Date: 2018-09-19

The Data Protection Bill proposed by the Justice Srikrishna Committee specifies several conditions and requirements for individual and corporate data handling, storage and so on.

Jayant Saran, Partner, Deloitte India, spoke to Moneycontrol about how the bill would affect the data forensics industry.

Considering most organisations allow for reasonable use of company issued computers and other IT assets for personal use, it is likely that a significant amount of personal data resides on these assets. This may pose a challenge while seeking assets for investigations or other proactive fraud detection measures undertaken by the organisation, and that is where data forensics professionals are likely to face challenges.

Edited Excerpts:

Q: What does the Bill mean in its current form for the data forensics industry?

A: The proposed Bill does not directly refer to data or digital forensics processes specifically; however we believe that the implications are multifarious.

Most forensic cases involve extensive analysis of electronically stored information such as work emails as well as other business documents. In addition, for specific matters, documents such as HR files, performance reviews, expense statements, reimbursement slips, etc may contain indicators or evidence.

To investigate these sources of data, the Bill mandatorily calls for prior consent to be taken from the individual, to access any such material since they may contain personal information.

In addition, should third parties be carrying out these activities on behalf of the organisation, the consent letter must specifically mention the purpose of data collection, the types of data required and the party requesting for data.

This, without prior intimation, can have a detrimental impact on the investigation especially since there is no recourse provided in the bill in case the employee refuses to provide consent (even though the source of data may be residing on a company owned device/asset).

Some companies that proactively monitor indicators of fraud or conflict of interest may get impacted. For example, the data points that can be utilised for procurement fraud analytics get affected as these may include PAN, TAN numbers, payee bank account numbers and the fact that a data principal is not just limited to an individual, but could be an association, firm or company.

Further, the clauses pertaining to data localisation could impact Indian companies with operations outside India; especially such companies that face litigation or regulatory enquiries in non-Indian jurisdictions.

Q: How will data localisation impact the work you do?

A: Restrictions on cross border transfer of data and requirements of approval from data authorities are likely to deter organisations from requesting data to be moved out of India.

A plain reading of the Bill in its current form indicates that cross border litigation will require more processing work to be done within India as opposed to traditional cases wherein data would be forensically collected in India and then processed by the overseas parent company.

Reviewers such as external counsel and client personnel may have to deploy teams within India or engage local experts to set up remote reviewing platforms for the duration of such a litigation to ensure that the data is processed and reviewed here itself thereby complying with the terms of the Bill.

Our collaboration therefore with such reviewers is likely to increase over the upcoming months.

Q: Where do you think could the committee drafting the Bill have done more consultation? Would you be making recommendations for changes in the Bill since the government is looking for feedback until the end of September?

A: In our experience and from client feedback, some aspects that require discussion are -- if an employer (data fiduciary) is not sure whether there is personal data on an asset/device/computer, would they still need to seek consent of the employee that the device is allocated to (data principal)?

Would the employer need to disclose that there is an investigation underway or do they wait until potentially relevant data is discovered on such a system? What are the possible options for a company in case the employee refuses to provide consent even though the data resides on a company asset provided for official purposes?

Another question is the impact of the Bill on Indian citizens working out of India, eg EU, and for EU citizens working within India? Does the Bill get precedence over other data privacy regulations such as General Data Protection Regulation (GDPR) in EU or Personal Data Protection Act (PDPA) in Singapore?

Q: What kind of changes do you foresee organisations making in their IT policies if the Bill were to be passed in its current form?

A: In order to comply with the Bill, a company can consider a few options whilst updating its IT policy such as storing of personal data may be blocked on company owned assets, which may be inconvenient for employees, but will limit the liability of a company.

Another change could be that, in case the company permits employees to use company assets for reasonable personal use, the company may choose to seek consent to access any personal data stored on a company owned device/server at the time of hiring the employee.

This can be done through a contractual sign off or acceptance of the IT policy. The only challenge here could be on how a company would specify any third party they may engage, in order to process data on such systems.