Impact on ICT Development in Sri Lanka


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

1. Introduction

2. Legislation Having an Impact on ICT Development in Sri Lanka

3. Data Protection Principles

4. An Elaboration from a Selected Organization

5. Current Issues and Problems

6. Proposed Suggestions

7. My Suggestions

8. Conclusion

List of Reference

Introduction

As technology becomes more complex day by day, the need for legal protection to resolve disputes has arisen. The same need exists for protecting intellectual property rights, the privacy of personal data, the privacy of official data, and data from thieves. Put simply, it is essential to protect the rights and privacy of individuals and to ensure that information is passed on only with our consent. Further, there is a category of sensitive personal data which is subject to more stringent conditions on its processing than other personal data. Hence the Data Protection Act was established. The United Kingdom established the Data Protection Act in 1984, with the prime intention of protecting people from having information about themselves abused. It imposed restrictions on what those holding personal information may do with it and to whom they may pass it. Afterward, in the year 2000, the Act became law. It was established to harmonize the data protection environment in the European Union. The globalised world relies heavily on information, mostly held digitally, and hence frequent updates and add-ons become essential.

Even though the Data Protection Act 1998 commenced on 1 March 2000, most of its provisions are effective from 24 October 2001. In spite of its name, it is intended to protect individual data and data held in electronic formats, and it also applies to manual data held in what the Act calls a relevant filing system. The Freedom of Information Act came into force, and the personal data in the Data Protection Act have been widely covered by the Freedom of Information Act 2000 in respect of public authorities like SOAS (Data Controller) in manual form. In 2003 the Privacy and Electronic Communications (EC Directive) Regulations amended the consent requirement for most electronic marketing to positive consent; an exemption remains for the marketing of similar products to existing customers and enquirers, which can still be permitted on an opt-out basis.

The Act provides a way for individuals to control information about themselves, and it does not apply to domestic use. A person holding personal data for other purposes is legally obliged to comply with the Act, subject to some exemptions. The Act defines eight data protection principles, which are described later in this article.

With the advent of e-commerce, privacy and data protection issues affect business transactions that are performed over the internet. Countries such as Australia and the USA, and organizations such as the EU, have implemented privacy regimes in order to enhance public confidence in commercial transactions and other activities online.

Legislation Having an Impact on ICT Development in Sri Lanka

In order to ensure the proper implementation of the Information and Communication Technology Policy, the Information and Communication Technology Act No. 27 of 2003 was formulated. The Information and Communication Technology Agency of Sri Lanka (registered under the Companies Act, No. 17 of 1982) shall be the Executive Agency to assist the Task Force and the Committee to ensure the smooth functioning of the policy. As far as the present legal provisions are concerned, Sri Lanka is not second to any other developed or developing country in dealing with ICT-related matters, subject to a few exceptions. However, there is no legislation for data protection or privacy policies to handle some ICT-related issues efficiently.

As far as the experiences in other jurisdictions are concerned, there can be a number of practical issues due to the lack of laws in Sri Lanka. The main objective of these Acts is to provide for the admissibility of audiovisual recordings and information contained in statements produced by computers in civil and criminal proceedings, and to provide for matters connected therewith or incidental thereto. By introducing the Electronic Transactions Act No. 19 of 2006, Parliament intended to recognise and facilitate the formation of contracts, the creation and exchange of data messages, electronic documents, electronic records and other communications in electronic form in Sri Lanka.

Data Protection Principles

Personal data shall be processed fairly and lawfully and not processed unless certain conditions are met and in the case of "sensitive" personal data further conditions are met. [processing includes collection]

Personal data shall be obtained for one or more specified and lawful purposes and must not be processed in any manner that is incompatible with that purpose or purposes.

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

Personal data shall be accurate and, where necessary, kept up to date.

Personal data held for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

Personal data shall be processed in accordance with the rights of data subjects under the 1998 Act. [An individual shall be entitled at reasonable intervals and without undue delay or expense: to be informed by any data user whether he holds personal data of which that individual is the subject; and to access to any such data held by a data user; and where appropriate: to have such data corrected or, in some cases, destroyed.]

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Personal data shall not be transferred to a country outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

An Elaboration from a Selected Organization

Data protection is essential for any business entity. For example, the data stored in a bank may include the transactions of its customer base, their credits, their savings and FD balances, and each day's transactions. Hence a proper system of recording is essential, and protecting individual data is even more essential. An example is the HSBC Bank IT system.

An effective system should prevent access requests to find out what information is held about individuals, the purposes for which it will be used, and to whom it has been disclosed. Further, it should prevent the processing of data which is likely to cause them substantial damage or substantial distress, prevent processing for the purposes of direct marketing, and prevent significant decisions that affect them from being made solely by automated processes. The system should make it possible to take action to require the rectification, blocking, erasure or destruction of inaccurate data.

The HSBC Bank system should cover the rights of the customer by not passing any information about the customer's transactions to any third party (passing private information, bank balances, assets, or any other bank-related negotiations without the consent of the customer or a court order is an illegal act).

The HR database contains the entire details of each employee, such as work stations, personal information (family details, correspondence details, medical reports, medical insurance details, Employee Trust Fund details, gratuity fund details, pension fund details, personal insurance), salary particulars, job-related information, and any specific requirements of the employee. I propose a better data protection system which guarantees employee workplace privacy rights. Further, each employee may have personal access to their own page / own e-mail in the HSBC e-mail database.

In the Data Protection Act, "sensitive personal data" means personal data consisting of information as to the racial or ethnic origin of the data subject, his/her political opinions, his/her religious beliefs or other beliefs of a similar nature, whether he/she is a member of a trade union, his/her physical or mental health or condition, the commission or alleged commission by him/her of any offence, or any proceedings for any offence committed or alleged to have been committed by him/her, the disposal of such proceedings or the sentence of any court in such proceedings.

Current Issues and Problems

The Data Protection Act 1998 has several provisions that have become outdated with the introduction of emerging technology to the workplace. The flexibility of the Directive of the Data Protection Act keeps it valid for today, but its effectiveness is undermined by the complexity of the cultural and national differences across which it must operate.

Access to information and communication technology has increased drastically, and the number of unauthorised cyber users and hackers has increased. The number of reported cyber crimes has also increased. Further, the speedy process of globalisation, the ongoing growth of technological capability and the changing ways in which personal data is used need to be addressed by the legislation.

Among its recommendations, it should propose that the law should be clear about the outcomes it seeks; that there should be a stronger focus on the accountability of all organisations for safeguarding the information they handle; that a more strategic approach to enforcement is needed; and that improved arrangements are needed for the export of personal data outside the European area. Computer crime and anti-spam laws, telemarketing legislation and telecom systems interception legislation are some of the laws needed for the regime.

The need for a strong system: record keeping becomes more orderly and reliable, whereas manual records used in the past could be lost due to poor filing; administrative costs, which include items such as the cost of photocopying, are lowered and less paper is wasted on maintaining paper backups; and information or communication within an organization can be produced much more quickly and efficiently.

The existing system could hinder the development of new Web-based business models and bog down companies with regulations.

Improper implementation of the Act: when compared to the EU's Data Protection Directive, the Data Protection Act has been improperly implemented and is weak in its aims. There are multiple ways in which it has been found to be defective. There is a lack of stringency in the Information Commissioner's Office's enforcement of the legislation. Further, it never looks into or goes out of its way for any investigation unless there has been a complaint or a series of complaints that requires remedial action.

For individuals, the only possibility is recourse to judicial action through the courts. Individuals are limited in their rights in that they do not have recourse to a tribunal for cases affecting them, whereas organisations subject to rulings do.

Proposed Suggestions

With the aim of modernising, strengthening and future-proofing the principles set out in the 1995 Directive, which was designed to safeguard a pre-internet society, the European Commission has announced plans to reform comprehensively the existing EU data protection regime. The plans will now be passed to the European Parliament and the EU Member States for consultation and will, it is hoped, end some of the legal uncertainty and fragmentation that companies of all sizes face when doing business in Europe.

The proposals made by the Entity include some significant amendments to the existing rules including:

• The strengthening of individuals’ rights to include easier access to personal data, a right to request that all personal data be deleted if no longer necessary, and new rules on obtaining explicit consent;

• Increased obligations for data controllers, such as the mandatory requirement to notify security breaches and the obligation for large organisations to appoint a data protection officer;

• The extension of EU rules to companies located outside the EU but which are active in the EU market and offer goods and services to consumers in the EU;

• The reduction of red tape for businesses by removing the requirement to notify all data protection activities to data protection supervisors; and

• The strengthening of national data protection authorities’ powers, such as the ability to impose fines for serious breaches up to €1 million or up to 2% of a company’s annual worldwide turnover.

The UK Government wants to see EU data protection legislation which protects the civil liberties of the individual whilst allowing for proper public protection and economic growth and innovation. These should be achieved in tandem, not at the expense of one or the other. The proposed Regulation places prescriptive obligations upon data controllers as to how they will comply with it, such as completing data protection impact assessments and hiring data protection officers. This is a ‘one size fits all’ approach which does not allow data controllers (from small online retailers to multinational Internet companies) to adopt their own practices in order to ensure compliance with the legislation.

My Suggestions

A better data protection system which guarantees employee workplace privacy rights could ensure the basic rights of a human being by covering their right to protect the secrecy of their sensitive personal data.

Set a rule that prevents any files that include personal information, employee information or customer details (e.g. HSBC EPF numbers / customer account numbers) from being sent outside the company. It prevents either an accidental disclosure or an employee overtly sending data out to an outside visitor to the company. Launch a platform for rules-based data monitoring and tracking. It will enable an administrator to automate and enforce certain policies governing the use and movement of customer data.
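The outbound rule described above, as an added example (not from the essay or from any bank's system): a message is blocked when text matching a personal-identifier pattern is addressed to a recipient outside the company, and the audit record keeps only masked values. The identifier formats, the `bank.example` domain and all function names are assumptions.

```python
import re
import unicodedata
from dataclasses import dataclass, field

# Constructed identifier formats: the essay names the data types but not their
# layout, so both patterns are assumptions for this example.
RULES = {
    "customer_account_number": re.compile(r"\b\d{3}[- ]?\d{6}[- ]?\d{3}\b"),
    "epf_number": re.compile(r"\bEPF[ /-]?\d{4,6}\b", re.IGNORECASE),
}
INTERNAL_DOMAINS = {"bank.example"}  # hypothetical company mail domain


@dataclass
class Verdict:
    allowed: bool
    external_recipients: list
    hits: dict = field(default_factory=dict)  # part name -> {rule: [masked values]}


def mask(value: str) -> str:
    """Keep only the last two characters so the audit log holds no personal data."""
    return "*" * (len(value) - 2) + value[-2:]


def normalise(text: str) -> str:
    """Fold full-width digits and drop zero-width/format characters before matching."""
    text = unicodedata.normalize("NFKC", text)
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


def is_external(address: str) -> bool:
    """Anything whose domain is not on the internal list counts as external."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in INTERNAL_DOMAINS


def evaluate(recipients, parts) -> Verdict:
    """parts maps a part name (body, attachment file name) to its extracted text."""
    external = [r for r in recipients if is_external(r)]
    hits = {}
    for name, text in parts.items():
        clean = normalise(text)
        found = {rule: [mask(m.group()) for m in rx.finditer(clean)]
                 for rule, rx in RULES.items()}
        found = {rule: vals for rule, vals in found.items() if vals}
        if found:
            hits[name] = found
    # Block only when personal identifiers would leave the company.
    return Verdict(allowed=not (external and hits),
                   external_recipients=external, hits=hits)
```

Internal mail that contains an identifier is allowed but still recorded in `hits`, which gives the administrator the monitoring and tracking view the paragraph asks for.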

Hold firewall and application server logs for at least one year, and prevent them from being inadvertently shut off, since that could cause problems when trying to determine the cause of data-related incidents. This is vital because it helps forensics capability and also helps detect abnormal behaviour and access patterns arising from unauthorised access to the system (for example, unauthorised access to the internet banking system by an outsider with a fake login as a customer).

Issue passwords to each customer and staff member, and advise them to change their passwords frequently (once a month). Unauthorised access, and access to the system from unsecure access points such as internet cafes and open Wi-Fi networks, should be strictly restricted. For example, HSBC Bank has introduced a digital numbering device that is registered to each customer; each customer receives their own set of PIN numbers to enter whenever they log in to the system, and each number cannot be used twice.

Require two passwords when entering highly secure data systems or networks. This will prevent password theft, since it will be practically impossible to break both passwords. Each individual must be told to use passwords which are not very common and to avoid passwords that could easily be guessed by others (their own telephone number, the name of their spouse, or a pet's name).

Establish a code of ethics for data protection, which may include guidelines such as: never reveal personal data to unauthorised third parties, including family, landlords and friends, unless you have the written consent of the data subject; do not leave an individual's personal data lying around on your desk when you are not using it, and if possible keep personal data in a locked cabinet to prevent unauthorised access; do not leave an individual's data displayed on a screen after you have finished processing it; and lock your workstation when you leave it unattended.

Provide proper guidance on the storage, transmission and use of personal and confidential information outside of computing systems, and establish a legislative framework for it. Advise the members of the system (customers / staff) not to take personal data off-site using portable and mobile devices without written permission from the Chairman of the organization. If personal data needs to be sent or used off-site, the proper permission should be obtained beforehand. Members must be advised to use secure shared drives to store and access personal and confidential business information, rather than externally sourced ones.

Make it mandatory for every organization to establish guidance / a code of ethics. The aim of this guidance is to ensure that each organization complies with its obligations under the Data Protection Act 1998. It is a legal requirement for every organization to protect personal information using appropriate technical and organisational measures. The guidance will also assist staff in protecting other confidential organizational information against accidental loss and misuse. The guidelines are therefore intended to cover those processing operations which are related to the industry, and not processing of a general nature which applies to all sectors, such as processing of personnel data for employment purposes or processing of data for direct-marketing purposes.

A formal independent Authority should be established to monitor the implementation of the said code of conduct. The proposed mechanism for proper monitoring could include ghost audits (audit visits without prior notice by Ministry officials and the proposed Authority), penalties for breach of ethics (such as imprisonment for breach of the written code of ethics), punishments for the person who breaks the ethics and for the immediate supervisor, and a ban on accessing the system. A Data Controller could be appointed for each organization: a person who alone or jointly determines the means and purposes of the processing of personal data.

Conclusion

As good practice for the proper implementation of the Information and Communication Technology Policy, a person processing personal information must comply with eight enforceable principles of good information handling practice. Personal information must be: fairly and lawfully processed; processed for limited purposes; adequate, relevant and not excessive; accurate and up to date; not kept longer than necessary; processed in accordance with the individual's rights; secure; and not transferred to countries outside Sri Lanka unless the country has adequate protection for the individual.


