The yesteryears were simple when it came to protecting our information: we made copies and put them away in a safe place. So, we made copies of our banking details, driving licence, IT returns, insurance copies and the like. As the digital world enmeshed into our lives, I hoped and tried to make regular backup of information stored in my laptop. I had to ensure that, if my current working digital copy was lost or damaged, I had a backup to recreate the required information. In IT parlance, what I am doing is putting systems in place to ensure ?disaster preparedness?. Since it is my information, the onus lies with me to ensure that I safeguard the information, or else face the consequences.
If an individual is so concerned about the personal data that he has access to, how about data that has to do with the individuals and is with third parties ? banks, insurers, government authorities like income tax department, local administration bodies and so on? How safe and secure is it? And if disaster strikes, will ?my? personal data still be available? Let?s find out.
The banking industry is perhaps at the forefront of using IT: almost all large and several small banks have deployed IT applications for core banking to offer customer services where the customer is no longer tied to the branch he/she opened the account with. RBI mandates that banks must implement a disaster recovery and business continuity plan. Further, banks have to demonstrate compliance to RBI?s mandate once in six months. Most banks have a primary location where their IT applications run and they also have an alternate site, like another city where they have the capability to bring up their IT applications if the primary site crashes. Data that includes customer account details are replicated from the primary site to the alternative site regularly.
Closely linked is the securities market. If you buy or sell shares, you have a Dmat account. Stock exchanges are sustained and driven by IT. The Securities and Exchange Board of India (Sebi) regulations require depositories who participate in the market to demonstrate their risk management system, including disaster recovery (DR) capabilities of IT applications. In today?s ?connected? world of online trading platforms, the same DR need is highlighted.
The need for close adherence to DR norms is acutely felt in all activities that require an IT intervention: anything that allows us to transact our business or seek/share information online should have a strong recovery system in place so that the information shared can be retrieved when needed. Insurance and ecommerce are some of the other activities where a lot of personal data is kept online and the possible risk of losing it is the maximum.
The government holds a lot of personal data; most of it is on paper, but there are a number of e-governance projects that are moving us from the paper to the digital world. The finance minister has already announced an increased thrust on IT in taxation departments to ensure the least human intervention and faster movement of cases. Today, online filing of IT returns is a reality and mandatory in some cases. It is indicated that paper filing of returns will be phased out shortly.
Again, there are several complex projects that have the potential to change the way we get our work done with the government. Some of them are the National Citizen Database-UID project, passport, immigration, income tax, e-courts, land records, etc. While the detailed scope and requirement of citizen data is not available, I am eager to understand the kind of information recovery metrics these projects are aiming to deploy.
There are two important metrics that dictate how soon data and an IT application will be made available if they go down: the recovery point and recovery time. The recovery point is a measure on how much information can be lost without adversely impacting the service. If the bank ATM application you are transacting with, you hope no information is lost; else your bank account may not be accurate. In this case, the recovery point for the ATM application is zero. Consider the land records application. If the application becomes unavailable, citizens may be willing to wait up to two hours for the application to be available again. In this case, the recovery time for the application is two hours.
These two together ensure that disaster recovery parameters are met. A closer look at the disaster recovery preparedness of the banking industry throws up interesting facts. The most important is that compliance issues really direct the DR space. Regulation in banking has gone a long way in ensuring that banks have disaster recovery plans that protect integrity and security of customer information.
Similarly, the need is now for regulation of e-governance projects. Such regulation must mandate recovery metrics based on the nature of information and sensitivity of the services provided. Along the lines of the Right to Information Act, we also need the right to have the citizen?s information protected and available in a timely manner.
The regulation must require the government agency to demonstrate the ability to continue business within specified recovery metrics after a disaster strikes. As we gradually move to an e-governance model, it is imperative that we have regulation that forces government agencies to consider building secure information protection and recovery technology solutions and processes to ensure the citizen?s rights and expectations.
There is a strong and urgent case for a regulator who will ensure that various agencies that hold citizens? information meet their obligations of protecting the information and making it available to the customer within a reasonable amount of time and within an acceptable loss of information if a disaster strikes. Only then can an individual sleep soundly, secure in the knowledge that his personal information is safe and available just in time.
The writer is co-founder & vice-president ? products, Sanovi Technologies