DSCI Privacy Framework (DPF©)

The concept of ‘Privacy’, which traditionally meant intrusion in one’s physical space, has become much larger in cyberspace. Data Privacy is evolving as a basic right of consumers. In certain countries, it is recognized as a fundamental right, guaranteed by the constitution and supporting legal framework. While various countries share the goal of enhancing privacy protection of their citizens, they generally take different approaches to privacy.

To protect privacy of personal information from unauthorized use, disclosure, modification or misuse, DSCI has conceptualized its approach towards privacy in the DSCI Privacy Framework (DPF©) which is based on the global privacy best practices and frameworks.

The nine areas as described are organized in three layers:

  • Privacy Strategy and Processes: This layer aids in establishing the strategic and tactical elements for privacy. Creating visibility over the personal data helps understand how the data is handled by an organization. The central privacy organization should track the personal information processed by an organization’s processes, functions, projects and operations. It should establish sound relationships with different entities of an organization for coordinating and collaborating on privacy. The privacy policy should guide and provide direction for the privacy implementation. It should be supported by appropriate processes that promise consistency in effectiveness of privacy measures. Regulatory compliance intelligence, along with contract management for privacy, ensures alignment of the privacy initiatives to changing regulatory requirements and proportionality of the measures to the liability exposure.
  • Information Usage, Access, Monitoring and Training: This layer ensures that an adequate level of awareness exists in an organization, that a significant level of measures is deployed to limit information usage and access, and that a mechanism is deployed for privacy monitoring and managing incidents that may compromise privacy.
  • Personal Information Security: This layer derives strength from an organization’s security initiatives. However, it demands a focus on data security. DSCI has developed its Security Framework (DSF©), which can be leveraged for ensuring security of the personal information.

Data Protection: Organization Roles

To understand the implication of privacy requirements or regulations, there is a need to evaluate what role an organization is performing in respect of handling the personal information. An interface with the end customer or user or consumer for collecting the personal data is one of the factors for identifying the role of an organization from the perspective of data protection. If an organization collects the data directly from the end customer, for the purpose of providing the business services offered, it is called the data controller. Since the domestic industry segments in India like Banks, Telecom, E-Commerce, and E-Governance collect personal information directly, they can be classified as data controllers.

If an organization receives the personal information from another organization for processing, as a part of services offered, it becomes the data processor. The IT services and BPO industry fall under this category. An organization, which collects the personal information of its employees, also falls under the category of the ‘data controller’. The individual whose personal information is collected – be it the end customer, consumer, or even an employee – is referred to as the ‘data subject’.

Understanding the role that an organization plays in a particular data transaction helps establish the applicability of the privacy principles. These principles are advocated by different frameworks and data protection legislations across the globe.

The data controller, who is the owner of the personal data being collected, should adhere to the privacy practices to provide an assurance to the end customer, and be in compliance with the applicable regulations. However, business realities such as outsourcing change the data protection dynamics. The data controller, who avails of external services, extends the liabilities to, and shares the same with the service providers. A service provider, termed as a data processor, thus, should also have the privacy initiatives to comply with data protection requirements of its clients.

The data processor, however, may not be required to adopt all privacy principles that the controller has adopted. Principles such as Notice to the end customer, Collection limitation and Consent of the data subject may not be applicable to the data processor. However, identifying the role of an organization from the perspective of privacy requires a careful study of the nature of its business and its relations with the end customers, clients and service providers.

Growing data protection regimes are raising the liabilities of an organization for improved data protection. An organization, which collects the personal information of its employees, also comes under the purview of these regulations. This provides a reason for an organization to extend the scope of the privacy initiatives to cover the personal data of its employees as well. DSCI Privacy Framework (DPF©) takes a careful note of the business ecosystem, the role of different entities with respect to the transactions in personal data, and the liabilities of these entities hitherto. The Privacy Best Practices provide an approach and detailed guidance that will help establish a mature privacy function.

DSCI Privacy Best Practices

To know more about DSCI Privacy Best Practices, mail us at: assessment@dsci.in

  • Visibility over Personal Information (VPI)
  • Privacy Organization and Relationship (POR)
  • Privacy Policy and Processes (PPP)
  • Regulatory Compliance Intelligence (RCI)
  • Privacy Contract Management (PCM)
  • Privacy Monitoring and Incident Management (MIM)
  • Information Usage and Access (IUA)
  • Privacy Awareness and Training (PAT)
  • Personal Information Security (PIS)