Data Protection & Privacy - Global Best Practices
Objectives
Create a reference source of globally adopted principles and practices for data privacy and protection (DPP) in e-government services;
Present recommendations for eGov and eGov partners (including state governments) to adopt in order to better align with global best practices
Audience: Internal - ExCo, especially the CTO, COO and Head of Product; External - data policy and privacy researchers, senior bureaucrats.
Introduction
A. Why is this document needed?
Create a succinct, evidence-based research repository of globally adopted principles, requirements and practices for data privacy and protection (DPP) in e-government services.
It serves as a basis for advising state governments and local bodies on adopting principles and practices for DPP.
Requirement for DPG Certification.
Assess eGov’s readiness for adopting such principles, requirements and practices (the checklist questions in Table 2 can be used as a readiness/assessment checklist as well).
B. How is privacy perceived globally?
Privacy, like the freedom of speech, is a fundamental human right that is recognized in the (Gritzalis, 2004). Historically, in Europe and North America, and based on the Fourth Amendment of the US Constitution, the right to privacy was seen as a defence against any “unreasonable” physical intrusion upon one’s private home, private papers, personal belongings and one’s body. Over the years, the legal and societal definition of the concept has broadened to encompass the various types of information that could be available about an individual, including behavioural, financial, medical, biometric, consumer and biographical information. Privacy also covers information that is derived from the analysis of such data. Privacy interests are therefore linked to the gathering, control, protection and use of information about individuals, and to the deliberate invasion of those interests.
In the absence of a single globally accepted definition of privacy, principles play an important role. A principle is a shared value upon which regulations, rules, and standards can be built for the protection and . In many jurisdictions, laws have been shaped around such privacy principles.
C. How does India perceive privacy?
The three pillars of the Indian state, i.e. the Legislature, the Judiciary and the Executive, have each had their own journey in discovering the role of privacy in India.
Legislature:
The law-making body of India is in the process of enacting a data protection law. In the absence of a clear standalone law for data protection, the Information Technology Act, 2000, together with the IT Rules and Regulations, is read as the baseline legal compliance providing for data protection. Laws such as the Right to Information, 2000; the Indian Registration Act, 1908; the Aadhaar Act, 2016; and the Telecom Regulatory Authority of India Act, 1997, among others, are relied on for protecting the privacy of Indian residents/citizens.
Judiciary:
The Supreme Court, in J. Puttaswamy v. Union of India, declared the right to privacy a fundamental right of the citizens of India. The widely cited judgement serves as a detailed guideline for the executive and the legislature to create a data protection regime in India on the basis of legality, legitimate state aim and proportionality.
Executive:
The Central government, along with the State governments, has provided for data protection, security and the right to privacy of citizens through various executive orders and circulars issued under the powers given by the Constitution read with the IT Act, the Aadhaar Act, the TRAI Act and the Credit Information Companies Regulation Act (among others).
D. What is E-Government & why is DPP needed in e-government services?
E‐government is defined as the use of information technology (IT), especially the Internet, to deliver government services and information to citizens, businesses, and other . One of the benefits of internet use for service delivery is the possibility to easily collect, store, process, and disseminate citizens' personal information accurately and in real time. Personal information is information that makes specific .
Government organizations rely on such information to increase the efficiency and effectiveness of , enhance transparency and accountability in service delivery, and empower innovation. Although government organizations gain benefits from extended collection, storage, and dissemination of personal information, these activities often raise users' concerns about . As information technology advances, are getting bigger as more data are collected and used for various purposes including more in‐depth analyses and to make services more efficient.
shows that ensuring the privacy of citizens' information and addressing their privacy concerns are crucial for the adoption of e‐government, as it influences users' trust and willingness to use e‐government services. To fully unleash the potential and benefits of e‐government, government organizations and third parties participating in the e-government ecosystem (such as eGov Foundation) need to adopt information privacy protection (IPP) practices to ensure citizens that their personal information is protected. In developed countries, are reflected in national and international regulations and are commonly used to protect users' privacy.
2. Informational Privacy Principles
Information privacy principles concern conditions and/or guidelines for developing and have been identified as an essential baseline for assessing such practices. There exist numerous sets of such principles with different scopes. On a review of assessing IPP practices in different countries and regions, we found that the most commonly used sets of principles are:
(1) the Organization for Economic Co‐operation and Development (OECD) principles,
(2) the Fair Information Practice Principles (FIPP),
(3) The developed by ISO,
(4) the General Accepted Privacy principles by the Canadian Institute of Chartered Accountants and the American Institute of Certified Public Accountants (GAPP), and
(5) the European General Data Protection Regulation (GDPR).
