Tuesday, February 8, 2011

Personal Data Privacy Lacking in Indian Banking Sector

A survey done by the Data Security Council of India and KPMG, under the aegis of CERT-In (Computer Emergency Response Team), the cyber security wing of the ministry of information technology, found banks to be lax in the security of card transactions and customer data privacy protection.

In an earlier blog, I wrote about privacy being a key issue due to the lack of a regulatory and legal framework that penalizes Indian enterprises for non-compliance. It is therefore not surprising that the survey found that “concrete systems for customers' privacy protection are yet to be implemented by many banks”. Almost 80 per cent of the banks surveyed did not have a separate privacy function. The survey recommended “banks to align internal policies, procedures and deploy technology safeguards for protecting sensitive personal information.” On a positive note, the survey results revealed that the understanding of data privacy in the banking sector is growing, with over half of the respondents being aware of privacy principles and of the roles and entities responsible for data protection.

Another area which needs attention is the collection of proofs, such as income statements, by third party agents while processing applications for loans and credit cards. This data in particular can be misused to commit banking fraud or passed on to mafia involved in extortion.

The survey found that security and privacy were not constrained by the availability of budget or technical skills. In order to build a sustainable privacy protection program, a bank should institute a top-down approach whereby the executive management conveys the importance of customer privacy. This philosophy should be ingrained into business processes, employee awareness and specific technological controls such as data encryption.

India is a country with a 9% rate of growth. The rapid expansion of banking institutions to meet demand results in diminished attention to privacy and security. In addition, banks should put in place a comprehensive system to prevent disclosures such as the Swiss Bank revelations on Wikileaks. It is not possible to provide a fully descriptive list of mandatory controls which banks must adhere to or be penalized. Therefore a process to motivate banks to adopt best practices, through consumer action and the publishing of results of statutory audits, is needed.

The survey can be obtained from the DSCI website.
