Have you ever thought that your simple act of paying a restaurant bill with your credit card, or sharing personal information (for a surprise gift) such as your date of birth, anniversary and home address could become a catalyst for financial fraud? This is possible because the concept of privacy is still vague and immature among most Indian organizations.
Step 1: Understand the significance of privacy, convey it to management
When we are talking about privacy, we are talking about the private lives of people. Leakage or loss of this information can directly affect an individual’s personal life, hence its protection becomes crucial. On this front, organizations can start by getting the top management on board with the concept of data privacy; this can be done by organizing a workshop on data privacy. The executive and senior management is made aware of concerns regarding the protection of personal information (and the impact thereof on the organization). The regulatory environment plays an important role in these initiatives, and a favorable environment in this matter can act as a catalyst in promoting privacy across the corporate sector.
For this reason, we believe Section 43 (A) under the IT Amendment Act 2008 is a welcome change. This section necessitates that a corporate body possessing, dealing with or handling any sensitive personal data (or information) in a computer resource has to protect this information by implementing reasonable security practices.
Step 2: Conduct data flow analysis from privacy angle
The organization will have to re-look at the data classification and data flow across the organization. Today, most businesses classify data into types such as confidential, internal and public. Now, they will have to also consider whether the data contains any personal information.
In this context, you need to understand the kind of personal information that your organization handles. In US parlance, the protection of non-public personal information (NPPI) is very crucial. For example, while an individual’s name is public personal information, his date of birth is NPPI. Thus, wherever an organization handles NPPI, it needs to deploy additional controls and establish a proper access system.
Processes will have to be fine-tuned to ensure the protection of personal information. For instance, the database administrator (DBA) may currently have access to all the personal and financial information of an individual. This may be due to the current database design. If data privacy has to be implemented, it’s essential to control such access to the database (even access provided to the DBA). Mechanisms have to be installed to prevent the DBA from viewing this information, while at the same time allowing him to perform his duties. Granular classification of data (or process) with regard to privacy will become the key factor (as opposed to the present focus on confidentiality, integrity and availability).
Step 3: Deploy the right security controls
The main differentiator between privacy and information security is that private data is usually historic and not dynamic. Therefore, even if compromised such data cannot be changed. So deploy more stringent controls to ensure that it is very difficult to compromise private data.
Personal information should be masked and available to only those individuals who have a business requirement to access the same. For example, certain individuals in the HR department may require an individual’s year of birth for determining his retirement date, but the individual’s manager does not require this information. Technologies such as data masking, along with processes that maintain role-based access, will go a long way in supporting such objectives to protect personal information. Information rights management (IRM) and document rights management (DRM) technologies can ensure that only authorized individuals have access to documents, and that personal information is not openly available.
Step 4: Be prepared for the challenges
A cultural shift is required to make initiatives for protection of personal information a success. Merely framing policies to protect personal information won’t help. People and process leaders also need to be made aware of privacy concerns and the impact of privacy measures. So impart extensive awareness and training in this regard.
The key best practice for the protection of personal information is the old proverb: ‘prevention is better than cure.’ In other words, don’t share any more information than you need to.
About the author: Faraz Ahmad is the CISO of Reliance Life Insurance, and has keen interest in the area of privacy protection.
(As told to Dhwani Pandya)
This was first published in September 2010