These five sets of principles are widely recognized. In particular, globalization has increased the importance of shared principles and led to the GDPR, affecting most organizations in the world as it sets mandatory principles for not only the EU but for every organization doing any business with the EU. Each set is applied and considered important in a certain context or region.
Based on when considering which data privacy principles may be the most important to address in any standards or procedures, the twelve that occur the most frequently include: notice, use restriction, quality, retention, minimization, security, enforcement, access, consent, participation, transparency, and disclosure. Those that occur infrequently include information flow, context, identifiability, consolidation, sensitivity, confidentiality, breach, and accountability. The specific application of data privacy principles will vary given the context and goals of an individual country, jurisdiction, industry, or organization. However, by basing these applications upon an agreed acceptance of principles, the privacy rights of the individual can be acknowledged.
Analysis
When the above ‘sets’ of principles are analysed together, 7 individual principles run commonly across them. The most frequently occurring and important principles are listed in the table below (Table 1).
They are:
Notice and awareness
Differentiated Access
User Control
Storage limitation
Safeguard, accuracy and security
Enforcement
Accountability
Column 2 of the table contains the broadly accepted meaning of each of the corresponding principles. Detailed definitions of all these principles are provided in Appendix A.
Note: In some cases, elements of one principle could be included in more than one category. For example, elements of openness, transparency and notice were categorized under notice and awareness as well as under accountability. The category of notice and awareness includes all elements concerning notifying users (data subjects, here citizens) about activities related to the collection, use or extended use of their information, together with an explanation of why the information is used. Notice and awareness includes elements of the notice and collection principles present in principle number 2 of the GAPP principles; purpose specification, individual participation and openness of principle numbers 3, 6 and 7 of the OECD principles; openness, transparency and notice in principle number 7 of ISO; and notice and awareness of principle number 1 of FIPP (all of the principles can be read in Appendix A).
In this way, we formulated a new set comprising seven principles, presented in Table 1, which eGov can use as a common principles table for DPP references.
Appendix B consists of a checklist for entities such as eGov Foundation, as well as other e-government service-providing organisations and government departments, to assess their readiness/compliance with the common data privacy and protection principles (including the 7 we defined in Table 1). The checklist consists of questions one can ask to assess the presence or absence of common practices in the data privacy and protection space.
References used in Table 1:
Entities - local governing bodies providing e-government services, third-party e-government service providers (including eGov Foundation) and implementing partners (e.g. EY and KPMG in Punjab)
Individuals - citizens, data subjects, users of e-government services (can be individuals or groups). The terms user and citizen are used interchangeably.
Abbreviations used below:
GAPP: General Accepted Privacy Principles;
OECD: Organization for Economic Co‐operation and Development;
ISO: International Standards Organization;
FIPP: Fair Information Practice Principles;
GDPR: General Data Protection Regulation
Table 1- Informational Privacy Principles & Practices - Definition & Practices
| Principle | Definition | Practices/Examples |
|---|---|---|
| Notice and awareness | Any entity using an individual’s data should publish and inform such an individual, in a clear and easy-to-understand manner, why and how they are using that data and the potential uses of such data. | e.g. Study of Utrecht (emphasised the importance of transparency and awareness of citizens towards information held by the local body of Utrecht) |
| Differentiated Access | Any entity should: commonly held datasets by . This principle should be read along with 'User control'. | |
| User Control | The entity should give individuals control over how their information is used, shared, viewed and changed, so as to provide ownership of data to individuals. A choice to allow or disallow use of their data must be given to users. Users should be able to access their information to review and verify it, or to ask for deletion of the information from the entity’s systems. | Example of the PRE_EGOV Framework (suggests a PRE_EGOV framework after conducting a gap analysis on the privacy frameworks of the , ,, and , which ranked the highest in the for their performance. It concluded that all of the above frameworks lacked a feature of ownership rights management enabling the user to have control over their data, and failed to take cultural, political and social factors into consideration when framing the privacy frameworks for their respective e-governments.) |
| Storage limitation | The entity should retain data in a safe manner (de-identified/anonymised) and only for as long as the data serves a defined/laid-down purpose. | |
| Safeguard, accuracy and security | The entity should keep the data accurate, complete, up-to-date, adequate and relevant for the purpose of a defined use. The entity should ensure that the data is protected and secured from any unauthorized access or change. | Accuracy - define a policy for the frequency and quality of data updates and the checks and balances for updates. Safeguard - |
| Enforcement | The entity must comply with all the above principles as well as the legal obligations established nationally, those followed by partners in other countries, and internal policies, in order to avoid non-compliance and penalties. The entity must provide a legal basis for actions taken on data collected and used, to maintain legality and fairness. | |
| Accountability | The entity should be held accountable for complying with data protection and privacy measures (all the principles and measures mentioned above), in order to gain the trust of users. | |
Appendix A
DEFINITION OF PRIVACY PRINCIPLES
A1. Fair Information Practice Principles (FIPP)
In 1973, the USA Department of Health, Education, and Welfare conducted a study, which brought out a set of privacy principles known as the FIPP. Later, the FIPPs became the core of the US Privacy Act of 1974. Currently, it is mirrored in the laws of many states of the United States, as well as many other nations and international organizations. FIPP is the most comprehensive privacy principle that was sufficiently influential to propagate governmental, private sector, and self‐regulatory approaches to privacy policymaking in the United States. The FIPPs include:
1. Notice or awareness: Data collectors must alert individuals of the potential for capture, processing, and use of their information.
