In developing Privacy Controls it is important to distinguish between “Data Breach” and “Data Disclosure” and adopt appropriate policies for “Data Breach Notification” and “Data Disclosure”.
The essential difference between Data Breach and Data Disclosure is that a “Data Breach” represents an unauthorized access to information where as Data Disclosure represents a release of information under the authority of an authorized custodian.
(P.S: In case of privacy control, we are restricting our focus on “Personal” information where as under conventional data security we are considering all information whether it is “Personal” or not).
The Personal Information Collection Contract (PICC) should define how the “Personal” information is used and disclosed between the data provider and data collector. (Or the Data owner and Data Processor in the Outsourcing scenario). “Usage” also defines how the information is accessed.
When information is accessed or used in a manner other than what the policy permits, the event should be recognized by the Incident Management system a “Potential Breach”. The incident report needs to be further analysed to confirm if the incident qualifies to be classified as a “Breach” or not.
On the other hand, “Disclosure” is not a “Breach”. It is a voluntary disclosure of an information based on a valid request from the data subject or a demand from a regulator or a law enforcement authority or in any other circumstance where the disclosure is justified for public good.
In all these instances of “Disclosure”, some body within the data processing organization should take the call on whether the requested disclosure falls within the permitted disclosures under the policy or not.
If an organization does not have a proper “Data Disclosure Policy”, it would be difficult to identify an accidental unauthorized disclosure which becomes a “Data Breach”.
A Data Breach normally requires a “Disclosure” to the data subject if data is collected directly by the processor from the data subject subject to any contract to the contrary in the PICC.
If the PICC is silent about “Data Breach Notification to the Data Subject” as is normally the case in India, then one has to look at any law that defines a mandatory disclosure of a data breach.
In India, since there is no Privacy Law to guide us, we need to look at Information Technology Act as regards personal information in electronic form.
Under Section 79 of ITA 2000/8, the rules require that an “Intermediary shall report cyber security incidents and also share cyber security incidents related information with the Indian Computer Emergency Response Team”. Hence it is mandatory for an intermediary to report the data breach incidents. Reporting of breaches to the data supplier depends on the underlying contract. Fortunately for the organizations, there is no mandate on public disclosure of a breach or even to the data subject.
In case of data breaches coming under Section 43A of ITA 2000/8 where the data processor is not the “Intermediary” but is a “Direct Collector and user of personal information”, the PICC should take care of all data breach notification requirements. In case of Banks, there is a mandatory disclosure of breaches to the RBI and CERT had once indicated through a draft circular that it would like the data breach incidents to be reported to them as a mandatory requirement. But some uncertainty may exist in this respect.
Data Disclosures arise when the law enforcement authorities such as the Police or a Court demands the information. Certain agencies have also been empowered by ITA 2000/8 to seek information from any IT user under Sections 69B or 70B. In such cases disclosure is mandatory.
When an organization opts for Cyber Insurance, probably the Insurance company may prescribe a mandatory data breach/incident reports to be sent to them.
In all cases of “Disclosures”, the employee authorized to disclose should be clearly made available a corporate policy which defines when which data can be disclosed and to whom. Additionally, procedures should be defined on how to identify a “Valid Request” from a “Phishing Request”, the “Disclosure Approval Process”, the “Disclosure Documentation” etc. Even the process of how the data breach has to be disclosed and what has to be done with the back up information needs to be defined in the policy.
The twin policies of “Data Breach Notification” and “Data Disclosure” should therefore be part of any Privacy or Data Protection or Information Security policy that any organization adopts.
The “Privacy Notice” given to the data subject or data supplier should indicate the Data Disclosure and Data Breach Notification policies of the organization.
At present it is not clear if many companies in India have an adequate Data Disclosure and Data Breach Notification policies. I hope they would start working on this.