DSCI Privacy Best Practices

Privacy Principles

Different geographies across the globe have defined their privacy requirements, articulating the requirements for the protection of the personal data and preventing harm to an individual whose data is at stake. At a high level, Privacy Principles can be grouped in the following three areas:

  • Principles that advocate user engagement: The principles such as Notice, Consent, and Access & Correction involve the user transactions. They specify that a notice should be given to the user in case of a change in the privacy policies; user consent should be sought for processing of his/her information; access should be given to the user to view and correct his/her data
  • Principles that specify how information should be handled: Collection Limitation, Use Limitation, and Data Quality specify norms for ensuring privacy in the information collection stage and while the information is being used in transactions. It also asks for the data quality to be maintained throughout the operation
  • Principles that demand security safeguards and prevention of harm: Security and Safeguard, Enforcement falls under this category

DSCI Privacy Principles

  • Picture
  • Click to enlarge  Enlarge

DSCI recommends nine principles in the context of the Indian industry. The nine principles are derived from globally accepted principles of privacy. These principles reflect the need for an assurance level that an organization should create in its transactions with the end customers.

The principles such as ‘Notice’, ‘Choice and Consent’ and ‘Access and Correction’ are the user-centric elements which help an organization to provide comfort to the end customer (data subject) about their intent and policy in regard to the use of the personal information.

DSCI recommends that the data subject should be provided with ‘choices’ for trading off his/her personal information to avail the services. His/her ‘consent’ should be proactively obtained, stored and preserved for any future use. While data subject is provided with choices, he/she should have a complete idea of how an organization will use his/her information.

What is the privacy policy of an organization? These elements fall under the principle of ‘notice’. Organization should notify the data subject if there is a change in the privacy policy.

The principle ‘collection limitation’ demands that an organization while collecting the data, should collect only the required set of data elements. The data should be obtained by fair and lawful means, with the knowledge of the end user.

The principle, ‘use limitation’ specifies that the personal data should not be made available or otherwise used for any purpose other than what was agreed with the data subject at the time of data collection.

The principle ‘access and correction’ assures the data subject that his/her information is accurate, he/she is given access to the information that an organization has gathered and stored in its systems, and he/she has been provided with an opportunity to correct his/her data.

The principle ‘security’ stipulates the technical and organizational measures for securing the data. The focus of the measures should be security of the personal data. A comprehensive framework for security is required that is organized to achieve the end goal of data security.

To ensure privacy in the business ecosystem, that increasingly uses third parties, the principle ‘disclosure to third party’ demands that the principles of data protection should be upheld in these relationships.

The principle ‘openness’ recommends that an organization should have a general policy of openness about developments, practices and policies with respect to the personal data. The transparency of an organization with respect to the use of information increases the confidence level of the data subject.

The principle ‘accountability’ stipulates that the data controller is accountable for complying with the measures that give effect to the principles stated above.