2. Choice or consent: The individual must be allowed options to control how their information is used. They must also be allowed to make the final decision before the collection and use of their information.
3. Access or participation: Individuals must be allowed to view the collected information and verify and contest its accuracy. This access must be inexpensive and timely in order to be useful to the consumer.
4. Integrity or security: Information collectors should ensure that the data they collect are accurate and secure.
5. Enforcement or redress: The data controller must identify enforcement measures and policies and adhere to those policies while processing and collecting users' information.
A2. Organization for Economic Co‐operation and Development
The OECD presented a set of privacy guidelines in 1980, revised in 2013. The OECD principles were the first attempt to protect information privacy at the global level. The OECD set is composed of eight principles, defined as follows:
1) Principle of collection limitation: There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
2) Principle of data quality: Personal data should be relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, should be accurate, complete, and kept up‐to‐date.
3) Principle of purpose specification: the purposes for which personal data are collected should be specified not later than at the time of collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
4) Principle of use limitation: Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified in accordance with principle 3 except: (a) with the consent of the data subject or (b) by the authority of law.
5) Principle of security safeguards: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data.
6) Principle of openness: There should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available for establishing the existence and nature of personal data and the main purposes of their use as well as the identity and usual residence of the data controller.
7) Principle of individual participation: An individual should have the right (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him, (b) to have the data relating to him communicated to him, (c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial, and (d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed, or amended.
8) Principle of accountability: A data controller should be accountable for complying with measures which give effect to the principles stated above.
A3. General Accepted Privacy Principles (GAPP)
The American Institute of Certified Public Accountants, Inc. and the Canadian Institute of Chartered Accountants introduced 10 information privacy principles, known as the General Accepted Privacy Principles (GAPP). GAPP was first published in 2003 and revised in 2004 and in 2006.
Although GAPP was developed to address information privacy protection on a global level, it is commonly used in the United States and Canada (Dayarathna, 2013). The 10 GAPP principles are:
1) Management: The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
2) Notice: The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
3) Choice and consent: The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
4) Collection: The entity collects personal information only for the purposes identified in the notice.
5) Use, retention, and disposal: The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfil the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.
6) Access: The entity provides individuals with access to their personal information for review and update.
7) Disclosure to third parties: The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
8) Security for privacy: The entity protects personal information against unauthorized access (both physical and logical).
9) Quality: The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
10) Monitoring and enforcement: The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.
A4. ISO privacy principles
In December 2011, the ISO published an international standard for privacy principles. The principles were derived from existing principles developed by various states, countries, and international organizations (ISO, 2011). Those privacy principles are:
1) Consent and choice: presenting to the personal information subject, the choice of whether or not to allow the processing of her personal information.
2) Purpose legitimacy and specification: ensuring that the purpose(s) complies with applicable law.
3) Collection limitation: limiting the collection of personal information to that which is within the bounds of applicable law and strictly necessary for the specified purpose(s).
4) Data minimization: minimizing the personal information which is processed, and the number of privacy stakeholders and people to whom personal information is disclosed or who have access to it.
5) Use, retention, and disclosure limitation: limiting the use, retention, and disclosure (including transfer) of personal information to that which is necessary in order to fulfil specific, explicit, and legitimate purposes.
6) Accuracy and quality: ensuring that the personal information processed is accurate, complete, up‐to‐date (unless there is a legitimate basis for keeping outdated data), adequate, and relevant for the purpose of use.
7) Openness, transparency, and notice: providing personal information principals with clear and easily accessible information about the personal information controller's policies, procedures, and practices with respect to the processing of personal information.
8) Individual participation and access: giving data subjects the ability to access and review their personal information, provided their identity is first authenticated.
