ICISAs Study Paper and Presentation

The document discusses various aspects of cloud security, including threats, challenges, and measures to protect data in cloud environments. It highlights the importance of understanding security policies, managing access, and ensuring compliance with standards. Additionally, it outlines the roles and responsibilities of stakeholders in maintaining cloud security and addresses common security threats such as data breaches and denial of service attacks.

Uploaded by Deepak Yadav

Office of the Principal Accountant General (A&E), West Bengal

Treasury Buildings, Kolkata-700001

No. PAGAEWB/02/02/116. VOL. III/2021-22/324 Date : 21.06.2021

Circular

iCISA’s Study Paper & Presentation during the webinar on ‘Data Privacy in e-Governance Projects’, ‘Smart city projects - Evolution and Security concerns with reference to Internet of Things (IoT) technology’ and ‘Data Security in a Cloud Environment’, received under letter bearing 518/आईसीसा/आर एं इ आइ/वेबिनार/2020-21 dated 15.04.2021, is enclosed for general information.

[Authority: DAG (Admn)’s order dated 16.06.2021]

Sd/-
(Asim Pal)
Senior Accounts Officer (Admn. I)
Cloud Security - Threats & Challenges

Dr. Lakshmi Kalyani
Joint Director, C-DAC, Noida
Attacking Cloud
Default, Weak & Hardcoded credentials
Difficult to update firmware & OS
Lack of vendor support for repairing vulnerabilities
Vulnerable web interfaces
Coding errors
Clear text protocols & unnecessary open ports
DoS/DDoS
Physical theft & tampering
Security Challenges in Cloud
Data Breaches
Data Loss
Traffic Hijacking
Insecure APIs
Denial of Service
Malicious Insiders
Abuse of Cloud services
Shared Technology Issues
Threat Agents to the Cloud
A threat agent is an entity that poses a threat because it is capable of carrying out an attack.
Cloud security threats can originate either internally or externally, from humans or from software programs.
1. Anonymous Attacker:
◦ A non-trusted cloud service consumer without permissions in the cloud
◦ It typically exists as an external software program that launches network-level attacks through public networks
◦ It commits acts such as bypassing user accounts or stealing user credentials.
Threat Agents to the Cloud (continued)
2. Malicious Service Agent:
◦ It is able to intercept and forward the network traffic that flows within a cloud
◦ It typically exists as a service agent (or as a program pretending to be a service agent) with compromised or malicious logic.
◦ It may also exist as an external program able to remotely intercept and potentially corrupt message contents.
Threat Agents to the Cloud (continued)
3. Malicious Insider Attack
◦ A trusted attacker shares IT resources in the same cloud environment as the cloud consumer
◦ It attempts to exploit legitimate credentials to target cloud providers and the cloud tenants with whom it shares IT resources.
◦ Trusted attackers usually launch their attacks from within a cloud’s trust boundaries by abusing legitimate credentials
◦ Exploitations include hacking of weak authentication processes, breaking of encryption, spamming of email accounts, or launching common attacks such as DoS.
Threat Agents to the Cloud (continued)
4. Malicious Insider
◦ Human threat agents acting on behalf of, or in relation to, the cloud provider
◦ They are typically current or former employees, or third parties with access to the cloud provider’s premises.
◦ These agents can cause tremendous damage, as they may have or gain administrative privileges.
Cloud Security Threats
Common Security Threats for a Cloud
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Escalation of privileges
Cloud Security Threats
1. Traffic Eavesdropping
◦ Occurs when data being transferred to or within a cloud (usually from the cloud consumer to the cloud provider) is passively intercepted by a malicious service agent for illegitimate information-gathering purposes.
◦ The aim of this attack is to directly compromise the confidentiality of the relationship between the cloud consumer and the cloud provider.
◦ As it is a passive attack, it can go undetected for extended periods of time.
Cloud Security Threats (continued)
2. Malicious Intermediary:
◦ Messages are intercepted and altered by a malicious service agent
◦ This compromises the message’s confidentiality and integrity
◦ The intermediary may also insert harmful data into the message before forwarding it to its destination
◦ The attack can also be carried out by a malicious cloud service consumer program
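The following Python example is added here and is not part of the original presentation. It shows one defensive control against a malicious intermediary: the cloud consumer attaches a fresh nonce and an HMAC-SHA256 tag to each message, and the provider recomputes the tag in constant time and rejects messages that were altered in transit or replayed. The shared key, message contents and function names are constructed for the example; in a real deployment the key is provisioned out of band and the exchange also runs over TLS so that confidentiality is protected as well.

```python
import hashlib
import hmac
import json
import secrets

# Constructed shared secret for the example; real deployments provision this out of band.
SHARED_KEY = b"example-consumer-provider-key"


def canonical(payload: dict) -> bytes:
    """Serialise deterministically so both ends authenticate identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def seal(payload: dict, key: bytes = SHARED_KEY) -> dict:
    """Cloud consumer side: add a fresh nonce and an HMAC-SHA256 tag over nonce || payload."""
    nonce = secrets.token_hex(16)
    tag = hmac.new(key, nonce.encode() + canonical(payload), hashlib.sha256).hexdigest()
    return {"nonce": nonce, "payload": payload, "tag": tag}


def verify(envelope: dict, seen_nonces: set, key: bytes = SHARED_KEY) -> bool:
    """Cloud provider side: reject messages whose tag does not match (altered or forged)
    and messages whose nonce was already accepted (replayed by an intermediary)."""
    expected = hmac.new(
        key, envelope["nonce"].encode() + canonical(envelope["payload"]), hashlib.sha256
    ).hexdigest()
    if not hmac.compare_digest(expected, envelope["tag"]):  # constant-time comparison
        return False
    if envelope["nonce"] in seen_nonces:
        return False
    seen_nonces.add(envelope["nonce"])
    return True


def demo() -> dict:
    """Walk through a genuine delivery, an altered copy and a replayed copy."""
    seen = set()
    original = seal({"op": "update-record", "record": 42, "owner": "tenant-a"})
    # A forwarding agent that rewrites a field before delivery: the tag no longer matches.
    altered = json.loads(json.dumps(original))
    altered["payload"]["owner"] = "tenant-b"
    return {
        "genuine": verify(original, seen),   # True: tag matches, nonce unseen
        "altered": verify(altered, seen),    # False: payload changed after sealing
        "replayed": verify(original, seen),  # False: nonce already accepted
    }


if __name__ == "__main__":
    print(demo())
```

The nonce set is what turns an integrity check into a replay check; in a multi-instance provider it has to live in shared storage with an expiry, otherwise each instance only sees its own history.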
Cloud Security Threats (continued)
3. Denial of Service
◦ The objective is to overload IT resources so that they cannot function properly. This form of attack is commonly launched in one of the following ways:
  ◦ The workload on cloud services is artificially increased with repeated communication requests.
  ◦ The network is overloaded with traffic to reduce its responsiveness and cripple its performance.
  ◦ Multiple cloud service requests are sent, each of which is designed to consume excessive memory and processing resources.
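As an added example that is not part of the original presentation, the Python below shows detection logic for the first and third variants described above: a sliding window per client that sums a per-endpoint processing cost, so that both a burst of repeated requests and a smaller number of deliberately expensive requests trip the same budget. The log lines, endpoint costs, window and budget values are constructed assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample request log: "<ISO-8601 timestamp> <client> <method> <path>".
# 10.0.0.9 issues a burst of expensive report requests; 10.0.0.5 behaves normally.
SAMPLE_LOG = """\
2021-02-23T10:00:00 10.0.0.5 GET /api/status
2021-02-23T10:00:00 10.0.0.9 GET /api/report
2021-02-23T10:00:01 10.0.0.9 GET /api/report
2021-02-23T10:00:01 10.0.0.9 GET /api/report
2021-02-23T10:00:02 10.0.0.9 GET /api/report
2021-02-23T10:00:02 10.0.0.9 GET /api/report
2021-02-23T10:00:03 10.0.0.9 GET /api/report
2021-02-23T10:00:30 10.0.0.5 GET /api/report
2021-02-23T10:01:10 10.0.0.9 GET /api/status
"""

# Relative processing cost per endpoint (constructed); unknown paths cost 1.
# Weighting by cost captures the variant where few requests are each deliberately expensive.
ENDPOINT_COST = {"/api/report": 3, "/api/status": 1}


def parse_line(line: str):
    ts, client, method, path = line.split()
    return datetime.fromisoformat(ts), client, method, path


def detect_floods(log_text: str, window_seconds: int = 5, budget: int = 12) -> dict:
    """Sliding-window cost accounting per client.

    Returns {client: timestamp} for the first moment a client's summed request cost
    inside the trailing window reaches `budget`. A plain request-count limit is the
    special case where every endpoint costs 1.
    """
    windows = defaultdict(deque)   # client -> deque of (timestamp, cost)
    running = defaultdict(int)     # client -> cost currently inside the window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _, path = parse_line(line)
        cost = ENDPOINT_COST.get(path, 1)
        windows[client].append((ts, cost))
        running[client] += cost
        # Evict entries that have fallen out of the trailing window.
        while (ts - windows[client][0][0]).total_seconds() > window_seconds:
            _, old_cost = windows[client].popleft()
            running[client] -= old_cost
        if running[client] >= budget and client not in flagged:
            flagged[client] = ts
    return flagged


if __name__ == "__main__":
    for client, first_seen in detect_floods(SAMPLE_LOG).items():
        print(f"{client}: budget exceeded at {first_seen.isoformat()}")
```

The same accounting can sit in front of the service as a rate limiter (reject once the budget is hit) or behind it as a detector feeding a SIEM; the window and budget are tuned from the normal request profile of the service.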
Cloud Security Threats (continued)
4. Insufficient Authorization / Weak Authentication
◦ Insufficient authorization occurs when access is granted to an attacker too broadly, resulting in the attacker gaining access to IT resources that are normally protected.
◦ Weak authentication occurs when weak passwords or shared accounts are used to protect IT resources.
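As an added illustration that is not part of the original presentation, the Python below shows two checks a defender can run for this threat: an audit that flags over-broad Allow statements in an access policy, and a heuristic that surfaces accounts used from many distinct sources, a typical sign of a shared account. The policy format is a simplified JSON style loosely modelled on cloud IAM policy languages and, like the account names and addresses, is a constructed assumption for the example.

```python
# Constructed policy documents in a simplified JSON style loosely modelled on
# cloud IAM policy languages. Field names are assumptions for this example,
# not any provider's exact schema.
BROAD_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["storage:*"], "Resource": "bucket/tenant-a/*"},
    ]
}

SCOPED_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": ["storage:GetObject", "storage:PutObject"],
         "Resource": "bucket/tenant-a/*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},  # an explicit deny is not over-broad
    ]
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def audit_policy(policy: dict) -> list:
    """Flag Allow statements that grant broader access than a least-privilege design needs."""
    findings = []
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        for action in _as_list(statement.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {index}: wildcard action '{action}'")
        for resource in _as_list(statement.get("Resource")):
            if resource == "*":
                findings.append(f"statement {index}: wildcard resource '*'")
    return findings


# Constructed login events: (account, source address) for one day. A single credential
# in use from many distinct sources is a common sign of a shared account.
LOGIN_EVENTS = [
    ("svc-admin", "10.1.0.4"), ("svc-admin", "10.1.0.9"), ("svc-admin", "10.1.0.17"),
    ("svc-admin", "192.0.2.40"), ("asha", "10.1.0.4"), ("asha", "10.1.0.4"), ("ravi", "10.1.0.8"),
]


def find_shared_accounts(events, max_sources: int = 2) -> list:
    """Return accounts seen from more than `max_sources` distinct source addresses."""
    sources = {}
    for account, src in events:
        sources.setdefault(account, set()).add(src)
    return sorted(a for a, s in sources.items() if len(s) > max_sources)


if __name__ == "__main__":
    print(audit_policy(BROAD_POLICY))
    print(find_shared_accounts(LOGIN_EVENTS))
```

Both checks are meant to run continuously rather than once: policy audits in the pipeline that deploys policies, and the shared-account heuristic over the identity provider's sign-in log.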
Cloud Security Threats (continued)
5. Virtualization Attack
◦ Virtualization provides access to multiple virtualized IT resources that are logically isolated from each other
◦ Cloud consumers have administrative access to virtualized IT resources
◦ The risk is that cloud consumers could misuse this access to attack the underlying physical IT resources
Other Challenges & Issues
CHECKLISTS OF ISSUES AND GUIDELINES THAT RELATE TO CLOUD SECURITY
Cloud Security Challenges & Issues
1. Flawed Implementations
◦ The substandard or insufficient design, implementation or configuration of cloud service deployments can have undesirable consequences beyond runtime exceptions and failures.
◦ If the cloud provider’s software or hardware has fundamental security flaws or operational weaknesses, attackers can exploit these vulnerabilities.
Figure: a poorly implemented cloud service that results in a server shutdown
Cloud Security Challenges & Issues (continued)
2. Security Policy Inconsistency
◦ When a cloud consumer places IT resources with a public cloud provider, its traditional information security approach may not be identical or even similar to that of the cloud provider
◦ When leasing raw infrastructure-based IT resources, the cloud consumer may not be granted sufficient administrative control or influence over security policies
◦ Third parties (security brokers and certificate authorities) may introduce their own set of security policies and practices
◦ This complicates the standardization of protection for cloud consumer assets


Cloud Security Challenges & Issues (continued)
3. Contracts
◦ Consumers must carefully examine contracts such as SLAs to ensure that security policies and guarantees are satisfactory for asset security.
◦ Which liabilities are assumed by the cloud provider, and what level of protection the cloud provider may ask for, should be clear
◦ The greater the liability assumed by the cloud provider, the lower the risk to the cloud consumer
◦ Where the lines are drawn between cloud consumer and cloud provider assets, i.e. if a security breach or runtime failure occurs, how is blame determined?
Cloud Security

Dr. Lakshmi Kalyani
Joint Director, C-DAC, Noida
Why is cloud security important?
Increasing usage of cloud services in Non-traditional sectors
Growing adoption of Cloud Services in Government Departments
Rise in cloud service-specific attacks
Growing usage of cloud services for critical data storage
Rise in Employee Mobility
Data in cloud
• There are three types of data in the cloud:
  • Data in transit (transmission data)
  • Data at rest (storage data)
  • Data in processing (processing data)
• Security of data and the trust problem have always been the primary and most challenging issues in cloud computing.

Cloud security refers to a set of policies, technologies, applications and controls to protect virtualized data, applications, services and the associated infrastructure involved in cloud computing.
Cloud Security
Cloud security is a shared responsibility:
◦ Using trusted software
◦ Understanding compliance
◦ Managing lifecycles
◦ Continuous monitoring
◦ Choosing the right people
Impact of cloud computing in organizations (figure)
Security concerns & issues in cloud environment (figure)
THANK YOU
DATA SECURITY MEASURE IN CLOUD ENVIRONMENT – WHAT? & HOW?

CLOUD – WHAT?
• Cloud computing is a model enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources
• Cloud - Benefits
  • Less or No Investment
  • Highly Scalable
  • Ease of Deployment & Management
  • Optimal Resource Utilization
23-FEB-21 DATA SECURITY IN CLOUD ENVIRONMENT 2


SAAS, PAAS & IAAS
• Software as a Service (SaaS); Clients & End Users: create user account and start using the apps, e.g. Gmail, One Drive, etc.
• Platform as a Service (PaaS); Developer / Software Admins: take platform and deploy apps, e.g. database, BI engine from Amazon, Google, etc.
• Infrastructure as a Service (IaaS); System / Server Admins: create user account and start provisioning servers, e.g. Meghraj, AWS, etc.
RESPONSIBILITIES IN CLOUD MODELS (figure)

TYPICAL IAAS ARCHITECTURE (figure)

TYPICAL PAAS ARCHITECTURE (figure)

TYPICAL SAAS ARCHITECTURE (figure)

COMPARISON OF TRADITIONAL & CLOUD SECURITY (figure)
MEASURES FOR DATA SECURITY IN CLOUD
• Baseline Security of Cloud
• Availability
• Business Use Case – Gap Analysis
• Compliance
• Governance & Regulations
• Security Services
• NGFW / IPS / AV
• SIEM
• CASB
• IAM
• Data Backup
• BCM (DR Services)


DIFFERENT STANDARDS AVAILABLE FOR CLOUD SECURITY
• ISO 27001
• ISO 27017
• ISO 27018
• NIST 800-53 / FedRAMP
• Cloud Control Matrix from CSA
• Sector based standards
  • PCI DSS – Payment related
  • HIPAA – Health Insurance (US)


NIST CLOUD FRAMEWORK (figure)

ISO 27001:2013 STANDARD (figure)

CCM – CSA STANDARD (figure)


APPLICATION & INTERFACE SECURITY
• End Users accessing the application
• Employees accessing for Data Management
• Administrators managing the Resources
• Managers accessing the Reports
• Other Business Partners having integration

AUDIT ASSURANCE & COMPLIANCE
• Policy Definitions
• Auditing (Internal & External)
• Requirement
  • Policies
  • Rules, Regulations & Law
  • Standards
• Transparency

BUSINESS CONTINUITY
• Business Continuity
  • Redundancy of Service
  • Data Backup & Restoration
  • Disaster Recovery Mitigation
• BC Plan
  • Defined Roles & Responsibilities
  • Process & Procedures
  • BC Drills

CHANGE CONTROL
• Change Control Process
• Controlled Change Management
  • Testing before the Change
  • Properly Documented
  • Approval Process
  • Impact Analysis
  • Review & Revert
  • Plan with minimum or no downtime

DATA LIFE CYCLE MANAGEMENT
• Ensuring Security across the Complete Data Life Cycle
  • Access of Data
  • Backup
  • Transit
  • Storage
  • Creation & Deletion
  • Archival

DATA CENTRE SECURITY
• Physical Security Measures
  • Location & Geo-vulnerabilities
  • Non-IT Infrastructure
  • Access Security
  • Tier Level of Data Center

IDENTITY & ACCESS MANAGEMENT
• Centralized Authentication
• Access Management Policy
• Defined Roles
• Creation & Deletion Policy
• Secured Storage – Sensitive Info.
• Privilege Approval
• Proper Security Measures

INFRASTRUCTURE & VIRTUALIZATION SECURITY
• Virtualization
• Infrastructure – Servers
• Storage
• Network
• Services

INTEROPERABILITY & PORTABILITY (figure)

CLOUD SECURITY ROLES & RESPONSIBILITIES (figure)


LAYERING & FUNCTIONAL COMPONENTS
(Figure: layered functional architecture, reconstructed here as a list)
Layers:
• User layer: User function; Business function; Administrator function
• Access layer: Access control; Connection management
• Service layer: Service capabilities; Business capabilities; Administration capabilities; Service orchestration
• Resource layer: Resource abstraction and control; Physical resources
Multi-layer functions:
• Integration: Security integration; Monitoring integration; Service integration; Peer service integration
• Security systems: Authentication and identity management; Authorization and security policy management; Encryption management
• Operational support systems: Service catalogue; Provisioning; Monitoring and reporting; Service policy management; Service level management; Incident and problem management; Platform and virtualization management; Peer service management
• Business support systems: Product catalogue; Account management; Subscription management; Billing; Accounts
• Development support: Developer environment; Build management; Test management; Service automation
OUTCOME I: BENCHMARKING OF GI CLOUD POLICY
(Figure: two radar charts scored from 0.00 to 90.00)
• NIST 800-53 R4 vs GoI Guidelines with respect to the role of CSP (benchmark of CSP empanelment with NIST 800-53 Rev 4). Axes: Access Control; Awareness and Training; Audit and Accountability; Security Assessment and Authorization; Configuration Management; Contingency Planning; Identification and Authentication; Incident Response; Maintenance; Media Protection; Physical and Environmental…; Planning; Program Management; Personnel Security; Risk Assessment; System and Services Acquisition; System and Communications…; System and Information Integrity
• CSA CCM v3.0.1 vs GoI Guidelines (benchmark of CSP empanelment with CCM v3.0.1). Axes: Mobile Security; Identity & Access Management; Human Resources; Threat and Vulnerability Management; Business Continuity Management & Operational…; Application & Interface Security; Infrastructure & Virtualization Security; Encryption & Key Management; Governance and Risk Management; Audit Assurance & Compliance; Datacenter Security; Security Incident Management, E-Discovery, & Cloud…; Supply Chain Management, Transparency, and…; Data Security & Information Lifecycle Management; Interoperability & Portability; Change Control & Configuration Management
It has been observed that there are no GoI guidelines for the role and risks shared by MSP.

THANK YOU


Smart city projects - Evolution and Security concerns with reference to Internet of Things (IoT) technology

By Vivek Vijay Sarkale, DSCI

® A NASSCOM Initiative
Summary
1. Background
• 100 Smart Cities planned in India by 2022 (investment 3 lakh cr.)
• Smart Cities to function on IoT technology
• Risk to Smart Cities (due to cyber threats): kinetic impact and jeopardized safety of people
• Security & privacy to be integrated at design stage for Smart Cities
• iCISA and DSCI teams to collaborate on the research project on “Smart city projects - Evolution and Security concerns with reference to Internet of Things (IoT) technology”
2. Study Facets
• Building Blocks and Smart Cities Architecture
• Best Practices (Cyber Security)
• Threat Landscape / Risk Scenarios
• Smart Cities RFPs in India
• Public Policies
3. Study Outcomes
• Prescribing a minimum level of cyber security requirements in conceptualization of Smart Cities w.r.t. current GoI guidelines
• Benchmarking of MoHUA, GoI Smart City Cyber Security Guidelines against global best practices for prescribing a futuristic road map for a Cyber Security Framework
• India RFPs compliance benchmarking against current MoHUA Cyber Security Guidelines
• Way forward for Govt. of India for better policy formulation to build robust and resilient Smart Cities
Attributes of Smart City
• Smart City Building Blocks
• IoT - Technology Landscape
• ICT/IoT Layers of Smart City & Cyber Security
• Threat Surface & ICT Layers
• The Risks
• Assessment and Audit Check List
Outcome I: Benchmarking of MoHUA, GoI guidelines against Best Practices
(Table: Layers / Areas / Risk Scenarios (Global))
Application
• Areas: Application inventory; Defined protection processes for areas such as secure development
• Risk scenario: Interception attack on smart water treatment plant in Sweden, Europe (Gothenburg)
Data
• Areas: For the information and management unit one may require use of monitoring capabilities and security process management; Data classification; Privacy by design
• Risk scenario: Privacy data breach, millions of records in the hands of adversaries
Communication
• Areas: Identity and access management encompasses authentication, credential management, remote access, role-based access, network integrity and device management; To protect integrated communication, refresh of legacy infra and building visibility on interconnection is warranted; Patch management
• Risk scenarios: US city’s entire transport communication crashed (San Francisco); WannaCry ransomware led to denial of services (NHS UK, Ukraine airport), ICT attack
Sensor
• Areas: Detection of anomalies and its correlation augmented with robust security monitoring; To protect field components, hardware and software diagnostics processes and capabilities are a must; Hardware redundancy strategy and shutdown procedures
• Risk scenario: North American smart city affected by cyberattack on its emergency alarm system; attackers spoofed communications to the siren control system and activated sirens at 11:40 PM (Dallas)
Security Governance
• Areas: Cyber security policy and privacy policy; A separate risk management function consisting of processes, threat maps and mitigation strategies; Strategy and plans for response and recovery in case of cyber incidents
• Risk scenario: City unable to recover after a cyber attack in the absence of recovery plans
*Detailed areas of improvement in report
Outcome II: India RFPs Compliance to MoHUA Guidelines
(Table: City / Projects / Gaps* / Status)
1. Ahmedabad: Smart City Surveillance System. Gap: focus on IT infrastructure components security configurations. Status: Partially Compliant#
2. Pune (2): Smart City Operations Center; Traffic Signal Control System. Gap: onus on SI to propose information security related policies and plan. Status: Partially Compliant#
3. Bhopal: Smart Parking; Smart Pole & Smart Lighting. No gaps – following end to end requirements. Status: Compliant
4. Agra: Solid Waste Management. No gaps – following end to end requirements. Status: Compliant
5. Rajkot: Integrated Command and Control Centre Application. Gaps: onus on SI to propose information security related policies and plan; ISO 27001 certification. Status: Non Compliant
6. Gandhi Nagar: Intelligent Transport Management System. Gap: focus on IT infrastructure components security configurations. Status: Partially Compliant#
7. Varanasi: ICCC; Waste Management; Traffic Management. No gaps – following end to end requirements. Status: Compliant
8. Ranchi: Smart Parking; GIS. Gap: focus on IT infrastructure components security configurations. Status: Partially Compliant#
9. Cochin: Citizen Portals. Gap: onus on SI to propose information security related policies and plan. Status: Non Compliant
10. Shirdi: Smart Utilities; ICCC. Gap: MSI shall prepare the detailed technical security requirement, and MoHUA Guidelines mentioned as best practices. Status: Partially Compliant#
11. Faridabad: Smart Utilities; ICCC. No gaps – following end to end requirements. Status: Compliant
*Detailed gaps in report
# Partial Compliance – requirements followed for one or two layers only, OR each layer is mapped with partial requirements
Smart City Audit Checklist
(Columns: Sr. No. / Areas / Assessment Question / Yes/No/Work in progress / Compliant/Non Compliant/Remarks; the response columns are blank in the original)
1. Policy: Whether the city has formulated a cyber security policy with dedicated governance and enforcement mechanisms?
2. Policy: Whether the city has developed a privacy policy to ensure data protection of its citizens?
3. Security Governance: Is the city certified on the following standards or frameworks?
  • Information Security Management: ISO 27001
  • Business Continuity Management: ISO 22301
  • Sustainable Cities and Communities: ISO 37120
  • Security Controls for Cloud Security: ISO 27017
  • Cloud Privacy Protection: ISO 27018
  • Smart City Standards: BSI PAS 180, BSI PAS 181, BSI PAS 182
  • DSCI Privacy and Security Framework
4. Security Organization: Whether the city has appointed a chief information security officer with defined roles and responsibilities?
5. Security Organization: Whether the city has allocated a dedicated budget for cyber security out of the total IT budget?
6. Security Organization: Is cyber security an agenda item in status update meetings conducted for tracking implementation and maintenance of the smart city?
7. Security Organization: Is the smart city team adequately staffed with cyber security resources for secure design, implementation, and operations?
8. Security Organization: Whether the city has built a program to create cyber security awareness for pertinent stakeholders regularly?
9. Security Processes: Does the city perform regular security and privacy risk assessment exercises to identify and map cyber risks for the smart city?
Outcome III: Way Forward for Govt. (Public Policy)
I. Benchmarking of existing Govt. security architecture guidelines against the international best practices
II. Minimum cyber security best practices to be mandated by Government of India
III. Develop detailed guidelines for implementing cyber security in smart cities
IV. A mechanism to be envisaged for auditing of RFPs before public domain release, to provide secondary assurance on inclusion of cyber security requirements
V. Accountability on the special purpose vehicle to adhere to security guidelines by Government of India
VI. Ensure the implementation of cyber security guidelines and link budget sanctions to the compliance status
VII. Create a platform for cyber security information sharing and knowledge transfer amongst the smart cities and other agencies (e.g. CERT-In, NCIIPC)
VIII. Minimum ICT infrastructure requirements as a criterion to be mandated for a city to qualify as a candidate for a smart city
IX. Mandate smart city SPVs to appoint security organizations with clearly defined security roles and responsibilities
X. Encourage smart city SPVs to perform risk assessment and implement solutions leveraging custom-off-the-shelf (COTS)/Make in India/open source security
XI. Smart Cities to leverage existing ICT laws in India such as the IT Act to expedite cyber-crime investigation scenarios
XII. Formulate security guidelines for OEMs
Legend (priority): High / Medium / Low (colour-coded in the original figure)

Thank You.
Data Privacy in E-Governance Projects
Assessing criticality of E-Governance Projects
• Reach and scale of the project
• Type and sensitivity of transactions processed by the project
• Data collection arrangement deployed by the project
• Possibilities and extent of the harm that can be inflicted on the data subjects/principals
Personal Data
Categories of data: Data; Personal Data; Sensitive Personal Data; Critical Data (to be notified by central government)
Personal data is any data relating to an identified or identifiable natural person:
• Such data can be linked back to the individual on its own, or in combination with other data, particularly identifiers
• Identifiers include a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
• Pseudonymized data (i.e., data that cannot be attributed to an individual without the use of additional information) is personal data.
• Data qualifies as personal data as soon as an individual can be singled out.
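The following Python example is added here and is not part of the original slides. It makes the last two points concrete: direct identifiers are replaced by a keyed hash, re-identification still works for anyone holding the separately kept key and linkage table (the "additional information"), and a combination of the remaining attributes can still single out one individual. The records, key and function names are constructed for the example.

```python
import hashlib
import hmac

# Constructed records from a hypothetical citizen-service database.
RECORDS = [
    {"name": "Asha Rao", "email": "asha@example.org", "dob": "1988-04-12", "service": "property-tax"},
    {"name": "Ravi Iyer", "email": "ravi@example.org", "dob": "1988-04-12", "service": "water-bill"},
    {"name": "Meera Das", "email": "meera@example.org", "dob": "1975-11-02", "service": "property-tax"},
]

# The "additional information" that makes re-identification possible: a secret key
# (constructed here) plus the linkage table produced alongside the pseudonymised rows.
PSEUDONYM_KEY = b"example-pseudonymisation-key"


def pseudonym(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash of a direct identifier. Without the key it cannot be recomputed,
    so the pseudonym cannot be attributed to a person from the output alone."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key: bytes = PSEUDONYM_KEY):
    """Replace direct identifiers with a pseudonym; return (rows, linkage_table).
    The linkage table must be stored separately under stricter access control."""
    rows, linkage = [], {}
    for rec in records:
        pid = pseudonym(rec["email"], key)
        linkage[pid] = {"name": rec["name"], "email": rec["email"]}
        rows.append({"subject_id": pid, "dob": rec["dob"], "service": rec["service"]})
    return rows, linkage


def reidentify(row: dict, linkage: dict):
    """Re-link a pseudonymised row to the person. This is possible only with the
    separately held linkage table, which is why pseudonymised data is still personal data."""
    return linkage.get(row["subject_id"])


def singles_out(rows, **attributes) -> bool:
    """True when the given indirect attributes match exactly one row, i.e. an
    individual can be singled out even though no direct identifier is present."""
    matches = [r for r in rows if all(r.get(k) == v for k, v in attributes.items())]
    return len(matches) == 1


if __name__ == "__main__":
    rows, linkage = pseudonymize(RECORDS)
    print(rows[0])
    print(reidentify(rows[0], linkage))
    print(singles_out(rows, dob="1988-04-12"), singles_out(rows, dob="1988-04-12", service="property-tax"))
```

The `singles_out` check is the practical test for the "singled out" criterion: a date of birth shared by two rows does not identify anyone, but date of birth plus service does, so the pseudonymised table still carries personal data and has to be handled as such.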
Examples: Personal Data you can find in your databases
• First name, last name/surname, maiden name
• Email address
• Home address (street, zip, postal code, city)
• Phone number
• Photo
• Date of birth
• National Identification Number, (Social) Insurance Number, Social Security Number
• Taxpayer Identification Number, Tax File Number, Permanent Account Number
• Passport number, national ID number, driver’s license number
• Bank account number
• Credit card number
• Vehicle registration plate number
• Employee number
• IP address
• Cookie ID
• Location data
• Handwriting
• Login
• Password
• Social media profile IDs/links
• Mobile device IDs
• Employment history, job title
• Education history
Sensitive Personal Data
• Sensitive in nature: a subset of Personal Data
• Sensitive in relation to the subject’s fundamental rights and freedoms: impacts the individual’s existence in society
• Its processing could create significant risk of harm to the subject: high risk processing
The classification of Sensitive Personal Data is country, society and culture specific.
Sensitive Personal Data is an exhaustive list.
Sensitive Personal Data
EU General Data Protection Regulation:
• Racial or ethnic origin
• Political beliefs
• Religious or philosophical beliefs
• Trade union membership
• Genetic or biometric data
• Physical or mental health
• Sex life or sexual orientation
Indian Protection of Personal Data Bill, 2019:
• Financial data
• Health data
• Official identifier
• Sex life
• Sexual orientation
• Biometric data
• Genetic data
• Transgender status
• Intersex status
• Caste or tribe
• Religious or political belief or affiliation
The two lists show geographical similarities and geographical variations.
Processing
Processing covers a wide range of operations performed on personal data:
Collection; Recording; Organisation; Structuring; Storage; Alteration; Transmission; Dissemination; Restriction; Destruction
Grounds for Processing Personal Data
• Data Principal’s consent
• Function of State
• Compliance with law or order of court/tribunal
• Prompt action in case of emergencies
• Purposes related to employment
• Reasonable purpose of data fiduciary
Sensitive Personal Data can only be processed using explicit consent.


Privacy Principles
Privacy principles represent the core of privacy protection and form the underlying components around which data protection or privacy protection laws across the world are based.
Notice; Purpose Limitation; Use Limitation; Collection Limitation; Storage Limitation; Individual Participation Rights; Security Safeguards; Accountability
Privacy Principles
• OECD: Collection Limitation; Data Quality; Purpose Specification; Use Limitation; Security Safeguards; Openness; Individual Participation; Accountability
• APEC: Preventing Harm; Notice; Collection Limitation; Use of PI; Choice; Integrity of PI; Security Safeguards; Access & Correction; Accountability
• DSCI Privacy Framework: Notice; Choice & Consent; Collection Limitation; Use Limitation; Access and Correction; Security; Disclosure to Third Party; Openness; Accountability
• GDPR: Lawfulness, Fairness and Transparency; Purpose Limitation; Data Minimisation; Accuracy; Storage Limitation; Integrity and Confidentiality; Accountability
• PPDB: Fair and Reasonable Processing; Purpose Limitation; Collection Limitation; Lawful Processing; Notice; Data Quality; Data Storage Limitation; Accountability
Privacy Principles & Best Practices
(Figure: matrix of Privacy Principles and Best Practices across the stages Data Collection, Data Storage, Data Usage, Data Flow and Data Disposal)
Principle Based Assessment: Notice
(Figure: assessment dimensions) Role of Notice; Trigger; Instruments; Transparency; Content; Recording & Tracking; References; Notice Integration with Process Lifecycle; Channels; Effectiveness & User Experience; Third Party Enforcement; Informed Consent; Special Considerations
Principle Based Assessment: Collection Limitation
(Figure: assessment dimensions) Due Diligence; Assurance to Data Subjects; User Experience; Transparency; Employee Awareness; Recording & Tracking; Special Considerations; Modes & Channels; User Involvement; Third Party Enforcement
Principle Based Assessment: Accountability
(Figure: assessment dimensions) Privacy Culture; Instruments; Corporate Messaging; Trigger; Privacy Program; Transparency; Third Party Enforcement; Recording & Tracking; Integration with Process Lifecycle

Assessment Standard
Notice
1.1.1 Users shall have real-time access to the Privacy Notice during the entire lifecycle of their involvement with the Digital Product. The lifecycle extends from the time of procurement of the product from the Play Store/App Store, to installation, registration, usage and any further Personal Information collection that happens during usage.
1.1.2 Users shall be updated on any changes to the Privacy Notice.
1.1.3 The Privacy Notice shall be updated if there are any changes to the purpose of processing the PI.
1.1.4 The Privacy Notice should be available in the local language of the user to ensure that the user fully comprehends the terms of the Notice.
Assessment Standard
(Table: # / Area / Assessment Standard)
1.1.1 Personal Information Collection: The entity should provide a notice which clearly states the type of Personal Information being collected from the user, and specifically sensitive personal information such as health information, financial information, etc. The notice should also mention the indirect sources of Personal Information.
1.1.2 Personal Information Usage: The entity should provide a notice which clearly states the purpose of collection of Personal Information from the user. The purpose should cover PI collected directly from the user as well as from indirect sources.
1.1.3 Third Parties Disclosure: The notice should list the third parties or categories with whom the Personal Information is being shared, the purpose of sharing and any mechanisms such as contractual agreements that have been agreed to ensure user privacy.
1.1.5 Information Security: The notice should state the information security and safeguard mechanisms deployed to protect the Personal Information. The notice should state the security obligations and expectations from the user.
1.1.6 Information Retention: The notice should inform the users of the Personal Information retention mechanisms, the duration for which Personal Information is retained and the criteria used to determine the retention period. This should cover the entire lifecycle of product usage and post de-installation.
1.1.7 Grievance Redressal: The notice should provide details of the mechanism to report misuse/breach and also the contact point of the Grievance Officer for clarification/recourse/query.
1.1.9 Legitimate Interest & other lawful basis for processing: The notice should inform the user about the use of PI for the legitimate interest of the entity and also for other lawful bases for processing. To ensure clarity to the user, examples of legitimate interest should be listed.
1.1.10 Complaint filing: The notice should clearly mention the right of the user to file a complaint with the Authority as well as the process for the same.
Assurance Standard Checklist
(Columns of the original checklist: #, Parameters Standard, #, Question, Response (Yes/No/NA/Cannot Ascertain), Observation. Response and Observation are filled in during the assessment.)

1 Notice
1.1 Availability

1.1.1 Users shall have real time access to the Privacy Notice during the entire Lifecycle of their involvement with the service delivery system. The lifecycle would extend from the time of downloading/accessing the service from the Play store/AppStore/Web Portal, to Installation, registration, usage and any further Personal Information collection that happens during usage.
  Q1. Does the hyperlink for privacy notice of the service exist on Play store/AppStore/Web Portal and is it functional?
  Q2. Does the hyperlink for privacy notice of the service exist on the launch screen and is it functional?
  Q3. Does the service have an option to refer to the privacy notice while using the service?
  Q4. Does the service page display the hyperlink to view privacy notice while collecting PI from user on registration page and is it functional?
  Q5. Does the service page display the hyperlink to view privacy notice while collecting new PI from user on subsequent pages of service for subscription purposes and is it functional?
  Q6. Does the service page display the hyperlink to view privacy notice while collecting new PI from user while downloading any file and is it functional?
  Q7. Does the service page display the hyperlink to view privacy notice while collecting new PI from user on all data collection instances from service and is it functional?
  Q8. Is the privacy notice easily accessible to the user?

1.1.2 Users shall be updated of any changes to the Privacy Notice.
  Q9. Does the Entity send a notification to the user when the privacy notice is updated?

1.1.3 Privacy Notice shall be updated if there are any changes to the purpose of processing the PI.
  Q10. Does the service send a notification to the user when there is a significant change in the purpose of processing PI?

1.1.4 Privacy Notice should be available in the local language of the user to ensure that the user fully comprehends the terms of the Notice.
  Q11. Is the privacy notice available to the user in the local Language?
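As an added illustration of how the availability questions above can be partly automated (example code written for this page, not part of the iCISA/DSCI material), the Python below parses the HTML of each screen an auditor would inspect, finds privacy-notice hyperlinks, resolves them against the page URL and records the checklist response; the screen names, the anchor-text heuristic, the hreflang test for Q11 and the example.gov.in service are assumptions.

```python
"""Added example (not from the iCISA/DSCI standard): automating the 'Notice -> Availability'
questions of the assurance checklist above. Each screen is supplied as HTML; privacy-notice
links are found and resolved against the page URL. Whether a link is functional needs a live
HTTP request, so reachability is injected as a callable (the demo uses a constructed table)."""
from html.parser import HTMLParser
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin

# Anchor-text heuristic for recognising a privacy-notice link (assumption, not from the standard)
PRIVACY_WORDS = ("privacy notice", "privacy policy", "privacy")
# Checklist question number -> screen inspected for it (numbers follow the checklist above)
QUESTION_SCREENS = {1: "store_listing", 2: "launch_screen", 4: "registration_page", 5: "subscription_page"}
# Reachability callback: True = link works, False = broken, None = could not be checked
Reachable = Callable[[str], Optional[bool]]
Screens = Dict[str, Tuple[str, str]]  # screen name -> (page URL, HTML)

class _LinkCollector(HTMLParser):
    """Collects href, visible text and hreflang of every <a> element on a page."""
    def __init__(self) -> None:
        super().__init__()
        self.links: List[Dict[str, str]] = []
        self._open: Optional[Dict[str, str]] = None

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "a":
            a = dict(attrs)
            self._open = {"href": a.get("href") or "", "text": "", "hreflang": a.get("hreflang") or ""}

    def handle_data(self, data) -> None:
        if self._open is not None:
            self._open["text"] += data

    def handle_endtag(self, tag) -> None:
        if tag == "a" and self._open is not None:
            self.links.append(self._open)
            self._open = None

def privacy_links(html: str, page_url: str) -> List[Dict[str, str]]:
    """Return the privacy-notice links on a page, hrefs resolved to absolute URLs."""
    parser = _LinkCollector()
    parser.feed(html)
    found = []
    for link in parser.links:
        text = " ".join(link["text"].split()).lower()
        if any(w in text for w in PRIVACY_WORDS) or "privacy" in link["href"].lower():
            found.append({**link, "href": urljoin(page_url, link["href"])})
    return found

def assess_screen(html: str, page_url: str, reachable: Reachable) -> str:
    """Response to one 'does the hyperlink ... exist and is it functional?' question."""
    links = privacy_links(html, page_url)
    if not links:
        return "No"                    # no link at all: the notice is not offered on this screen
    outcomes = [reachable(link["href"]) for link in links]
    if any(o is True for o in outcomes):
        return "Yes"
    if all(o is False for o in outcomes):
        return "No"                    # link(s) present but every one is dead
    return "Cannot Ascertain"          # present, but reachability could not be verified

def assess_local_language(screens: Screens, reachable: Reachable) -> str:
    """Q11 heuristic (assumption): a working notice link carrying a non-English hreflang
    counts as 'Yes'; otherwise the auditor must read the notice, so 'Cannot Ascertain'."""
    for page_url, html in screens.values():
        for link in privacy_links(html, page_url):
            lang = link["hreflang"].lower()
            if lang and not lang.startswith("en") and reachable(link["href"]) is True:
                return "Yes"
    return "Cannot Ascertain"

def run_checklist(screens: Screens, reachable: Reachable) -> Dict[int, str]:
    """Return {question number: response} for the availability questions covered here."""
    responses = {}
    for question, name in QUESTION_SCREENS.items():
        if name not in screens:
            responses[question] = "NA"   # the service has no such screen
            continue
        page_url, html = screens[name]
        responses[question] = assess_screen(html, page_url, reachable)
    responses[11] = assess_local_language(screens, reachable)
    return responses

# Constructed sample input (fictitious service, not a real portal)
SAMPLE_SCREENS: Screens = {
    "store_listing": ("https://example.gov.in/app", '<a href="/privacy">Privacy Notice</a>'),
    "launch_screen": ("https://example.gov.in/", '<a href="/about">About</a>'),
    "registration_page": ("https://example.gov.in/register", '<a href="/privacy">Privacy Notice</a> '
                          '<a href="/privacy?lang=hi" hreflang="hi">गोपनीयता सूचना</a>'),
    "subscription_page": ("https://example.gov.in/subscribe", '<a href="/old-privacy">privacy policy</a>'),
}
# Constructed link outcomes standing in for live HTTP checks (unknown URLs yield None)
KNOWN_LINKS = {"https://example.gov.in/privacy": True, "https://example.gov.in/privacy?lang=hi": True,
               "https://example.gov.in/old-privacy": False}

def sample_reachable(url: str) -> Optional[bool]:
    return KNOWN_LINKS.get(url)
```

Calling run_checklist(SAMPLE_SCREENS, sample_reachable) on the constructed sample yields Yes for Q1 and Q4, No for Q2 (no link) and Q5 (dead link), and Yes for Q11; a real audit would replace sample_reachable with an HTTP check and still review the notice text by hand.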
Sample Analysis
(SNo., E-Governance Project, Classification)

1. Passport Seva Project (Central e-Gov MMP)
2. Income Tax E-Filing Portal (Central e-Gov MMP)
3. National Portal of India (Integrated e-Gov MMP)
4. Digital Seva Portal (Integrated e-Gov MMP)
5. Shaala Darpan (State e-Gov MMP)
6. E-Vahan Delhi (e-Gov Initiative)
7. DigiLocker (e-Gov Initiative)
8. Project E Seva - Andhra Pradesh (e-Gov Initiative)
9. IRCTC (e-Gov Initiative)
10. Project Bhoomi - Karnataka (e-Gov Initiative)
11. MyGov (e-Gov Initiative)
Sample Observations
Passport Seva Project

Assurance Standard Assessment

Parameter: Notice
• The website page displays the hyperlink to view privacy notice while collecting new PI from user on subsequent pages of website.
• The Privacy notice is available in local language.
• The Privacy notice doesn’t mention if it uses any other (indirect) sources from where PI/SPI of user is collected by the Entity.
• The Privacy notice does not inform the user about the existence of any other tracking mechanisms used to collect, store, transmit or process PII/SPI.
• The privacy notice does not state the security obligations and expectations from the user to protect their PI/SPI.
• The Privacy Notice does not inform user about the standards it follows.
• The privacy notice does not inform the user about their rights and how these rights can be exercised.
• The Privacy notice does not mention any retention period.
Thank you!

2018
E-GOVERNANCE PRIVACY AUDIT ASSURANCE PROGRAM
International Centre for Information Systems and Audit
Data Security Council of India
A. Introduction
India is fast emerging as a global front runner in digital adoption. Digitization and technology are bringing incredible opportunities for the Indian economy and are set to play a major role in the economic and social transformation of our nation. The Government of India has also sought to tap into this transformative potential of digitization through the Digital India Initiative, envisaging delivery of a host of welfare services and fostering an environment of digital literacy and awareness.

In its landmark judgement in Justice K.S. Puttaswamy v. Union of India & Ors.[1] the Honourable Supreme Court of India recognized ‘Right to Privacy’ as a Fundamental Right guaranteed under Part-III of the Constitution. The Apex Court observed that Information Privacy comes under the scope of Right to Privacy. The said judgement also highlighted the need to draft a data protection legislation for India, with the current regime being unable to address evolving privacy concerns.

It would become imperative for government departments to create visibility and transparency around the purposes and usage of personal data of Indian residents and incorporate practices such as privacy by design and privacy best practices before launching schemes and undertaking new projects.

The guiding thought behind the formulation of this standard is creating a Privacy Assurance Program for assessing E-Governance Projects that make use of the online medium for dissemination of government services, through service delivery websites, portals and mobile applications. The program (a) sets the standard in each case and (b) provides an assurance of complying with the specific standard.

1. E-Governance Statutory Framework in India


1.1 The Information Technology Act, 2000 and the Information Technology
(Electronic Service Delivery) Rules 2011

The Rules prescribe strict standards to maintain the security, confidentiality and sanctity of all personal information used during electronic service delivery transactions. Confidentiality of data is given attention under the Rules with the incorporation of a provision whereby all service providers are required to submit a declaration stating that the data of every individual transaction and citizen will be protected. In the event of an unauthorised disclosure without consent, the service provider will be debarred from providing that service further.[2]

[1] WRIT PETITION (CIVIL) NO 494 OF 2012

But the Rules remain silent on numerous other safeguards which ought to
form part of a comprehensive legal framework protecting electronic service
delivery. For instance, anonymization/obfuscation and deletion policies are
excluded from the ambit of the Rules, despite their core importance to serve
the end of confidentiality. Similarly, privacy principles such as collection
limitation and purpose limitation delineate the precise use of databases.
However, the Rules do not provide for provisions enunciating the appropriate
uses of databases. Moreover, accountability for accuracy of data as well as
individual access and control of personal information appear to be absent
from the instant Rules.

1.2 Right to Information Act, 2005


The advent of the information age has redefined the fundamentals of service
delivery by the Government. In this vein, the Right to Information Act, 2005
(RTI Act), that came into force on 12 October 2005, served as the seminal
legislation in modern India with a revolutionary essence of giving citizens the
right to participate in governance. It is undisputed that e-governance and
RTI are complementary to each other, in that e-governance will be deemed to
be effective only with the full implementation of the RTI; and RTI’s
implementation is premised on a comprehensive system of computerisation,
bereft of which excessive load will have to be borne by the Public Information
Officers and other authorities impairing its effectiveness.

The RTI Act arms citizens with the right to access information held by the
government and ensures transparency and accountability in working of
public authorities. The Act mandates the computerisation of records by every
public authority for wide dissemination and provision of minimum recourse
to citizens to request for information formally. It not only empowers citizens
to request for information for which States must be adequately equipped for
facile and inexpensive access to information, but also casts a positive duty
of suo motu disclosure[3] of information by public bodies.

However, it is pertinent to note that the RTI Act, while serving as an empowering tool in the hands of the citizens of India, also breaches the commonly accepted notions of privacy of individuals, with the balance tending more towards ‘larger public interest’.

[2] Rule 8(4), Information Technology (Electronic Service Delivery) Rules, 2011.
[3] Section 4(1)(b) & Section 4(2), Right to Information Act, 2005: “It shall be a constant endeavour of every public authority to take steps in accordance with the requirements of clause (b) of sub-section (1) to provide as much information suo motu to the public at regular intervals through various means of communications, including internet, so that the public have minimum resort to the use of this Act to obtain information.”
Notwithstanding the above discussion, it cannot be disputed that the RTI Act
is the premier legislation promoting state-citizen relationship by bringing in
transparency to government functioning and providing right to citizens to
request for information pertaining to governmental functioning.

1.3 Road to Open Data


The NDSAP is designed to promote data sharing and enable access to Government owned data for national planning and development. The policy states three types of access: open,[4] registered[5] and restricted.[6] Further, the NDSAP requires every Department to identify datasets based on the categories of Negative List[7] or Open List.[8]

1.4 State Level Electronic Service Delivery


On the State level, many States have laid out their vision to create knowledge societies by using Information Technology for development and governance and ensure the last citizen gains access to benefits with the use of such technology. In this vein, the Electronic Service Delivery model has been adopted by states in India as a pioneering effort for efficient and effective governance. In 2006, the Government approved the National e-governance Plan to provide services electronically, such as processing of passports, registration of companies etc. In 2008, the Second Administrative Reforms Commission highlighted the need for a legal framework to implement e-governance.[9] This was followed by the amendments made to the Information Technology Act, 2000 in 2008 to enable government departments to deliver services electronically. It is pursuant to Section 90 of the Information Technology Act, 2000, that many States notified Rules for electronic service delivery under the IT Act.

[4] Access to data in the open category will be “easy, timely, user-friendly and web-based without any process of registration/authorization.”
[5] Registered access category will be accessible “only through a prescribed process of registration/authorization by respective departments/organizations” and available to “recognized institutions/organizations/public users, through defined procedures.”
[6] Data categorized as restricted will be made available only “through and under authorization.”
[7] The Non-shareable data, termed as Negative List, consists of datasets that are confidential in nature and would compromise national security and privacy if made public. Some examples in this category are identification particulars of informants/establishments in unit level data of the Index of Industrial Production (IIP), ASI and NSS sample surveys; and data on prices collected from different shops of various rural and urban markets selected for preparation of the Consumer Price Index (CPI). This list contains datasets containing personal information.
[8] The Open List comprises datasets that don’t fall in the category of the Negative List.
[9] ‘Promoting e-Governance’, 11th Report of the Second Administrative Reforms Commission, December 2008.
State Legislation
(State: Legislation)

Madhya Pradesh: Madhya Pradesh Lok Sewaon Ke Pradhan Ki Guarantee Adhiniyam, 2010
Bihar: Bihar Lok Sewaon ka Adhikar Adhiniyam, 2011
Jharkhand: Jharkhand Right to Service Act, 2011
Punjab: Punjab Right to Public Service Act, 2012
Uttarakhand: Uttarakhand Right to Service Act, 2011
Delhi: Delhi (Right of Citizen to Time-bound Delivery of Services) Act, 2011
Uttar Pradesh: Janhit Guarantee Act, 2011
Assam: Assam Right to Public Services Act, 2012
Chhattisgarh: Chhattisgarh Lok Seva Guarantee Bill, 2011
Jammu & Kashmir: Jammu & Kashmir Public Services Guarantee Act, 2011
Himachal Pradesh: Himachal Pradesh Public Services Guarantee Act, 2011
Kerala: Kerala State Right to Service Act, 2012
Odisha: Odisha Right to Public Services Act, 2012
Gujarat: Gujarat (Right of Citizens to Public Services) Bill, 2013
Goa: Goa (Right to Time-Bound Delivery of Public Services) Act 2013
West Bengal: West Bengal Right to Public Services Bill, 2013
Haryana: Haryana Right to Service Act, 2014
Maharashtra: Maharashtra Right to Public Services Ordinance, 2015

1.5 Cyber Security Policy at State and Central Level


With the inspiration from the National Cyber Security Policy 2013, the states of Andhra Pradesh, Telangana and Haryana introduced their cyber security policies. Telangana’s Cyber Security Policy,[10] released in September 2016, aimed at critical information infrastructure protection, government network, e-governance, education and skill training, among others. Andhra Pradesh has been a fore-runner in the use of ICTs extensively for delivery of public services qua the e-Pragati Program being implemented by the Government on a whole-of-government approach, whereby all e-Governance systems are interconnected and integrated to provide a wide range of services online.[11] The Vision of the Andhra Pradesh Cyber Security Policy 2017 is ‘to create a robust cyber ecosystem, wherein the citizens transact online securely and take steps to protect their identity, privacy and finances online, the businesses conduct their operations without any disruption or damage and the Government ensures that its data and ICT systems are secure’. As a part of the e-Pragati Program, the Government shall design, develop and deploy a holistic and prioritised e-Pragati Security Architecture. The Government shall also establish an institutional mechanism for e-Pragati Security Governance under an e-Pragati Chief Information Security Officer.

[10] https://www.telangana.gov.in/PDFDocuments/Telangana-Cyber-Security-Policy.PDF

To address the cyber security challenges and following the tenets of the
Digital India initiative of the Government, the Haryana state realised the need
to establish a State Cyber Security Policy Framework as per the National
Cyber Security Policy, to serve as an umbrella framework for defining and
guiding the actions related to security in the cyberspace. The country’s
maiden State Cyber Security Policy was launched in September 2017
ensuring confidentiality and integrity of the critical IT and ICT data from
unauthorised use, disclosure, modification and disposal. However, this
policy fails to state the implications in the event of a data breach and no
penalty has been stated in the policy if a firm fails to protect data.

For improved implementation of e-governance, it is essential for the Government to frame laws that fully incorporate established as well as emerging technology, in conjunction with inherent privacy safeguards for maintaining the sanctity of personal information.

[11] http://www.apeita.in/wp-content/uploads/2017/05/Cyber_Security-1-1.pdf
B. Data Privacy Assessment of E-Governance Projects
The exercise to gauge the privacy posture of E-Governance projects is twofold.
Firstly, we examine the selected sample of E-Governance projects against the existing privacy framework in India, i.e. the provisions that create privacy obligations under the Information Technology Act, 2000. Although these provisions were framed with ‘body corporates’ in mind, to ensure their accountability for protecting the data privacy of the data subject (provider of information), it was felt that, in the absence of an overarching framework that regulates the operation of government projects with respect to privacy, the same yardstick may be used to examine E-Governance projects.
Secondly, the assessment of the aforementioned projects would be done
against a model audit assurance standard that has been created by examining
various global privacy legislations and best practices. This standard also
encapsulates the recommendation of the B.N. Justice Srikrishna Data
Protection Committee.
The assessment in both instances has been carried out based on established assessment parameters: Privacy Principles and Best Practices. These principles and best practices have been supplemented with audit checklists to help auditors carry out these assessments.
a. SPDI Rules Assessment Parameters
Information Technology (Reasonable Security Practices and Procedures and
Sensitive Personal Data or Information) Rules, 2011

[Figure: privacy principles and best practices under the SPDI Rules, 2011, arranged across the lifecycle stages Data Collection, Data Storage, Data Usage and Data Disposal. Principles: Notice, Storage Limitation, Collection Limitation, Purpose Limitation, Consent, Individual Participation Rights, Security Safeguards. Best practices: Disclosure of Information, Transfer of Information, Grievance Redressal.]

The principles and best practices inscribed in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 are depicted in the above figure.
There are 7 key privacy principles and 3 best practices that form the foundation for our assessment in this segment. It is important to note that, since these requirements have been designed for private sector entities, some restrictions have been placed on their application to keep them relevant for the assessment of E-Governance Projects. These restrictions have been highlighted in the following sections.
1. Privacy Principles for Assessment
1.1 Notice
Privacy notice is a public statement of how the entity applies data protection
principles to processing Personal Information. It is a statement that describes
how the entity collects, uses, retains and discloses personal information of a
data subject.
As per Rule 4, a privacy policy for handling of or dealing in personal information including sensitive personal data or information should be displayed on the website of the entity and should be communicated to the provider of information (Data Subject). This policy should be clear and easily accessible and mention the type of personal or sensitive personal data or information collected, the purpose of collection and usage of such information, disclosure of information including sensitive personal data or information as provided, and the reasonable security practices and procedures implemented.[12]
1.2 Storage Limitation
Retention policies or retention schedules list the types of record or information
you hold, what you use it for, and how long you intend to keep it. This
principle creates an obligation on the entity to establish and document
standard retention periods for different categories of personal data.

As per Rule 5(4), sensitive personal data or information should not be retained for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force.[13]

1.3 Collection Limitation

Entities should collect personal information from users that is adequate, relevant and limited to what is necessary in relation to the purpose of processing.

[12] Rule 4, Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
[13] Rule 5(4), Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
As per Rule 5(2) and Rule 5(3), information should be collected for a lawful purpose connected with a function or activity alone; such collection of sensitive personal data or information should be considered necessary for that purpose.[14] The subject should also be informed about the nature of collection, the identity of the agency collecting and the intended recipients of the information.[15]
1.4 Purpose Limitation
This principle aims to ensure that the entity is clear and open about the
reasons for obtaining personal data, and that what you do with the data is in
line with the reasonable expectations of the individuals concerned.

The framework laid down under section 43A of the Information Technology Act, 2000, clubs the purpose and usage limitation principles under Rule 5(5). As per this rule the information collected should be used for the purpose for which it has been collected.[16]

1.5 Consent
Consent signifies any freely given, informed and unambiguous indication of the data subject’s wishes by which they signify agreement to the processing of their personal information. Consent can be obtained by a clear affirmative action.
However, consent may not be necessary in all instances of processing. There are certain kinds of processing activities which necessitate that the data subject provides their personal data through non-consensual grounds such as function of state. This principle would not be applicable in its entirety in our assessment as the selected e-governance projects carry out collection of data for provision of schemes and services that may be deemed as falling under function of state. Keeping this in mind, the assessment of this principle would be restricted to provision of ‘optional data’ or ‘additional data’, i.e. data collection which is outside the scope of the purpose of provision of government services.
1.6 Individual Participation Rights
Through these rights, users can make a specific request and be assured that
their personal information is not being misused for purposes other than
legitimate purpose.
As per Rule 5(6), only the rights of access and correction have been extended to the data subject.[17]

[14] Rule 5(2), Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
[15] Rule 5(3), Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
[16] Rule 5(5), Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
[17] Rule 5(6), Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
1.7 Security Safeguards
This principle places a responsibility on the entity to ensure that reasonable security practices have been put in place around processing of personal data.
As per Rule 8, the entity must implement such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets.[18]
2. Best Practices for Assessment
2.1 Disclosure of Information
As per Rule 6, disclosure of sensitive personal data or information by the entity to any third party shall require prior permission from the provider of such information, who has provided such information under lawful contract or otherwise, unless such disclosure has been agreed to in the contract between the body corporate and the provider of information, or where the disclosure is necessary for compliance of a legal obligation.[19]
2.2 Transfer of Information
As per Rule 7, the transfer of information may be allowed only if it is necessary for the performance of the lawful contract between the entity or any person on its behalf and the provider of information, or where such person has consented to data transfer.[20]
2.3 Grievance Redressal
As per Rule 5(9), the entity shall designate a Grievance Officer and publish his name and contact details on its website. The Grievance Officer shall redress the grievances of the provider of information expeditiously but within one month from the date of receipt of grievance.[21]

[18] Rule 8, Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
[19] Rule 6, Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
[20] Rule 7, Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
[21] Rule 5(9), Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
b. Audit Assurance Program Assessment Parameters

1. Privacy Principles for Assessment


The Privacy standard evaluates an E-Governance Project throughout its data
collection lifecycle against 10 fundamental Privacy Principles and Best
Practices – all of which have been derived from globally accepted principles of
privacy and take into account some of the recent developments in this field.
Some of the key aspects of the chosen Privacy Principles are:
1. The Privacy principles cover the end-to-end Information Lifecycle from Data Collection to Disposal. Each Privacy principle accounts for one or more stages of the information life cycle.

2. Recent developments around privacy and data protection have been taken into consideration to keep the standard contemporary and breathable at the same time.

3. The Privacy Principle Notice, given its various dimensions of expression, has been further categorized into logical sub-categories. For example, Notice has been further divided into sections like Notice Availability, Content and Implementation. This ensures holistic evaluation of each principle.

4. There are interdependencies between the Privacy Principles. Principles like Transparency and Accountability are manifested through other Principles, i.e. aspects of Notice, Purpose limitation, Use limitation, as well as Collection limitation.

5. Data Security, which is a key aspect of Privacy, is covered in detail taking into account security of Personal Information during storage, transmission and disposal.

6. Collectively considered, these Principles can help with the comprehensive Privacy evaluation of an E-Governance Project.

To test for applicability and ensure robustness, the standards have been
applied to and tested against some of the latest set of privacy related incidents
pertaining to mobile apps and websites that have occurred in India and
globally, as increasing E-Governance services are dispensed through these
mediums.
Notice: Privacy notice is a public statement of how the entity applies data protection principles to processing Personal Information. It is a statement that describes how the entity collects, uses, retains and discloses personal information of a data subject.

Consent: Consent signifies any freely given, informed and unambiguous indication of the data subject’s wishes by which they signify agreement to the processing of their personal information. Consent can be obtained by a clear affirmative action.

Purpose Limitation: It aims to ensure that an organisation is clear and open about its reasons for obtaining personal data, and that what it does with the data is in line with the reasonable expectations of the individuals concerned. Specifying purposes from the outset helps fix accountability for processing, and helps to avoid ‘function creep’. It is fundamental to building public trust in how personal data is used.

Collection Limitation: Entities should collect Personal Information from users that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

Use Limitation: The Use Limitation principle states that the entity may disclose, make available or otherwise use the Personal Information collected from the user solely for the purposes identified in the notice and for which the user has provided consent.

Storage Limitation: The entity shall retain personal data only as long as may be reasonably necessary to satisfy the purpose for which it is processed, or with respect to an established retention period.

Security Safeguards: Entities should protect personal information that they collect or have in their custody with reasonable security safeguards against loss, unauthorised access, destruction, use, modification, disclosure or other reasonably foreseeable risks.

Transparency: It places an overarching responsibility on the state to maintain transparency over the processes and practices of the state while processing personal data of individuals for public service delivery.

Accountability: The principle states that an entity is accountable for complying with the privacy principles. The entity must have in place appropriate policies and procedures that promote privacy.

Individual Participation Rights: Through these rights, users can make a specific request and be assured that their personal information is not being misused for purposes other than the legitimate purpose. The rights, and the process to exercise them, should be clearly communicated to the data subjects.
1.1 Notice
Privacy notice is a public statement of how the entity applies data protection principles to processing Personal Information. It is a statement that describes how the entity collects, uses, retains and discloses personal information of a data subject.[22]
Privacy notice ensures that data subjects are informed about what is going to happen to their Personal Information once it is in the custody of the entity, and it also provides the entity an opportunity to communicate its practices and intentions to stakeholders.[23]
A robust Privacy Notice can be considered an indicator of Transparency and Openness. Data Subjects can decide whether they want to avail the services provided by a digital product based on the notice.

However, there are some challenges that have been observed in the way entities have implemented notice. Some of these are listed below:

1. Inadequate disclosure of the privacy intent and Personal Information usage objectives.
2. Notice is complex, lengthy, and difficult to understand, so its implications are hard to comprehend.
3. There is a practice of transferring obligations to data subjects.
4. It is difficult to obtain the privacy notice as links are not available or are not working.
5. Commitments made in the notice are not implemented in the entity.
1.2 Consent
Consent signifies any freely given, informed and unambiguous indication of
the data subject’s wishes by which they signify agreement to the processing
of their personal information.24 Consent can be obtained by a clear
affirmative action.25

However, consent may not be necessary in all instances of processing. There
are certain kinds of processing activity for which the data subject provides
their personal data on non-consensual grounds such as function of state.26
This principle would not be applicable in its entirety in our assessment, as
the selected e-governance projects collect data for the provision of schemes
and services that may be deemed to fall under function of state. Keeping
this in mind, the assessment of this principle is restricted to the provision
of ‘optional data’ or ‘additional data’, i.e. data collection which is outside
the scope of the purpose of provision of government services.

[22] APEC Privacy Framework, page 12, available at: https://www.apec.org/Publications/2005/12/APEC-Privacy-Framework
[23] Section 8, Personal Data Protection Bill, 2018, available at: https://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf
[24] Personal Information Protection and Electronic Documents Act (S.C. (Statutes of Canada) 2000), available at: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/p_principle/
[25] A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians. Committee of Experts under the Chairmanship of Justice B.N. Srikrishna (2018), available at: https://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf
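To make the distinction drawn in this section concrete (mandatory data collected under function of state, versus optional or additional data that needs freely given, withdrawable consent), here is an added example in Python. It is not code from the study paper or from any assessed project; the field names, purposes and timestamps are assumptions chosen for illustration. The ledger keeps mandatory fields out of the consent mechanism altogether, records each grant against one stated purpose, and treats a withdrawal as ending consent from that moment on while keeping the record for audit.

```python
"""Consent ledger for the optional data fields of an e-governance service.

Added illustration, not code from the study paper. The field names, purposes
and the timestamps in the usage section are assumptions for demonstration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Mandatory fields are collected on a non-consent ground (the paper's "function
# of state"); optional fields are collected only with consent for one stated purpose.
SCHEMA = {
    "full_name": {"mandatory": True, "purpose": "service_delivery"},
    "address":   {"mandatory": True, "purpose": "service_delivery"},
    "phone_sms": {"mandatory": False, "purpose": "status_alerts"},
    "email":     {"mandatory": False, "purpose": "status_alerts"},
    "location":  {"mandatory": False, "purpose": "nearest_centre"},
}


def demarcate_form():
    """Split the form into mandatory and optional fields so a sign-up page can label them."""
    mandatory = sorted(f for f, s in SCHEMA.items() if s["mandatory"])
    optional = sorted(f for f, s in SCHEMA.items() if not s["mandatory"])
    return mandatory, optional


@dataclass
class ConsentRecord:
    field: str
    purpose: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active_at(self, when: datetime) -> bool:
        # A withdrawal ends consent from that moment on but keeps the record for audit.
        return self.granted_at <= when and (self.withdrawn_at is None or when < self.withdrawn_at)


class ConsentLedger:
    def __init__(self):
        self.records: list = []

    def grant(self, field: str, purpose: str, when: str) -> None:
        """Record a clear affirmative action by the user (ISO-8601 timestamp)."""
        spec = SCHEMA.get(field)
        if spec is None:
            raise ValueError(f"unknown field: {field}")
        if spec["mandatory"]:
            raise ValueError(f"{field} is mandatory and is not collected on a consent basis")
        if purpose != spec["purpose"]:
            raise ValueError(f"{field} is only collected for {spec['purpose']}")
        self.records.append(ConsentRecord(field, purpose, datetime.fromisoformat(when)))

    def withdraw(self, field: str, when: str) -> int:
        """Close every open grant for the field; returns how many were closed."""
        stamp = datetime.fromisoformat(when)
        closed = 0
        for rec in self.records:
            if rec.field == field and rec.withdrawn_at is None:
                rec.withdrawn_at = stamp
                closed += 1
        return closed

    def decide(self, field: str, purpose: str, when: str):
        """Return (allowed, reason) for processing `field` for `purpose` at `when`."""
        spec = SCHEMA.get(field)
        if spec is None:
            return False, "unknown field: not described in the notice"
        if purpose != spec["purpose"]:
            return False, "purpose not stated in the notice (purpose limitation)"
        if spec["mandatory"]:
            return True, "mandatory data: processed on a non-consent ground"
        stamp = datetime.fromisoformat(when)
        if any(r.field == field and r.purpose == purpose and r.active_at(stamp) for r in self.records):
            return True, "optional data: active consent on record"
        return False, "optional data: no active consent (never given or withdrawn)"


if __name__ == "__main__":
    ledger = ConsentLedger()
    print("mandatory/optional:", demarcate_form())
    ledger.grant("phone_sms", "status_alerts", "2021-06-01T10:05:00")
    print(ledger.decide("phone_sms", "status_alerts", "2021-06-02T10:00:00"))
    ledger.withdraw("phone_sms", "2021-06-03T09:00:00")
    print(ledger.decide("phone_sms", "status_alerts", "2021-06-03T10:00:00"))
```

Because `decide` takes the time of processing as a parameter, the same ledger answers both the live question (may this field be used now?) and the audit question (was consent active when it was used?), which is what an assessor checking the Consent row of the standard needs.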
1.3 Purpose Limitation
This requirement aims to ensure that you are clear and open about your
reasons for obtaining personal data, and that what you do with the data is in
line with the reasonable expectations of the individuals concerned.27

Specifying your purposes from the outset helps you to be accountable for your
processing, and helps you avoid ‘function creep’. It also helps individuals
understand how you use their data, make decisions about whether they are
happy to share their details, and assert their rights over data where
appropriate. It is fundamental to building public trust in how you use
personal data.

There are clear links with other principles – in particular, the fairness,
lawfulness and transparency principle.28 Being clear about why you are
processing personal data will help you to ensure your processing is fair, lawful
and transparent. And if you use data for unfair, unlawful or ‘invisible’ reasons,
it’s likely to be a breach of both principles.

1.4 Collection Limitation

Entities collect personal information from users directly through application
forms and registration/sign-up pages in applications and websites. In
addition, the entity also indirectly collects online identifiers and other
personal information residing on the user’s device through permissions.

Privacy law(s) require entities to collect personal information from users
that is adequate, relevant and limited to what is necessary in relation to the
purposes for which it is processed.29 Mobile apps and websites can be
intrusive and access personal information through the camera, contacts,
microphone, location and external storage. The entity may need to access the
above features to provide relevant functionality, but in many cases the
access is not relevant to the service.

[26] Section 13, Personal Data Protection Bill, 2018, available at: https://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf
[27] Section 5, Personal Data Protection Bill, 2018, available at: https://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf
[28] Article 5(1), EU General Data Protection Regulation, 2016 (Regulation (EU) 2016/679), available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL
[29] Section 6, Personal Data Protection Bill, 2018, available at: https://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf
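As an added example (not from the paper) of how an assessor can check the Collection Limitation point about app permissions, the following Python parses a constructed AndroidManifest.xml, maps the requested permissions to the personal-information categories named above (camera, contacts, microphone, location, external storage), and reports those that the privacy notice does not account for. The package name, the manifest and the notice declarations are assumptions; the permission strings and the `android` XML namespace are the real Android ones.

```python
"""Compare the permissions an Android app requests with what its notice declares.

Added example, not code from the study paper. The manifest, package name and
notice declarations are constructed; the permission names are real Android ones.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that reach the PI categories the text names. A permission not in
# this map (e.g. INTERNET) is reported separately rather than judged.
SENSITIVE = {
    "android.permission.CAMERA": "camera",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_EXTERNAL_STORAGE": "external storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "external storage",
}

# Constructed manifest for a hypothetical service app (package name is a placeholder).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.gov.services">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>
"""

# What the (constructed) privacy notice says the app accesses, and why.
NOTICE_DECLARATIONS = {
    "camera": "scan application documents",
    "location": "locate the nearest service centre",
}


def requested_permissions(manifest_xml: str):
    """Every android:name on a <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")]


def audit_permissions(manifest_xml: str, declarations: dict) -> dict:
    """Sort requested permissions into justified (declared in the notice),
    undeclared (sensitive but absent from the notice) and other."""
    justified, undeclared, other = {}, [], []
    for perm in requested_permissions(manifest_xml):
        category = SENSITIVE.get(perm)
        if category is None:
            other.append(perm)
        elif category in declarations:
            justified[perm] = declarations[category]
        else:
            undeclared.append(perm)
    return {"justified": justified, "undeclared": sorted(undeclared), "other": other}


if __name__ == "__main__":
    report = audit_permissions(SAMPLE_MANIFEST, NOTICE_DECLARATIONS)
    for perm in report["undeclared"]:
        print(f"not covered by the notice: {perm} ({SENSITIVE[perm]})")
```

The "undeclared" list is the finding for the Notice and Collection Limitation rows: a sensitive permission the notice never mentions is either excess collection or an incomplete notice, and the assessor has to ask the entity which.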
1.5 Use Limitation
The Use Limitation principle states that an entity may disclose, make
available or otherwise use the Personal Information collected from the user
solely for the purposes identified in the notice and for which the user has
provided consent.30
Once the purpose for which the Personal Information was collected has been
met, it must be destroyed as per the identified procedures for destruction
and not be retained beyond the requisite time period.

1.6 Storage Limitation

Ensuring that you erase or anonymise personal data when you no longer need
it will reduce the risk that it becomes irrelevant, excessive, inaccurate or out
of date. Apart from helping you to comply with the data minimisation and
accuracy principles, this also reduces the risk that you will use such data in
error – to the detriment of all concerned.

Personal data held for too long will, by definition, be unnecessary. You are
unlikely to have a lawful basis for retention. From a more practical
perspective, it is inefficient to hold more personal data than you need, and
there may be unnecessary costs associated with storage and security.
Remember that you must also respond to subject access requests for any
personal data you hold. This may be more difficult if you are holding old data
for longer than you need. Good practice around storage limitation - with clear
policies on retention periods and erasure - is also likely to reduce the burden
of dealing with queries about retention and individual requests for erasure.

Retention policies or retention schedules list the types of record or information
you hold, what you use it for, and how long you intend to keep it. They help
you establish and document standard retention periods for different
categories of personal data.31

However, if you don’t have a retention policy (or if it doesn’t cover all of the
personal data you hold), you must still regularly review the data you hold,
and delete or anonymise anything you no longer need.
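An added example, not from the paper, of a retention schedule applied in code. The categories, retention periods and sample records below are constructed. The `review` function counts retention from the date the purpose was met (as the Use Limitation and Storage Limitation sections describe), leaves records whose purpose is still live alone, anonymises rather than deletes where the schedule says so, and sends records that no schedule covers to manual review instead of silently keeping them, which is the "no retention policy" case the last paragraph describes.

```python
"""Apply a retention schedule to stored personal data.

Added example, not code from the study paper. The schedule, the identifying
field list and the sample records are constructed for illustration.
"""
from datetime import date, timedelta

# Constructed schedule: category -> (days to keep after the purpose is met, action).
RETENTION_SCHEDULE = {
    "application_form": (365, "delete"),
    "support_ticket": (90, "delete"),
    "usage_statistics": (30, "anonymise"),
}

# Fields that identify a person; anonymisation strips these and keeps the rest.
IDENTIFYING_FIELDS = {"name", "phone", "email", "address", "ip_address"}

# Constructed records. "purpose_met" is None while the purpose is still live.
SAMPLE_RECORDS = [
    {"id": 1, "category": "application_form", "purpose_met": "2020-03-01",
     "name": "A. Citizen", "phone": "+91-00000-00000", "scheme": "passport"},
    {"id": 2, "category": "application_form", "purpose_met": "2021-05-15",
     "name": "B. Citizen", "phone": "+91-00000-00001", "scheme": "passport"},
    {"id": 3, "category": "usage_statistics", "purpose_met": "2021-04-01",
     "ip_address": "203.0.113.7", "page": "/status", "visits": 4},
    {"id": 4, "category": "support_ticket", "purpose_met": None,
     "email": "c@example.invalid", "issue": "login"},
    {"id": 5, "category": "legacy_export", "purpose_met": "2019-01-01",
     "name": "D. Citizen"},
]


def anonymise(record: dict) -> dict:
    """Return a copy with identifying fields removed; non-identifying data stays usable."""
    return {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}


def review(records, today: str) -> dict:
    """Decide keep / delete / anonymise / review for each record as of `today` (ISO date)."""
    as_of = date.fromisoformat(today)
    decisions = {}
    for rec in records:
        schedule = RETENTION_SCHEDULE.get(rec["category"])
        if schedule is None:
            # No policy covers this category: it must be reviewed by a person,
            # not quietly retained.
            decisions[rec["id"]] = "review"
            continue
        if rec["purpose_met"] is None:
            decisions[rec["id"]] = "keep"      # purpose still live
            continue
        days, action = schedule
        expiry = date.fromisoformat(rec["purpose_met"]) + timedelta(days=days)
        decisions[rec["id"]] = action if as_of >= expiry else "keep"
    return decisions


def apply_decisions(records, decisions: dict) -> list:
    """Return the data set after deletions and anonymisations; 'review' items are untouched."""
    kept = []
    for rec in records:
        decision = decisions[rec["id"]]
        if decision == "delete":
            continue
        kept.append(anonymise(rec) if decision == "anonymise" else rec)
    return kept


if __name__ == "__main__":
    decided = review(SAMPLE_RECORDS, "2021-06-21")
    for rec_id, decision in decided.items():
        print(rec_id, decision)
    print(apply_decisions(SAMPLE_RECORDS, decided))
```

Running the review on a schedule (daily or weekly) and logging the decisions gives the "periodic review" evidence the Storage Limitation row of the assurance standard asks for.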
1.7 Security Safeguards
Entities should protect personal information that they collect or have in
their custody with reasonable security safeguards against loss, unauthorised
access, destruction, use, modification, disclosure or other reasonably
foreseeable risks.32 Such safeguards should be proportional to the risk of
misuse of the personal information and the harm that could follow. The
entity should also conduct periodic review and reassessment of the security
measures deployed.33

[30] OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, available at: http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm
[31] Section 10, Personal Data Protection Bill, 2018, available at: https://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf

1.8 Transparency
The Transparency principle is a fundamental piece of the assessment standard;
it has cross-cutting elements with other principles such as Notice and
Purpose Limitation. It places an overarching responsibility on the state to
maintain transparency over its processes and practices while processing
personal data of individuals for public service delivery.
1.9 Accountability
The principle states that an entity is accountable for complying with the
privacy principles. The entity must have in place appropriate policies and
procedures that promote privacy.34 The entity should be transparent in its
practices and should provide a mechanism for data subject participation.
Accountability also implies the “demonstration of compliance”. The principle
of Accountability for a mobile application or website is tested from the
perspective of an auditor and regulator.35
1.10 Individual Participation Rights
Privacy regulations around the world aim to give users more control over the
ways in which entities process their personal information, and this has led
to the granting of new rights to users. Through these rights, users can make
a specific request and be assured that their personal information is not
being misused for purposes other than the legitimate purpose.36
GDPR has included new rights like the right to erasure, restriction of
processing and objection to automated decision making. Entities are trying
to implement processes catering to these rights.37
The entity should implement processes to receive and subsequently act upon
requests from data subjects around their rights from a PI perspective. The
rights, and the process to exercise them, should be clearly communicated to
the data subjects. The rights could range from access and correction of PI to
any other rights depending on the geography. Requests from data subjects
should be resolved in a reasonable time.

[32] Section 31, Personal Data Protection Bill, 2018, available at: https://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf
[33] Supra 27.
[34] Centre for Information Policy Leadership (2018). The Case for Accountability: How it enables Effective Data Protection and Trust in the Digital Society, available at: https://www.informationpolicycentre.com/uploads/5/7/1/0/57104281/cipl_accountability_paper_1_-_the_case_for_accountability_-_how_it_enables_effective_data_protection_and_trust_in_the_digital_society.pdf
[35] Article 5(2), EU General Data Protection Regulation, 2016 (Regulation (EU) 2016/679), available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL
[36] Privacy Rule, Health Insurance Portability and Accountability Act, 1996. HHS.gov (2008). Privacy. Available at: https://www.hhs.gov/hipaa/for-professionals/privacy/index.html
[37] Chapter 3, EU General Data Protection Regulation, 2016 (Regulation (EU) 2016/679), available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL

2. Best Practices for Assessment


2.1 Privacy by Design
The Privacy by Design approach is characterized by proactive rather than
reactive measures. It anticipates and prevents privacy invasive events before
they happen.38 PbD does not wait for privacy risks to materialize, nor does it
offer remedies for resolving privacy infractions once they have occurred – it
aims to prevent them from occurring. In short, Privacy by Design comes
before-the-fact, not after.39
Whether applied to information technologies, organizational practices,
physical design, or networked information ecosystems, PbD begins with an
explicit recognition of the value and benefits of proactively adopting strong
privacy practices, early and consistently (for example, preventing (internal)
data breaches from happening in the first place). This implies:
1. A clear commitment, at the highest levels, to set and enforce high
standards of privacy – generally higher than the standards set out by
global laws and regulation.
2. A privacy commitment that is demonstrably shared throughout by user
communities and stakeholders, in a culture of continuous
improvement.
3. Established methods to recognize poor privacy designs, anticipate poor
privacy practices and outcomes, and correct any negative impacts, well
before they occur in proactive, systematic, and innovative ways.

2.2 Data Protection Officer

The designation of a specific individual or officer by a data controller to
facilitate compliance through monitoring and advising, as well as to act as a
point of contact with a data protection authority, is a crucial element of
data protection laws. These individuals are often called data protection
officers (DPOs).40
2.3 Grievance Redressal
It is relevant to note that in the present Indian legal framework, a body
corporate is required to designate a grievance officer for grievance redressal
purposes, with certain details of the same posted on the body corporate’s
website.

[38] Cavoukian, Ann (2011). Privacy by Design: The 7 Foundational Principles, available at: https://www.ryerson.ca/pbdce/certification/seven-foundational-principles-of-privacy-by-design/
[39] Section 29, Personal Data Protection Bill, 2018, available at: https://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf
[40] Section 36, Personal Data Protection Bill, 2018, available at: https://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf
2.4 Data Protection Impact Assessment
A data protection impact assessment (DPIA) is a process centred on evaluating
activities that involve high risks to the data protection rights of individuals.
The process can become necessary whenever a new project is taken up or a
new policy is adopted by a data controller which may involve the use of a new
technology or may have a significant impact on the data protection rights of
individuals.41 A DPIA is aimed at describing the details regarding the
processing activity, assessing the necessity and proportionality of such an
activity, and helping manage the risks that are identified in relation to this
activity.42 The DPIA is carried out before the proposed processing activity is
initiated so that the relevant data controller can plan the processing at the
outset itself.

3. Audit Assurance Standard

3.1 Minimum Requirements

SNo. Requirement
1. Privacy Policy in place
2. Privacy Notice in place
3. Consent capture mechanism in place, if applicable. In cases where consent
   is not the grounds used for processing, a declaration would be obtained
   from the assessee entity listing the actual grounds used for processing.
4. Grievance officer appointed
5. Information Security Policy in place
6. Cookie banner (website) is present

Some key points around the minimum criteria are listed below.
1. Presence of a Privacy Policy and Notice are the basic minimum criteria for
   any organization which is committed to privacy. A Privacy Policy is
   typically an internal document which states the entity’s intent and key
   processes to maintain privacy. A Privacy Notice, on the other hand, is an
   external-facing document which describes the key Personal Information
   collected and its uses, the security posture and the point of contact in
   case of a grievance. Lack of a policy and notice indicates a lack of
   cohesive planning towards privacy.
2. A grievance officer is the single point of contact in an entity for the
   external world from a privacy perspective. Lack of a single point of
   contact reflects a lack of ownership in an organization.
3. Data security is one of the key areas within privacy. Presence of an
   information security policy indicates an entity-wide approach towards
   maintaining the confidentiality, integrity and availability of the data.

[41] Section 33, Personal Data Protection Bill, 2018, available at: https://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf
[42] Article 35, EU General Data Protection Regulation, 2016 (Regulation (EU) 2016/679), available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL
3.2 Assurance Standard (sources: footnotes 43 to 46)

1. Notice

Availability
  - Users shall have real-time access to the Privacy Notice during the entire
    lifecycle of their involvement with the service delivery system. The
    lifecycle extends from the time of downloading/accessing the service from
    the Play Store/App Store/web portal, through installation, registration
    and usage, to any further Personal Information collection that happens
    during usage.
  - Users shall be informed of any changes to the Privacy Notice.
  - The Privacy Notice shall be updated if there are any changes to the
    purpose of processing the PI.
  - The Privacy Notice should be available in the local language of the user
    to ensure that the user fully comprehends the terms of the Notice.

Content
  - The entity should provide a notice which clearly states the type of
    Personal Information being collected from the user, and specifically
    sensitive personal information like health information, financial
    information, etc. The Notice should also mention the indirect sources of
    Personal Information.
  - The entity should provide a Notice which clearly states the purpose of
    collection of Personal Information from the user. The purpose should
    cover PI collected directly from the user as well as from indirect
    sources.
  - The Notice should list the 3rd parties or categories with whom the
    Personal Information is being shared, the purpose of sharing and any
    mechanisms like contractual agreements that have been agreed to ensure
    user privacy.
  - The Notice should communicate to the user if their Personal Information
    is being transferred to another country and also the purpose of the
    transfer.
  - The Notice should state the information security and safeguard
    mechanisms deployed to protect the Personal Information. The Notice
    should state the security obligations and expectations from the user.
  - The Notice should inform users of the Personal Information retention
    mechanisms, the duration for which Personal Information is retained and
    the criteria used to determine the retention period. This should cover
    the entire lifecycle of product usage and post de-installation.
  - The Notice should provide details of the mechanism to report
    misuse/breach and also the contact point of the Grievance Officer for
    clarification/recourse/query.
  - The Notice should mention the standards followed by the entity.
  - The Notice should clearly mention organizational responsibilities
    towards the privacy of the user and also the scope and boundaries of
    those responsibilities (e.g. clicking on ads that appear in the mobile
    app: once the user clicks and is directed to the web page of the ad, the
    organizational boundary ends, and the user needs to understand the
    policies of the redirected site).
  - The Notice should clearly communicate to the user their various rights
    from a PI perspective. The rights could range from access and correction
    of PI to any other rights (i.e. objection to processing, data
    portability, erasure) depending on the geography. The significance of
    the rights and the process for availing the rights should also be
    clearly mentioned.
  - The Notice should inform the user about the use of PI for the legitimate
    interest of the entity and also for other lawful bases for processing.
    To ensure clarity for the user, examples of legitimate interest should
    be listed.
  - The Notice should clearly mention the right of the user to file a
    complaint with the Supervisory Authority as well as the process for the
    same.
  - The Notice should provide the user some basics of the entity like
    contact details and also details of the Notice like the last updated
    date.

Implementation
  - All the statements made in the Notice should have been implemented by
    the entity in terms of processes and procedures, and the same should be
    verifiable. As other standards are evaluated as part of the Seal, a
    cross-check on whether the details match the statements in the Notice
    should be done (e.g. in Collection Limitation, as the tester reviews the
    Personal Information collected from the user, they should evaluate
    whether the Personal Information collected is the same as what is
    mentioned in the Notice).
  - The implementation check would only be confined to the boundaries of
    the product.

2. Consent
  - The entity should take consent from the user for their agreement with
    the Privacy Policy/Notice for collection of optional/additional personal
    data which isn’t necessary for providing the service.
  - The entity should clearly demarcate mandatory and optional data when
    collecting data from the user. Optional data are those data points which
    are not critical for the service provided by the entity.
  - For optional/additional personal data collected from the user, the user
    should have the option to withdraw consent at any point of time, and the
    process to withdraw consent should be easily available and communicated
    to the user in advance. The request should be respected within a
    reasonable amount of time.

3. Purpose Limitation
  - Personal data shall be processed only for purposes that are clear,
    specific and lawful.
  - Personal data shall be processed only for purposes specified or for any
    other incidental purpose that the data principal would reasonably expect
    the personal data to be used for, having regard to the specified
    purposes, and the context and circumstances in which the personal data
    was collected.

4. Collection Limitation
  - The entity would only collect Personal Information (PI) from the user
    which is adequate and relevant to provide the services, by lawful
    (adhering to all relevant rules of law) and fair (without intimidation
    or deception) means and in good faith, and which does not harm the data
    subject.
  - The PI collected by the entity from the user is in line with the
    information provided in the Notice.

5. Use Limitation
  - The PI collected by the entity from the user is used for the same
    purposes and context as mentioned in the Notice.

6. Storage Limitation
  - Retain personal data only as long as may be reasonably necessary to
    satisfy the purpose for which it is processed.
  - Undertake periodic review in order to determine whether it is necessary
    to retain the personal data in its possession.
  - Where it is not necessary for personal data to be retained, such
    personal data must be deleted.

7. Security Safeguards
  - Security controls would be deployed to protect and secure PI during the
    various stages of the information lifecycle, including collection,
    processing, transmission, storage and disposal.
  - Security controls would be deployed to protect the confidentiality,
    integrity and availability of PI during storage. Entities will optimize
    the secure storage process by eliminating transactional data which is
    past its utility once the transaction is completed (e.g. Personal
    Information stored in local storage is deleted once the website is
    closed).
  - Security controls would be deployed to protect and secure PI during data
    transmission.
  - Security controls should be in place to manage the tracking mechanisms
    placed in the website.
  - Secure coding practice is to be adopted in order to ensure that only
    required permissions are requested from the user. Root-level access to
    the device should not be requested from the user. Passwords should not
    be hard coded.
  - Security controls would be deployed to protect and secure PI during data
    disposal once the user has uninstalled the application.
  - The security safeguards deployed by the entity to protect user PI are in
    line with the details provided in the Notice.

8. Transparency
  - Reasonable steps to maintain transparency regarding the entity’s general
    practices related to processing personal data.
  - Information with respect to the categories of personal data generally
    collected and the manner of such collection, the purposes for which
    personal data is generally processed, and any categories of personal
    data processed in exceptional situations or any exceptional purposes of
    processing that create a risk of significant harm, available in an
    easily accessible form to the individual.
  - Existence of, and procedure for the exercise of, individual
    participation rights.

9. Accountability
  - The entity should be accountable for complying with measures that give
    effect to the Privacy Principles. An accountable entity must have in
    place appropriate policies and procedures for privacy management.
  - The entity should ensure accountability by having clearly delineated
    roles and responsibilities around privacy, with at least single-point
    ownership of customer grievances.

10. Individual Participation Rights
  - The user should have the right to object to certain types of processing
    of their PI. The entity should implement processes to receive and
    subsequently act upon these objections from users. The rights should be
    clearly communicated to the data subjects, along with the process to
    exercise the rights.
  - The user shall have the right to receive the personal information
    collected by the entity in a structured, machine-readable format and to
    transmit that PI to another entity. The entity should implement
    processes to receive and subsequently act upon these requests from
    users. The rights should be clearly communicated to the users, along
    with the process to exercise the rights.
  - The user should have the right to request restriction of processing of
    their Personal Information by the organization. The entity should
    implement processes to receive and subsequently act upon these
    restriction requests from users. The rights should be clearly
    communicated to the users, along with the process to exercise the rights.
  - Users should be able to access and modify their Personal Information as
    and when needed. The process for access and correction should be clearly
    communicated to the user.

11. Privacy by Design
  - Managerial, organisational and business practices and technical systems
    are designed in a manner that anticipates, identifies and avoids harm to
    the individual.
  - Privacy Principles have been embedded in organisational practices and
    processes.
  - Technology used in the processing of personal data is in accordance with
    commercially accepted or certified standards.

12. Data Protection Officer
  - The entity should have a data protection officer to oversee compliance
    with regulations and standards. The officer should monitor the personal
    data processing activities of the entity to ensure that such processing
    is in concurrence with the regulation/standard.
  - The Data Protection Officer should be an individual of competence and
    integrity.
  - The Data Protection Officer must develop internal mechanisms to maintain
    compliance with the principles set out in the standard.

13. Grievance Redressal
  - The entity shall have in place proper procedures and effective
    mechanisms to address grievances of individuals efficiently and in a
    speedy manner.
  - The mechanism should provide redressal in a defined time period. The
    Grievance Officer’s/Data Protection Officer’s contact information should
    be displayed in the Privacy Notice of the entity.

14. Data Protection Impact Assessment
  - A data protection impact assessment should be undertaken for processing
    involving new technologies or large-scale profiling or use of sensitive
    personal data such as genetic data or biometric data, or any other
    processing which carries a risk of significant harm to individuals.
  - The data protection impact assessment shall contain a detailed
    description of the proposed processing operation, the purpose of
    processing and the nature of the personal data being processed, an
    assessment of the potential harm that may be caused to the data
    principals whose personal data is proposed to be processed, and measures
    for managing, minimising, mitigating or removing such risk of harm.

[43] Personal Data Protection Bill, 2018, available at: https://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf
[44] DSCI Privacy Assessment Framework (2013). Data Security Council of India. Pages 13-36.
[45] EU General Data Protection Regulation, 2016 (Regulation (EU) 2016/679), available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL
[46] A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians. Committee of Experts under the Chairmanship of Justice B.N. Srikrishna (2018), available at: https://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf
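Two of the Security Safeguards items in the standard above (login session cookies handled securely, no hard-coded passwords or encryption keys) can be checked from evidence an assessor already holds: the Set-Cookie headers of the login response and the application source. The following Python is an added example and is not code from the paper or from any assessed project. The headers, cookie names and source lines are constructed, and `SESSION_COOKIE_HINT` is a name-based heuristic for spotting session cookies that I assume here, not a rule from the standard.

```python
"""Checks for two Security Safeguards items: login session cookies and hard-coded secrets.

Added example, not code from the study paper or from any assessed project.
The Set-Cookie headers, cookie names and source lines below are constructed.
"""
import re

# Constructed Set-Cookie headers, as an assessor might capture them from a
# login response. Token values are placeholders.
SAMPLE_SET_COOKIE = [
    "SESSIONID=opaque-token-1; Path=/; Secure; HttpOnly; SameSite=Strict",
    "prefs=lang%3Den; Path=/; Max-Age=31536000",
    "auth_remember=opaque-token-2; Path=/; Expires=Wed, 21 Jun 2023 00:00:00 GMT; HttpOnly",
]

# Heuristic (an assumption, not part of the standard): cookies whose names look
# like session or authentication tokens are held to the login-session rules.
SESSION_COOKIE_HINT = re.compile(r"sess|auth|token|login", re.I)


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_cookie(header: str) -> dict:
    """Findings for one cookie; only session-like cookies are held to the rules."""
    name, _value, attrs = parse_set_cookie(header)
    session_like = bool(SESSION_COOKIE_HINT.search(name))
    findings = []
    if session_like:
        if "secure" not in attrs:
            findings.append("missing Secure")          # sent over plain HTTP otherwise
        if "httponly" not in attrs:
            findings.append("missing HttpOnly")        # readable by page scripts otherwise
        if str(attrs.get("samesite", "")).lower() not in ("strict", "lax"):
            findings.append("SameSite not Strict/Lax")
        if "expires" in attrs or "max-age" in attrs:
            # A login session should live in a session cookie, not on disk.
            findings.append("persistent cookie used for a login session")
    return {"cookie": name, "session_cookie": session_like, "findings": findings}


def audit_login_response(headers) -> list:
    return [audit_cookie(h) for h in headers]


# Constructed source lines: a literal password, a key read from the
# environment, a key fetched from a vault, and a literal password in a config file.
SAMPLE_SOURCE = [
    'db_password = "changeme123"',
    'api_key = os.environ["API_KEY"]',
    'encryption_key = load_key_from_vault("passport-service")',
    "password: 'hunter2'",
]

# A credential-like name assigned a quoted literal of four or more characters.
SECRET_ASSIGNMENT = re.compile(
    r"""(password|passwd|secret|api_?key|encryption_?key)\b\s*[:=]\s*['"][^'"]{4,}['"]""",
    re.I,
)


def find_hardcoded_secrets(lines) -> list:
    """1-based line numbers where a credential is assigned a string literal."""
    return [i for i, line in enumerate(lines, start=1) if SECRET_ASSIGNMENT.search(line)]


if __name__ == "__main__":
    for result in audit_login_response(SAMPLE_SET_COOKIE):
        print(result)
    print("hard-coded secrets on lines:", find_hardcoded_secrets(SAMPLE_SOURCE))
```

The secret scan is deliberately narrow (a credential-like name followed by a quoted literal) so that its hits are worth reading; a value loaded from the environment or a vault, as in lines 2 and 3 of the constructed sample, is the pattern the standard wants to see instead.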
C. Usage Illustration: Sample Analysis

The existing framework under the SPDI Rules and the Audit Assurance program
was used to assess the privacy practices of 11 e-governance projects in India
that disseminate government services online through service delivery
websites, portals and mobile applications.

SNo. E-Governance Project: Classification
1. Passport Seva Project: Central e-Gov MMP
2. Income Tax E-Filing Portal: Central e-Gov MMP
3. National Portal of India: Integrated e-Gov MMP
4. Digital Seva Portal: Integrated e-Gov MMP
5. Shaala Darpan: State e-Gov MMP
6. E-Vahan Delhi: e-Gov Initiative
7. DigiLocker: e-Gov Initiative
8. Project E Seva, Andhra Pradesh: e-Gov Initiative
9. IRCTC: e-Gov Initiative
10. Project Bhoomi, Karnataka: e-Gov Initiative
11. MyGov: e-Gov Initiative


1. Passport Seva Project
The Passport Seva Project was launched by the Ministry of External Affairs
with the objective of delivering Passport Services to the citizens in a
comfortable environment with wider accessibility and reliability. The project
envisages setting up of 77 Passport Seva Kendras (PSKs) across the country,
a Data Centre and Disaster Recovery Centre, call centre operating 18x7 in 17
languages, and a centralized nationwide computerized system for issuance of
passports. The entire operation will function in a “less paper” environment
with an attempt being made to deliver passports within 3 working days to
categories not requiring police verification.
1.1 Assessment

Notice
  SPDI Rules Assessment:
  - The Privacy Notice is available in the local language.
  - The Privacy Notice doesn’t mention whether it uses any other (indirect)
    sources from which PI/SPI of the user is collected by the Entity.
  - The Privacy Notice does not state the security obligations and
    expectations from the user to protect their PI/SPI.
  - The Privacy Notice does not mention any retention period.
  - The Privacy Notice does not inform the user about the standards it
    follows.
  - The Privacy Notice does not inform the user about their rights and how
    these rights can be exercised.
  Assurance Standard Assessment:
  - The website displays the hyperlink to view the Privacy Notice while
    collecting new PI from the user on subsequent pages of the website.
  - The Privacy Notice is available in the local language.
  - The Privacy Notice doesn’t mention whether it uses any other (indirect)
    sources from which PI/SPI of the user is collected by the Entity.
  - The Privacy Notice does not inform the user about the existence of any
    other tracking mechanisms used to collect, store, transmit or process
    PII/SPI.
  - The Privacy Notice does not state the security obligations and
    expectations from the user to protect their PI/SPI.
  - The Privacy Notice does not inform the user about the standards it
    follows.
  - The Privacy Notice does not inform the user about their rights and how
    these rights can be exercised.
  - The Privacy Notice does not mention any retention period.

Consent
  SPDI Rules Assessment:
  - The website does not take consent from the user for the Privacy Notice
    on the landing page/registration page of the website (via click of
    continue/agree or through a check box).
  - The website does provide the user an option not to provide PI which is
    not necessary for the provision of services (optional data entry fields).
  Assurance Standard Assessment:
  - The website does not take consent from the user for the Privacy Notice
    on the landing page/registration page of the website (via click of
    continue/agree or through a check box).
  - The website does not provide the user an option to withdraw consent.
  - The website does provide the user an option not to provide PI which is
    not necessary for the provision of services (optional data entry fields).

Collection Limitation
  SPDI Rules Assessment:
  - The personal data collection while signing up is restricted to what is
    functionally necessary to provide the service.
  - The use of tracking mechanisms is limited to 3rd party cookies and
    e-tags.
  - It doesn’t take access to any additional data through microphone,
    camera, location and notification permissions.
  Assurance Standard Assessment:
  - The personal data collection while signing up is restricted to what is
    functionally necessary to provide the service.
  - The use of tracking mechanisms is limited to 3rd party cookies and
    e-tags.
  - It doesn’t take access to any additional data through microphone,
    camera, location and notification permissions.

Purpose Limitation
  SPDI Rules Assessment:
  - The Privacy Notice does not clearly state the purpose of processing the
    personal data and sensitive personal data.
  Assurance Standard Assessment:
  - The Privacy Notice does not clearly state the purpose of processing the
    personal data and sensitive personal data.

Use Limitation
  Assurance Standard Assessment:
  - Assessment for this principle could not be ascertained with the
    available information.

Storage Limitation
  SPDI Rules Assessment:
  - The Privacy Notice failed to inform the user about any retention period
    for the personal data processed.
  - The Privacy Notice does not inform the user about the criteria used to
    determine the retention period.
  - The assessment did not reveal the existence of a retention period that
    the project follows with respect to processing of personal data.
  Assurance Standard Assessment:
  - The Privacy Notice failed to inform the user about any retention period
    for the personal data processed.
  - The Privacy Notice does not inform the user about the criteria used to
    determine the retention period.
  - The assessment did not reveal the existence of a retention period that
    the project follows with respect to processing of personal data.

Security Safeguards
  SPDI Rules Assessment:
  - The Privacy Notice states the security practices and procedures to
    protect the PI/SPI of the user.
  - The website does not store any data of the user in local storage.
  - The website doesn’t leak PI/SPI through privilege escalation.
  - The website doesn’t leak PI/SPI through SQL injection attacks.
  - The website doesn’t leak PI/SPI through XSS attacks.
  - The website transmits the data collected in a secure, encrypted manner.
  - The website does not have any uncommon open ports.
  - The website uses session cookies for login sessions in a secure manner.
  - The website code doesn’t contain passwords/encryption keys in a
    hard-coded manner, i.e. visible in the source code.
  Assurance Standard Assessment:
  - The Privacy Notice states the security practices and procedures to
    protect the PI/SPI of the user.
  - The website does not store any data of the user in local storage.
  - The website doesn’t leak PI/SPI through privilege escalation.
  - The website doesn’t leak PI/SPI through SQL injection attacks.
  - The website doesn’t leak PI/SPI through XSS attacks.
  - The website transmits the data collected in a secure, encrypted manner.
  - The website does not have any uncommon open ports.
  - The website uses session cookies for login sessions in a secure manner.
  - The website code doesn’t contain passwords/encryption keys in a
    hard-coded manner, i.e. visible in the source code.

Transparency
  Assurance Standard Assessment:
  - The website maintains a basic level of transparency of operations by
    informing the user of the data collected and processed for the provision
    of the service, with a clear statement of purpose.
  - The e-governance service shows limited transparency in giving the user
    visibility over individual participation rights and the process to
    exercise these rights.
Individual The Privacy notice in does Individual  The Privacy notice in does
Participation inform the user of their Participation inform the user of their
Rights rights:1) Access and Rights rights: 1) Access and
Correction. Correction, 2); But does not
inform about their rights to
The Privacy notice does Object, 3) Data Portability, 4)
not direct the user to a Right to be Forgotten.
designated position for  The Privacy notice does not
execution of these rights. direct the user to a
designated position for
execution of these rights.
Disclosure of The privacy notice Accountability
Information mentions that the user
information won’t
disclosed to 3rd parties.

Assessment for this best (A) Privacy by Design  Its compliant with
practice could not be the notice
Transfer of ascertained, with the availability
Information available information. segment of the
assessment.
 Is partially
compliant with the
individual
participation
rights execution.
(B) Data Protection The Passport Seva
Officer Service does not inform
the user of the
existence of a Data
Protection officer for
privacy compliance.
Grievance The website does not (C) Grievance Redressal The website does not
Redressal provide a dedicated point provide a dedicated
of contact for execution of point of contact for
rights and grievance execution of rights and
redressal, however grievance redressal,
provisions a support email however provisions a
id for assistance. support email id for
assistance.
(D) Data Protection Assessment for this
Impact Assessment principle could not be
ascertained, with the
available information.
1.2 Observations
The Passport Seva Service shows great promise in creating accountable
privacy practices. There is proactive compliance with the privacy principles of
Collection Limitation and Individual Participation Rights. It also has
well-defined security practices and clear communication with respect to
collection limitation. The project would have to establish better practices to
enable user control and execution of rights. The absence of a touch point for
Individual Participation Rights and grievance redressal needs to be resolved to
ensure privacy compliance.
2. Income Tax-E-Filing Portal
This is the official portal of Income Tax Department, Ministry of Finance,
Government of India. The portal has been developed as a Mission Mode
Project under the National E-Governance Plan. The objective of this portal is
to provide a single window access to the income tax related services for
citizens and other stakeholders.
2.1 Assessment

SDPI Rules Assessment and Assurance Standard Assessment, by parameter:

Notice
SDPI Rules Assessment:
- The website page displays the hyperlink to view the privacy notice while collecting new PI from the user on subsequent pages of the website.
- The Privacy notice is available in local language.
- The Privacy notice doesn't mention if it uses any other (indirect) sources from where PI/SPI of the user is collected by the Entity.
- The Privacy notice does not inform the user about the existence of any other tracking mechanisms used to collect, store, transmit or process PII/SPI.
- The Privacy notice does not state the security obligations and expectations from the user to protect their PI/SPI.
- The Privacy notice does not inform the user about the standards it follows.
- The Privacy notice does not inform the user about their rights and how these rights can be exercised.
- The Privacy notice does not mention any retention period.
Assurance Standard Assessment: same findings as the SDPI Rules Assessment.

Consent
SDPI Rules Assessment:
- The website does not take consent from the user for the privacy notice on the landing page/registration page of the website (via click of continue/agree or through check box).
- The Website does provide an option to the user not to provide PI which is not necessary for provision of services. (Optional data entry fields)
Assurance Standard Assessment:
- The website does not take consent from the user for the privacy notice on the landing page/registration page of the website (via click of continue/agree or through check box).
- The website does not provide the user an option to withdraw consent.
- The Website does provide an option to the user not to provide PI which is not necessary for provision of services. (Optional data entry fields)

Collection Limitation
SDPI Rules Assessment:
- The Personal Data collection while signing up is restricted to what is functionally necessary to provide the service.
- The use of tracking mechanisms is limited to 3rd party cookies and e-tags.
- It doesn't take access to any additional data through microphone, camera, location and notification permissions.
Assurance Standard Assessment: same findings as the SDPI Rules Assessment.

Purpose Limitation
SDPI Rules Assessment: The privacy notice clearly states the purpose of processing the personal data and sensitive personal data.
Assurance Standard Assessment: same finding as the SDPI Rules Assessment.

Use Limitation
Assurance Standard Assessment: Assessment for this principle could not be ascertained with the available information.

Storage Limitation
SDPI Rules Assessment:
- The Privacy notice failed to inform the user about any retention period for the personal data processed.
- The Privacy notice does not inform the user about the criteria to determine the retention period.
- Assessment did not reveal the existence of a retention period that the project follows with respect to processing of personal data.
Assurance Standard Assessment: same findings as the SDPI Rules Assessment.

Security Safeguards
SDPI Rules Assessment:
- The privacy notice states the security practices and procedures to protect the PI/SPI of the user.
- The website does not store any data of the user on the local storage.
- The website doesn't leak PI/SPI through privilege escalation.
- The website doesn't leak PI/SPI through SQL injection attacks.
- The website doesn't leak PI/SPI through XSS attacks.
- The website transmits the data collected in a secure encrypted manner.
- The website does not contain any uncommon open ports.
- The website uses session cookies for login sessions in a secure manner.
- The website code doesn't contain passwords/encryption keys in a hard-coded manner, i.e. visible in source code.
Assurance Standard Assessment: same findings as the SDPI Rules Assessment.

Transparency
Assurance Standard Assessment:
- The website maintains a basic level of transparency of operations by informing the user of the data collected and processed for the provision of the service and a clear statement of purpose.
- The e-governance service shows limited transparency in giving the user visibility over individual participation rights and the process to exercise these rights.

Individual Participation Rights
SDPI Rules Assessment:
- The Privacy notice does inform the user of their right to Access and Correction.
- The Privacy notice does not direct the user to a designated position for execution of these rights.
Assurance Standard Assessment:
- The Privacy notice does inform the user of their rights: 1) Access and Correction; but it does not inform them about their rights 2) to Object, 3) Data Portability, 4) Right to be Forgotten.
- The Privacy notice does not direct the user to a designated position for execution of these rights.

Disclosure of Information
SDPI Rules Assessment: The privacy notice mentions that the user information won't be disclosed to 3rd parties.

Transfer of Information
SDPI Rules Assessment: Assessment for this best practice could not be ascertained with the available information.

Grievance Redressal
SDPI Rules Assessment: The website does not provide a dedicated point of contact for execution of rights and grievance redressal; however, it provisions a support email id for assistance.

Accountability
Assurance Standard Assessment:
(A) Privacy by Design:
- Non-compliance with provision of granular and withdrawable consent.
- Compliance with notice availability.
- Partial compliance with individual participation rights.
(B) Data Protection Officer: The India Portal Website does not inform the user of the existence of a Data Protection Officer for privacy compliance.
(C) Grievance Redressal: The website does not provide a dedicated point of contact for execution of rights and grievance redressal; however, it provisions a support email id for assistance.
(D) Data Protection Impact Assessment: Assessment for this principle could not be ascertained with the available information.
2.2 Observations
The Income Tax E-filing Portal shows great promise in creating accountable
privacy practices. There is proactive compliance with the privacy principles of
Purpose Limitation, Collection Limitation and Notice Availability. It also has
well-defined security practices. The project would have to establish better
practices to enable user control and execution of rights. The absence of a
touch point for Individual Participation Rights and grievance redressal needs to
be resolved to ensure privacy compliance and to increase the level of adoption
of privacy by design in the project.
3. National Portal of India
This is the Official Portal of the Government of India, designed, developed
and hosted by the National Informatics Centre (NIC), a premier ICT
organization of the Government of India under the aegis of the Ministry of
Electronics & Information Technology. The Portal has been developed as a
Mission Mode Project (MMP) under the National E-Governance Plan (NEGP)
of the Government. The portal was launched in November 2005. The objective
behind the Portal is to provide single window access to the information and
services being provided by the Indian Government for citizens and other
stakeholders. An attempt has been made through this Portal to provide a
comprehensive, accurate, reliable and one-stop source of information about
India and its various facets. The current Portal is a metadata-driven site that
links to the other Indian Government portals/websites for the most updated
information.

3.1 Assessment

SDPI Rules Assessment and Assurance Standard Assessment, by parameter:

Notice
SDPI Rules Assessment:
- The website page displays the hyperlink to view the privacy notice while collecting new PI from the user on subsequent pages of the website.
- The Privacy notice is available in local language.
- The Privacy notice doesn't mention if it uses any other (indirect) sources from where PI/SPI of the user is collected by the Entity.
- The Privacy notice does not inform the user about the existence of any other tracking mechanisms used to collect, store, transmit or process PII/SPI.
- The Privacy notice does not state the security obligations and expectations from the user to protect their PI/SPI.
- The Privacy notice does not inform the user about the standards it follows.
- The Privacy notice does not inform the user about their rights and how these rights can be exercised.
- The Privacy notice does not mention any retention period.
Assurance Standard Assessment: same findings as the SDPI Rules Assessment.

Consent
SDPI Rules Assessment:
- The website takes consent from the user for the privacy notice on the landing page/registration page of the website (via click of continue/agree or through check box).
- The Website does provide an option to the user not to provide PI which is not necessary for provision of services. (Optional data entry fields)
Assurance Standard Assessment:
- The website takes consent from the user for the privacy notice on the landing page/registration page of the website (via click of continue/agree or through check box).
- The website does not provide the user an option to withdraw consent.
- The Website does provide an option to the user not to provide PI which is not necessary for provision of services. (Optional data entry fields)

Collection Limitation
SDPI Rules Assessment:
- The Personal Data collection while signing up is restricted to what is functionally necessary to provide the service.
- The use of tracking mechanisms is limited to 3rd party cookies and e-tags.
- It doesn't take access to any additional data through microphone, camera, location and notification permissions.
Assurance Standard Assessment: same findings as the SDPI Rules Assessment.

Purpose Limitation
SDPI Rules Assessment: The privacy notice does not clearly state the purpose of processing the personal data and sensitive personal data.
Assurance Standard Assessment: same finding as the SDPI Rules Assessment.

Use Limitation
Assurance Standard Assessment: The India Portal Service is in compliance with this principle, based on the assessment of the information provided by the department in charge of execution.

Storage Limitation
SDPI Rules Assessment:
- The Privacy notice failed to inform the user about any retention period for the personal data processed.
- The Privacy notice does not inform the user about the criteria to determine the retention period.
- Assessment did not reveal the existence of a retention period that the project follows with respect to processing of personal data.
Assurance Standard Assessment: same findings as the SDPI Rules Assessment.

Security Safeguards
SDPI Rules Assessment:
- The privacy notice states the security practices and procedures to protect the PI/SPI of the user.
- The website does not store any data of the user on the local storage.
- The website doesn't leak PI/SPI through privilege escalation.
- The website doesn't leak PI/SPI through SQL injection attacks.
- The website doesn't leak PI/SPI through XSS attacks.
- The website transmits the data collected in a secure encrypted manner.
- The website does not contain any uncommon open ports.
- The website uses session cookies for login sessions in a secure manner.
- The website code doesn't contain passwords/encryption keys in a hard-coded manner, i.e. visible in source code.
Assurance Standard Assessment: same findings as the SDPI Rules Assessment.

Transparency
Assurance Standard Assessment:
- The website maintains a basic level of transparency of operations by informing the user of the data collected and processed for the provision of the service and a clear statement of purpose.
- The e-governance service shows limited transparency in giving the user visibility over individual participation rights and the process to exercise these rights.

Individual Participation Rights
SDPI Rules Assessment:
- The Privacy notice does inform the user of their right to Access and Correction.
- The Privacy notice does not direct the user to a designated position for execution of these rights.
Assurance Standard Assessment:
- The Privacy notice does inform the user of their rights: 1) Access and Correction; but it does not inform them about their rights 2) to Object, 3) Data Portability, 4) Right to be Forgotten.
- The Privacy notice does not direct the user to a designated position for execution of these rights.

Disclosure of Information
SDPI Rules Assessment: The privacy notice mentions that the user information won't be disclosed to 3rd parties.

Transfer of Information
SDPI Rules Assessment: Assessment for this best practice could not be ascertained with the available information.

Grievance Redressal
SDPI Rules Assessment: The website does not provide a point of contact for execution of rights and grievance redressal.

Accountability
Assurance Standard Assessment:
(A) Privacy by Design: Absence of granular and withdrawable consent.
(B) Data Protection Officer: The India Portal Website does not inform the user of the existence of a Data Protection Officer for privacy compliance.
(C) Grievance Redressal: The website does not provide a point of contact for execution of rights and grievance redressal.
(D) Data Protection Impact Assessment:
- Privacy risks were evaluated while performing the risk assessment for this project.
- The information provided does not give further insight into the process of evaluation.
3.2 Observations
The India Portal shows great promise in creating accountable privacy
practices. There is proactive compliance with the privacy principles of
Collection Limitation, Use Limitation and Purpose Limitation. It also has
well-defined security practices and clear communication with respect to
collection limitation. The project would have to establish better practices to
enable user control and execution of rights. The absence of a touch point for
Individual Participation Rights and grievance redressal needs to be resolved to
ensure privacy compliance. The inclusion of privacy risks in the project risk
assessment is a great step towards building sustainable privacy practices.

4. Digital Seva Portal


Common Services Centers (CSC) are one of the crucial enablers of the Digital
India Programme. They are the access points for delivery of various e-
governance and business services to citizens in rural and remote areas of the
country. It is a pan-India network catering to regional, geographic, linguistic
and cultural diversity of the country, thus enabling the Government’s
mandate of a socially, financially and digitally inclusive society. CSCs offer
assisted access of e-services to citizens with a focus on enhancing
governance, delivering essential government and public utility services,
social welfare schemes, financial services, education and skill development
courses, health and agriculture services and digital literacy, apart from a
host of B2C services.

4.1 Assessment

SDPI Rules Assessment and Assurance Standard Assessment, by parameter:

Notice
SDPI Rules Assessment:
- The website page does not display the hyperlink to view the privacy notice while collecting new PI from the user on subsequent pages of the website.
- The Privacy notice is not available in any local language.
- The Privacy notice doesn't mention if it uses any other (indirect) sources from where PI/SPI of the user is collected by the Entity.
- The Privacy notice does not inform the user about the existence of any other tracking mechanisms used to collect, store, transmit or process PII/SPI.
- The Privacy notice does not state the security obligations and expectations from the user to protect their PI/SPI.
- The Privacy notice does not inform the user about the standards it follows.
- The Privacy notice does not inform the user about their rights and how these rights can be exercised.
- The Privacy notice does not mention any retention period.
Assurance Standard Assessment: same findings as the SDPI Rules Assessment.

Consent
SDPI Rules Assessment:
- The website takes consent from the user for the privacy notice on the landing page/registration page of the website (via click of continue/agree or through check box).
- The Website does not provide an option to the user not to provide PI which is not necessary for provision of services. (Optional data entry fields)
Assurance Standard Assessment:
- The website takes consent from the user for the privacy notice on the landing page/registration page of the website (via click of continue/agree or through check box).
- The website does not provide the user an option to withdraw consent.
- The Website does not provide an option to the user not to provide PI which is not necessary for provision of services. (Optional data entry fields)

Collection Limitation
SDPI Rules Assessment:
- The Personal Data collection while signing up is restricted to what is functionally necessary to provide the service.
- The use of tracking mechanisms is limited to 3rd party cookies and e-tags.
- It doesn't take access to any additional data through microphone, camera, location and notification permissions.
Assurance Standard Assessment: same findings as the SDPI Rules Assessment.

Purpose Limitation
SDPI Rules Assessment: The privacy notice clearly states the purpose of processing the personal data and sensitive personal data.
Assurance Standard Assessment: same finding as the SDPI Rules Assessment.

Use Limitation
Assurance Standard Assessment: The Digital Seva Portal Service is in compliance with this principle, based on the assessment of the information provided by the department in charge of execution.

Storage Limitation
SDPI Rules Assessment:
- The Privacy notice failed to inform the user about any retention period for the personal data processed.
- The Privacy notice does not inform the user about the criteria to determine the retention period.
- Assessment did not reveal the existence of a retention period that the project follows with respect to processing of personal data.
Assurance Standard Assessment: same findings as the SDPI Rules Assessment.

Security Safeguards
SDPI Rules Assessment:
- The privacy notice states the security practices and procedures to protect the PI/SPI of the user.
- The website does not store any data of the user on the local storage.
- The website doesn't leak PI/SPI through privilege escalation.
- The website doesn't leak PI/SPI through SQL injection attacks.
- The website doesn't leak PI/SPI through XSS attacks.
- The website transmits the data collected in a secure encrypted manner.
- The website does not contain any uncommon open ports.
- The website uses session cookies for login sessions in a secure manner.
- The website code doesn't contain passwords/encryption keys in a hard-coded manner, i.e. visible in source code.
Assurance Standard Assessment: same findings as the SDPI Rules Assessment.

Transparency
Assurance Standard Assessment:
- The website maintains a basic level of transparency of operations by informing the user of the data collected and processed for the provision of the service and a clear statement of purpose.
- The e-governance service shows limited transparency in giving the user visibility over individual participation rights and the process to exercise these rights.

Individual Participation Rights
SDPI Rules Assessment:
- The Privacy notice in both instances does not inform the user of their right to Access and Correction.
- The Privacy notice does not direct the user to a designated position for execution of these rights.
Assurance Standard Assessment:
- The Privacy notice in both instances does not inform the user of their rights: 1) Access and Correction, 2) to Object, 3) Data Portability, 4) Right to be Forgotten.
- The Privacy notice does not direct the user to a designated position for execution of these rights.

Disclosure of Information
SDPI Rules Assessment: The privacy notice mentions that the user information won't be disclosed to 3rd parties.

Transfer of Information
SDPI Rules Assessment: Assessment for this best practice could not be ascertained with the available information.

Grievance Redressal
SDPI Rules Assessment: The website only provides a support email id for grievances. It does not provide a point of contact for execution of rights and grievance redressal.

Accountability
Assurance Standard Assessment:
(A) Privacy by Design: Absence of granular and withdrawable consent.
(B) Data Protection Officer: The Digital Seva Portal does not inform the user of the existence of a Data Protection Officer for privacy compliance.
(C) Grievance Redressal: The website only provides a support email id for grievances. It does not provide a point of contact for execution of rights and grievance redressal.
(D) Data Protection Impact Assessment:
- Privacy risks were evaluated while performing the risk assessment for this project.
- The information provided does not give further insight into the process of evaluation.
4.2 Observations
The Digital Seva Portal shows promise in creating accountable privacy
practices. There is proactive compliance with the privacy principles of
Collection Limitation, Use Limitation and Purpose Limitation. It also has
well-defined security practices and clear communication with respect to
collection limitation. The project would have to establish better practices to
enable user control and execution of rights. The absence of a touch point for
Individual Participation Rights and grievance redressal needs to be resolved to
ensure privacy compliance. The inclusion of privacy risks in the project risk
assessment is a great step towards building sustainable privacy practices.
5. School Education- Shaala Darpan
KV Shaala Darpan is an e-Governance platform for all Kendriya Vidyalayas in
the country. It aims to improve quality of learning, efficiency of school
administration, governance of schools & service delivery to key stakeholders
namely, students, parents, teachers, community and schools. The project KV
Shaala Darpan is under implementation. The Ministry has also written to all
States/UTs to implement Shaala Darpan in their respective states.
5.1 Assessment

(Columns in the original: SDPI Rules Assessment | Assurance Standard Assessment. Where both record the same finding it is listed once.)

Notice
  Both assessments: The website does not display a privacy notice to the users.

Consent
  SDPI Rules Assessment:
    - The website does not take consent from the user for the privacy notice on the landing page/registration page (via a click of continue/agree or through a check box).
    - The website does not provide the user an option not to provide PI that is not necessary for provision of the service (optional data entry fields).
  Assurance Standard Assessment:
    - The website does not take consent from the user for the privacy notice on the landing page/registration page (via a click of continue/agree or through a check box).
    - The privacy notice does not inform the user that by reading the privacy notice and continuing to use the application, the user agrees to be bound by its terms.
    - The website does not provide the user an option to withdraw consent.
    - The website does not provide the user an option not to provide PI that is not necessary for provision of the service (optional data entry fields).

Collection Limitation
  Both assessments:
    - The personal data collected while signing up is not specified in the privacy notice but is functionally necessary to provide the service.
    - The use of tracking mechanisms is limited to third-party cookies and ETags.
    - The website does not access any additional data through microphone, camera, location or notification permissions.

Purpose Limitation
  Both assessments: The findings recorded here repeat those under Collection Limitation (personal data collected at sign-up is not specified in the privacy notice but is functionally necessary; tracking is limited to third-party cookies and ETags; no access to microphone, camera, location or notification permissions).

Use Limitation
  Assessment for this principle could not be ascertained with the available information.

Storage Limitation
  Both assessments:
    - The privacy notice does not inform the user about any retention period for the personal data processed.
    - The privacy notice does not inform the user about the criteria used to determine the retention period.
    - The assessment did not reveal the existence of a retention period that the project follows for the processing of personal data.

Security Safeguards
  Both assessments:
    - The privacy notice states the security practices and procedures used to protect the user's PI/SPI.
    - The website does not store any user data in local storage.
    - The website does not leak PI/SPI through privilege escalation.
    - The website does not leak PI/SPI through SQL injection.
    - The website does not leak PI/SPI through XSS.
    - The website transmits the data collected in a secure, encrypted manner.
    - The website does not expose any uncommon open ports.
    - The website uses session cookies for login sessions in a secure manner.
    - The website code does not contain hard-coded passwords or encryption keys (i.e. visible in the source code).

Transparency
  The e-governance service shows limited transparency in giving the user visibility over data collection and processing activities.

Individual Participation Rights
  SDPI Rules Assessment:
    - The privacy notice in both instances does not inform the user of their right to access and correction.
    - The privacy notice does not direct the user to a designated position for the execution of these rights.
  Assurance Standard Assessment:
    - The privacy notice in both instances does not inform the user of their rights: 1) access and correction, 2) to object, 3) data portability, 4) right to be forgotten.
    - The privacy notice does not direct the user to a designated position for the execution of these rights.

Disclosure of Information (SDPI Rules)
  Assessment for this best practice could not be ascertained with the available information.

Transfer of Information (SDPI Rules)
  Assessment for this best practice could not be ascertained with the available information.

Grievance Redressal (SDPI Rules)
  Absence of a support email/touch point for grievance redressal.

Accountability (Assurance Standard)
  (A) Privacy by Design: Absence of a privacy notice.
  (B) Data Protection Officer: The Shaala Darpan website does not inform the user of the existence of a Data Protection Officer for privacy compliance.
  (C) Grievance Redressal: Absence of a support email/touch point for grievance redressal.
  (D) Data Protection Impact Assessment: Assessment for this principle could not be ascertained with the available information.

5.2 Observations
Shaala Darpan follows well-established security practices, but with respect
to privacy much is left to be desired. Even though a national-level privacy
policy exists, it has not been expressed in this instance. As seen in recent
years, the absence of a privacy notice is a major privacy failing: the notice
has emerged as the means of communicating their rights to the citizen and of
enabling greater transparency in e-Governance practices.
6. E-Vahan- Delhi
The Ministry of Road Transport & Highways (MoRTH) has been facilitating the
computerisation of over 1100 Road Transport Offices (RTOs) across the
country. RTOs issue Registration Certificates (RC) and Driving Licences (DL),
which are mandatory requirements and are valid across the country, subject to
certain provisions and permissions. The Govt. of NCT of Delhi has moved to
Vahan Online Services so that these mandatory requirements can be fulfilled
online.
6.1 Assessment

(Columns in the original: SDPI Rules Assessment | Assurance Standard Assessment. Where both record the same finding it is listed once.)

Notice
  Both assessments: The website does not display a privacy notice to the users.

Consent
  SDPI Rules Assessment:
    - The website does not take consent from the user for the privacy notice on the landing page/registration page (via a click of continue/agree or through a check box).
    - The website does not provide the user an option not to provide PI that is not necessary for provision of the service (optional data entry fields).
  Assurance Standard Assessment:
    - The website does not take consent from the user for the privacy notice on the landing page/registration page (via a click of continue/agree or through a check box).
    - The website does not provide the user an option to withdraw consent.
    - The website does not provide the user an option not to provide PI that is not necessary for provision of the service (optional data entry fields).

Collection Limitation
  Both assessments:
    - The personal data collected while signing up is not specified in the privacy notice but is functionally necessary to provide the service.
    - The use of tracking mechanisms is limited to third-party cookies and ETags.
    - The website does not access any additional data through microphone, camera, location or notification permissions.

Purpose Limitation
  Both assessments: The privacy notice does not state the purpose of processing the personal data and sensitive personal data.

Use Limitation
  Assessment for this principle could not be ascertained with the available information.

Storage Limitation
  Both assessments:
    - The privacy notice does not inform the user about any retention period for the personal data processed.
    - The privacy notice does not inform the user about the criteria used to determine the retention period.
    - The assessment did not reveal the existence of a retention period that the project follows for the processing of personal data.

Security Safeguards
  Both assessments:
    - The privacy notice states the security practices and procedures used to protect the user's PI/SPI.
    - The website does not store any user data in local storage.
    - The website does not leak PI/SPI through privilege escalation.
    - The website does not leak PI/SPI through SQL injection.
    - The website does not leak PI/SPI through XSS.
    - The website transmits the data collected in a secure, encrypted manner.
    - The website does not expose any uncommon open ports.
    - The website uses session cookies for login sessions in a secure manner.
    - The website code does not contain hard-coded passwords or encryption keys (i.e. visible in the source code).

Transparency
  The e-governance service shows limited transparency in giving the user visibility over data collection and processing activities.

Individual Participation Rights
  SDPI Rules Assessment:
    - The privacy notice in both instances does not inform the user of their right to access and correction.
    - The privacy notice does not direct the user to a designated position for the execution of these rights.
  Assurance Standard Assessment:
    - The privacy notice in both instances does not inform the user of their rights: 1) access and correction, 2) to object, 3) data portability, 4) right to be forgotten.
    - The privacy notice does not direct the user to a designated position for the execution of these rights.

Disclosure of Information (SDPI Rules)
  The privacy notice mentions that user information will not be disclosed to third parties.

Transfer of Information (SDPI Rules)
  Assessment for this best practice could not be ascertained with the available information.

Grievance Redressal (SDPI Rules)
  No separate finding is recorded; see Accountability (C).

Accountability (Assurance Standard)
  (A) Privacy by Design: Absence of a privacy notice.
  (B) Data Protection Officer: The E-Vahan-Delhi website does not inform the user of the existence of a Data Protection Officer for privacy compliance.
  (C) Grievance Redressal: Absence of a support email/touch point for grievance redressal.
  (D) Data Protection Impact Assessment: Assessment for this principle could not be ascertained with the available information.

6.2 Observations
Project E-Vahan-Delhi follows well-established security practices, but with
respect to privacy much is left to be desired. Even though a national-level
privacy policy exists, it has not been expressed in this instance. As seen in
recent years, the absence of a privacy notice is a major privacy failing: the
notice has emerged as the means of communicating their rights to the citizen
and of enabling greater transparency in e-Governance practices.

7. My Gov
MyGov aims to establish a link between Government and citizens towards
meeting the goal of good governance. MyGov encourages citizens, as well as
people abroad, to participate in various activities such as 'Do', 'Discuss',
'Poll', 'Talk' and 'Blog'. There are multiple theme-based discussions on MyGov
where a wide range of people can share their thoughts and ideas. 35.6 lakh
registered users have participated in 49 groups, 492 tasks, 590 discussion
themes and 221 blogs.
7.1 Assessment

(Columns in the original: SDPI Rules Assessment | Assurance Standard Assessment. Where both record the same finding it is listed once. The findings cover both the website and the mobile application, which is why some items on the privacy notice, such as security obligations and user rights, appear twice with opposite results.)

Notice
  Both assessments:
    - The website does not display a hyperlink to the privacy notice while collecting new PI from the user on subsequent pages of the website. The privacy notice is available in a local language.
    - A hyperlink to the application's privacy notice does not exist on the launch screen of the application.
    - The user does not have an option to refer to the privacy notice while using the application.
    - The application does not display a hyperlink to the privacy notice while collecting new PI from the user on subsequent pages of the application for subscription purposes.
    - The privacy notice is easily accessible to the user.
    - The privacy notice is available to the user in a local language.
    - The privacy notice informs the user about the cookies used to collect, store, transmit or process PI/SPI.
    - The privacy notice tells the user about the third parties, or categories of third parties, with which the information will be shared and for what purpose.
    - The privacy notice does not state the security obligations and expectations of the user to protect their PI/SPI.
    - The privacy notice does not inform the user about the standards it follows.
    - The privacy notice does inform the user about their rights and how these rights can be exercised.
    - The privacy notice does not mention any retention period.
    - The privacy notice clearly states the type of PI/SPI collected by the entity.
    - The privacy notice clearly states the purpose of the PI/SPI collected by the entity.
    - The privacy notice does state the security obligations and expectations of the user to protect their PI/SPI.
    - The privacy notice does not inform the user about any retention period or the criteria used to determine the retention period.
    - The privacy notice does not inform the user how the PI/SPI will be treated once the user has uninstalled the application.
    - The privacy notice does not inform the user about the standards it follows.
    - The privacy notice does not inform the user about their rights and how these rights can be exercised.

Consent
  SDPI Rules Assessment:
    - The website and application do not take consent from the user for the privacy notice on the landing page/registration page (via a click of continue/agree or through a check box).
    - The website and application do not provide the user an option not to provide PI that is not necessary for provision of the service (optional data entry fields).
  Assurance Standard Assessment:
    - The website does not take consent from the user for the privacy notice on the landing page/registration page (via a click of continue/agree or through a check box).
    - The website and application do not provide the user an option to withdraw consent.
    - The website and application do not provide the user an option not to provide PI that is not necessary for provision of the service (optional data entry fields).

Collection Limitation
  Both assessments:
    - The personal data collected while signing up is restricted to what is functionally necessary to provide the service.
    - The use of tracking mechanisms is limited to third-party cookies and ETags.
    - The website does not access any additional data through microphone, camera, location or notification permissions.
    - The application requests 6 dangerous permissions (the Android "dangerous" protection level), which is lower than the industry average.
    - The application also requests 2 other high-risk permissions, which in combination with other information can identify the user.
    - The application still works if the dangerous-group permissions are disabled, so the user is not locked out of the service.

Purpose Limitation
  Both assessments: The privacy notice clearly states the purpose of processing the personal data and sensitive personal data.

Use Limitation
  The MyGov website and application comply with this principle, according to the information supplied.

Storage Limitation
  Both assessments:
    - The privacy notice does not inform the user about any retention period for the personal data processed.
    - The privacy notice does not inform the user about the criteria used to determine the retention period.
    - The assessment did not reveal the existence of a retention period that the project follows for the processing of personal data.

Security Safeguards
  Both assessments:
  Website:
    - The privacy notice states the security practices and procedures used to protect the user's PI/SPI.
    - The website does not store any user data in local storage.
    - The website does not leak PI/SPI through privilege escalation.
    - The website does not leak PI/SPI through SQL injection.
    - The website does not leak PI/SPI through XSS.
    - The website transmits the data collected in a secure, encrypted manner.
    - The website does not expose any uncommon open ports.
    - The website uses session cookies for login sessions in a secure manner.
    - The website code does not contain hard-coded passwords or encryption keys (i.e. visible in the source code).
  Mobile application:
    - The privacy notice states the security practices and procedures used to protect the user's PI/SPI.
    - The application stores user PI/SPI on the device in encrypted form.
    - Other applications on the device cannot access the PI/SPI stored in the application's folder (no cross-app data sharing).
    - The application does not take root-level access of the device.
    - The mobile application code contains hard-coded passwords/encryption keys, i.e. visible in the source code. This is bad practice and needs to be corrected.
    - The application transmits the data collected in a secure manner.
    - The data stored by the application on the device is wiped after the application is uninstalled.

Transparency
    - The website and application maintain a basic level of transparency of operations by informing the user of the data collected and processed for the provision of the service and by a clear statement of purpose.
    - The e-governance service shows limited transparency in giving the user visibility over individual participation rights and the process to exercise these rights.

Individual Participation Rights
  SDPI Rules Assessment:
    - The privacy notice in both instances does not inform the user of their right to access and correction.
    - The privacy notice does not direct the user to a designated position for the execution of these rights.
  Assurance Standard Assessment:
    - The privacy notice in both instances does not inform the user of their rights: 1) access and correction, 2) to object, 3) data portability, 4) right to be forgotten.
    - The privacy notice does not direct the user to a designated position for the execution of these rights.

Disclosure of Information (SDPI Rules)
  The privacy notice mentions that user information will not be disclosed to third parties.

Transfer of Information (SDPI Rules)
  Assessment for this best practice could not be ascertained with the available information.

Grievance Redressal (SDPI Rules)
  The website and application only list a support email id for grievances. They do not provide a point of contact for the execution of rights and grievance redressal.

Accountability (Assurance Standard)
  (A) Privacy by Design: Lack of granularity and withdrawal of consent.
  (B) Data Protection Officer: The MyGov website and mobile application do not inform the user of the existence of a Data Protection Officer for privacy compliance.
  (C) Grievance Redressal: The website and application only list a support email id for grievances. They do not provide a point of contact for the execution of rights and grievance redressal.
  (D) Data Protection Impact Assessment:
    - Privacy risks were evaluated while performing the risk assessment for this project.
    - The information provided gives no further insight into how that evaluation was carried out.
7.2 Observations
The MyGov project shows great promise in creating accountable privacy
practices. This is highlighted by its well-defined security practices and clear
communication with respect to purpose limitation, collection limitation and
use limitation.
The project would have to establish better practices to enable user control
and the exercise of rights. The absence of a touch point for individual
participation rights and grievance redressal needs to be resolved to ensure
privacy compliance.

8. Project e-Seva- Andhra Pradesh


Launched in 2001, e-Seva is a network of centres spread across Hyderabad,
Secunderabad and Ranga Reddy district and covering thirteen districts, offering
118 different services such as payment of utility bills/taxes, registration of
births/deaths and registration of passport applications. It was designed to
provide Government-to-Citizen services, delivering them online to consumers by
connecting them to the respective government departments and providing online
information at the point of service delivery.

8.1 Assessment

(Columns in the original: SDPI Rules Assessment | Assurance Standard Assessment. Where both record the same finding it is listed once.)

Notice
  Both assessments: The website does not display a privacy notice to the users.

Consent
  SDPI Rules Assessment:
    - The website does not take consent from the user for the privacy notice on the landing page/registration page (via a click of continue/agree or through a check box).
    - The website does not provide the user an option not to provide PI that is not necessary for provision of the service (optional data entry fields).
  Assurance Standard Assessment:
    - The website does not take consent from the user for the privacy notice on the landing page/registration page (via a click of continue/agree or through a check box).
    - The website does not provide the user an option to withdraw consent.
    - The website does not provide the user an option not to provide PI that is not necessary for provision of the service (optional data entry fields).

Collection Limitation
  Both assessments:
    - The personal data collected while signing up is not specified in the privacy notice but is functionally necessary to provide the service.
    - The use of tracking mechanisms is limited to third-party cookies and ETags.
    - The website does not access any additional data through microphone, camera, location or notification permissions.

Purpose Limitation
  Both assessments: The privacy notice does not state the purpose of processing the personal data and sensitive personal data.

Use Limitation
  Assessment for this principle could not be ascertained with the available information.

Storage Limitation
  Both assessments:
    - The privacy notice does not inform the user about any retention period for the personal data processed.
    - The privacy notice does not inform the user about the criteria used to determine the retention period.
    - The assessment did not reveal the existence of a retention period that the project follows for the processing of personal data.

Security Safeguards
  Both assessments:
    - The privacy notice states the security practices and procedures used to protect the user's PI/SPI.
    - The website does not store any user data in local storage.
    - The website does not leak PI/SPI through privilege escalation.
    - The website does not leak PI/SPI through SQL injection.
    - The website does not leak PI/SPI through XSS.
    - The website transmits the data collected in a secure, encrypted manner.
    - The website does not expose any uncommon open ports.
    - The website uses session cookies for login sessions in a secure manner.
    - The website code does not contain hard-coded passwords or encryption keys (i.e. visible in the source code).

Transparency
  The e-governance service shows limited transparency in giving the user visibility over data collection and processing activities.

Individual Participation Rights
  SDPI Rules Assessment:
    - The privacy notice in both instances does not inform the user of their right to access and correction.
    - The privacy notice does not direct the user to a designated position for the execution of these rights.
  Assurance Standard Assessment:
    - The privacy notice in both instances does not inform the user of their rights: 1) access and correction, 2) to object, 3) data portability, 4) right to be forgotten.
    - The privacy notice does not direct the user to a designated position for the execution of these rights.

Disclosure of Information (SDPI Rules)
  Assessment for this best practice could not be ascertained with the available information.

Transfer of Information (SDPI Rules)
  Assessment for this best practice could not be ascertained with the available information.

Grievance Redressal (SDPI Rules)
  Absence of a support email/touch point for grievance redressal.

Accountability (Assurance Standard)
  (A) Privacy by Design: Absence of a privacy notice.
  (B) Data Protection Officer: The e-Seva Andhra Pradesh website does not inform the user of the existence of a Data Protection Officer for privacy compliance.
  (C) Grievance Redressal: Absence of a support email/touch point for grievance redressal.
  (D) Data Protection Impact Assessment: Assessment for this principle could not be ascertained with the available information.


8.2 Observations
Project e-Seva Andhra Pradesh follows well-established security practices,
but with respect to privacy much is left to be desired. Even though a
national-level privacy policy exists, it has not been expressed in this
instance. As seen in recent years, the absence of a privacy notice is a major
privacy failing: the notice has emerged as the means of communicating their
rights to the citizen and of enabling greater transparency in e-Governance
practices.

9. IRCTC
Indian Railway Catering and Tourism Corporation Ltd. (IRCTC) was set up by
the Ministry of Railways with the basic purpose of hiving off the entire
catering and tourism activity of the railways to the new corporation, so as
to professionalise and upgrade these services with public-private
participation. Rail-based tourism in India is the specific vehicle for
achieving high growth in coordination with state agencies, tour operators,
travel agents and the hospitality industry. A dynamic marketing strategy in
association with public and private agencies, tour operators, transporters,
hoteliers and local tour promoters is on the anvil. Indian Railways operates
at global scale in the hospitality and catering sectors, providing services
to 13 million passengers every day.

9.1 Assessment
SDPI Rules Assessment

Notice
• The website does not display a hyperlink to the privacy notice while collecting new PI from the user on subsequent pages of the website.
• The privacy notice is not available in any local language.
• No hyperlink to the privacy notice exists on the launch screen of the application.
• The user has no option to refer to the privacy notice while using the application.
• The application does not display a hyperlink to the privacy notice while collecting new PI from the user on subsequent pages for subscription purposes.
• The privacy notice is not easily accessible to the user.
• The privacy notice does not mention whether any other (indirect) sources are used from which the entity collects the user's PI/SPI.
• The privacy notice does not inform the user of the existence of any other tracking mechanisms used to collect, store, transmit or process PII/SPI.
• The privacy notice does not state the security obligations and expectations placed on the user to protect their PI/SPI.
• The privacy notice does not inform the user about the standards it follows.
• The privacy notice does not inform the user about their rights and how these rights can be exercised.
• The privacy notice does not mention any retention period, nor the criteria used to determine one.
• The privacy notice does not clearly state the purpose of the PI/SPI collected by the entity.
• The privacy notice does not inform the user how their PI/SPI will be treated once the user has uninstalled the application.

Consent
• The website does not take consent for the privacy notice on the landing/registration page (via a continue/agree click or a check box).
• The website does not give the user the option of not providing PI that is not necessary for provision of the service (optional data-entry fields).

Collection Limitation
• In some instances the personal data collected at sign-up is not functionally necessary to provide the service.
• The use of tracking mechanisms is limited to third-party cookies and e-tags.
• The application does not access additional data through microphone, camera, location or notification permissions.
• The application requests 7 dangerous permissions, which is below the industry average.
• The application requests 2 further high-risk permissions which, in combination with other information, can identify the user.
• The application still works if the dangerous-group permissions are disabled, so the user is not locked out of the service.

Purpose Limitation
The privacy notice does not clearly state the purpose of processing the personal data and sensitive personal data.

Storage Limitation
• The privacy notice fails to inform the user of any retention period for the personal data processed.
• The privacy notice does not inform the user of the criteria used to determine the retention period.
• The assessment did not reveal the existence of a retention period that the project follows for the processing of personal data.

Security Safeguards
Website:
• The privacy notice states the security practices and procedures used to protect the user's PI/SPI.
• The website does not store any user data in local storage.
• The website does not leak PI/SPI through privilege escalation, SQL injection or XSS attacks.
• The website transmits the data collected in a secure, encrypted manner.
• The website does not expose any uncommon open ports.
• The website uses session cookies for login sessions in a secure manner.
• The website code does not contain hard-coded passwords or encryption keys (i.e. visible in the source code).
Mobile application:
• The application stores user PI/SPI on the device in encrypted form.
• Other applications on the device cannot access the PI/SPI stored in the application's folder (no cross-app data sharing).
• The application does not take root-level access of the device.
• The mobile application code contains hard-coded passwords/encryption keys visible in the source code. This is bad practice and needs to be corrected.
• The application transmits the data collected in a secure manner.
• The data stored by the application on the device is wiped clean after the application is uninstalled.

Individual Participation Rights
• The privacy notice in both instances does not inform the user of their right to Access and Correction.
• The privacy notice does not direct the user to a designated position for the execution of these rights.

Disclosure of Information
The privacy notice states that user information will not be disclosed to third parties.

Transfer of Information
Assessment for this best practice could not be ascertained with the available information.

Grievance Redressal
The website and application only list a support email id for grievances. They do not provide a point of contact for the execution of rights and grievance redressal.

Assurance Standard Assessment

Notice
Same findings as under the SDPI Rules assessment above.

Consent
• The website does not take consent for the privacy notice on the landing/registration page (via a continue/agree click or a check box).
• The website and application do not provide the user with an option to withdraw consent.
• The website and application do not give the user the option of not providing PI that is not necessary for provision of the service (optional data-entry fields).

Collection Limitation
Same findings as under the SDPI Rules assessment above.

Purpose Limitation
The privacy notice does not clearly state the purpose of processing the personal data and sensitive personal data.

Use Limitation
Assessment for this principle could not be ascertained with the available information.

Storage Limitation
Same findings as under the SDPI Rules assessment above.

Security Safeguards
Same findings as under the SDPI Rules assessment above (website and mobile application).

Transparency
• The website and application maintain a basic level of transparency of operations by informing the user of the data collected and processed for the provision of the service, with a clear statement of purpose.
• The e-governance service shows limited transparency in giving the user visibility over individual participation rights and the process to exercise these rights.

Individual Participation Rights
• The privacy notice in both instances does not inform the user of their rights: 1) Access and Correction, 2) to Object, 3) Data Portability, 4) Right to be Forgotten.
• The privacy notice does not direct the user to a designated position for the execution of these rights.

Accountability
(A) Privacy by Design: Lack of granularity and of withdrawal of consent.
(B) Data Protection Officer: The IRCTC website and mobile application do not inform the user of the existence of a Data Protection Officer for privacy compliance.
(C) Grievance Redressal: The website and application only list a support email id for grievances. They do not provide a point of contact for the execution of rights and grievance redressal.
(D) Data Protection Impact Assessment: Assessment for this principle could not be ascertained with the available information.
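Two of the Security Safeguards checks above can be scripted rather than eyeballed: whether a login-session cookie is set with protective attributes, and whether passwords or encryption keys are hard-coded in source (the finding raised against the IRCTC and, later, the DigiLocker mobile application). The following is an added example written for this page; it is not code from iCISA or from any of the assessed projects. The source fragment and the two Set-Cookie headers it scans are constructed, and the credential-name patterns, the literal-length thresholds and the choice of Secure/HttpOnly/SameSite as the required attributes are the example's own assumptions.

```python
"""Two scriptable Security Safeguards checks: a hard-coded secret scan over
source text and a Set-Cookie attribute check. Added example; every input
below is constructed and not taken from any assessed project."""
import re
from typing import List, Tuple

# Constructed sample: a fragment of mobile-app style source with one
# hard-coded password and one hard-coded AES key. The URL constant and the
# environment-variable lookup on the last two lines must NOT be flagged.
SAMPLE_SOURCE = """public class ApiClient {
    private static final String API_PASSWORD = "Tr4in$2021";
    private static final byte[] AES_KEY = hexToBytes("00112233445566778899aabbccddeeff");
    private static final String BASE_URL = "https://example.invalid/api";
    String token = System.getenv("API_TOKEN");
}"""

# Assumed patterns: a credential-looking identifier assigned a string literal,
# optionally wrapped in a decoding call such as hexToBytes("...").
SECRET_PATTERNS = {
    "hard-coded password": re.compile(
        r'(?i)\b(\w*(?:password|passwd|pwd)\w*)\s*=\s*"[^"]+"'),
    "hard-coded key/token": re.compile(
        r'(?i)\b(\w*(?:key|secret|token)\w*)\s*=\s*(?:\w+\()?'
        r'"(?:[0-9a-f]{16,}|[A-Za-z0-9+/=]{20,})"'),
}


def find_hardcoded_secrets(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, finding, identifier) for each credential literal.

    A value read from the environment (System.getenv) is not a literal and
    is deliberately left unflagged."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for finding, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append((lineno, finding, match.group(1)))
    return findings


def check_session_cookie(set_cookie: str) -> Tuple[str, List[str]]:
    """Parse one Set-Cookie header value and list the protections it lacks.

    Secure and HttpOnly are treated as required for a login-session cookie
    and a missing SameSite attribute is reported too (assumed baseline)."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    missing = [flag for flag in ("Secure", "HttpOnly", "SameSite")
               if flag.lower() not in attrs]
    return name, missing


# Constructed Set-Cookie headers: one weak, one acceptable.
WEAK_COOKIE = "JSESSIONID=abc123; Path=/; HttpOnly"
GOOD_COOKIE = "sid=xyz789; Path=/; Secure; HttpOnly; SameSite=Strict"

if __name__ == "__main__":
    for lineno, finding, ident in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: {finding} in {ident}")
    for header in (WEAK_COOKIE, GOOD_COOKIE):
        name, missing = check_session_cookie(header)
        print(f"{name}: missing {missing or 'nothing'}")
```

Run against the sample source the scan reports the password on line 2 and the key on line 3 and stays silent on the URL and the environment lookup; the first cookie is reported as lacking Secure and SameSite, the second as complete. A real review would run the same scan over the decompiled application package rather than a hand-written fragment, and would check the cookie on the actual login response.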

9.2 Observations
The IRCTC project follows well-established security practices, although it
would have to establish better practices to enable user control and the
execution of rights. The absence of a touch point for individual
participation rights and grievance redressal needs to be resolved to ensure
privacy compliance. The project's privacy notice needs further development
to meet the growing privacy compliance requirements.
10. Land Records- Project Bhoomi
Project Bhoomi of the Karnataka State Government is a land records
management system, inaugurated in the year 2000. Under this project, all the
manual RTCs (Records of Rights, Tenancy and Crops) that prevailed at the time
of data entry were digitised and made available to citizens through kiosk
centres. All ownership and other changes to the RTCs are carried out through
mutation as per the KLR (Karnataka Land Revenue) Act using the land records
database. Bhoomi back offices have been set up in all taluks of the state,
and in each of these centres an LR kiosk and an application kiosk have also
been set up.
10.1 Assessment

SDPI Rules Assessment

Notice
• The website does not display a hyperlink to the privacy notice while collecting new PI from the user on subsequent pages of the website.
• The privacy notice is not available in any local language.
• The privacy notice does not mention whether any other (indirect) sources are used from which the entity collects the user's PI/SPI.
• The privacy notice does not inform the user of the existence of any other tracking mechanisms used to collect, store, transmit or process PII/SPI.
• The privacy notice does not state the security obligations and expectations placed on the user to protect their PI/SPI.
• The privacy notice does not inform the user about the standards it follows.
• The privacy notice does not inform the user about their rights and how these rights can be exercised.
• The privacy notice does not mention any retention period.

Consent
• The website does not give the user the option of not providing PI that is not necessary for provision of the service (optional data-entry fields).

Collection Limitation
• The personal data collected at sign-up is restricted to what is functionally necessary to provide the service.
• The use of tracking mechanisms is limited to third-party cookies and e-tags.
• The service does not access additional data through microphone, camera, location or notification permissions.

Purpose Limitation
The privacy notice clearly states the purpose of processing the personal data and sensitive personal data.

Storage Limitation
• The privacy notice fails to inform the user of any retention period for the personal data processed.
• The privacy notice does not inform the user of the criteria used to determine the retention period.
• The assessment did not reveal the existence of a retention period that the project follows for the processing of personal data.

Security Safeguards
• The privacy notice states the security practices and procedures used to protect the user's PI/SPI.
• The website does not store any user data in local storage.
• The website does not leak PI/SPI through privilege escalation, SQL injection or XSS attacks.
• The website transmits the data collected in a secure, encrypted manner.
• The website does not expose any uncommon open ports.
• The website uses session cookies for login sessions in a secure manner.
• The website code does not contain hard-coded passwords or encryption keys (i.e. visible in the source code).

Individual Participation Rights
• The privacy notice in both instances does not inform the user of their right to Access and Correction.
• The privacy notice does not direct the user to a designated position for the execution of these rights.

Disclosure of Information
The privacy notice states that user information will not be disclosed to third parties.

Transfer of Information
Assessment for this best practice could not be ascertained with the available information.

Grievance Redressal
The website and application only list a support email id for grievances. They do not provide a point of contact for the execution of rights and grievance redressal.

Assurance Standard Assessment

Notice
Same findings as under the SDPI Rules assessment above.

Consent
• The website does not provide the user with an option to withdraw consent.
• The website does not give the user the option of not providing PI that is not necessary for provision of the service (optional data-entry fields).

Collection Limitation
Same findings as under the SDPI Rules assessment above.

Purpose Limitation
The privacy notice clearly states the purpose of processing the personal data and sensitive personal data.

Use Limitation
Project Bhoomi is in compliance with the use limitation principle.

Storage Limitation
Same findings as under the SDPI Rules assessment above.

Security Safeguards
Same findings as under the SDPI Rules assessment above.

Transparency
• The website and application maintain a basic level of transparency of operations by informing the user of the data collected and processed for the provision of the service.
• The e-governance service shows limited transparency in giving the user visibility over individual participation rights and the process to exercise these rights.

Individual Participation Rights
• The privacy notice in both instances does not inform the user of their rights: 1) Access and Correction, 2) to Object, 3) Data Portability, 4) Right to be Forgotten.
• The privacy notice does not direct the user to a designated position for the execution of these rights.

Accountability
(A) Privacy by Design: The project does not provide granularity or an option for withdrawal of consent.
(B) Data Protection Officer: Project Bhoomi does not inform the user of the existence of a Data Protection Officer for privacy compliance.
(C) Grievance Redressal: The website and application only list a support email id for grievances. They do not provide a point of contact for the execution of rights and grievance redressal.
(D) Data Protection Impact Assessment: Assessment for this principle could not be ascertained with the available information.

10.2 Observations
Project Bhoomi shows great promise in creating accountable privacy practices.
There is proactive compliance with the Purpose Limitation, Collection
Limitation and Use Limitation principles, backed by well-defined security
practices and clear communication on each of them. The project would still
have to establish better practices to enable user control and the execution
of rights. The absence of a touch point for individual participation rights
and grievance redressal needs to be resolved to ensure privacy compliance.
11. Digi Locker
DigiLocker is a platform for the issuance and verification of documents and
certificates in digital form, eliminating the use of physical documents.
Indian citizens who sign up for a DigiLocker account get dedicated cloud
storage space linked to their Aadhaar (UIDAI) number. Organisations
registered with DigiLocker can push electronic copies of documents and
certificates (e.g. driving licence, voter ID, school certificates) directly
into citizens' lockers. Citizens can also upload scanned copies of their
legacy documents to their accounts; these legacy documents can be
electronically signed using the e-Sign facility.
11.1 Assessment

SDPI Rules Assessment

Notice
• The website does not display a hyperlink to the privacy notice while collecting new PI from the user on subsequent pages of the website.
• The privacy notice is not available in any local language.
• No hyperlink to the privacy notice exists on the launch screen of the application.
• The user has no option to refer to the privacy notice while using the application.
• The application does not display a hyperlink to the privacy notice while collecting new PI from the user on subsequent pages for subscription purposes.
• The privacy notice is not easily accessible to the user.
• The privacy notice does not mention whether any other (indirect) sources are used from which the entity collects the user's PI/SPI.
• The privacy notice does not inform the user of the existence of any other tracking mechanisms used to collect, store, transmit or process PII/SPI.
• The privacy notice does not state the security obligations and expectations placed on the user to protect their PI/SPI.
• The privacy notice does not inform the user about the standards it follows.
• The privacy notice does not inform the user about their rights and how these rights can be exercised.
• The privacy notice does not mention any retention period, nor the criteria used to determine one.
• The privacy notice does not clearly state the purpose of the PI/SPI collected by the entity.
• The privacy notice does not inform the user how their PI/SPI will be treated once the user has uninstalled the application.

Consent
• The website does not give the user the option of not providing PI that is not necessary for provision of the service (optional data-entry fields).

Collection Limitation
• The personal data collected at sign-up is restricted to a mobile number and email id, which is functionally necessary to provide the service.
• The use of tracking mechanisms is limited to third-party cookies and e-tags.
• The application does not access additional data through microphone, camera, location or notification permissions.
• The application requests 7 dangerous permissions, which is below the industry average.
• The application requests 3 further high-risk permissions which, in combination with other information, can identify the user.
• The application still works if the dangerous-group permissions are disabled, so the user is not locked out of the service.

Purpose Limitation
The privacy notice clearly states the purpose of processing the personal data and sensitive personal data.

Storage Limitation
• The privacy notice fails to inform the user of any retention period for the personal data processed.
• The privacy notice does not inform the user of the criteria used to determine the retention period.
• The assessment did not reveal the existence of a retention period that the project follows for the processing of personal data.

Security Safeguards
Website:
• The privacy notice states the security practices and procedures used to protect the user's PI/SPI.
• The website does not store any user data in local storage.
• The website does not leak PI/SPI through privilege escalation, SQL injection or XSS attacks.
• The website transmits the data collected in a secure, encrypted manner.
• The website does not expose any uncommon open ports.
• The website uses session cookies for login sessions in a secure manner.
• The website code does not contain hard-coded passwords or encryption keys (i.e. visible in the source code).
Mobile application:
• The application stores user PI/SPI on the device in encrypted form.
• Other applications on the device cannot access the PI/SPI stored in the application's folder (no cross-app data sharing).
• The application does not take root-level access of the device.
• The mobile application code contains hard-coded passwords/encryption keys visible in the source code. This is bad practice and needs to be corrected.
• The application transmits the data collected in a secure manner.
• The data stored by the application on the device is wiped clean after the application is uninstalled.

Individual Participation Rights
• The privacy notice in both instances does not inform the user of their right to Access and Correction.
• The privacy notice does not direct the user to a designated position for the execution of these rights.

Disclosure of Information
The privacy notice states that user information will not be disclosed to third parties.

Transfer of Information
Assessment for this best practice could not be ascertained with the available information.

Grievance Redressal
The website and application

Assurance Standard Assessment

Notice
Same findings as under the SDPI Rules assessment above.

Consent
• The website does not provide the user with an option to withdraw consent.
• The website does not give the user the option of not providing PI that is not necessary for provision of the service (optional data-entry fields).

Collection Limitation
Same findings as under the SDPI Rules assessment above.

Purpose Limitation
The privacy notice clearly states the purpose of processing the personal data and sensitive personal data.

Use Limitation
The DigiLocker website and mobile application are in compliance with respect to the implementation segment of the notice assessment.

Storage Limitation
Same findings as under the SDPI Rules assessment above.

Security Safeguards
Same findings as under the SDPI Rules assessment above (website and mobile application).

Transparency
• The website and application maintain a basic level of transparency of operations by informing the user of the data collected and processed for the provision of the service.
• The e-governance service shows limited transparency in giving the user visibility over individual participation rights and the process to exercise these rights.

Individual Participation Rights
• The privacy notice in both instances does not inform the user of their rights: 1) Access and Correction, 2) to Object, 3) Data Portability, 4) Right to be Forgotten.
• The privacy notice does not direct the user to a designated position for the execution of these rights.

Accountability
(A) Privacy by Design: Assessment for this principle could not be ascertained with the available information.
(B) Data Protection Officer: The DigiLocker website and mobile application do not inform the user of the existence of a Data Protection Officer for privacy compliance.
(C) Grievance Redressal: The website and
Redressal only list a support email id for Redressal application only list a
grievances. It does not provide support email id for
a point of contact for grievances. It does not
execution of rights and provide a point of
grievance redressal. contact for execution
of rights and
grievance redressal.
(D) Data Protection  Privacy Risks
Impact were evaluated
Assessment while performing
risk assessment
for this project.
The information
provided does not
provide more insight
into the process of
evaluation.
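Three of the security-safeguard items in the table above (session cookies used in a secure manner, no hard-coded passwords/encryption keys in source, data transmitted in an encrypted manner) can be checked mechanically during an assessment. The script below is an added example, not part of the iCISA study or of DigiLocker; the function names are hypothetical and every input (cookie headers, source fragment, endpoint list) is constructed.

```python
"""Automated checks for three security-safeguard items of the assessment table
(secure session cookies, no hard-coded passwords/encryption keys in source,
encrypted transmission). Added example; not part of the iCISA study.
All sample inputs below are constructed, not taken from any real site."""
import re
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie headers as a login response might return them.
SAMPLE_SET_COOKIE = [
    "sessionid=9f3a1c; Path=/; Secure; HttpOnly; SameSite=Lax",
    "csrftoken=7b2e; Path=/; Secure",
    "remember_me=yes; Path=/",
]

# Constructed source fragment: two hard-coded secrets, one value read from the
# environment and one key loaded from a file (the last two are acceptable).
SAMPLE_SOURCE = """\
import os
DB_USER = "portal_svc"
DB_PASSWORD = "S3cr3t-Pa55"
API_KEY = os.environ["PORTAL_API_KEY"]
ENCRYPTION_KEY = '0123456789abcdef0123456789abcdef'
signing_key = load_pem("keys/signing.pem")
"""

# Constructed endpoints to which collected PI/SPI would be posted.
SAMPLE_ENDPOINTS = [
    "https://portal.example.gov.in/api/upload",
    "http://portal.example.gov.in/api/verify",
]

# identifier = "literal"  or  identifier: "literal" (config/JSON/YAML style).
_ASSIGN = re.compile(r"""\b([A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*["']([^"']{4,})["']""")
_PEM_HEADER = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
_SECRET_WORDS = ("password", "passwd", "pwd", "secret", "apikey", "api_key",
                 "encryption_key", "private_key", "token")


def _looks_like_secret_name(name):
    lowered = name.lower()
    return any(word in lowered for word in _SECRET_WORDS)


def find_hardcoded_secrets(source_text):
    """Return (line_no, identifier) for credential-like names bound to a quoted
    literal, plus any embedded PEM private key. Values taken from the
    environment, a file or a function call have no literal and are not flagged."""
    findings = []
    for line_no, line in enumerate(source_text.splitlines(), start=1):
        if _PEM_HEADER.search(line):
            findings.append((line_no, "PEM private key"))
            continue
        match = _ASSIGN.search(line)
        if match and _looks_like_secret_name(match.group(1)):
            findings.append((line_no, match.group(1)))
    return findings


def check_session_cookies(set_cookie_headers):
    """Return one finding per cookie that lacks Secure, HttpOnly or SameSite.
    Secure keeps the cookie off plaintext HTTP, HttpOnly keeps it away from
    script (the XSS item above), SameSite limits cross-site reuse."""
    findings = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            missing = [flag for flag in ("secure", "httponly") if not morsel[flag]]
            if not morsel["samesite"]:
                missing.append("samesite")
            if missing:
                findings.append(f"{name}: missing {', '.join(missing)}")
    return findings


def check_transport(endpoints):
    """Return endpoints that would carry collected data without TLS."""
    return [url for url in endpoints if urlsplit(url).scheme.lower() != "https"]


def assess(set_cookie_headers, source_text, endpoints):
    """Map the three checklist items to True (pass) or False (fail)."""
    return {
        "session cookies used in a secure manner": not check_session_cookies(set_cookie_headers),
        "no hard-coded passwords/encryption keys in source": not find_hardcoded_secrets(source_text),
        "data transmitted in a secure encrypted manner": not check_transport(endpoints),
    }


if __name__ == "__main__":
    for item, passed in assess(SAMPLE_SET_COOKIE, SAMPLE_SOURCE, SAMPLE_ENDPOINTS).items():
        print(f"{'PASS' if passed else 'FAIL'}  {item}")
    for finding in check_session_cookies(SAMPLE_SET_COOKIE):
        print("  cookie:", finding)
    for line_no, name in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"  secret at line {line_no}: {name}")
```

The regex only catches literals bound to credential-like names, so a manual review of configuration files and build artefacts is still needed before marking the item as passed.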

11.2 Observations
The DigiLocker project, through its website, shows proactive compliance with the privacy principles of Purpose Limitation, Collection Limitation and Use Limitation, though it shows room for improvement with respect to Notice, Consent, Transparency and Accountability. The DigiLocker mobile application would need to be re-examined through the lens of privacy. Although it has stellar security safeguards, it would need some improvement, especially with respect to the emergence of granular privacy requirements.

12. Recommendations

This proposed framework was used to assess the privacy practices of 11 E-Governance Projects in India that make use of online dissemination of government services through service delivery websites, portals and mobile applications. This assessment revealed certain best practices that would assist projects around the world to comply, in the long run, with whichever privacy regulation they are subject to. These practices are as follows:

1. The Entity should lay utmost emphasis on drafting a privacy notice that clearly communicates the purpose of the collection and usage of personal data, in an easy to understand manner, keeping in mind the average end user of the government service. The translation or availability of the notice in different languages, based on the area or spread of the Project, should be carried out as well.
2. When an E-Governance Project relies on consent as a ground for processing personal data, it should provide the ability to withdraw consent for additional data collection. The manner of gaining consent should be through an affirmative action (for e.g. clicking a tick box). The entity should also ensure that the notice is displayed before consent is sought.
3. The Project must provide a single point of contact for execution of Individual Participation Rights. The procedure to exercise these rights should be clearly communicated to the user.
4. Privacy by Design should be incorporated in projects to ensure individual interests are considered at the time of conception of a project.
13. Bibliography

Statutes & Case Law

I. Justice K.S. Puttaswamy (Retd.) v. Union of India & Ors., 2017
II. Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
III. Personal Data Protection Bill, 2018 (India)
IV. Right to Information Act, 2005
V. EU General Data Protection Regulation, 2016 (Regulation (EU) 2016/679)
VI. California Consumer Privacy Act of 2018
VII. Health Insurance Portability and Accountability Act of 1996
VIII. Personal Information Protection and Electronic Documents Act (S.C. (Statutes of Canada) 2000)
IX. National Data and Accessibility Policy, 2012
X. Telangana Cybersecurity Policy, 2016

Guidelines

I. OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

Reports and Studies

I. A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians. Committee of Experts under the Chairmanship of Justice B.N. Srikrishna (2018)
II. Centre for Information Policy Leadership (2018). The Case for Accountability: How it enables Effective Data Protection and Trust in the Digital Society
III. Cavoukian, Ann (2011). Privacy by Design: The 7 Foundational Principles
IV. Case Studies on E-Governance in India (2011)

Frameworks

I. APEC Privacy Framework
II. DSCI Privacy Framework
III. DSCI Privacy Assessment Framework
Data Security in Cloud Environment
DG, i-CISA, ……, C-DAC

Abstract— The Digital India programme is a flagship program of the Government of India with a vision to transform India into a digitally empowered society and knowledge economy. Recently it has taken the form of e-Kranti (NeGP 2.0) with a vision of “Transforming e-Governance for transforming governance”. Some of the principles on which it is based are Transformation and not translation, integrated services and not individual services, Government Process Reengineering (GPR) to be mandatory in every MMP, Infrastructure on demand, Cloud by default, Mobile first, Fast tracking approvals, mandating standards and protocols, National GIS, language localization, security and Electronic Data preservation. In order to utilise and harness the benefits of Cloud Computing, the Government of India has embarked upon an ambitious initiative, "GI Cloud", which has been named 'MeghRaj'. The focus of this initiative is to accelerate delivery of e-services in the country while optimizing ICT spending of the Government. This will ensure optimum utilization of the infrastructure and speed up the development and deployment of e-Gov. applications. While deployment of these technologies will no doubt provide flexibility, agility and cost effectiveness, it will bring along with it the concerns of privacy, security, integrity, availability, inter-operability, licensing and other governance issues. In this scenario a clear understanding of the issues involved and of ways to manage the associated risks is required for the adoption of cloud technology by the government on a sustainable basis.
This paper will discuss the issues related to adopting cloud technology and will provide guidance to concerned authorities to build a safe and secure platform for adoption of this technology for delivery of services (infrastructure, platform, software) on demand. Due diligence at this stage may result in greater assurance to the investors and consumers to participate in this new endeavour with increased confidence and chance of success.

Index Terms—e-Kranti, NeGP, Meghraj, GI cloud

I. INTRODUCTION

Cloud computing, simply put, is computing on the internet. It provides hardware, platform and applications as a service and enables ubiquitous access, convenience, on demand network access, and a shared pool of configurable computing resources, available through the internet, instead of having local servers or personal devices to handle applications. Cloud services are offered through public, private or hybrid cloud storage offerings, depending on the security needs and other considerations.

Organizations can determine their level of control with as-a-service options. These include software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS). Cloud computing takes services (“cloud services”) and moves them outside an organization's firewall. Applications, storage and other services are accessed via the Web. The services are delivered and used over the Internet and are paid for by the cloud customer on an as-needed or pay-per-use business model.

Many organizations are moving to the cloud due to the obvious benefits that it offers, which are mainly ease and convenience of use, lower infrastructure requirements, ubiquitous access, increased efficiency, growing bandwidth demands, scalability etc.

To leverage these obvious benefits of cloud technology, and to be in compliance with the JAM (Jan Dhan-Aadhaar-Mobile) trinity initiative of its e-Kranti scheme, the Government has initiated cloud based e-governance services delivery, so as to reach the masses seamlessly. This Government cloud has been coined “MeghRaj”, and has been indicated as the default cloud to be used by one and all the departments, at central and state level.

However, the GI cloud has been launched without any specific guidelines for the roles and risks shared by the MSPs, and without actually having a cloud management office well in place to monitor and manage for sustainable governance. There are many lacunae in the GI cloud strategy, where provisional empanelment has been done without first defining the roles, responsibilities and ownership for ensuring cloud data security, and without clear guidelines and laws for enforcement and management of the various cloud stakeholders.
Operating in the cloud comes with greater risks than operating an on-premises IT infrastructure. Moving onto cloud based services has its own
associated risks and comes with a package of cloud specific threats, like poor security practices; insufficient identity, credential and access management; poor or no governance and management practices; application vulnerabilities etc. While many departments, both at the centre and in the states, have either already rolled out their e-governance services through the cloud or are on the verge of migrating into the cloud, they have done so without doing the precursory groundwork and the necessary checking of the various aspects related to before, during and after the use of cloud based operations and services.

As organizations move their data from on-premises into the cloud, their data comes to be shared between the CSPs, MSPs and the cloud users. The responsibility for protecting an organization’s data in the cloud lies not with the cloud service providers but with the cloud customers. Most cloud users are either not aware of this fact or do not take it seriously enough to take the necessary precautionary measures to safeguard their shared data on the cloud.

“Every Opportunity has associated Risks”, and in the case of the Government Cloud, ensuring data security is one of the major risks. As the Government moves to the cloud, it must be vigilant to ensure the security and proper management of government information to protect the privacy of citizens and national security. The Government has specific cloud computing challenges that require careful adoption considerations, especially in the areas of cyber security, continuity of operations, information assurance (IA), and resilience. The risks are high, as the data is sensitive and large in volume, of both the public as well as the Government, and is also continuously on the rise.

So, it has become the need of the hour to understand the risks associated with the cloud, create awareness and share the knowledge with all stakeholders, and take action to prevent, detect, and defend one’s data from these risks.

Meghraj, the Government of India’s cloud framework, has been introduced without taking into account the implementation and management aspects of the cloud service, and the same has been left to the user body. There are no guidelines for handling the management of the cloud services and its stakeholders and for ensuring strict enforcement of the policy.
For this reason effective governance in the cloud is of the utmost importance, so as to have a clear set of guidelines regarding the ownership and responsibility of the data and its security. The term governance in the cloud relates to the rules, policies, and processes used by businesses to operate in the cloud. These are the “what, when, who, and how” when it comes to cloud security, and govern factors such as what assets can be used, when assets can be used, who has access to assets, and how assets should be protected against malicious actors (both inside and outside the business).

There is thus an immediate need to have not only a sound cloud governance and management policy, but also a cloud enforcement policy to check, monitor and ensure adherence to the guidelines of the policy by the stakeholders. It is thus required to manage the cloud data in a professional manner, with cloud specific law regulations, clauses, and compliance. The regulations and guidelines are required to indicate what measures are to be taken if the data is lost, whom to approach, and who would be ultimately responsible for maintaining the integrity, confidentiality and availability of the data.

The purpose of this study is thus to sensitize the Government departments and the industry about the potential risks and serious challenges that are associated with cloud based service deployments, and what safeguard measures need to be adopted for preventing, defending and recovering themselves from such risks. The study presents the comparison of the GI cloud policy with respect to the international standards, and provides the details of the identified gaps that need to be filled in the GI cloud policy. The study has derived an audit assurance checklist as an outcome, for assisting in checking and monitoring of the CSPs as well as the cloud users while using cloud based services.

In the subsequent sections of the paper, we have presented the present scenario in the deployment and adaptation of GI cloud, the challenges, and the risks associated with data security in the cloud. We have also presented the details of some of the projects evaluated, the findings of the evaluation of the projects studied, and finally conclude with the cloud security guidelines and recommendations that need to be followed, and the way forward for ensuring the same.

II. OVERVIEW AND PRESENT SCENARIO OF GI CLOUD

This section gives a brief overview of the GI cloud, its deployment models and the present adaptation scenario.
The Government of India has initiated e-Kranti with the vision of “Transforming e-Governance for Transforming Governance”, based on the learnings of NeGP and with the aim of continuous upgradation and proliferation of the Digital India initiatives.

Amongst the key principles of e-Kranti, one of the important principles is Cloud by default, which indicates that all sensitive information of Government Departments shall be stored in a Government Cloud only, coined as MeghRaj. This was to ensure the proliferation of Cloud in government. Any Government Department may use a private cloud only after obtaining permission from the Ministry of Electronics and Information Technology (MeitY), which shall do so after assessing the security and privacy aspects of the proposed cloud. The aim of the cloud policy is to realize a comprehensive vision of a government private cloud environment available for use by central and state government line departments, districts and municipalities to accelerate their ICT-enabled service improvements. On similar lines to the cloud model defined by NIST (shown in Table 1), GoI has also proposed three different cloud deployment models.

Figure 1

Table 1:

They are the public cloud, Government Virtual Private Cloud and Government Community Cloud.
Presently, the GI Cloud is being established, initially on national and state data center assets (adapted for the cloud through virtualization) and connected through existing network infrastructure such as the SWANs, NKN, as well as the internet. Based on demand assessment and taking into account security related considerations, government may also engage the services of private cloud providers.
The GI Cloud will provide services to government departments, citizens and businesses through internet as well as mobile connectivity. In addition to accelerating the delivery of e-services to citizens and businesses, the government’s cloud-based service delivery platform will also support a number of other objectives including increased standardization, interoperability and integration, a move towards an opex model, the pooling of scarce, under-utilized resources and the spread of best practices. It will also support on-going cost effectiveness and manageability.

The Government of India has set up a National Cloud (under NIC) and has also initiated the setup of State Clouds, cloud computing environments at the State level, building on or augmenting the infrastructure investments already made, as shown in Figure 1.
Based on the demand consideration, GoI has empaneled cloud service offerings of service providers that the end-user departments can leverage, in addition to the National Cloud services offered by NIC, for their e-
governance solutions. The cloud services offered under the National Cloud, as well as the provisionally empaneled cloud service offerings of the 13 Cloud Service Providers, will be published through a GI Cloud Services Directory for use by government departments or agencies at the Centre and States.
The cloud providers would require the common standards and guidelines on security, interoperability, data portability, SLAs, contractual terms and conditions, and service definitions that they would need to adhere to in order to be part of the GI Cloud environment.
The diagram below provides a high-level view of the cloud ecosystem with the various actors along with their indicative roles.

Figure 2

In order to realize the policy and facilitate cloud services’ adoption by the Centre and States, there is a need to define the GI Cloud Reference Architecture, identify the common standards and service definitions, and develop guidelines with respect to security, service delivery, interoperability and portability that the cloud service providers (CSPs) will have to adhere to, for the departments to leverage cloud services.

With the GI cloud also based on the NIST architecture and standard model, the MeghRaj policy is proposed to:

Setup GI Cloud: Based on the demand consideration, GoI has empaneled cloud service offerings of service providers that the end-user departments can leverage, in addition to the National Cloud services offered by NIC, for their e-governance solutions. The cloud services offered under the National Cloud, as well as the provisionally empaneled cloud service offerings of the 13 Cloud Service Providers, will be published through a GI Cloud Services Directory for use by government departments or agencies at the Centre and States.

Create eGovAppStore: eGovAppStore will include the setting up of a common platform on National Clouds to host and run applications, developed by government agencies or private players, which are easily customizable and configurable for reuse by various Government agencies or departments at the central and state levels without investing effort in the development of such applications.

Publish through GI Cloud Services Directory: The GI Cloud services and the applications in eGovAppStore will be published through a single GI Cloud Services Directory for use by government departments or agencies at the Centre and States.

The overall benefits of GI cloud include:

 Optimum utilization of existing infrastructure
 Rapid deployment and reusability
 Manageability and maintainability
 Scalability
 Efficient service delivery and agility
 Security
 Cost reduction
 Ease of first time IT solution deployment
 Reduced effort in managing technology
 Increased user mobility
 Standardization

Though the GI cloud has been defined and is being implemented, with increased scalability amongst the organizations, there are many security risks and challenges associated with the adoption and use of Cloud.

III. CHALLENGES, RISKS & ISSUES IN CLOUD SECURITY

Cloud computing is not a new technology. Rather it is a new model of IT service delivery. Cloud computing is yet to mature both in terms of technology and business readiness as well as adoption by the market. Issues like standards for security, interoperability, licensing, governance and
contracting in cloud are still being deliberated upon and work is in progress worldwide. So, a clear understanding of the associated risks is required for the adoption of cloud computing by the government.

Fig. Risk Matrix for cloud services

Securing the information systems and ensuring the confidentiality, integrity, and availability of information and of the information being processed, stored, and transmitted are particularly relevant, as these are the high-priority concerns and present a higher risk of being compromised in a cloud computing system. Cloud computing implementations are subject to local physical threats as well as remote, external threats.
Possible types of security challenges for cloud computing services include the following:
• Compromises to the confidentiality and integrity of data in transit to and from a cloud provider and at rest;
• Attacks which take advantage of the homogeneity and power of cloud computing systems to rapidly scale and increase the magnitude of the attack;
• A consumer’s unauthorized access (through improper authentication or authorization, or exploit of vulnerabilities introduced maliciously or unintentionally) to software, data, and resources provisioned to, and owned by, another authorized cloud consumer;
• Increased levels of network-based attacks that exploit software not designed for an Internet-based model and vulnerabilities existing in resources formerly accessed through private networks;
• Limited ability to encrypt data at rest in a multi-tenancy environment;
• Portability constraints resulting from the lack of standardization of cloud services application programming interfaces (APIs) that preclude cloud consumers from easily migrating to a new cloud service provider when availability requirements are not met;
• Attacks that exploit the physical abstraction of cloud resources and exploit a lack of transparency in audit procedures or records;
• Attacks that take advantage of known, older vulnerabilities in virtual machines that have not been properly updated and patched;
• Attacks that exploit inconsistencies in global privacy policies and regulations;
• Attacks that exploit cloud computing supply chain vulnerabilities, including those that occur while cloud computing components are in transit from the supplier to the cloud service provider;
• Insider abuse of their privileges, especially cloud provider’s personnel in high risk roles (e.g. system administrators); and
• Interception of data in transit (man-in-the-middle attacks).

Further, the potential risks and issues specific to GI cloud, grouped into various aspects, are as below:

Cloud standards:
 Existing cloud standards pertaining to implementation, storage and migration need to be interpreted to understand their applicability for the GI Cloud environment.
 Adoption of open standards as per Government of India’s policy on open standards (http://egovstandards.gov.in/) on interoperability and data portability is required in order to reduce the risk of vendor lock-in and inadequate data portability.
Security and privacy
• Risk of compromise of confidential information and intellectual property (IP).
• Risk of inappropriate access to personal and confidential information.
• Appropriate privacy and security measures need to be in place.
Application design
• Traditional application design approaches are different from cloud based application design.
• All new applications must be designed keeping basic cloud design premises in mind. In order to ensure this, guidelines on application development and design need to be adopted.
• Existing applications need to be assessed and, if required, customized in line with cloud design principles to make them cloud ready.
Integration with legacy environment
• In order to have a fully operational cloud environment, cloud based applications need to be integrated with existing on-premise legacy applications.
• However, the opportunity for customization of existing applications and services may be limited, leading to increased complexity in integrating with existing legacy environments.
Licensing
• Existing software licensing models may not facilitate cloud deployment, especially from the point of cloud service delivery.
• To facilitate Government departments in deployment of cloud services, a comprehensive framework will be developed on the usage of various licensing models. This framework will be flexible to take into account emerging technologies and business models to leverage the same in the best interest of government.
Location of data
• The dynamic nature of cloud may result in uncertainty as to where data actually resides (or where it is in transit) at a given point in time. This raises concerns related to data ownership, accessibility, privacy and security.
• The decision regarding storage and transmittal of data to different cloud models may, therefore, be based on application sensitivity, data classification and other relevant privacy and security related considerations, including the regulatory and legal framework of the hosting jurisdiction.
Vendor lock-in
• Due to the rapid emergence of cloud computing through the initiatives of individual companies, many offerings are proprietary in nature, creating challenges in migrating data and applications to the cloud, or switching cloud providers. This puts customers at significant risk if the need arises for systems to interoperate across cloud and in-house environments, or to retrieve data and/or applications if a cloud provider withdraws from the market. These issues are to be managed through appropriate standards and contract provisions.
Portability
• Applications developed on one platform may not be portable to, or executable on, another.
Loss of control
• Loss of control may lead to resistance to change. As the need to maintain servers and other data centre infrastructure diminishes, the form of the IT function in government may change.
• Users may spawn instances unnecessarily and wastefully, just because it is possible and easy.
Funding model
• Due to the different funding models like pay-per-use, subscription etc., some part of ICT capital budgeting will need to be translated into operating expenses (OPEX), as opposed to capital expenditure (CAPEX). This will affect budgeting for ICT and may have an effect on ICT procurement.
• New procurement guidelines, funding and a sustainability model need to be identified to address this.
Performance and conformance
• Need to ensure that guaranteed service levels are achieved in the GI Cloud, else it may affect effective service delivery.
• SLAs are required to be defined for each of the services that will be provided by the GI Cloud. Existing contractual agreements and SLAs, both with third party data center operators and cloud service providers, may be evaluated and customized to meet the government’s requirements.
• For failure to adhere to the service levels, proper penalty clauses must be incorporated. This will require proper interpretation of SLAs. A proper institutional mechanism should be established to resolve any conflict and provide for timely intervention (if required).
• A fully functional 24x7 helpdesk may be incorporated.
Skills requirement
• A direct result of transitioning to a cloud environment is a demand for resources with different skill sets than those in the traditional environment.
• Given that the Government departments are generally under-staffed in ICT, this presents an opportunity for requirements identification. A well-defined capacity and capability building exercise needs to be carried out across the country to ensure projects do not suffer due to lack of skilled resources.
• Ongoing training programmes and plans need to be in place for training existing resources and upgrading their skill set in line with the new requirement.

Change management
 More than being a technology, cloud is a new model of service delivery.
 Adopting cloud across various government departments and agencies at the centre and states would call for intensive change management initiatives. The capacity and capability building exercise should incorporate orientation programmes to address these.
 The procurement teams in state and central nodal agencies need to be trained on procuring for cloud and move away from the traditional experience of procuring hardware and software.
 Such a comprehensive change management initiative would require proper communication at all levels.

Thus, to accelerate the adoption of cloud computing, and to advance the deployment of cloud services, solutions coping with cloud security threats need to be addressed. Many of the threats that cloud providers and consumers face can be dealt with through traditional security processes and mechanisms such as security policies, cryptography, identity management, intrusion detection/prevention systems, and supply chain vulnerability analysis. However, risk management activities must be undertaken to determine how to mitigate the threats specific to different cloud models and to analyze existing standards for gaps that need to be addressed.

IV. DATA SECURITY STANDARDS AND THEIR APPLICABILITY IN CLOUD ENVIRONMENT

Standards are already available in support of many of the functions and requirements for cloud computing. While many of these standards were developed in support of pre-cloud computing technologies, such as those designed for web services and the Internet, they also support the functions and requirements of cloud computing. Other standards are now being developed in specific support of cloud computing functions and requirements, such as virtualization.

There are many International Standards in general available related to Information Security, IT Services Management, Service Organization Control, Health Standards, Payment / Finance related standards, Education related standards, and Cloud related standards specifically related to Portability, Identification and Authorization, Interoperability, Accessibility, Performance Management, Securing Government Systems and many more. The major International Standards which are deemed to fit the security related to Cloud are summarized with their applicability and status of maturity, and are given in Annexure A.

In order to ensure security in the Cloud environment, many standards have already evolved and each standard has its own strengths. In this research report, three global standards, namely ISO 27001:2013, NIST 800-53 r4 and CCM v3.0.1, have been analyzed and the controls of these standards have been commonly categorized.
The categorization table is shown in Annexure B. The indicative overlap of the standards is depicted below:

Figure
The above mentioned standards are mostly in general applicable to the Project 1 42 39 3 0
cloud services, while some of them are enacted by specific countries, but
still these are generic and adoptable globally.
Further, the compliance of the sample RFP’s with respect to the standard Project 2 38 12 20 6
compliance to the standards like NIST, ISO are detailed in the Annexures.
Project 3 37 26 5 6
V.EVALUATION OF PROJECTS AGAINST THE GOI GUIDELINES
As the GI cloud is being envisaged to be used for all Government’s digital
endeavors, we studied issues of data security on the cloud from global
implementations and analyzed a representative sample of RFPs of Indian e- Project 4 42 32 10 0
governance projects, which are being moved onto the cloud.
The samples have been selected based on the following criteria:
1. Different Projects of State Government, Central Government and
Integrated (State and Central) Governments
2. Implementation of Project, RFP which has been implemented and
RFP to be implemented
Based on the above selection criteria, five projects were selected, which VI. LEARNINGS FROM EXAMINATION OF GI CLOUD POLICY &
have already been implemented –two at the central level and three at the RFP’S
state level. The scope of the RFP’s mainly consisted of empanelment of In this section, the key learning’s from the research study on Indian RFP’s,
cloud service providers and deployment of cloud services by them. have been indicated, which must be taken into account while implementing
data security in cloud environment.
Evaluation of Projects
The evaluation of these RFP’s against the Guidelines issued by MeitY,
Government of India has been carried out and results are provided in the
Annexure C. The three major standards ISO 27001:2013, NIST 800-53 r4,
CSA-CCM v3.0.1 have been considered for benchmarking the Indian
Government cloud policy, with respect to the selected sample RFP’s. The
RFP’s were evaluated based on their compliancy with the GI cloud policy
parameters, whether they are fully complaint, partially compliant and extent
of non-compliancy, in terms of percentage, as given below:

Applica Partial
Non-
ble Fully ly
Complia
Guideli Compliant Compl
Projects nt
ne Parameter iant
Paramet
Parame s Param
ers
ters eters
 Many of the RFP;s and the applications hosted are not fully complaint
and do not meet some of the key parameters/guidelines of the GI
cloud policy

 It has been observed clearly that there are no GoI guidelines for role
and risks shared by MSP

 It has also been observed that some parts of the applications, are
hosted in that CSP(cloud service provider), which is not empanelled
by GoI.

 Some applications data hosted on the cloud resolves and routes to an


IP of outside India, leading to Data sovernity issue.

 There are application level security issues , as some of the Banking


link on the portal is defunct & no warning on Third Party Site
redirections.

As part of the study, the major threats have also been identified and
categorized, with respect to various stakeholders of cloud computing, as
below:

Threats for Cloud Service Users


From the above details of benchmarking the GI cloud policy with  Responsibility Ambiguity
international Standards like NIST etc and through the evaluation of the  Loss of Governance
RFP’s w.r.t the GI cloud policy, the following learnings have been  Loss of Trust
summarized as below:  Service Provider Lock-in
 It has been observed that the applications that have been already  Unsecure Cloud Service User Access
hosted on the cloud, as per the RFP’s studied without checking their  Lack of Information/Asset Management
compliancy with the GI cloud policy  Data loss and leakage
Threats for Cloud Service Providers
 Responsibility Ambiguity
 Protection Inconsistency
 Evolutional Risks
 Business Discontinuity
 Supplier Lock-in
 License Risks
 Bylaw Conflict
 Bad Integration
 Unsecure Administration API
 Shared Environment
 Hypervisor Isolation Failure
 Service Unavailability
 Data Unreliability
 Abuse Right of Cloud Service Provider
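Two of the Section VI findings above, data that resolves to an IP address outside India and portal links that hand the user to a third-party site without warning, can be checked mechanically rather than by inspection. The following Python script is an added example written for this page; it is not code from the study. It parses a portal page for links, classifies each link as first- or third-party by host, resolves the host, and checks that every returned address falls inside an allow-list of in-country prefixes. A link whose host does not resolve at all is reported as defunct, which is the third finding in the list. The address ranges, hostnames, DNS answers and sample HTML are all constructed for the demo; a department would substitute the published ranges of its empanelled CSPs and resolve through a real resolver (socket.getaddrinfo) from a vantage point inside the country.

```python
"""
Audit a portal page for third-party redirections, defunct links and
hosts whose addresses fall outside approved in-country prefixes.

Added example, not code from the study. Every prefix, hostname, DNS answer
and the sample page below are constructed for the demo.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: address ranges of the empanelled CSPs' in-country regions.
# These two documentation prefixes are stand-ins for the real published list.
APPROVED_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed DNS answers so the example runs offline. In production replace
# lookup() with socket.getaddrinfo() and run from inside the country, because
# CDNs answer differently depending on where the query comes from.
FAKE_DNS = {
    "portal.example.gov.in": ["203.0.113.10"],
    "pay.examplebank.in": ["198.51.100.7"],
    "cdn.example.net": ["192.0.2.44"],    # outside every approved prefix
    "maps.example.org": ["2001:db8::1"],  # IPv6 answer, also outside
}


def lookup(host):
    """Resolve a hostname; an empty list means the name does not resolve (defunct link)."""
    return FAKE_DNS.get(host, [])


class LinkCollector(HTMLParser):
    """Collect (href, link text) pairs for every <a> element on the page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._current = [href, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def audit_page(html, base_url, approved=APPROVED_PREFIXES, resolve=lookup):
    """Return one finding per link: whether it is third-party, resolves, and stays in-country."""
    parser = LinkCollector()
    parser.feed(html)
    base_host = urlparse(base_url).hostname
    findings = []
    for href, text in parser.links:
        host = urlparse(urljoin(base_url, href)).hostname
        if host is None:  # mailto:, tel:, javascript: and fragment links carry no host
            continue
        addrs = resolve(host)
        # Every address must sit inside some approved prefix; a v6 address is
        # never inside a v4 prefix, so it is flagged unless a v6 prefix is listed.
        in_country = bool(addrs) and all(
            any(ipaddress.ip_address(a) in net for net in approved) for a in addrs
        )
        findings.append({
            "text": text.strip(),
            "host": host,
            "third_party": host != base_host,
            "resolves": bool(addrs),
            "in_country": in_country,
        })
    return findings


def problems(findings):
    """The subset an auditor would raise: defunct links and out-of-country hosts."""
    return [f for f in findings if not f["resolves"] or not f["in_country"]]


# Constructed sample page for the demo.
SAMPLE_HTML = """
<html><body>
<a href="/services/pay">Pay fees</a>
<a href="https://pay.examplebank.in/netbanking">Net banking</a>
<a href="https://old.examplebank.in/login">Legacy bank login</a>
<a href="https://cdn.example.net/app.js">Portal script</a>
<a href="https://maps.example.org/locate">Find office</a>
<a href="mailto:[email protected]">Contact</a>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_page(SAMPLE_HTML, "https://portal.example.gov.in/home"):
        party = "THIRD-PARTY" if f["third_party"] else "first-party"
        status = "defunct" if not f["resolves"] else ("in-country" if f["in_country"] else "OUT OF COUNTRY")
        print(f"{f['host']:24} {party:12} {status:15} {f['text']}")
```

Third-party links that resolve in-country are still listed, because the finding in the paper is the absence of a warning on redirection, which the script cannot judge; the auditor uses the third-party flag to decide which links need an interstitial. Note also that an in-country IP address does not prove in-country routing; a traceroute from inside India to each flagged host is the complementary check.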

Further, to manage the above threats, a checklist has been formulated for the various cloud deployment models and service models, mainly IaaS, PaaS and SaaS, as below:

Checklist for Public Cloud

Checklist for Private Cloud
In addition to the above, the following are needed for private cloud deployments:

VII. GUIDELINES & RECOMMENDATIONS FOR CLOUD SECURITY

Outcome - Future Way Forward:

Based on the findings from the examination of the sample RFPs and the evaluation of best practices against the international standards, guidelines have been suggested for a cloud implementer. The main security objectives for a cloud computing implementer should include:
• Protect consumers' data from unauthorized access, disclosure, modification or monitoring. This includes supporting identity management and access control policies for authorized users accessing cloud services, and the ability of a customer to make access to its data selectively available to other users.
• Prevent unauthorized access to cloud computing infrastructure resources. This includes implementing security domains that have logical separation between computing resources (e.g. logical separation of customer workloads running on the same physical server by VM monitors [hypervisors] in a multi-tenant environment) and using secure-by-default configurations.
• Deploy in the cloud only web applications designed and implemented for an Internet threat model.
• Protect the Internet browsers through which cloud services are used from attacks, to mitigate end-user security vulnerabilities. This includes taking measures to protect internet-connected personal computing devices by applying security software, personal firewalls and patch maintenance.
• Include access control and intrusion detection and prevention solutions in cloud computing implementations, and conduct an independent assessment to verify that the solutions are installed and functional. This includes traditional perimeter security measures in combination with the domain security model. Traditional perimeter security includes restricting physical access to networks and devices; protecting individual components from exploitation through security patch deployment; setting the most secure configurations as the default; disabling all unused ports and services; using role-based access control; monitoring audit trails; minimizing privileges to the minimum necessary; using antivirus software; and encrypting communications.
• Define trust boundaries between cloud provider(s) and consumers to ensure that the responsibilities to implement security controls are clearly identified.
• Implement standardized APIs for interoperability and portability to support easy migration of consumers' data to other cloud providers when necessary.
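The objectives above call for secure-by-default configurations, disabling unused ports and services, and restricting administrative access. The following Python script, an added example that is not from the paper, applies those checks to a security-group style ruleset and then produces a hardened equivalent: only ports a workload actually listens on stay open, administrative ports are reachable only from a management network, and cleartext protocols are not exposed to the Internet. The rule format (one dict per rule), the management prefix 10.10.0.0/16, the sample rules and the set of listening ports are constructed for the demo; the port-to-protocol tables are assumptions a department would tune to its own environment.

```python
"""
Secure-by-default audit and hardening of a cloud network ruleset.

Added example, not code from the paper. The rule format, the management
prefix, the port tables and the sample rules are constructed for the demo.
"""
import ipaddress

# Ports that carry administrative or database access (assumption: tune per site).
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
               6379: "redis", 27017: "mongodb"}
# Cleartext services that must never be exposed to the Internet.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}
# Assumption: the department's management network, the only legitimate
# source for administrative access.
MGMT_NET = ipaddress.ip_network("10.10.0.0/16")


def parse_port_range(spec):
    """'443' -> (443, 443); '8000-8010' -> (8000, 8010); '*' -> (0, 65535)."""
    if spec == "*":
        return 0, 65535
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo), int(hi)
    return int(spec), int(spec)


def _from_mgmt(src, mgmt_net):
    """True when every address in src lies inside the management network."""
    return src.version == mgmt_net.version and src.subnet_of(mgmt_net)


def audit_rules(rules, listening_ports, mgmt_net=MGMT_NET):
    """Return (rule name, problem) pairs for every ingress rule that breaks policy."""
    findings = []
    for r in rules:
        if r["direction"] != "ingress":
            continue
        src = ipaddress.ip_network(r["source"])
        lo, hi = parse_port_range(r["ports"])
        opened = set(range(lo, hi + 1))
        world = src.prefixlen == 0  # 0.0.0.0/0 or ::/0
        if not _from_mgmt(src, mgmt_net):
            for port in sorted(opened & set(ADMIN_PORTS)):
                findings.append((r["name"],
                                 f"{ADMIN_PORTS[port]}/{port} reachable from {src}; restrict to {mgmt_net}"))
        if world:
            for port in sorted(opened & set(CLEARTEXT_PORTS)):
                findings.append((r["name"],
                                 f"{CLEARTEXT_PORTS[port]}/{port} exposed to the Internet in cleartext"))
        # "Disable all unused ports": anything open that no workload listens on.
        unused = opened - set(listening_ports)
        if unused:
            findings.append((r["name"], f"{len(unused)} open port(s) with no listener, e.g. {min(unused)}"))
    return findings


def harden(rules, listening_ports, mgmt_net=MGMT_NET):
    """Rewrite the ruleset default-deny: one rule per listening port, admin ports
    pinned to the management network, cleartext-from-Internet rules dropped."""
    out = []
    for r in rules:
        if r["direction"] != "ingress":
            out.append(dict(r))
            continue
        src = ipaddress.ip_network(r["source"])
        lo, hi = parse_port_range(r["ports"])
        for port in sorted(set(range(lo, hi + 1)) & set(listening_ports)):
            if port in CLEARTEXT_PORTS and src.prefixlen == 0:
                continue  # serve the encrypted equivalent instead
            source = r["source"]
            if port in ADMIN_PORTS and not _from_mgmt(src, mgmt_net):
                source = str(mgmt_net)
            out.append({**r, "ports": str(port), "source": source})
    return out


# Constructed sample ruleset and listener inventory for the demo.
SAMPLE_RULES = [
    {"name": "web-https", "direction": "ingress", "protocol": "tcp", "ports": "443", "source": "0.0.0.0/0"},
    {"name": "web-http", "direction": "ingress", "protocol": "tcp", "ports": "80", "source": "0.0.0.0/0"},
    {"name": "ssh-anywhere", "direction": "ingress", "protocol": "tcp", "ports": "22", "source": "0.0.0.0/0"},
    {"name": "ssh-mgmt", "direction": "ingress", "protocol": "tcp", "ports": "22", "source": "10.10.5.0/24"},
    {"name": "legacy-range", "direction": "ingress", "protocol": "tcp", "ports": "8000-8010", "source": "10.0.0.0/8"},
    {"name": "egress-all", "direction": "egress", "protocol": "*", "ports": "*", "source": "0.0.0.0/0"},
]
LISTENING = {22, 443, 8080}  # from `ss -ltn` on the workloads in the group (assumed)

if __name__ == "__main__":
    for name, problem in audit_rules(SAMPLE_RULES, LISTENING):
        print(f"{name:14} {problem}")
    print("hardened:")
    for r in harden(SAMPLE_RULES, LISTENING):
        print(f"  {r['name']:14} {r['direction']:8} {r['ports']:6} {r['source']}")
```

The hardened output is the secure-by-default baseline the objectives ask for; re-running the audit over it returns no findings. The listener inventory is the part that needs discipline in practice: it must come from the workloads themselves, not from the RFP, or the "unused port" check silently passes.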
To sum up the guidelines and the way forward for ensuring the confidentiality, integrity and availability of data in the cloud environment, the following measures are indicated:
1. Develop detailed guidelines for the different cloud service models, i.e. IaaS, PaaS and SaaS.
2. Granular-level guidelines for end-user departments, with process and procedure for cloud deployment.
3. Enforce the implementation of the Cloud Security Policy guidelines and link budget sanctions to the compliance status.
4. Establish a dedicated risk assessment process for the user department, the MSP and the CSP in the implementation of cloud security.
5. Create a common platform for monitoring and guiding end-user departments, MSPs and CSPs in migrating legacy applications to the cloud.
6. Publish guidelines on interoperability and portability of data among CSPs/MSPs.
7. Detailed qualification criteria for MSPs, and guidelines for user departments on the selection of MSPs.
8. A mechanism for auditing/vetting RFPs before release into the public domain, to provide secondary assurance on cloud security requirements.
9. Accountability of user departments, MSPs and CSPs for adherence to the Government of India cloud security guidelines.
10. Awareness creation for user departments about CSP/MSP evaluation and monitoring.
11. Personal and data privacy laws to be framed and linked to the security level in the cloud environment.
12. Benchmarking of existing Government security architecture guidelines against international best practices.

CONCLUSION
This research paper has presented the benchmarking of the Government of India's Policy on Cloud with respect to international standards and guidelines. It has studied and evaluated a few GoI projects that have migrated onto the cloud and provides the way forward for the security precautions to be taken before moving to, while using, and on exiting cloud services. The study also emphasizes the need for a strong and strict cloud governance and management policy, so as to safeguard cloud users' data from potential risks and real-time attacks.

The findings of this paper can be used by Government departments and industry to understand the essential prerequisites, modalities and the follow-up procedure required towards adopting and managing data security in a cloud environment. This will enable the concerned authorities to build a safe and secure platform for adoption of this technology for delivery of services (infrastructure, platform, software) on demand. The study emphasizes the need for a strong and strict governance and management policy for the GI cloud, based on the gaps identified from the study of the sample RFPs. In future, more RFPs may be explored and studied, for both central and state level cloud deployments, both those already implemented and those yet to be implemented.

ACKNOWLEDGEMENT
This study has been conducted as part of the joint collaboration work with ICISA, and the research would not have been completed without the timely inputs and valuable suggestions of DG, ICISA, Noida.

APPENDIX
The checklist and the detailed standards evaluation are provided in the Annexures listed in the Appendix.

REFERENCES
[1] Evaluation Criteria for Cloud Services. Available from: https://www.researchgate.net/publication/261436007_Evaluation_Criteria_for_Cloud_Services [accessed 12 Sep 2018].
[2] https://economictimes.indiatimes.com/news/economy/policy/how-safe-is-digital-india-indias-vast-data-pools-need-to-be-secured-with-tighter-de-risking-tools/articleshow/62489823.cms
[3] eKranti. Available from: http://digitalindia.gov.in/content/ekranti [accessed 10 Oct 2018].
[4] W. Jansen and T. Grance, Guidelines on Security and Privacy in Public Cloud Computing, NIST Special Publication 800-144.
[5] Policy Report on GI Cloud Strategic Direction Paper, MeitY.
[6] Policy Report on GI Cloud Adoption and Implementation Roadmap, MeitY.
ANNEXURES

Annexure A: Audit Checklist

Annexure B: Benchmark of CSP empanelment with CCM 3.0.1 Matrix

SN | Domain | GoI CSP Audit Criteria Compliance | CCM CSP Guidelines Score | CSP Guidelines Mapping Score | Mapping Score in %
1 | Mobile Security | No | 200 | 50 | 25.00
2 | Identity & Access Management | Partial | 130 | 78 | 60.00
3 | Business Continuity Management & Operational Resilience | Full | 110 | 98 | 89.09
4 | Infrastructure & Virtualization Security | Partial | 130 | 75 | 57.69
5 | Governance and Risk Management | Full | 110 | 97 | 88.18
6 | Datacenter Security | Partial | 90 | 60 | 66.67
7 | Supply Chain Management, Transparency, and Accountability | Full | 90 | 78 | 86.67
8 | Data Security & Information Lifecycle Management | Partial | 70 | 38 | 54.29
9 | Change Control & Configuration Management | Partial | 50 | 35 | 70.00
10 | Interoperability & Portability | No | 50 | 10 | 20.00
11 | Security Incident Management, E-Discovery, & Cloud Forensics | Full | 50 | 40 | 80.00
12 | Audit Assurance & Compliance | Partial | 30 | 20 | 66.67
13 | Encryption & Key Management | Partial | 40 | 25 | 62.50
14 | Application & Interface Security | Full | 40 | 35 | 87.50
15 | Threat and Vulnerability Management | Partial | 30 | 15 | 50.00
16 | Human Resources | Full | 110 | 98 | 89.09
   | Total | | 1330 | 852 | 64.06
Annexure C: Benchmark of CSP empanelment with NIST 800-53 Rev 4

CN | Control Name | GoI CSP Audit Criteria Compliance | Total Controls | Total Score | CSP Score | %
AC | Access Control | Partial | 23 | 230 | 145 | 63.04
AT | Awareness and Training | Partial | 4 | 40 | 20 | 50.00
AU | Audit and Accountability | Partial | 16 | 160 | 75 | 46.88
CA | Security Assessment and Authorization | Partial | 8 | 80 | 30 | 37.50
CM | Configuration Management | Partial | 11 | 110 | 75 | 68.18
CP | Contingency Planning | Full | 12 | 120 | 95 | 79.17
IA | Identification and Authentication | Partial | 11 | 110 | 70 | 63.64
IR | Incident Response | Partial | 10 | 100 | 50 | 50.00
MA | Maintenance | Partial | 6 | 60 | 25 | 41.67
MP | Media Protection | Full | 8 | 80 | 70 | 87.50
PE | Physical and Environmental Protection | Full | 19 | 190 | 155 | 81.58
PL | Planning | Partial | 6 | 60 | 40 | 66.67
PM | Program Management | No | 16 | 160 | 40 | 25.00
PS | Personnel Security | Full | 8 | 80 | 65 | 81.25
RA | Risk Assessment | Partial | 5 | 50 | 30 | 60.00
SA | System and Services Acquisition | Partial | 20 | 200 | 115 | 57.50
SC | System and Communications Protection | No | 41 | 410 | 95 | 23.17
SI | System and Information Integrity | No | 16 | 160 | 35 | 21.88
   | Total | | 240 | 2400 | 1230 | 51.25

Annexure D: Mapping of Project Compliance with Guidelines of Government of India

Project 1

GoI Guidelines | Implemented | GEM Portal RFP | State of Punjab RFP
Cloud Services Requirements | | |
Environment to be set up | NA | Yes | Yes
The Service model Requirements | NA | Yes | Yes
Defining the Requirements for Cloud Services | NA | Yes | Yes
Details of Existing Software Licenses | NA | NA | NA
Additional Requirements specific to a project | NA | Partial | Partial
CSP Support Requirements | NA | Yes | Yes
Security – Shared Responsibility | NA | Yes | Yes
Migration of existing applications | NA | NA | NA
Operation and Maintenance | NA | Yes | Partial
a. Resource Management | NA | Yes | Partial
b. User Administration | NA | Yes | Partial
c. Security Administration and monitoring Security Incidents | NA | Yes | Partial
d. Monitoring Performance and Service Levels (Availability, Incident Management, Performance) | NA | Yes | Partial
e. Backup | NA | Yes | Partial
f. Usage Reporting and Billing Management | NA | Yes | Partial
Exit Management / Transition-Out Services | NA | Yes | Not included
Managed Services | NA | Yes | NA
a. Disaster Recovery | NA | Yes | Partial
b. Exit Management Services | NA | Yes | NA
c. Operation and Maintenance Services | NA | Yes | Partial
d. Support Third Party Audit and other requirements (e.g., Forensic Investigations...) | NA | Yes | Yes
Role of Government Departments in Operations Phase | NA | Yes | Partial
Contractual Terms and Service Level Objectives | NA | Yes | Partial
Annexure | | |
I. Infrastructure as a Service (IaaS) Requirements | NA | |
a. Pre-Production and Production Environment Requirements | NA | Yes | Yes
b. Disaster Recovery Environment (indicative list below) | NA | Yes | Partial
II. Platform as a Service (PaaS) Requirements | NA | NA |
Contract Terms | | |
Information Security | | |
a. Certification/Compliance | NA | Yes | Yes
b. Privacy and Security Safeguards | Partial | Yes | No
c. Confidentiality | Partial | Yes | Partial
d. Location of Data | Partial | Yes | No
e. E-Discovery | NA | Yes | No
f. Law Enforcement Request | Partial | Partial | No
Audit | NA | Yes | Yes
Transitioning/Exit | NA | Yes | NA
Performance Management | NA | Yes | Partial
Payment Terms | NA | Yes | Partial
Service Levels | | |
Availability | NA | Yes | Yes
Support Channels - Incident and Helpdesk | NA | Yes | Partial
Response Time | NA | Yes | No
Performance | NA | Partial | Partial
Security Incident and Management Reporting | NA | Yes | Partial
Vulnerability Management | NA | Yes | Partial
Indicative SLOs for MSP/SI | NA | Yes | NA
Measurement and Monitoring | NA | Yes | Yes
Periodic Reviews | NA | Yes | Partial
Penalties | NA | Yes | Yes
Smart City Projects: Evolution and Security Concerns with Reference to Internet of Things (IoT) Technology

Abstract—Across the world, governments are conceptualising smart cities to improve the quality of life of citizens with the help of smart technologies. Cities may become smarter, but in the absence of a holistic cyber security strategy this may not be a sustainable proposition: with increasing levels of digitization, the potential for attack on the ICT and OT components of a city is expected to expand significantly. The emerging risks are rising and becoming more advanced, such as installation of ransomware leading to disruptions, botnet armies building a large DDoS against city infrastructure, and panic and harm to citizens from disabling or sabotaging city infrastructure. The priority of smart cities is to thwart the above attacks and robustly prepare for them. The plan to prepare against complex cyber risks may consist of strategy, policies, procedures, capabilities and services. Emerging best practices are, but are not limited to, end-user awareness, endpoint protection, segmentation of network traffic, data loss prevention, bi-directional DDoS mitigation etc. It is evident that investment in security would be very productive, as the costs of disruption may be quite disproportionate to the investments to be made in cyber security. Due diligence may result in promoting a culture of secure innovation, generating new opportunities for investment, and providing impetus to vibrant and economically competitive cities. This paper provides guidance on the cyber security of smart cities and is intended to serve as a starting point for smart city stakeholders to build robust and resilient smart cities.

I. INTRODUCTION
In the next two decades more than 600 cities are expected to propel 65% of global GDP growth, and the top 100 smart cities may account for 35% of global growth, as per a McKinsey report. The competition to excel at building smart cities across the world has begun. The objectives are to make future cities vibrant and business friendly, promoting innovation, strengthening infrastructure and enriching the living conditions of the citizens. Global investments in smart cities are proliferating and no country wants to lag behind: China currently has 300 cities on the drawing board, Singapore is planning a smart nation, Taiwan has initiated a USD 625 million IoT fund, Korea is pushing Seoul as a model city of the world, Australia is planning 30-minute smart cities, Denmark is aiming to become a city with zero problems and India is aiming to build 100 smart cities [1][2].

The livability quotient of cities is dropping due to the rapid population influx and urbanization that is straining city infrastructure, degrading the environment and deteriorating living conditions. Cities are facing acute pressures of population growth, economic crisis, higher than normal levels of pollution, increased demand for power and other resources, deteriorating city infrastructure, traffic congestion etc. [6]. It has become a daunting task for governments and municipalities to even furnish essential public services to citizens. The only way out of this complex scenario is for the government of a country to take focused and ambitious initiatives to foster sustainable smart cities for resource management and economic growth. For efficient utilization of city resources and other environmental non-renewable resources, there is an urgent need to determine and deploy intelligent and innovative technological solutions for administering and delivering city resources [3].

But what exactly is a Smart City? What makes a city smart and intelligent? Even though there is no unanimously accepted standard definition of what constitutes a smart city, different consortiums and organizations across the world have defined smart cities with different approaches. The ITU-T Focus Group on Smart Sustainable Cities defines a smart sustainable city as an "innovative city that uses information and communication technologies (ICTs) and other means to improve quality of life, efficiency of urban operation and services, and competitiveness, while ensuring that it meets the needs of present and future generations with respect to economic, social and environmental aspects" [3]. The BSI Standards Publication elucidates, "Smart cities is a term denoting the effective integration of physical, digital and human systems in the built environment to deliver a sustainable, prosperous and inclusive future for its citizens" [4]. ECSO explains, "A smart city is an urbanised area where multiple sectors cooperate to achieve sustainable outcomes through analysis of contextual real-time information shared among sector-specific information and operational technology systems" [6]. NIST defines, "Smart City is the integration of data and digital technologies into a strategic approach to sustainability, citizen well-being and economic development" [8].
The systems and infrastructure, whether from the ICT or the OT family, which city planners are aiming to digitize and integrate are vulnerable to cyber-attacks from adversaries. The emerging risks are rising and becoming more advanced, e.g. installation of ransomware leading to disruptions, tampering of city information, botnet armies building a large DDoS against city infrastructure, leakage of smart city databases, and panic and harm to citizens from disabling or sabotaging city infrastructure. The city architectural approaches that intertwine ICT and OT warrant a holistic treatment. From bottom to top, the architecture may consist of layers such as sensors, communication, data and application. Each layer requires protection, either unique to its own requirements or security which protects the layers interconnected to each other. Each component of the city is of prime importance from a resilience and protection viewpoint, and hence requires special attention through a cyber security lens.

The priority of smart cities is to thwart the above attacks and robustly prepare for them. The plan to prepare against complex cyber risks may consist of strategy, policies, procedures, capabilities and services. Emerging best practices are, but are not limited to, end-user awareness, endpoint protection, segmentation of network traffic, data loss prevention, bi-directional DDoS mitigation etc. The ever-rising attack surface is pushing the city boundaries, hence this is the pertinent time to act and build resilient cities at the earliest. This paper may serve as a starting point for smart city stakeholders to build trustable and resilient cities. The paper is divided into the following sections: (I) Introduction, (II) Building Blocks of Smart Cities, (III) Architectural Approaches to Secure Smart Cities, (IV) Threat & Risk Scenarios, (V) Cybersecurity Key Learnings for Smart Cities and (VI) Conclusion.

II. BUILDING BLOCKS OF SMART CITIES
To make cities smart and sustainable, innovative and affordable technology-driven solutions must be designed to address the labyrinth of economic, social and environmental needs of the city and its citizens, such as: clean air and water, adequate and timely food supplies, safety and security of citizens, disaster management, ample job and business opportunities, health and well-being of citizens and prevention of epidemics, uninterrupted power supply, appropriate waste disposal, convenient means of transportation etc. [4]. These myriad smart city needs are the motivations behind the building blocks of a smart city as proposed by various consortiums, think-tanks and research organizations. These building blocks, and some of their illustrative smart solutions that may be considered, are shown in Figure 1 and Table I. Even though it may not be necessary for a city to roll out all the smart solutions for every building block at its inception stage, an extensible and flexible strategy is recommended while conceptualizing a smart city from scratch. Such a futuristic strategy shall permit fabricating the smart city solutions incrementally. In light of this, it is imperative to have foresight and interconnect a city's common infrastructure, datasets and technologies [10]. While designing and planning such smart cities the aspirations should be to: (i) enhance the livability conditions in the city, which shall in turn improve the quality of life and productivity of the citizens, (ii) contrive and compound the physical or hard infrastructure in the city, (iii) preserve and protect the environmental landscape and natural resources of the city, (iv) boost the economic growth of the city and foster circumstances for ease of doing business, (v) ensure equity and social inclusion of citizens from all strata and segments of the city so that every citizen is enabled and empowered to derive benefits from a sustainable smart city; these may become the key performance indicators to evaluate a smart city [9].

[Fig. 1. Building Blocks of Smart Cities: Smart Energy, Smart Mobility, Smart Buildings, Water Management, Smart Governance & Administration, Smart Business & Economy, Smart Tourism, Smart Healthcare, Smart Education, Smart Security & Surveillance, Smart Emergency Services & Risk Management and Waste Management, arranged around a core of Internet & Communication Technologies and Sensor Networks]

A smart city may be planned and developed in three ways, depending on the city's existing state of affairs and the envisioned smart aspirations for the future city; the SPV may accordingly strategize the smart projects and initiatives. The first is a retrofitting or improvement-based approach, where brownfield communities are developed by overlaying existing city infrastructure with multiple smart and innovative ICT-based solutions and projects. The second strategy is a renewal or redevelopment-based approach, where small smart plants such as neighbourhoods, blocks, harbours etc. are developed from scratch inside the city or by extending the city. The last strategy is to develop greenfield cities or new cities, which means to plan and develop the smart city from scratch or ground zero [7][3].

Information and Communication Technologies and Sensor Networks are the underlying backbone of sustainable smart cities. Machine-to-machine and machine-to-human communication is what makes the realization of smart cities possible. ICT connects and glues together the various building blocks of a smart city for a seamless delivery of services to the end user [5]. The advancements in Information and Communication Technologies like 4G, LTE, 5G, high speed broadband internet, FTTH, WiFi, Home Area Networks like Bluetooth, Zigbee etc. and Wireless Sensor Networks like RFID, NFC and DASH7 are the propelling fuel for the smart cities mission of countries around the world [12]. It is impossible to foster a smart city without ICT and WSN, which form the solid bedrock foundation of every IoT-based solution. Some other technological trends and advancements that have accelerated the incubation and blossoming of smart cities are: Big Data Analytics, Cloud Computing, Embedded Systems & IoT, Mobile & Ubiquitous Computing, and Geographic Positioning Systems.

TABLE I
SAMPLE SMART CITY SOLUTIONS FOR VARIOUS BUILDING BLOCKS

Building Block | Smart Solutions
Smart Energy | Smart meters and microgrids to conserve energy based on usage patterns, energy-efficient delivery systems, smart street lighting, clean energy and low CO2 emissions
Smart Mobility | Ride-sharing mobile apps, traffic and congestion management via smart signals, smart parking, self-driving vehicles, automated toll and challan tendering, GPS maps, GPS-enabled vehicles and real-time navigation support, detailed and accurate public transport schedules
Smart Buildings | Connected and voice-controlled home appliances, sensors to monitor and regulate energy consumption, voice support to control devices, smart indoor lighting and temperature control/HVAC, smart home entertainment solutions
Water Management | Smart meters, efficient water distribution networks like electric grids to minimize wastage [11], water quality detectors
Smart Government & Administration | Smart delivery of government services like subsidies and ID documents, e.g. renewing DL and vehicle RC, automated tax collection, online delivery of public services via municipalities, GIS-linked land usage information for better urban planning [11]
Smart Business & Economy | Civic hackathons, online job portals, improving ease of doing business and streamlining tender and procurement processes, free public WiFi, boosting e-commerce and delivery channels, video conferencing and similar solutions to improve employee productivity
Smart Tourism | Information booths and kiosks, travel booking help desks and portals, heritage preservation, recreational activities, free hotspots and USB charging sockets [11]
Smart Healthcare | Wearable health monitoring devices, AR/VR-based smart solutions for remote health monitoring and diagnosis, doctor-on-call style M-Health solutions
Smart Education | Smart classes, AR/VR-based virtual learning, e-learning portals
Smart Security & Surveillance | Face and biometric recognition and use of CCTVs and drones for live surveillance, real-time video analytics for crime and terrorism prevention
Smart Emergency Services & Risk Management | Real-time social media content monitoring, AR/VR-assisted displays for emergency response teams, environment and weather sensors, smart evacuation systems, monitoring of air quality, disaster management solutions, fire detectors
Waste Management | Sensor-enabled garbage bins, solid waste disposal

III. SMART CITY ARCHITECTURE & CYBER SECURITY
The smart city foundational approaches and architectures differ with respect to the objectives a city aspires to achieve. The preceding section illustrated the basic building blocks of smart cities as proposed by various global consortiums or envisaged by countries for their cities, including India. The next endeavour is to understand smart city architectural distinctions, which can be achieved by exploring architectural approaches and their interconnection with cyber security constituents. It is imperative to learn the potpourri of architectural choices as defined by different institutions, in order to select a hybrid approach based on a city's needs, objectives and goals and so ensure security, safety and resiliency.

Think-tank institutions such as NIST, ENISA and CSA have taken a lead globally in defining standard cyber security architectures for smart city implementations. At the same time, regulators and capability providers have also defined approaches to secure smart cities globally. This section entails a study of the cyber security architectures proposed by various institutions, to derive a best-practices model for envisioning secure smart cities. In this section we first discuss the global architectures proposed and implemented by consortiums and countries, and then we deliberate on India's approach to securing smart cities as envisaged by its Ministry of Housing and Urban Affairs Cyber Security Guidelines. Each architectural approach is studied with a framework consisting of the following elements: capture the philosophy for broader understanding, the nuances of cyber security considerations, and the key learnings from a cyber security perspective while conceptualizing a smart city.

A. NIST [13][14]
Philosophy: Smart city blocks and architecture consist of separate cyber security functions which warrant distinct treatments.

1) Cyber Security Approaches
• Functions to be considered for cyber security are, but are not limited to, asset management, business environment, risk management, identity management, data protection, continuous monitoring, response and recovery, incident management, protection processes, awareness and training
 For each cyber security function, requirement mapping is warranted

2) Key Learnings
 City needs to build an application and device inventory
 Business environment mission, objectives and dependencies need alignment with the cyber security goals of cities
 Cyber security policy with a defined RACI matrix, mapped to the compliance landscape
 A separate risk management function consisting of processes, threat maps and mitigation strategies
 Identity and access management encompasses authentication, credential management, remote access, role based access, network integrity and device management
 Data protection at rest and in motion
 Detection of anomalies and their correlation, augmented with robust security monitoring
 Strategy and plans for response and recovery in case of cyber incidents
 Defined protection processes for areas such as secure development, security change management, BCP/DR
 Awareness & trainings for all stakeholders

B. ENISA [15]
Philosophy: Smart city architectural components require an integrated cyber security strategy; ICT and OT cyber requirements intertwine for a safe smart city.

1) Cyber Security Approaches
 Cyber requirements defined for different layers from bottom to top, which are field components, data transmission network, data processing, data aggregation & connectivity, smart processing
 Threat mapping as per the different architectural layers

2) Key Learnings
 To protect field components, hardware and software diagnostics processes and capabilities are a must; other areas include legacy infra refresh, device hardening and building resiliency
 Hardware redundancy strategy and shutdown procedures are to be defined for protecting field components, which is to be augmented with M2M and network security
 For data processing the key elements are encryption, monitoring, debugging, log capturing and monitoring, and the role of response teams
 Smart processing is to be protected with KPI monitoring, design specifications, the InfoSec policy of a city, an incident reporting system, web services protection and access control

C. CSA [16]
Philosophy: Cyber security of a smart city is to be strategized and conceptualized across the different stages of planning and implementation.

1) Cyber Security Approaches
 Cyber requirements of a smart city require attention from the following perspectives: Design & Planning, Implementation, Operations & Maintenance, Disposal

2) Key Learnings
 For design and planning, the cyber security constituents which require consideration are cryptography, authentication, authorization, secure updates, alert & logging, anti-tampering, secure by default, fail-safe, SLA based security, vulnerability assessment and penetration testing
 When the city moves into the implementation stage, the following cyber security contours need to be prioritized: secure delivery of technology, system administration, managing dormant accounts, auditing of security events, password protection
 During operations & maintenance, the city requires monitoring of stability & abnormal behaviors, patching, regular assessment & auditing, protecting the logging environment, access controls, cyber threat intelligence, recovery mechanisms
 Lastly, for the disposal stage, the city needs to avoid repurposing technology, securely erase data, and replace vendors as and when required

D. UAE [17]
Philosophy: Secure the key components of a smart city, i.e. IoT, M2M, Cloud and Big Data.

1) Cyber Security Approaches
 Approaching cyber security of a smart city with layered protection, which is to include city data sources, IoT, infrastructure, service enablement, application

2) Key Learnings
 Common protection mechanisms for the city data sources and IoT layer are as follows: MPLS isolation, IPsec encryption, SSL, SIEM, information security governance, device enrolment & management
 To protect the infrastructure, service enablement & application layers, multifactor federated authentication, web application firewall, load balancers, storage encryption, policy management, single sign on etc. are required
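The CSA design-stage constituents above (cryptography, authentication, anti-tampering) and the UAE learning on device enrolment & management leave open how a city gateway actually tells an enrolled sensor from a cloned or replayed one; the replay and tag-cloning threats catalogued in Section IV are the failure modes. The Python below is an added example written for this page, not code from the paper or from any of the bodies it surveys: a challenge-response check in which the gateway issues a single-use nonce and the device answers with an HMAC over its identifier, the nonce and a monotonic counter. The device identifier, the keys and the message layout are assumptions of the example; the paper specifies no protocol.

```python
"""Added example (not from the paper): replay-resistant device authentication
for a smart-city sensor enrolment flow.  Device IDs, keys and the message
layout are constructed for illustration; the paper specifies no protocol."""
import hashlib
import hmac
import secrets


def _tag(key: bytes, device_id: str, nonce: bytes, counter: int) -> bytes:
    """HMAC-SHA256 over (device_id || nonce || counter); binds the response
    to this device, this challenge and this position in the sequence."""
    msg = device_id.encode() + nonce + counter.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


class Gateway:
    """City-side gateway: per-device enrolment keys, outstanding nonces and
    the last accepted counter (the anti-replay state)."""

    def __init__(self) -> None:
        self.keys = {}          # device_id -> enrolment key
        self.pending = {}       # device_id -> outstanding nonce
        self.last_counter = {}  # device_id -> highest accepted counter

    def enrol(self, device_id: str, key: bytes) -> None:
        # Key is provisioned out of band at enrolment (factory or onboarding).
        self.keys[device_id] = key
        self.last_counter[device_id] = 0

    def challenge(self, device_id: str) -> bytes:
        if device_id not in self.keys:
            raise KeyError(f"unknown device {device_id}")
        nonce = secrets.token_bytes(16)   # fresh per challenge, single use
        self.pending[device_id] = nonce
        return nonce

    def verify(self, device_id: str, counter: int, tag: bytes) -> bool:
        nonce = self.pending.pop(device_id, None)    # consume the challenge
        key = self.keys.get(device_id)
        if nonce is None or key is None:
            return False
        if counter <= self.last_counter[device_id]:
            return False                             # replayed or stale
        if not hmac.compare_digest(_tag(key, device_id, nonce, counter), tag):
            return False                             # wrong key: clone/spoof
        self.last_counter[device_id] = counter
        return True


class Device:
    """Field device holding its enrolment key and a monotonic counter."""

    def __init__(self, device_id: str, key: bytes) -> None:
        self.device_id, self.key, self.counter = device_id, key, 0

    def respond(self, nonce: bytes) -> tuple:
        self.counter += 1
        return self.counter, _tag(self.key, self.device_id, nonce, self.counter)


def demo() -> tuple:
    """Returns (genuine accepted, replay rejected, clone rejected, genuine again)."""
    gw = Gateway()
    key = secrets.token_bytes(32)
    dev = Device("sensor-0042", key)          # constructed identifier
    gw.enrol(dev.device_id, key)

    # 1. Genuine exchange.
    counter, tag = dev.respond(gw.challenge(dev.device_id))
    genuine = gw.verify(dev.device_id, counter, tag)

    # 2. Replay: the captured (counter, tag) is resent against a new challenge.
    gw.challenge(dev.device_id)
    replay = gw.verify(dev.device_id, counter, tag)

    # 3. Clone: attacker knows only the identifier, not the enrolment key.
    nonce = gw.challenge(dev.device_id)
    forged = _tag(b"guessed-key", dev.device_id, nonce, counter + 1)
    clone = gw.verify(dev.device_id, counter + 1, forged)

    # 4. The real device still authenticates with a fresh challenge.
    counter2, tag2 = dev.respond(gw.challenge(dev.device_id))
    again = gw.verify(dev.device_id, counter2, tag2)
    return genuine, not replay, not clone, again
```

The counter check runs before the MAC check so a replayed response is refused even when the attacker also captured a valid tag, and the nonce is consumed on the first verification attempt so a second guess against the same challenge gets nothing.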
E. France Telecom Authority [18]
Philosoph: Smart city security is to be envisaged on the basis of the basic ICT/OT units of smart cities.

1) Cyber Security Approaches
 Basic units to be considered for securing smart cities are application, information, management and integrated communication
 Each unit to be protected on the basis of threat analysis as applicable

2) Key Learnings
 For the application unit of a smart city one may require physical asset monitoring, embedded networks and industrial monitoring capabilities
 For the information and management unit one may require use of monitoring capabilities and security process management
 To protect integrated communication, a refresh of legacy infra and building visibility on interconnections are warranted

F. Capability Provider I [19]
Philosophy: Derive cyber security requirements based on the components of the basic building blocks of smart cities, augmented with threat analysis.

1) Cyber Security Approaches
 Basic building blocks of smart cities can be as follows: energy, transportation, connectivity, environment & governance

2) Key Learnings
 Cyber security measures to include: manual override by design, pen-test to check on stability & reliability, encryption of data, patch testing, device binding, firmware isolation, EEPROM secure configuration, radio signals encryption, web application firewalls, security policies, privacy by design

G. Capability Provider II [20]
Philosophy: Build cyber security considerations with the aid of key architectural principles.

1) Cyber Security Approaches
 Principles to consider are the following: automation, sensor device security, system level authorization, secure data streams, threat intelligence, data segmentation & encryption

2) Key Learnings
 Best practices to include areas such as, but not limited to, secure access of devices with VPN, sensor data routing based on data classification policies, securing telemetry data, role-based access controls, API security, secure gateway provisioning, gateway tunneling and port binding, brokers communication encryption, inbound ports closed by default, unique identifiers for devices

H. Cyber Security Guidelines of Ministry of Housing and Urban Development, India
India has begun its journey to envisage 100 smart cities in different parts of the country. The task at hand is herculean and complex, especially considering the demographics of India as a nation. At city level the infrastructure of municipalities is to be digitized and integrated. During the journey of digitization of city infrastructure, it is evident that new cyber and security risks are expected to emerge. This sub-section entails an architecture layer wise analysis of India's efforts on building cyber security best practices. We enlist the Cyber Security Guidelines mandated by the Ministry of Housing and Urban Development to be followed by all upcoming smart cities in India.

1) Application Layer
 Authentication and authorization for users and administrators of smart city applications
 Secure API management as per its interconnections with the data layer
 Web application firewall to filter harmful traffic
 Security incident and event management to build visibility on attacks and deploy mitigations
 Identity and access management to secure end citizen and workforce identities
 Intra application traffic to be encrypted
 Role based access to be defined for managing city applications
 Application architecture to follow the principle of zoned architecture or demilitarized zones as per business criticalities
 Procedures for incident management and reporting
 Regular vulnerability assessment and penetration testing to be carried out for city resiliency preparedness
 Secure API integration and management
 Web architecture protection
 Citizen security and safety
 Building federated access management
 Secure implementation of service orchestration

2) Data Layer
 Deploy data leak prevention
 To be treated as a gateway between application and communication layer
 Data classification policy, procedures and system to be implemented
 Privacy enhancing technologies such as encryption, anonymization, masking, tokenization to be leveraged as per criticality of data
 Data flows to be defined
 Applications to be aligned with data flows
 Creation of zoned architectures as per data flows and criticality
 Visualization of data
 Data privacy
 Segmentation of data
 Secure binding between app and data layer
 Securing data during analytics for delivery of services

3) Communication Layer
 Authentication and authorization for users and administrators of smart city networks
 Network security appliances such as firewalls, IDS/IPS, anomaly detection, DDoS and APT protection
 Communication layer to be integrated with data diodes
 Role based access principle to be followed for network architects' and administrators' accounts
 Network segmentation as per city policies, which is to be augmented with creation of zones
 Gateway traffic to be encrypted
 Unidirectional traffic
 Industrial traffic protection
 Deep packet inspection
 Pattern recognition for detection of anomalies
 Resilient network architecture

4) Sensor Layer
 Authentication and authorization of sensors and devices
 Device discovery to be deployed for visibility on field components
 Dynamic provisioning and onboarding of city assets
 Secure remote administration leveraging tunneling
 Network segmentation as per field components' and sensors' criticalities
 Sensor and network binding to avoid rogue connection scenarios
 Hardening of field components, sensors and devices
 SSL for securing traffic of sensors
 Operational technologies discovery
 Baseline monitoring
 Device centric authentication
 Securing programmable logic controllers
 Monitoring of signals

IV. SMART CITY THREATS AND RISK SCENARIOS
The concept of a smart city is building interconnectivity between traditional infrastructure and information and communication technologies, to create a system for resource efficient and real-time services to be provided in the urban environment. A smart city leverages state of the art technologies and city infrastructure to provide a higher quality of living. Though technologies assist in making a better lifestyle within a smart city, they also expose the end infrastructure, data and citizens to a larger cyber threat landscape. A single invasion into the interconnected systems of a smart city can leave the entire city in havoc; hence it is prudent for smart cities to focus on cyber security and provide a safe and secure environment for the end citizens.

Preceding sections illustrated the basic building blocks of smart cities and their cyber security architectural distinctions in the global and Indian context. This section covers cyber security aspects of smart city infrastructure, mainly divided into three major areas: A. Security threats to smart city building blocks; B. Smart city architecture - layer wise security threats; C. Risk analysis, scenarios and mitigations.

A. Smart City Building Blocks & Threat Landscape
This section maps threats against the following five main systems that are essentially required to be in the smart city, i.e. Smart Energy, Smart Mobility, Smart Water, and Smart Public Services.

1) Smart Energy [32]
Threats to smart energy are categorized into the following categories, but not limited to: network availability, data integrity, information privacy. Some of them are discussed below.
Availability Attacks (DDoS): Open communication infrastructure is embedded into smart grids for data exchange, which makes the smart grid vulnerable to attacks such as DDoS. Such attacks target the time constraints and load frequency control of the smart grid, creating an adverse impact on delivery of messages and availability of edge devices.
Rogue/Infected devices: Malware propagation in smart grid devices exploits common hardware vulnerabilities. All smart systems are interconnected, due to which distribution occurs at an expedited rate within devices and there is a possibility of escalation to other architecture layers.
Communication Protocol Vulnerabilities: Vulnerabilities in the communication protocol stack of IPv4, IPv6 and TCP/IP, which is commonly leveraged by smart grids to communicate with the central system, can potentially be exploited because of improper configuration of the networks.
Jamming Attack: The wireless power network connecting smart grids/appliances is jammed by unusual and illegitimate traffic, which may result in interruption of legitimate communication.

2) Smart Mobility [32]
Threats to smart mobility are categorized into the following categories, but not limited to: physical threats, threats to communication channels, cloud data protection.
Fault Injection: Fault/malicious content injection into vehicle networking components; an attack on the ECU
module or software controller leads to engine operation failure in smart vehicles and can defeat the central managing system.
Side Channel Attacks: A smart public transport system periodically generates data and pushes it to centralized storage systems. A side channel attack is a potent attack mechanism, which may break the cryptographic standards and result in data leakage during transit.
Man in the Middle: MITM attacks, an interception attack, are executed through various attack mechanisms such as session or cookie hijacking and wireless network eavesdropping. Man in the middle on the communication channel between a component of a smart car (for e.g. the ECU) and cloud storage results in exposing sensitive information to the attacker.
Replay Attacks: Malicious entities carry out a replay attack by delaying or repeating data transmissions. In smart mobility systems a replay attack is applicable against data transmitted over the network, internally between ECUs or between vehicles and control centers.
Targeted Malware attacks: ECUs, engine modules and software controllers often run on embedded versions of Linux or Windows; malicious code injection or targeted malware attacks through USB devices, phishing or remote downloads may compromise connected entities in the smart mobility ecosystem.

3) Smart Water [33]
Cyber threats to a smart city water system are classified into the following categories, but not limited to: threats on sensing devices, sub-component communication, end user applications.
Data Tampering: Data being deliberately altered or edited during its transmission from sensors to central storage could allow an attacker to change water usage readings.
Jamming: Adversaries continuously monitor the wireless network to determine the frequency of data transferred between two nodes. An attacker could send malicious data packets to hinder the reception of data at the receiver end. In a water system it could result in unavailability.
Fault Injection: Physical layer attacks such as fault injection attempt to insert malicious content into a device to cause system failure. Due to the failure, devices/sensors could not collect the data and could disturb the smart water management flow.
Software System Flaws: Software system flaws or weaknesses in user applications compromise user security. In a smart water management system, common vulnerabilities such as format string, directory traversal, XSS and overflow permit an attacker to change configuration, manipulate statistics etc.

4) Smart Public Services [34]
Emerging technologies and innovation in the traditional urban landscape also bring new threats and risks, which may directly impact residents, city administration and businesses. Cyber security threats applicable to smart traffic control systems, smart lighting systems, surveillance & overall smart city administration are discussed below.
A traffic control system has three major components: 1) Micro Control: road network strategy, 2) Macro Control: demand prediction control at every intersection, 3) Information Transmission: information detector. Compromise of any one of the above components may adversely impact the entire traffic control system. Interception attacks (i.e. MITM) due to vulnerabilities in the communication channel would also allow an attacker to read information from sensors and manipulate the signals.
Traffic and surveillance cameras are the eyes of the city; a vulnerability in the DVR and OSD controller, or cameras accidentally accessing the open internet, could make the city blind. The city authority may not be able to access cameras when required. DDoS is the most common attack on smart surveillance.
Smart city administration is responsible for governance and all other management activities within smart cities. Lack of a firm cyber security strategy and plans, user access management and security testing would give an attacker humongous opportunities to cause harm.

B. Smart City Architecture Layers & Threat Landscape
In this sub-section we try to analyze possible threats to a smart city as per its different architectural layers.

1) Sensor/Device Layer [35]
In smart city architecture, the Internet of Things sensor layer incorporates a large number of distinct and heterogeneous devices. Radio Frequency Identification (RFID) tags are implemented in the various sensor-based components/devices of smart cities and are prone to many cyber-attacks that we discuss here. Communication between RFID tags and the reader is achieved via the unique Electronic Product Code (EPC). RFID tags are prone to unauthorized access by illegal users, causing data theft.
Tag Killing: Tags can be made useless with the help of techniques such as the application delete or kill command by the attacker. Due to this the reader may be unable to read or identify the tags.
Tag Cloning: Tag cloning gains data from the original tag and makes an unauthorized copy of the captured data on a new tag.
Spoofing: In a spoofing attack, tag data is duplicated and communicated to the reader. A spoofing attack exploits a vulnerability in the protocol used in RFID communication.
Eavesdropping (MITM, DNS Spoofing, ARP Poisoning): Insecure communication between the sensor and the centralized server also affects the integrity of the data. As data is transmitted to the centralized server, communications could be intercepted and manipulated, which could cause the sensors to relay incorrect actions and the servers to record false events.
Remote Exploitation: Remote exploitations could be launched from the main servers, connecting nodes or even an individual sensor, or potentially propagate via the network. In remote exploitation the attacker exploits
vulnerabilities in network protocols such as ICMP and TCP to access the device and execute malicious code.

2) Communication Layer [35]
This layer comprises 4G/5G networks, network layer and messaging platforms, Internet, WLAN and GPS. Devices/sensors communicate with the data layer through cellular/wireless networks; attacks are mainly categorized into four categories and are captured in the representation below: attacks against authentication, attacks against integrity, attacks against privacy, attacks against availability. These are depicted in figure 2.

Fig. 2 Attacks on 4G/5G

3) Data Layer
The data generated in a smart city from each of the components is expected to be of exponential scale in terms of storage, volume, velocity and veracity; securely storing the data is one of the major challenges in smart city infrastructure. Threats to the data layer discussed are not limited to the following.
Insecure API Communication: Most software and applications connected to the cloud infrastructure use APIs to interact with cloud services, and API usage might get exposed to broken authentication attacks and access control bypass.
Data Leakage at rest - Insecure Encryption, SQL Injection: Data hosted in a multitenant environment can potentially be accessed by adversaries or even third-party providers, due to insecure encryption, loose access control policies and SQL injection attacks.
Data in Motion - Sensitive data leak, Availability: Side channel and DDoS scenarios create severe bottlenecks; hence secure transmission of data flows and automated detection and response are essential parts of the data protection strategy.

TABLE II
RISK ANALYSIS

Scenario: Oct 2017, one of the major metropolitan cities affected badly due to an organized distributed denial of service (DDoS) attack, resulting in the crashing of the entire transport system. Threat's impact on security triad: Availability.
Risk: The transport administration system in one European country was affected by distributed denial of service, with the larger impact of the attack on train traffic management. Train arrival/departure services had to be managed manually.
Mitigation: Early detection: monitor and analyze network traffic continuously. Set up bandwidth limits on the network. Deploy a DDoS protection solution. Traffic filtering based on strong rules/signatures and behavior.

Scenario: In March 2018, interception attack on a smart water treatment plant in an undisclosed city in Europe. Threat's impact on security triad: Confidentiality.
Risk: In the water treatment plant, using interception attack mechanisms such as MITM, the attacker tried to change the level of chemicals used for water purification. Such attack scenarios could directly harm many lives, posing risks to citizen health and safety.
Mitigation: Employ robust encryption mechanisms. Obtain TLS/SSL certificates for web applications.

Scenario: Malware attack on air traffic control systems in Nov 2016. Threat's impact on security triad: Confidentiality and Integrity.
Risk: A malware attack on the air traffic control system in one European country affected several airports, preventing air traffic controllers from having the aircraft information screen.
Mitigation: Secure wireless communication. IAM – authentication/authorization. Network protection.

4) Application Layer [35]
Application layer threats are divided into the following three categories: threats to smartphones / web applications, application layer protocols, operating system level threats. Some examples of each are described here.
Buffer Overflow Attack: This web application vulnerability deals with memory allocations and buffers, usually exploited when given low level read and write access to memory. A buffer overflow vulnerability in a smart city administration web application would expose sensitive data to the attackers.
SQL Injection: Malicious SQL query injection leads to unauthorized access to the databases.
Cross Site Scripting: Cross site scripting is the most common vulnerability in web applications; the vulnerability can exploit the web app by injecting malicious client side script into webpages.
Cookie Poisoning: Modification of a cookie (personal information on the web user's computer) by adversaries to steal the data. All web applications in smart city architecture require testing against these common vulnerabilities. Regular vulnerability assessment and penetration testing is the solution to curb web app attacks.
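The three web application weaknesses named above (SQL injection, cross site scripting, cookie poisoning) are easier to test for when the vulnerable pattern and its hardened form sit side by side. The Python below is an added example written for this page, not code from the paper or from any smart city project: a citizen meter-reading lookup against an in-memory SQLite table, a page fragment that echoes a user-supplied name, and a session cookie with and without an HMAC. The table, its rows, the inputs and the signing key are all constructed for the illustration.

```python
"""Added example (not from the paper): the SQL injection, cross-site scripting
and cookie poisoning weaknesses named above, each as a vulnerable function
beside its hardened form.  The meter-reading table, inputs and signing key
are constructed for this illustration."""
import base64
import hashlib
import hmac
import html
import json
import sqlite3


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE meters (id INTEGER, owner TEXT, reading INTEGER)")
    db.executemany("INSERT INTO meters VALUES (?, ?, ?)",
                   [(1, "alice", 120), (2, "bob", 98), (3, "carol", 143)])
    return db


# --- SQL injection: the citizen portal shows a user their own meter readings --
def readings_vulnerable(db, owner: str):
    # String formatting lets the input rewrite the WHERE clause.
    return db.execute(
        f"SELECT owner, reading FROM meters WHERE owner = '{owner}'").fetchall()


def readings_safe(db, owner: str):
    # Parameterised query: the driver sends the value as data, never as SQL.
    return db.execute(
        "SELECT owner, reading FROM meters WHERE owner = ?", (owner,)).fetchall()


# --- Cross-site scripting: echoing the user's name into a page ---------------
def render_vulnerable(name: str) -> str:
    return f"<p>Welcome, {name}</p>"


def render_safe(name: str) -> str:
    # Output encoding turns markup characters into harmless entities.
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


# --- Cookie poisoning: session state carried in the cookie -------------------
SECRET = b"constructed-server-side-key"   # assumption: kept only on the server


def cookie_unsigned(session: dict) -> str:
    return base64.b64encode(json.dumps(session, sort_keys=True).encode()).decode()


def parse_unsigned(cookie: str) -> dict:
    # Trusts whatever the client sends back.
    return json.loads(base64.b64decode(cookie))


def cookie_signed(session: dict) -> str:
    body = cookie_unsigned(session)
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def parse_signed(cookie: str):
    # Returns None when the body has been altered: the MAC no longer matches.
    body, _, mac = cookie.rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    return parse_unsigned(body)


def poison(cookie: str) -> str:
    """What a tampering client does to a cookie body: decode, edit, re-encode."""
    session = parse_unsigned(cookie.partition(".")[0])
    session["role"] = "admin"
    return cookie_unsigned(session)


def demo() -> tuple:
    db = make_db()
    injected = "x' OR '1'='1"
    sqli_rows = len(readings_vulnerable(db, injected))   # every citizen's row
    safe_rows = len(readings_safe(db, injected))         # no such owner
    payload = "<script>steal()</script>"
    xss_raw = "<script>" in render_vulnerable(payload)
    xss_safe = "<script>" in render_safe(payload)
    session = {"user": "alice", "role": "citizen"}
    unsigned_role = parse_unsigned(poison(cookie_unsigned(session)))["role"]
    signed = cookie_signed(session)
    poisoned = poison(signed) + "." + signed.rpartition(".")[2]   # old MAC kept
    signed_role = parse_signed(poisoned)                  # None: rejected
    return sqli_rows, safe_rows, xss_raw, xss_safe, unsigned_role, signed_role
```

The signed cookie still exposes its contents to the client (base64 is not encryption), so anything sensitive belongs in server-side session storage; the MAC only guarantees that what comes back is what the server issued.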
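The first row of Table II lists early detection (continuous monitoring and analysis of network traffic) and behaviour-based filtering as the mitigations for the transport-system DDoS. The Python below is an added example written for this page, not the paper's or any vendor's code: a baseline-and-threshold detector over constructed flow records for a transport service address, which flags seconds where packet volume exceeds the learned baseline and the traffic arrives from an unusually large set of sources, then derives a candidate filter list of the sources that were never seen during the baseline. Addresses, volumes, window lengths and thresholds are all constructed.

```python
"""Added example (not from the paper): volumetric anomaly detection over flow
records, the 'early detection' and behaviour-based filtering mitigations that
Table II lists for the transport-system DDoS scenario.  Addresses, volumes
and thresholds are constructed for this illustration."""
from collections import defaultdict
from statistics import mean, pstdev

SERVICE = "10.0.9.5"        # constructed: the train-timetable service address

# Flow records as (second, src_ip, dst_ip, packets): 30 s of normal traffic
# from five legitimate clients, then a 10 s burst from 80 new sources.
FLOWS = [(t, f"10.0.1.{i + 10}", SERVICE, 40 + (7 * t + i) % 11)
         for t in range(30) for i in range(5)]
FLOWS += [(t, f"198.51.100.{i + 1}", SERVICE, 300)
          for t in range(30, 40) for i in range(80)]


def per_second(flows, dst):
    """Aggregate packets and distinct sources per second towards dst."""
    pkts = defaultdict(int)
    srcs = defaultdict(set)
    for t, src, d, n in flows:
        if d == dst:
            pkts[t] += n
            srcs[t].add(src)
    return pkts, srcs


def detect(flows, dst, baseline_secs=30, k=3.0, min_sources=20):
    """Learn mean + k*stdev of packets/s over the baseline period, then flag
    later seconds that exceed it AND carry traffic from at least min_sources
    distinct addresses (the many-to-one shape of a distributed attack).
    Returns (threshold, [(second, packets, distinct_sources), ...])."""
    pkts, srcs = per_second(flows, dst)
    base = [pkts[t] for t in range(baseline_secs)]
    threshold = mean(base) + k * max(pstdev(base), 1.0)
    alerts = [(t, pkts[t], len(srcs[t]))
              for t in sorted(pkts) if t >= baseline_secs
              and pkts[t] > threshold and len(srcs[t]) >= min_sources]
    return threshold, alerts


def suggest_filters(flows, dst, alerts, baseline_secs=30):
    """Behaviour-based filter candidates: sources that appear only during
    alerted seconds and never in the baseline.  Known clients are spared."""
    alerted = {t for t, _, _ in alerts}
    known = {src for t, src, d, _ in flows if d == dst and t < baseline_secs}
    return sorted({src for t, src, d, _ in flows
                   if d == dst and t in alerted and src not in known})


def run():
    threshold, alerts = detect(FLOWS, SERVICE)
    return threshold, alerts, suggest_filters(FLOWS, SERVICE, alerts)
```

The source-count condition is what keeps a legitimate surge (one client fetching more timetable data) from tripping the rule, and the filter list deliberately excludes addresses seen in the baseline so that the bandwidth limit or block is applied to the new many-to-one traffic rather than to regular clients.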
Malicious Application: Untested and vindictive applications on app marketplaces can infect smartphone devices and cause damage to end users of smart city services.
Botnet: A botnet is formed by an attacker by contaminating multiple devices with malware propagating via floating attachments and malicious websites.
Exploitation of Misconfiguration: In many cases, several components such as operating systems, databases and servers can be used for an IoT application. Thus, improper configuration of such components may lead to security issues in the IoT application.
Malicious Code Injection: In this type of attack, an attacker injects spiteful code into some packets to either steal or modify sensitive data.
Path based DDoS: The main objective of this attack is to inject malicious code into the packets or replay some packets to the network. It could destroy or disrupt an IoT network by sending a huge number of illegitimate packets to exhaust network resources via the path to a base station. This attack, therefore, may prevent other objects from sending messages to the base.
Reprogram Attack: Reprogramming the IoT objects remotely, as done in some environments, can be achieved using a network programming system. When the programming process is not protected, the attacker could hijack this procedure to control a large part of the network.

C. Risk Analysis, Scenarios and Mitigations
Many attacks have been reported on smart cities all over the world. We studied many of them and what their impact on the city was. We discuss a few of them in Table II and what could have been done to prevent such attacks.

V. SMART CITY PUBLIC POLICIES
Globally, countries are working towards thwarting cyber threats against smart cities and are invested in ramping up security and privacy strategies to protect infrastructure and data. A few countries including India have set a precedent by leapfrogging in taking significant steps on regulations, standards and frameworks to fortify cyber security for the smart cities environment [36]. In this section, we discuss the key learnings from a public policy perspective for different countries around the world.

A. United States of America
 The USA government released the Internet of Things Cyber Security Improvement Act, 2017, to establish minimum cyber security standards for IoT devices.
 Multiple cyber security capability firms collaborated to launch a not-for-profit forum ‘Securing Smart Cities’, which released ‘Cyber Security Guidelines for Smart City Technology Adoption’.
 NYC Secure is an initiative for citizens of New York City. It includes a free city-sponsored smartphone protection application that will issue warnings to users when suspicious activity is detected on their phones, as well as new protection for the city’s public Wi-Fi networks.
 Los Angeles launched a City-Based Cyber Lab to strengthen cyber security for its businesses and residents. The lab is a public-private partnership that will disseminate information and intelligence based on analysis of more than one billion security-related events and over four million attempted intrusions into city networks per day.

B. Europe
 EU provided ‘Baseline Security Recommendations for IoT’ detailing the critical attack scenarios, the need for security by design and the security gaps in the IoT ecosystem, followed by recommendations.
 ENISA has released two detailed guidelines for cyber security of smart cities: an architecture model for public transport, and security and resilience for smart health service and infrastructure.
 Certification Framework for Devices: this framework seeks to ensure an EU-wide certification scheme consisting of comprehensive rules, technical requirements, standards and procedures. This will be based on agreement at the EU level on the evaluation of the security properties of a specific ICT-based product or service.

C. Singapore
 Internet of Things (IoT) Ecosystem Standards: The Internet of Things Technical Committee (IoTTC) focuses on the standardization needs in IoT technologies, such as sensor networks, system interfaces, data management and security. Thus far, four technical standards on IoT have been published.

D. Australia
 Guidelines & Best Practices in Smart Cities: In 2018, the Smart Cities Council Australia and New Zealand released a best practices guide covering the cyber security standards.
 Internet of Things (IoT) Alliance Australia: The IoT Alliance Australia (IoTAA) works with the objective of accelerating IoT innovation and adoption in Australia. Recently, they launched a report, ‘Enabling the Internet of Things for Australia’, detailing the need for privacy by design, data protection and testing of IoT devices in the areas of smart cities, health, energy, etc.

E. India
 Ministry of Housing and Urban Affairs (MoHUA) Guidelines: MoHUA, the Government of India, released a model framework for cyber security in smart cities on 20 May, 2016. It covers the security of smart
cities across different layers, namely sensor layer, communication layer, data layer and application layer.
 Draft Personal Data Protection Bill: The Personal Data Protection Bill includes provisions to protect personal data as an essential facet of information privacy. The bill provides guidelines on the data processing grounds, rights of the data principal, penalties and exemptions, amongst other areas. The bill aims to protect the autonomy of individuals from data privacy violations by the state and private entities. Once enforced, the bill will impact how smart city information systems store and process personal/sensitive data.
 The IoT Draft Policy of India discusses the focused pillars of IoT, namely: Demonstration Centres, Capacity Building & Incubation, Standards, R & D and Innovation, Incentives & Engagements, Human Resource Development, Governance Structure. Many security principles from an IoT perspective, e.g. to protect cloud and applications, safety standards for sensor and device usage etc., are suggested in this draft report.

VI. BEST PRACTICES
As India is on a journey of envisaging 100 smart cities by 2022, we studied issues of cyber security and data privacy emanating from global implementations and analyzed a representative sample of RFPs of Indian cities, twelve in total out of forty published so far by various states, covering categories such as matured, average and below average proposals and RFPs from different parts of India. Enlisted below are some of the key learnings from the research study on Indian RFPs that must be taken into account while conceptualizing any smart city [21-31].
 Security of field equipment and protection of industrial software systems must be considered; the focus should not be only on protecting IT infrastructure while implementing smart city solutions.
 Existing security architectures must be benchmarked against the best international standards.
 Clear guidelines that the smart city must follow w.r.t. cyber security and data privacy must be laid down.
 In environments where high information security is required, e.g. nuclear power plants, electric power generation etc., data flow must be restricted to unidirectional using data diodes.
 The onus for designing and planning the cyber security & privacy requirements of a smart city must not lie only with system integrators. Cyber security requirements of a smart city must be planned holistically in consultation with all stakeholders. An SLA must also be defined for cyber security requirements.
 All applications must be tested for performance & security.
 Continuous monitoring should be done in real time, and logs must be maintained and analyzed for thwarting cyber attacks.

We end our study of cyber security concerns with respect to smart city projects around the world by proposing the following layer wise best practices, which we segregate under two categories: Minimum, which must be adhered to while envisioning & planning a smart city; and Advanced, which are good to have and may be followed as per budget and time constraints. We also discuss the governance best practices for smart city security issues.

A. Application Layer
In this sub section, we enlist the minimum and advanced best practices from a cyber security perspective for the application layer of smart cities.

1) Minimum
Security Incident and Event Management: Analyse log and event data in real time to provide threat monitoring, event correlation and incident response.
Identity and Access Management: The capability to manage the complete lifecycle of users and devices. It may have capabilities of federated identity and role-based access control that automatically matches job roles, business unit identifiers and locations to their relevant privilege levels.
Encryption: The message exchange between various applications in the smart city is to be encrypted and authenticated.

2) Advanced
API Management: Applications outside the Data Centre (DC) may talk to the applications hosted in the data centre only through predefined APIs, with planning, design, implementation, testing, publication, operation, consumption, maintenance, versioning and retirement of APIs.
Web Application Firewall: WAF to protect web applications and APIs against external and internal attacks, monitor and control access to web applications, and collect access logs for compliance/auditing and analytics.
Multi Tenancy: While it is necessary to converge multiple infrastructures into one central platform for ease of management, it is recommended that such applications hosted in the central data centre support multi-tenancy with adequate authentication and role based access control mechanisms for each tenant pertaining to their respective infrastructure.

B. Data Layer
In this sub section, we enlist the minimum and advanced best practices from a cyber security perspective for the data layer of smart cities.

1) Minimum
Framework of Data Exchange: Data exchange between various sensors and their management applications may happen via this layer, thus making it one true source of data abstraction, normalization and correlation, and enabling further analysis on the same. Adequate security should be
deployed to protect the data layer from data confidentiality breaches and unauthorized access.

2) Advanced
Data Loss Prevention: A DLP solution may require capabilities to secure data both at rest and in motion, to discover sensitive data within an organization and to mitigate the risk of its loss at the endpoints, in storage and over the network. It may have a centralized management console, support for advanced policy definition, event management workflow and reporting.

C. Communication Layer

In this sub section, we enlist the minimum and advanced best practices from a cyber security perspective for the communication layer of smart cities.

1) Minimum
Gateway Protection: The connectivity provisioning via gateways needs to include elements such as authentication with identifiers, and its traffic is to be encrypted. The gateway traffic is recommended to be monitored for anomalous behaviour as per city infrastructure functioning.
Demilitarized Zones: The internet facing part of the data centre should have a demilitarized zone where all the customer facing application servers would be located.
Network Security Capabilities: The following should be implemented in the data centre: firewalls, intrusion detection and intrusion prevention systems, behavioural analysis systems for anomaly detection, correlation engine, denial of service prevention device, advanced persistent threat notification mechanism, federated identity and access management system, data diodes, industrial firewalls etc.

2) Advanced
Network Segmentation/Zoning: The data centre is to be segmented into multiple network zones, with each zone having a dedicated functionality, e.g. all sensors for one operational domain may connect to the data centre in different dedicated zones, and the internet facing side of the data centre is recommended to be in another zone. All the sensors in the smart city should connect to a completely separate network. The wireless layer of the smart city network may be segmented for public and utility networks by using Virtual Private Networks (VPNs) or separate networks in the wired core, so that any traffic from the internet users is not routed into the sensor networks and vice-versa.
Network Flow Visibility: From a network security perspective, all information that flows on the network should be encrypted to ensure safety and privacy of confidential data. A wireless broadband plan and architecture for the specific city may be prepared.
Role Based Access: While it is necessary to converge/segment multiple network zones into one central platform for ease of management, it is recommended that such critical networks of the city, hosted and managed centrally, have an adequate authentication, authorization and role-based access control mechanism for each zone/segment.

D. Sensor Layer

In this sub section, we enlist the minimum and advanced best practices from a cyber security perspective for the sensor layer of smart cities.

1) Minimum
Discovery Capability: Asset discovery capability for the operational technology environment is a software-only product (native Windows or Docker container) that discovers city network topology, device identity, hardware and software configuration, and data flow. It is to capture configuration data that passive scanning may not be able to deliver.
Authentication: The process of introducing and on-boarding devices into an IT/OT environment must be securely controlled while meeting the specific requirements of different OT environments. The capability may provide several environment alternatives for device registration models, including automated device registration, which enables secure registration without manual intervention, physical control, or system access to target devices.
Hardening: All devices and systems deployed in the smart city should be hardened and have the ability to be upgraded remotely for firmware through encrypted image files, with an authentication mechanism to complete the operation.
Identity and Access Management: Identity and access management built for operational technologies/sensors/smart devices provides a single management interpretation of access requests, reporting, analytics, and automated provisioning, as contained within a centralized directory service for unparalleled control; the configuration depends upon whether it is isolated, i.e. demilitarized, or connects with external systems such as the cloud.

2) Advanced
Sensor Network Security: Isolated networks are to be marked with identifiable boundaries. A program of boundary scanning will help to identify leaks with ease. Map the consequences of violating the network separation; if violations occur, clear consequences should be established. All sensors deployed as part of IT and OT based systems in the smart cities may communicate with only the authorized wireless network, and must not connect to rogue networks. All traffic from the sensors in the smart city to the application servers is recommended to be encrypted with SSL and authenticated prior to sending any information. The data at rest and in transit must be encrypted.
Secure Remote Administration: Securing remote access is an integral part of any defence-in-depth strategy; the foundation of creating usable guidance as it pertains to control systems environments must include both the users and the technology to be accessed remotely. Common elements, such
as users, roles, existing technology and architecture types, can be reviewed and their attributes can be leveraged.

E. Security Governance

In this sub section, we enlist the minimum and advanced best practices from a security governance perspective for smart cities.

1) Minimum
Security Governance: The entire Information Technology (IT) infrastructure deployed as part of the smart city should follow standards, policies and frameworks like those below, as applicable and appropriate.
• Data Privacy and Information Security Policy
• Information Security Management: ISO 27001
• Business Continuity Management: ISO 22301
• Sustainable Cities and Communities: ISO 37120
• Security Controls for Cloud Security: ISO 27017
• Cloud Privacy Protection: ISO 27018
• Smart City Standards: BSI PAS 180, BSI PAS 181, BSI PAS 182
• Wi-Fi access: PEAP (Protected Extensible Authentication Protocol), 3rd Generation Partnership Project (3GPP)
• DSCI Privacy and Security Framework

The reference architecture of Information Technology (IT) infrastructure in the smart city suggested by the National Institute of Standards and Technology (NIST) serves as a common starting point for system planning while promoting interoperable functional building blocks, which are required in a smart city.
Cyber Incident Management: Cyber Incident Management teams need to be set up to manage and mitigate the cyber incidents and risks for the smart city. All the information on incidents should be shared regularly with the respective Computer Emergency Response Team (CERT) of the country and the designated cyber security incident response teams of the smart city, and their help should be taken to mitigate and recover from the incidents.
Processes and Procedures for Secure Disposal: Consisting of elements such as secure device disposal, inventory removal, data purging, data archival and records management etc.

2) Advanced
Security Testing: All applications and the ICT and sensing layer, including sensors, should undergo vulnerability assessment and penetration testing before deployment and prior to every version change/upgrade. In case of no changes, a yearly vulnerability assessment and penetration test should be conducted.

APPENDIX

Appendixes, if needed, appear before the acknowledgment.

ACKNOWLEDGMENT

The preferred spelling of the word “acknowledgment” in American English is without an “e” after the “g.” Use the singular heading even if you have many acknowledgments. Avoid expressions such as “One of us (S.B.A.) would like to thank ... .” Instead, write “F. A. Author thanks ... .” In most cases, sponsor and financial support acknowledgments are placed in the unnumbered footnote on the first page, not here.

REFERENCES

[1] "Stories tagged ‘Smart Cities’", Nextcity.org, 2018. [Online]. Available: https://nextcity.org/daily/tags/tag/smart%20cities. [Accessed: 28-Nov-2018].
[2] "The most insightful stories about Smart Cities", Medium.com, 2018. [Online]. Available: https://medium.com/tag/smart-cities. [Accessed: 28-Nov-2018].
[3] ITU-T Focus Group on Smart Sustainable Cities, "Setting the framework for an ICT architecture of a smart sustainable city", ITU-T, 2015.
[4] The British Standards Institution, "Smart cities – Vocabulary", BSI Standards Limited, 2014.
[5] P. Budde, "Smart Cities of Tomorrow", in Cities for Smart Environmental and Energy Future: Impacts on Architecture and Technology, S. Rassia and P. Pardalos (Eds.), Springer, 2014, pp. 9-21.
[6] European Cyber Security Organisation (ECSO), "Smart Cities and Smart Buildings Sector Report: Cyber security for the smart cities sector", 2018.
[7] CISCI, CNBC TV18, moneycontrol, "Digitizing India Smart Cities."
[8] NIST and its partners, "A Consensus Framework for Smart City Architectures (IES-City Framework)", 2018.
[9] Deloitte, "Smart Cities: The importance of a smart ICT infrastructure for smart cities", 2017.
[10] GSM Association, "Keys to the Smart City", 2016.
[11] National Institute of Urban Affairs, m2mpaper.com, "Smart Cities in India - the role of m2m + iot."
[12] S. Talari, M. Shafie-khah, P. Siano, V. Loia, A. Tommasetti and J. Catalão, "A Review of Smart Cities Based on the Internet of Things Concept", Energies — Open Access Journal of Energy Research, Engineering and Policy (Published Online by MDPI), vol. 10, no. 4, 2017.
[13] NIST, "NIST Smart City Framework", 2016.
[14] NIST, "Cyber Security Framework", 2016.
[15] ENISA, "ENISA Smart City Cyber Security", 2017.
[16] Cloud Security Alliance, "Securing Smart Cities", 2017.
[17] I. Al Mallouhi and R. Daluwakgoda, "Securing Smart City Platforms IoT, M2M, Cloud and Big Data", in RSA Conference, Abu Dhabi, 2015.
[18] A. Bartoli, J. Hernandez-Serrano, M. Soriano, M. Dohler, A. Kountouris and D. Barthel, "Security and Privacy in your Smart City", in Barcelona Smart Cities Congress, Barcelona, 2011.
[19] Trend Micro Forward-Looking Threat Research (FTR) Team, "Securing Smart Cities: Moving Toward Utopia with Security in Mind", Trend Micro, 2017.
[20] CISCO, "Cisco Kinetic Security Technical Paper", 2018.
[21] Ahmedabad Smart City, "RFP I", 2018.
[22] Pune Smart City, "RFP II", 2018.
[23] Bhopal Smart City, "RFP IV", 2018.
[24] Agra Smart City, "RFP V", 2017.
[25] Rajkot Smart City, "RFP VI", 2018.
[26] Gandhinagar Smart City, "RFP VII", 2018.
[27] Varanasi Smart City, "RFP VIII", 2018.
[28] Ranchi Smart City, "RFP IX", 2017.
[29] Cochin Smart City, "RFP X", 2017.
[30] Shirdi Smart City, "RFP XI", 2018.
[31] Faridabad Smart City, "RFP XII", 2018.
[32] Z. Baig, P. Szewczyk, C. Valli, P. Rabadia, P. Hannay, M. Chernyshev, M. Johnstone, P. Kerai, A. Ibrahim, K. Sansurooah, N. Syed and M. Peacock, "Future challenges for smart cities: Cyber-security and digital forensics", Digital Investigation, vol. 22, pp. 3-13, 2017.
[33] S. Ijaz, M. Shah, A. Khan and M. Ahmed, "Smart Cities: A Survey on Security Concerns", International Journal of Advanced Computer Science and Applications, vol. 7, no. 2, 2016.
[34] I. Barara, "Technology Evangelist", Technology Evangelist. [Online]. Available: https://technologyevaneglist.wordpress.com. [Accessed: 28-Nov-2018].
[35] A. AlDairi and L. Tawalbeh, "Cyber Security Attacks on Smart Cities and Associated Mobile Technologies", Procedia Computer Science, vol. 109, pp. 1086-1091, 2017.
[36] DSCI and PwC, "Creating Cyber Secure Smart Cities", 2018.
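The Hardening practice listed under D. Sensor Layer, 1) Minimum, calls for remote firmware upgrades through encrypted image files with an authentication mechanism to complete the operation. The following is an added example, not code from the paper or from any framework it cites, showing one way to do that with AES-GCM: the vendor seals the image, and the device refuses any package whose tag does not verify, that was built for another device class, or that would roll the firmware version back. The image layout, the class/version header and the anti-rollback check are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Image layout (constructed for this example, not a standard format): 8-byte
// header (uint32 device class, uint32 version; authenticated, not encrypted),
// 12-byte random nonce, then AES-GCM ciphertext || 16-byte tag.
const hdrLen = 8

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// SealImage (vendor side): encrypt the body and bind the header into the tag.
func SealImage(key []byte, class, version uint32, body []byte) []byte {
	gcm := newGCM(key)
	pkg := make([]byte, hdrLen+gcm.NonceSize())
	binary.BigEndian.PutUint32(pkg[0:], class)
	binary.BigEndian.PutUint32(pkg[4:], version)
	if _, err := rand.Read(pkg[hdrLen:]); err != nil {
		panic(err) // never proceed with a possibly repeated nonce
	}
	return gcm.Seal(pkg, pkg[hdrLen:], body, pkg[:hdrLen])
}

// OpenImage (device side): accept only if the tag verifies, the image is built
// for this device class, and its version is newer than the installed one.
func OpenImage(key, pkg []byte, myClass, installed uint32) ([]byte, error) {
	gcm := newGCM(key)
	n := hdrLen + gcm.NonceSize()
	if len(pkg) < n+gcm.Overhead() {
		return nil, fmt.Errorf("image truncated")
	}
	body, err := gcm.Open(nil, pkg[hdrLen:n], pkg[n:], pkg[:hdrLen])
	if err != nil {
		return nil, fmt.Errorf("authentication failed: image rejected")
	}
	if c, v := binary.BigEndian.Uint32(pkg), binary.BigEndian.Uint32(pkg[4:]); c != myClass || v <= installed {
		return nil, fmt.Errorf("class %d version %d refused by class %d at version %d", c, v, myClass, installed)
	}
	return body, nil
}
```

The header checks run only after gcm.Open succeeds, so a tampered class or version field is caught by the tag rather than by application logic.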