News
Digital economy: Bill to give more security for personal data
Those messages you receive flogging products or services you never asked for from companies you have no dealings with: That is one sign that your personal data have been sold without your permission.
Personal information in the digital economy–where business is conducted through markets based on the internet and worldwide web–is the new money.
Sri Lanka is at least five years too late introducing a law to protect the personal data of its citizens.
This has stymied the growth of its software and services export sector because clients are mostly based in the West and demand stringent data protection laws compatible with their own countries. They do not want data channelled to a jurisdiction which cannot guarantee through legislation that it is not abused or misused.
A Digital Infrastructure Ministry committee has now released a draft framework for a Personal Data Protection Bill, a law it is hoping to push through by October this year. Among other things, it will give someone the right to know who holds his or her personal information, from supermarket loyalty programmes to other private companies and Government bodies.
A citizen will also be able to withdraw consent to have his or her data processed; demand that inaccurate personal data is rectified; and hold a right to erasure of data on prescribed grounds. An eight-member team has been working on the draft, said Jayantha Fernando, Chair and Convenor of the Data Protection Drafting Committee.
The framework is being independently reviewed by a panel headed by Retired Supreme Court Judge K T Chitrasiri and including other experts. Interest groups are meeting the committee and submitting comments. Next week, it will hold discussions with bank Chief Information Officers and Chief Executive Officers to ascertain whether the draft addresses challenges in their sectors.
Among those who have given input are foreign companies such as Facebook, Salesforce and Microsoft. “Based on the comments, modifications to this framework will be made during the next two weeks,” said Mr Fernando. “The Legal Draftsman’s Department will edit the draft accordingly and we will hopefully have a Cabinet-ready version by the end of July.”
The software and services export sector is evolving into a US$ 1.2 billion revenue stream for the country, according to the Sri Lanka Association of Software and Service Companies (SLASSCOM). “One of their main concerns is that companies that want to send information for processing here want data protection norms consolidated in the form of law with a clear, transparent, implementation governance regime,” Mr Fernando said.
One of the affected sectors is business process management (BPM), which focuses on improving corporate performance by managing business processes. Many Western nations now outsource this, and Sri Lanka already has around 15,000 employees in the industry. But, SLASSCOM Council Member Srikanthan Jayarajah says, it can be so much more.
“Most of my clients are from Europe and the United States and we are bound by various regulations,” said Mr Jayarajah. “A recent implication was the General Data Protection Regulation (of the EU). This brought about a paradigm shift in the way we run our business as an offshore company.”
“The BPM sector is working with a lot of data which include customer and client information,” he continued. “Among these are invoices being processed, customer credit card information, and organisation information and so on.”
“And it’s not a clear back-and-forth story, because we work with a lot of virtual data which can travel from point A to point B to point C, which is not visible, and come back,” he explained. “European and US companies are more comfortable running businesses with a country which has regulations in terms of data privacy.”
A large number of Sri Lankan entities also hold personal information. For instance, a digital health project launched by the Information and Communication Technology Agency (ICTA) in 2009 is now running in a large number of hospitals. “Patients can go back with a bar-coded sheet which is scanned and their entire history appears on a computer,” Mr Fernando said.
Under the e-Sri Lanka programme, millions of records of people who have died were digitised. Birth records, too, are in digital form. Those born after 2012 have their information collected in an electronic database at the Registrar General’s Department under the e-Population initiative. There is also a repository for marriage data. The 1968 Registration of Persons Act created another database of personal information that results in the creation of a national identity card (NIC).
Additionally, banks, hospitals, insurance companies and multiple entities like educational institutions and associations collect personal data. The possibilities are now endless. “The necessity for the law arose because all this information is in databases,” said Mr Fernando. “The problem arises when they share it with third parties without the data subject’s consent or knowledge.”
For instance, professional bodies have been known to sell their data to education institutes for marketing purposes. “It’s about personal information,” said Sanduni Wickramasinghe, a drafting committee member. “Say a private hospital shares my personal information with my insurance provider without me knowing it. That could affect me when I apply for insurance cover. My premium is decided on information I wanted to be held confidential but the hospital would have monetised it and gained a profit without me knowing it.”
“The framework intends to give the right back to individuals to decide which information they share, to what extent, and for them to have a say in how it is being used,” Ms Wickramasinghe said. She said the dangers were illustrated by, for instance, the Cambridge Analytica case, where the British political consultancy firm bought private information of more than 50m Facebook users.
The Central Bank of Sri Lanka (CBSL), particularly, has been advocating for a data protection law. Digital banking is seeing information transferred from one place to another through a common switch like LankaClear (Pvt) Ltd and there must be a mechanism to provide a better comfort zone for customers on such a platform.
The Financial Action Task Force (FATF), an intergovernmental organisation that combats global money laundering, is also particular about data protection laws, Mr Fernando said, citing another reason for CBSL’s enthusiasm.
“We are moving towards the digital economy without the safeguards,” Ms Wickramasinghe said. “The new law will apply to any personal information processed within Sri Lankan territorial limits, including its foreign missions. Secondly, there is a wide definition of processing which includes collection, storage, dissemination and deletion.”
Entities that can be “controllers” of information under the law include a legal person such as a company, a natural person, a Government or private sector entity, non-Governmental organisations, and associations.
“If it’s a controller who is in Sri Lanka, yes, they are caught up in the framework,” Ms Wickramasinghe said. “Even if you are a company set up abroad and providing services specifically to Sri Lankans, or monitoring the behaviour of persons in Sri Lanka, you are also caught up. That is how companies like Facebook or Google are implicated because we have seen how they play around with Sri Lankan personal information.”
The law will require a change of behaviour and practice to ensure customer confidentiality and security of information. “Sometimes hospitals find it cheaper to store their information on a freely available cloud, but you cannot do that under this law because there’s a requirement that ministries, departments and statutory bodies cannot send their data outside Sri Lanka,” Ms Wickramasinghe said.