9) Accountability: assigning to a specified individual within the organization the task of implementing the privacy‐related policies, procedures, and practices.
10) Information security: protecting personal information under an organization's control with appropriate controls at the operational, functional, and strategic level to ensure the integrity, confidentiality, and availability of the PII and to protect it against risks such as unauthorized access, destruction, use, modification, disclosure, or loss.
11) Privacy compliance: verifying and demonstrating that the processing meets data protection and privacy safeguards (legislation and/or regulation) by periodically conducting audits using internal or trusted third‐party auditors.
A5. General Data Protection Regulation (GDPR )
In 2016, the European Parliament and the European Council adopted the EU data protection framework in the form of a regulation, called the GDPR. This framework replaced EU Directive 95/45/EC, under which all member nations were required to implement compliant national privacy legislation. The new regulation applies directly in member nations without the need for national regulations on data protection. The GDPR entered into force on May 24, 2016, and took effect on May 25, 2018. This framework contains principles on the protection of persons with regard to the processing of personal information and the flow of such information. These principles mainly concern:
1) Lawfulness, fairness, and transparency: Personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
2) Purpose limitation: Personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
3) Data minimization: Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
4) Accuracy: Personal data shall be accurate and, where necessary, kept up‐to‐date.
5) Storage limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
6) Integrity and confidentiality: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
7) Accountability: The controller shall be responsible for and be able to demonstrate compliance with the GDPR.
Appendix B
Table 2
Checklist for data privacy and protection assessment
Common requirements for the IPPs and questions to assess whether an organization meets these requirements are represented in Table 2 below.
Note
- The term ‘organization’ here can refer to eGov Foundation (or any third-party service provider to local government bodies for providing e-government services) or to the local government body/municipal body itself.
- Grey boxes are not relevant to eGov but are relevant to local government bodies using e-government systems.
Table 2 (Requirement/ Practices for Principle implementation)
| No. | Requirements for principles | Questions to ask/Practices to adopt | Does eGov/other entity satisfy this question/perform this practice? (Yes, No, Partially) |
|---|---|---|---|
| 1. | Principle of notice and awareness | | |
| N1. | Organization has a privacy policy or any other policy/law/regulation that can be used on its behalf | Does the organization have privacy policies or other related regulations to regulate information privacy protection? If yes, which one? (please enclose a copy) | |
| N2. | Organization has a privacy notice | How is it communicated to users (citizens)? | |
| N3. | Organization assesses the awareness of the privacy notice | How does the organization ensure that users are aware of the privacy notice? | |
| N4. | Organization informs users about contact information collected and stored | Does the organization inform users about collected and stored contact information (email, phone, etc.)? If yes, how? What are the strategies/plans/instructions/procedures that address this task? | |
| N5. | Organization informs users about computer information collected and stored | Does the organization inform users about computer information collected and stored (IP address, browser type, OS, etc.)? If yes, how? What are the strategies/plans/instructions/procedures that address this task? | |
| N6. | Organization informs users about interaction information stored and collected (search history, browser behavior, etc.) | Does the organization inform users about interaction information stored and collected (search history, browser behavior, etc.)? If yes, how? What are the strategies/plans/instructions/procedures that address this task? | |
| N7. | Organization informs users about sensitive information stored and collected (criminal record, health status, etc.) | Does the organization inform users about sensitive information collected and stored (health status, criminal records, etc.)? If yes, how? What are the strategies/plans/instructions/procedures that address this task? (please enclose a copy) | |
| N8. | Organization informs users about geolocation information collected and stored | Does the organization inform users about geolocation information collected and stored? If yes, how? What are the strategies/plans/instructions/procedures that address this task? (please enclose a copy) | |
| N9. | Organization informs users about financial information stored and collected | Does the organization inform users about financial information collected and stored? If yes, how? What are the strategies/plans/instructions/procedures that address this task? (please enclose a copy) | |
| N10. | Organization informs users about the cookies it uses | Does the organization inform users about the cookies it uses? If yes, how? What are the strategies/plans/instructions/procedures that address this task? (please enclose a copy) | |
| N11. | Organization informs users about personal information that would be used internally | Does the organization identify recipients of shared information for citizens? If yes, how? What are the strategies/plans/instructions/procedures that address this task? (please enclose a copy) | |
| N12. | Organization informs users about personal information that would be shared for context-specific purposes | Does the organization inform users about personal information that would be shared for context-specific purposes (information shared in order to obtain the required service)? If yes, how? What are the strategies/plans/instructions/procedures that address this task? (please enclose a copy) | |
