Data Privacy (SDG 16)

2019-20 will be remembered as a world unified by its fight against a pandemic, which impacted every aspect of daily life of every person and organization around the world. Virtualization and cloud were adapted on war footing by organizations to get back to regular operations. As the workplace landscape changed, companies had to adapt to remote working and virtual collaboration making data protection/confidentiality imminent. The year also saw significant developments in FinTech and Healthcare companies.

Organizations had to demonstrate that they had in place a governance framework and monitoring structure, in line with the existing data privacy regulations and that confidentiality would not be compromised with remote working. As a step towards demonstrating sufficiency of data privacy, there are currently two assurance certifications:

ISO/IEC 27701:2019 Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines¹
BIS IS 17428: Part 1: 2020 Data Privacy Assurance Part 1 Engineering and Management Requirements and IS 17428: Part 2: 2020 Data Privacy Assurance Part 2 Engineering and Management Guidelines²

One such instance is of Infosys which in its Annual Report for the year 2019-20 has disclosed that it is among the first few organizations, to have its framework certified with accreditation, for the recently released ISO 27701 privacy information management standard.

¹https://www.iso.org/standard/71670.html

²https://standardsbis.bsbedge.com/BIS_SearchStandard.aspx?Standard_Number=17428&id=0

³http://www.niti.gov.in/niti/sites/default/files/2020-09/DEPA-Book.pdf

⁴https://ndhm.gov.in/health_management_policy

⁵Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

Introduction of FinTech, Blockchain and AI in the financial sector with an objective to seamlessly exchange data and facilitate faster transactions also opens up possibilities of data breach. This requires systems designed with integrated data protection. Towards this end, in September 2020, Niti Aayog published draft framework of “Data Empowerment And Protection Architecture - A Secure Consent-Based Data Sharing Framework To Accelerate Financial Inclusion” for discussion by concerned stakeholders.³ The draft framework works on the premise that any digital data which can benefit individuals can be shared with third party institutions, but the use of such data should be consent based. The framework initially is set to cover financial sector especially FinTech companies. The framework will augment RBI’s guidelines to regulate data in the financial sector. We found that financial companies and IT companies that were part of the study have reported that they have Information management and data security systems to ensure safety of consumer data.

The year also saw a sharp rise in the health-related data, raising concerns about safeguarding data collected and processed by multiple third parties like pharmaceutical companies, Insurance companies, Healthcare organizations to name a few. To combat the pandemic, health-related data had to be shared amongst multiple third-party institutions. To expeditiously deploy health initiatives, multiple applications were developed, and existing social media platforms were leveraged to spread awareness around the country. The vaccination of Indian populace is considered as one the biggest drives in the world and the sheer volume of data generated required a guideline for protecting data privacy. Ministry of Health and Family Welfare under the aegis of GOI has approved Health Data Management Policy to regulate person’s digital health data.⁴ We found that 100% of healthcare companies in the study have disclosed provisions of data privacy in their operations.

Enactment of “The Personal Data Protection Bill, 2019”, will provide comprehensive regulation of data privacy, but till then The Information Technology Act, 2000 (amended in 2008) and Information Technology⁵ Rules, 2011 will continue to regulate data privacy.

We found that amongst the Indian companies that we studied, around 86% of the companies have clauses on customer data privacy, either as a separate policy or as part of their code of conduct.

Customer data privacy

« Governance Quality of Reporting »

Cookie	Description
__cfduid	The cookie is set by CloudFare. The cookie is used to identify individual clients behind a shared IP address d apply security settings on a per-client basis. It doesnot correspond to any user ID in the web application and does not store any personally identifiable information.
cookielawinfo-checkbox-necessary	This cookie is set by GDPR Cookie Consent plugin. The purpose of this cookie is to check whether or not the user has given the consent to the usage of cookies under the category 'Necessary'.
cookielawinfo-checkbox-non-necessary	This cookie is set by GDPR Cookie Consent plugin. The purpose of this cookie is to check whether or not the user has given their consent to the usage of cookies under the category 'Non-Necessary'.
viewed_cookie_policy	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Description
_ga	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, camapign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assigns a randoly generated number to identify unique visitors.
_gid	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
GPS	This cookie is set by Youtube and registers a unique ID for tracking users based on their geographical location

Cookie	Description
_gat	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.
YSC	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Description
_gauges_cookie
_gauges_unique
_gauges_unique_day
_gauges_unique_hour
_gauges_unique_month
_gauges_unique_year
bscookie
li_sugr
u
UserMatchHistory

Cookie	Description
bcookie	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lidc	This cookie is set by LinkedIn and used for routing.

Services for Your Future-Ready Experience

Climate Leadership Report

India’s Top Companies for Sustainability and CSR

Responsible Business Rankings

India’s Top Companies for
Sustainability and CSR 2021

Data Privacy (SDG 16)

Customer data privacy

Responsible Business Rankings

India’s Top Companies for Sustainability and CSR 2021

Data Privacy (SDG 16)

Customer data privacy

India’s Top Companies for
Sustainability and CSR 2021