DSCI Assessment Framework - Privacy (DAF-P©)

In 2012, the DSCI Assessment Framework-Privacy (DAF-P©) was published to help organizations provide assurance to external stakeholders on the implementation of a privacy program based on DPF©. These frameworks have been used and referred to by many organizations across industry sectors.

It consists of two parts, each focusing on a distinct aspect of privacy implementation: one, the Assessment of Organizational Competence in Privacy, is based on the practice areas defined in DPF©, while the other, the Privacy Principles based Assessment, focuses on the implementation of global privacy principles. The first part is based on the nine practice areas listed under DPF©, and the assessment questionnaire is thus designed to help organizations assess and mature their privacy program. The questionnaire is based on the practices defined in DPF©, with suggestive guidance parameters to aid assessors when conducting assessments. The assessment can be conducted in either of two modes: Self-Assessment or External Assessment. An external assessment through DSCI-empanelled auditors could help organizations attain DSCI Certification.

The second part is intended to help organizations assess and improve maturity in the implementation of global privacy principles across all organizational processes that deal with personal information and, in the process, optimize their efforts while implementing privacy principles across global operations. To address the specific needs of organizations with operations in India, this part of DAF-P© also contains an assessment questionnaire designed to help assess compliance against the privacy principles prescribed under section 43A of the IT (Amendment) Act, 2008. This part of DAF-P© is intended for self-assessment only and, for now, will not entitle an organization to any sort of DSCI Privacy Certification.

Privacy Principles based Assessment: (DAF-P)

DSCI pioneered the DSCI Privacy Framework (DPF©), which promotes best privacy practices in nine areas. DSCI has been encouraging its adoption by Indian industry since the publication of DPF© in 2010. The framework has received a good response from the industry and has been adopted by some large enterprises to establish their privacy programs. As part of DPF©, DSCI has also developed the DSCI Privacy Principles, which are based on the study and analysis of global privacy principles including those of FIPPs, OECD, EU, APEC, etc. The DSCI Assessment Framework for Privacy (DAF-P©) is the logical progression of DPF© and can be used as the much-required instrument to provide privacy assurance to external and internal stakeholders.

The privacy principles represent the core of privacy protection, and privacy concerns have, to date, more or less been addressed through the use of privacy principles. Existing data protection regimes have a lot in common in how they use privacy principles as a tool to address privacy concerns. DSCI has identified nine fundamental Privacy Principles, which are derived from globally accepted principles of privacy. These nine principles form a superset of privacy principles. Concepts such as data minimization, privacy by design, privacy enhancing technologies, individual control, etc. can be subsumed under these privacy principles. These principles are intended to provide the baseline level of privacy protection to all individual data subjects and end users. They reflect the need for an assurance level that an organization should create in its transactions with consumers and in its practices to keep privacy requirements intact.

The questionnaire has been divided into ten areas, corresponding to the nine principles, with consent & choice having a separate set of questions. Questions in each of these areas have been designed to ensure that the objective of each principle is met in implementation. In designing the questions, a lot of emphasis was put on identifying all the possible perspectives and aspects related to the implementation of each privacy principle. The principles were mapped to different scenarios and to the different levels (process or organizational) at which they can be implemented, in order to give more meaning and practicality to the assessment questions. To keep the assessment questionnaire contemporary, evolving issues, trends, approaches and practices were also taken into consideration by referring to the latest discussions, new privacy approaches and principles, proposed revisions of privacy regulations and issues in the implementation of privacy principles. This approach, based on global privacy principles, is relevant for organizations with global operations. The assessment questionnaire is primarily intended to be used as a self-assessment tool. We have also designed an assessment questionnaire to help organizations assess compliance against the privacy principles prescribed under section 43A of the IT (Amendment) Act, 2008, which can be used by companies with operations in India.

For further details on this framework, please write to assessment@dsci.in