Does India Need Stringent Privacy Laws, or Is Industry Self-Regulation Enough?
The Data Security Council of India (www.dsci.in) is celebrating Data Privacy Day under its umbrella on January 28, 2011. While they work with India’s central ministries to come up with a framework for data privacy laws for India, I just came across an incident that calls for the urgent attention of lawmakers to frame a privacy law for India.
Personally speaking, I had great admiration for the DSCI Privacy Framework (DPF), which is as of now considered the only structured framework defined by any Indian organisation, but the recent incident related to Domino's Pizza has forced me to re-examine my admiration of the DPF. For those who don’t know the DPF and DSCI, I can assure you that DSCI is a body promoted by NASSCOM and would have very high influence on India's privacy laws, should any such law be enacted.
Apart from being technology savvy, I am also a great pizza lover, and thus when I got an update that Domino's Pizza had come up with online ordering, like other pizza lovers, I too checked it out. A few days ago, I received a communication from Mr. Dev Amritesh (VP-Marketing, Jubilant Foods) that the Domino's Pizza website had been hacked and that someone had run scripts and managed to extract some customer information (to be precise: customer phone number, email ID, delivery address). I was sad for them, but was not much worried, as such hacking events take place very frequently.
However, the next line in the mail was a shock to me, and probably to the very basis of industry self-regulation, which is promoted in the DPF. It read: “…. although this data is not classified information about our customer, still as a responsible corporate we thought it’s important to inform you about this.” This is the most selfish approach I have seen, and can only be expected from Indian corporates. How can my mobile number, my landline number, my email ID, and my residence or office address not be classified information for you? This means that tomorrow you will sell this information to any sales call centre or spam mailer.
And thus this is the exact incident that forced me to rethink my admiration for industry self-regulation for privacy laws in India, and now I believe we desperately need stringent privacy laws to teach industry what the minimum threshold of self-regulation is.
I have drawn the following inferences from the incident:
- Laws are always required to fix a minimum threshold for self-regulation in any industry
- Laws can be a bottleneck, or a doorway to corruption or additional cost, but they are necessary, as people have a tendency to use everything for their own benefit
- A marketing team should not be given the task of communicating critical security incidents to the public
For those who were lucky enough not to lose ‘not classified information’ during the Domino's website hacking, attached is the letter from them. Happy reading the crap…