
BPOs will Soon have Some Privacy

  • Sameer Sachdeva
    Message 1 of 1 , Dec 16, 2004
      BPOs will Soon have Some Privacy
      16 December 2004, New Delhi
      Source: The Economic Times

      The Government proposes amendments to a handful of legislations
      ranging from the Information Technology Act 2000, the Indian Penal
      Code, the Indian Contracts Act, Consumer Protection Act as well as
      the Specific Relief Act to incorporate data privacy and security
      laws. An expert group set up by the Department of Information
      Technology is sifting through domestic laws with a view to
      fine-tuning them. The exercise is aimed at enabling business process
      outsourcing and other IT enabled services to handle work from the US
      and EU with competitive advantage.

      The IT secretary KK Jaswal has said at a couple of public forums that
      the draft amendments to the IT Act will be ready soon. The attempt
      will be to bring in data privacy norms without increasing compliance
      costs for companies while allowing some leeway for contracts to
      address data security concerns. Meanwhile, stray cases of data
      compromise such as that of credit card misuse at Wipro Spectramind,
      IPR infringement at Geometric Software and so on have highlighted the
      lacunae in the Act.

      First, the IT Act does not have any direct, proactive provisions to
      protect data. Protection is through implication and therefore damages
      recoverable can only be through a laborious process of "demonstrating
      and proving" that there has been a breach. Says cyber law expert
      Pavan Duggal, "Specific provisions provide 'incidental' protection to
      data. There is no law governing misuse such as deletion, leaking out
      information as well as threats to put out sensitive information on
      the internet."

      Also, the liability of any breach lies with the network service
      provider (Section 79) - in a BPO this will mean the company - and not
      the employee, whereas most data breaches are by 'rogue' employees.
      Section 43 provides damages up to Rs 1 crore for various acts that
      could cause damage including access to computer, system or network -
      but then past instances have shown that damages easily run up to
      crores of rupees. This section lists offences such as copying,
      downloading, extracting data or information; introduction of virus;
      disruption and denial of access to authorised person; assistance to
      facilitate unauthorised access as well as "charges the services
      availed of by a person to the account of another person by tampering
      with or manipulating any computer, system, network..."

      However as Nasscom's vice president Sunil Mehta points out, there is
      no provision against dissemination of data without permission. This
      kind of offence is central to BPO operations where employees have
      access to sensitive data such as credit card numbers, insurance
      policies, personal medical history of clients as well as data
      processes of the BPO operation. Section 72 provides protection
      against disclosure of information but this applies only to the
      enforcement officials who access data under the powers vested under
      the Act. The Association along with its US counterpart Information
      Technology Association of America (ITAA) is organising an India-US
      Security summit in October to share best practices and plug
      loopholes.

      For instance, Section 65 addresses tampering with computer source
      documents which means computer programmes. Records on a computer
      system can still be modified with disastrous consequences. Mr Mehta
      also points out the loophole in Section 66 which covers hacking —
      unauthorised access to a computer "with intent to cause
      harm." "Theoretically, a hacker can access a system to download or
      copy data without it being termed an offence...so hacking with the
      intent to download or copy data has to be included," he says.