In a connected world, there are several trillion digital records that get created every second. Such records can relate to governments, organisations, associations or individuals, and many of these would be sensitive or confidential in nature. While governments and organisations have been fairly active about protecting their data and information, citing legislation that covers state secrets, IP and information that could dilute competitive advantage, the same cannot be said about individuals.
The usage of data related to individuals has been central to government-run census and identity programmes, taxation, and for business-led activities that benefit from customer segmentation and targeted marketing. Big Data, a term that finds its way into almost every strategy document for consumer-oriented businesses, has its roots in the analysis of data pertaining to individuals, their demographics and behaviours. In recent times this includes, among others, individuals’ browsing history and social media activities.
In response to public outcry and criticism, governments are developing legislations to protect individuals’ personal data. While in many cases there have been regulations forming part of various laws, recently these are being presented as a separate set of laws that go into great detail on classification of data pertaining to individuals, defining roles and obligations, and fairly stringent penal provisions, like the General Data Protection Regulation (GDPR) in the EU.
In India, the Justice BN Srikrishna Committee has presented the Personal Data Protection Bill, 2018. It has delved into great detail, much on the lines of GDPR, with recommendations relating to obligations, penal provisions and on establishing an independent regulatory body for enforcing data protection laws. While it is not known whether the Bill will become law in its current form, it is likely it will impact organisations including on matters related to compliance, fraud risk management and potential fraud investigations.
An important aspect of forensics, i.e. electronic discovery and computer forensic procedures that have analysis of computer systems and data residing on these systems at their core, appear to be affected by the reading of the Bill. As most companies do not restrict their employees from storing personal data on office-provided laptops and other information assets, the Bill can apply to these being treated as stores of personal data and thereby requiring employees’ consent for forensic processing and analysis of these systems. In a scenario where an employee or a set of employees are being investigated for non-compliance or fraud, the organisation would be forced to seek consent prior to any forensic analysis being performed, in addition to disclosing the reason for such analysis.
It is unclear to what extent consent would be necessary and what items it may cover. Would consent be required for accessing items such as payslips, which are originated by the organisation yet can be categorised as sensitive personal information? How about copies of bank statements that an employee may have saved in office laptop without informing the company? Would they also come under scrutiny?
It is likely that in anticipation of finding personal information, companies may be forced to work with the assumption that such information may be present on the systems used by the target employee and, as a cautionary measure, seek consent. Considering that in most forensic investigations, evidence is discovered through digital forensic procedures, the fraud management efforts of a company could get severely impacted if the target of the investigations declines consent. Worse, such a target may continue to engage in malpractice, taking advantage of the consent clause in the Bill.
Another aspect is the use of data analytics by companies to detect and prevent fraud. For example, details provided by vendors may be analysed against details of employees to identify if there may be an underlying conflict of interest. The Bill suggests a need to seek consent from both parties as there is some guidance on data belonging to other categories that could be termed as personal information. In such a case, organisations may find it challenging to undertake proactive fraud risk management efforts, thereby running a risk of violating clauses under Companies Act 2013 (wherever applicable) that refer to fraud risk management.
While the Bill in its current form is a step in the right direction, some aspects may need to be considered for amendment prior to presenting it for enactment.
By- Jayant Saran, Partner, Deloitte India