| N13. | Organization identifies recipients of shared information for users | Does the organization inform users about the recipients of their shared information? If yes, how? What are the strategies/plans/instructions/procedures that address this task? (please enclose a copy) | |
| 2. | Principle of access | | |
| A1. | Affiliates, subsidiaries, and third parties are bound by the same organization privacy policy | Which bodies are bound by the organisation’s privacy policy? Please list them. | |
| A2. | Organization has contracts with third parties establishing how closed data can be used (“closed data” means data that can only be accessed by its subject, owner or holder) | Does the organization have contracts with parties establishing how closed data can be used (“closed data” means data that can only be accessed by its subject, owner or holder)? (if yes, enclose a copy) | |
| A3. | Organization has identified the persons or employee categories that have access to a given user’s information | Has the organization identified the individuals or employee categories that have access to a given user’s information? If yes, how does it work? Provide examples (please enclose a copy of the related document) | |
| A4. | Organization depicts the flow of information within the organization | Does the organization depict the flow of information within the organization (i.e. a scheme which shows how information circulates inside the organization)? If yes, how does it work? Provide examples (if yes, please enclose a copy of any related document) | |
| A5. | Organization establishes users’ consent (approval or preferences) mechanisms on sharing their information | Does the organization establish users’ consent (approval or preferences) mechanisms on sharing their information? If yes, what are those mechanisms? Please enclose a copy of the related documents. | |
| 3. | Principle of users’ control | | |
| C1. | Organization allows users to adjust privacy settings | Does the organization allow users to adjust privacy settings? If yes, what are the strategies/plans/instructions/procedures that address this task? (please enclose a copy) | |
| C2. | Users are allowed to access personal information collected | Are citizens allowed to access the personal information collected? If yes, how does it work? Provide a scenario as an example. What are the strategies/plans/instructions/procedures that address this task? (please enclose a copy) | |
| C3. | Users can request certain information to be deleted or anonymized | Can users/citizens request certain information to be deleted or anonymized? If yes, what are the strategies/plans/instructions/procedures that address this task? (please enclose a copy) | |
| 4. | Principle of safeguard, security, and accuracy | | |
| S1. | Organization has procedures to ensure the accuracy of users’ information | Does the organization have procedures to ensure the accuracy of users’ information? If yes, what are those procedures? (please enclose a copy) | |
| S2. | Organization discloses protected users’ information to comply with the law or prevent a crime | Can the organization disclose protected information to comply with the law or prevent a crime? If yes, in what circumstances? (provide examples) | |
| S3. | Organization reserves the right to disclose users’ information to protect its own rights | Does the organization reserve the right to disclose personal information to protect its own rights? | |
| S4. | Organization uses privacy enhancing technologies (PETs) | Does the organization use privacy enhancing technologies (e.g. encryption tools)? If yes, provide a list of the tools used. | |
| 5. | Principle of storage limitation | | |
| SL1. | Organization has strategies regarding management of a user’s information when his/her account is closed | Does the organization have strategies (policy) regarding personal information when an account is closed? If yes, what are those procedures? (please enclose a copy) | |
| SL2. | The organization states a limit for data retention | Does the organization state a time limit for data retention? If yes, what are the strategies/plans/instructions/procedures that address this task? (please enclose a copy) | |
| 6. | Principle of enforcement | | |
| E1. | Organization provides procedures for users’ privacy concerns and complaints | Does the organization provide procedures for users’ privacy concerns and complaints? If yes, how? What are those procedures? (please enclose a copy) | |
| E2. | Organization provides disclaimers for failure of privacy measures | Does the organization provide disclaimers for failure of privacy measures? | |
| E3. | Organization has a regulatory agency for users’ privacy complaints | Does the organization have a regulatory agency for users’ complaints? If yes, what is that agency? Does the organization provide contact information for that agency? How does the organization work with that agency to comply with users’ complaints? | |
| E4. | Organization periodically assesses users’ potential privacy concerns | Does the organization periodically assess users’ potential privacy concerns? (if yes, enclose a copy of an example) | |
| 7. | Principle of accountability | | |
| AC1. | Organization has designated staff in charge of users’ privacy protection | Did the organization designate a person in charge of users’ privacy protection? If yes, identify the position and its description. Has the designated staff been given clear authority to oversee the organization’s information handling practices? | |
| AC2. | Organization arranges staff training in information privacy protection and awareness of relevant policies regarding users’ privacy protection | Is the organization’s staff trained in the requirements for protecting personal information and aware of the relevant policies regarding users’ privacy protection? | |
| AC3. | The senior management committee is actively involved in establishing privacy protection measures within the organization | Is the senior management actively involved in establishing privacy protection measures within the organization? If yes, clearly describe their role. | |