2.3.3 Information Security
One of the key requirements for the competitiveness of the Indian IT and BPO industry is assurance of information security, which is a sensitive concern of all customers. By virtue of its adherence to the WTO TRIPS Agreement, India is committed to the introduction of world class intellectual property laws, and it is widely recognised that these laws are now in position. Of particular relevance to the IT and BPO sector is the Indian Copyright Act, as under Indian law computer programmes have copyright protection, not patent protection. While the law is considered adequate, it is the area of enforcement that needs considerable improvement. The conviction percentage is low, cases take a long time to get decided and the organised nature of piracy is not addressed in the enforcement strategy. The awareness of the criminal justice system needs to be raised, followed by skill development, process standardisation and use of scientific evidence.
The Information Technology Act, 2000 provides inter alia for data protection and privacy of information held in computer systems or networks. Section 43 provides for civil liability to pay damages if a person accesses data stored in a computer system without authorisation. Section 66 provides for prosecution of a person who commits hacking of a computer system, and section 72 provides for penalties for breach of confidentiality and privacy by a person who, having secured the data lawfully, discloses the data without consent of the person concerned. These specific laws are supported by the provisions in the general laws of the country, including the Indian Contract Act and the Indian Penal Code. Most urban police units in the country have acquired the basic understanding of cyber crimes, but need to progress to the next level of acquiring specialised forensic equipment and using it to solve more complicated cases.
The framework of laws established by the Government has been buttressed by firm-level and industry-wide initiatives. Tier 1 companies have dedicated security teams and conduct periodic review and audit of security policies and practices. Most companies have documented security policies. Both tier 1 and 2 companies sign confidentiality and non-disclosure agreements, and undertake background screening of their employees. In addition, NASSCOM has established the National Skills Registry, an online database containing third party verified personal, qualification and career-related information of IT-BPO professionals. NASSCOM has further taken the Self Regulatory Organisation (SRO) initiative, a self-certification scheme for Indian companies to audit themselves against benchmarks and adhere to standards set by the SRO. The Data Security Council of India (DSCI) has been established to focus attention on awareness generation, capacity creation and dissemination of best practices in data protection.
The Central Government is proposing further strengthening of the laws for data protection and privacy. In the Bill for amending the IT Act, 2000, it is proposed to insert a new section 43A fixing responsibility on the body corporate and companies for any negligence in maintaining reasonable security practices regarding personal data or information. Further, a new section 72A will extend the scope of section 72 to cover breach of confidentiality by an intermediary and service provider, who has secured any material or information from a user, and make such intermediaries or service providers liable for passing such material or information without the consent of the person concerned and/or in breach of the contract. A new section 84A is also being introduced, empowering the Central Government to prescribe the modes or methods of encryption for secure use of the electronic medium and for promotion of e-governance and e-commerce. Putting the onus of protecting data on the companies processing the data will have a salutary effect in preventing data breaches, but the enactment should be followed by an effective campaign to introduce a culture of respecting privacy of individual data and promoting security.
The adequacy of laws in the country for personal privacy protection is an issue on which views in the country are not unanimous. The larger players in the industry as well as the IT Ministry are agreed that the proposed amendment of the IT Act, 2000 will be sufficient for the purposes of data protection and information security. Their view is that enactment of a comprehensive law on personal privacy protection needs to be considered primarily in the context of the needs of the citizens of India rather than of the clientele of IT and BPO residing in other countries. However, others are of the view that India’s inability to meet the requirements pertaining to transfer of sensitive data under the EU’s Safe Harbour Decision continues to be a problem. The European Commission prohibits the transfer of personal data to non-European nations where legislation does not meet its standards for privacy protection, in contrast to the approach used in the US, which requires a mix of legislation and self-regulation by companies. It is not that the concern for data security is any less in the US but that showing compliance with data security in dealing with US companies is based largely on self-regulation. At present EU companies outsourcing to India rely upon contractual obligations and the internal security measures taken by the Indian service providers for protecting non-public information. In their Service Level Agreements (SLAs), companies need to sign data confidentiality, IP and other protection clauses when entering into agreements involving live data work in India for EU companies. The larger companies take the fulfilment of these contractual obligations in their stride but the additional costs incurred reduce the competitiveness of smaller and mid-size companies. Additionally they are exposed to the uncertainties of arbitration in the event of disputes.