prohibit employees from using provided assets for storing any personal data at all.
Use of digital forensics techniques is key to any form of compliance, fraud or regulatory investigation across the globe. In most western countries, electronic discovery is a legal obligation in civil litigation or in regulator-driven investigations. The premise is that, because of the pervasive role of technology in most interactions, a digital footprint and evidence are created which need to be uncovered and used in proceedings.
Many companies in India rely on digital forensics to verify allegations or suspicions of fraud. This typically involves analysis of computers or other electronic devices provided by the company to identify whether such allegations may be true. Digital forensics is usually performed by external parties; however, some companies do employ internal resources for such work.
Currently, many organisations are toying with the idea of seeking blanket consent from employees for access to data on company-provided assets. While this may be suitable for some organisations, others may find it limiting to seek such consent from employees, especially where a Bring Your Own Device (BYOD) culture is encouraged and the lines between official work and personal work are blurred. Perhaps the bill needs to address this. Until then, organisations would need to find an approach that strikes a fine balance between seeking data and maintaining employee trust.
(Author is Partner, Deloitte India)
Updated Date: Aug 07, 2018 17:56 PM