According to Gartner, the market research firm, the size of the global Business Process Outsourcing market by 2007 will be $173bn, of which $24.23bn will be outsourced to offshore suppliers. India is currently the leading offshore destination for business process outsourcing (BPO). However, in the wake of some well-publicized data protection and security lapses in recent times, foreign companies have begun to doubt whether India is a safe place for their customers’ data. In order to resolve these concerns, the Indian Government, working in collaboration with industry representative body the National Association of Software and Service Companies (NASSCOM), is now in the process of amending the current Indian Data Protection law, as well as setting up a self-regulatory body to establish security guidelines and monitor any data protection breaches.
Recent Data Protection Leaks in India [1]
In April 2005 three employees of Mphasis, a Bangalore-based outsourcing company, were arrested for allegedly stealing $350,000 from Citibank account holders in New York, by acquiring passwords to the holders’ bank accounts. In June 2005 an IT employee in Delhi was reported by a UK newspaper, The Sun, to be prepared to sell confidential information on 1,000 banking customers to one of its reporters. In August 2005 the Australian current affairs program, "Four Corners," reported that one of its journalists had been offered personal data about 1,000 Australians.
Changing the Law [2]
When the European Union Data Protection Directive came into force in 1998, doubts were raised as to whether India met the requirements regarding the Article 25 prohibition on the transfer of personal data from the EU to a country outside the EU with less stringent data protection than the EU. The U.S. met this prohibition by negotiating the Safe Harbor agreement. The Indian government, despite being lobbied by NASSCOM to update its data protection laws, did not act, in the hope that the problem would go away. However, the Indian government reversed this policy with the announcement of Prime Minister Manmohan Singh that he had directed the Department of Information Technology to revise the current data protection laws. In late August 2005, the Ministry’s Expert Committee issued its recommendations. Rather than enact a new law, the Expert Committee has proposed amending the existing Indian Information Technology Act 2000. The amended Act will require BPO firms to implement and maintain reasonable security practices and appropriate procedures to protect sensitive personal data. Any BPO contractor who negligently fails to comply with the above will be liable to pay compensation of up to 10 million rupees (approximately £100,000 at current rates) to any person who suffers harm as a result. The amended Act will also render employees who dishonestly remove data without permission from a database liable to imprisonment for up to one year and/or a fine of up to 200,000 rupees (approximately £2,000). Existing provisions of the Act provide that persons who remove data from databases without permission are liable to pay compensation of up to ten million rupees to those persons harmed by such removal.
Self-Regulation by the Indian BPO Industry [3]
In June 2004, NASSCOM officials launched a ‘Trusted Sourcing Initiative.’ Further to this initiative, NASSCOM released a survey benchmarking Indian corporate security practices with their counterparts in the UK and U.S. The survey showed that levels of data security in Indian companies compare favorably with their foreign counterparts. In July 2004, the industry reported a 40% increase in network and employee security spending from 2003. In August 2004, NASSCOM announced that it had engaged Ernst & Young and PricewaterhouseCoopers to perform an industry-wide security audit of its 860 member companies, especially those processing banking, credit card, insurance and health information. Furthermore, companies are working together to compile a national database of employees in the outsourcing industry to help them monitor their BPO workforce. In addition, NASSCOM has provided training for Indian police officers in cyber crime fighting tactics.
NASSCOM is initiating an employee registry program, the National Skills Registry, to compile a national database of employees in the outsourcing industry. It is administered by a third party through a professional reference checking company that conducts background checks on workers, rendering referral checks more stringent, and assisting major BPO companies to monitor their workforce [4]. NASSCOM states that this registry currently contains 70% of the IT workforce. Furthermore, NASSCOM has announced its intention to set up a code of conduct and an independent regulatory body, modeled on the Irish Institute of Chartered Accountants, to establish security guidelines and monitor any breaches. This independent body will receive initial funding of $300,000; thereafter, membership dues will cover its ongoing operating costs and ensure its independence. It will be run by a CEO, whom NASSCOM hopes to hire within the next 6 months, and a board of members from across the industry. Sunil Mehta, vice-president of NASSCOM, said that the independent body would have the unique mandate to audit its members as well as to punish those not compliant with regulations. Such punishments will include expelling members, or law enforcement [5]. Currently, some 1,050 companies (representing 98% of the Indian IT industry) have agreed to become members of the new independent body [6].
In the light of the current discrepancies between the EU Data Protection Directive and the India Information Technology Act, and India’s recent data protection leaks and breaches, the news that India is making efforts to put its data privacy "house" in order will interest those organizations that have offshored or may now be contemplating offshoring. India is coming under increasing competition from up-and-coming locations, such as China, Eastern Europe and the Philippines. As the offshoring landscape changes, India can ill afford to rest on its laurels and give ammunition to its critics. The steps India is now taking to become "data secure" will help it remain at the forefront of offshoring locations for some time to come.
1. Privacy & American Business, Electronic Newsletter, Volume 12, Number 9, September 2005, http://www.pandab.org/vol12no9ok.pdf, and The Economic Times Online, Saturday April 16, 2005, http://economictimes.indiatimes.com/articleshow/1079511.cms
2. Privacy & American Business, Electronic Newsletter, Volume 12, Number 9, September 2005, http://www.pandab.org/vol12no9ok.pdf
3. Privacy & American Business, Electronic Newsletter, Volume 12, Number 9, September 2005, http://www.pandab.org/vol12no9ok.pdf, and The Economic Times Online, Saturday April 16, 2005, http://economictimes.indiatimes.com/articleshow/1079511.cms
4. The Economic Times Online, Saturday April 16, 2005, http://economictimes.indiatimes.com/articleshow/1079511.cms
5. Silicon.com, Tuesday 9 May, 2006, http://services.silicon.com/offshoring/0,3800004877,39158774,00.htm
6. The Financial Times Limited, Monday May 8, 2006