PrivacyTraining_ad300x250.Promo1-01
OneTrust_Webcon_BB_300x250_ad_04.25.2016.v5-01

Ponnurangam Kumaraguru

As India becomes a leader in Business Process Outsourcing (BPO), increasing amounts of personal information from other countries are flowing into India. Questions have been raised about the ability of Indian companies to adequately protect this information. Unfortunately, employees of BPO organizations have misused customers' personal information repeatedly. As more and more companies from other countries are conducting business in India, there is increased concern about India's lack of privacy laws. To address these concerns, government officials, organizations and lawmakers are discussing the creation of privacy laws in India that would mandate privacy protections for data from other countries handled by India's outsourcing industry.

As a first step, it is necessary to understand the attitudes toward privacy among Indians.

Under the guidance of Dr. Lorrie Cranor, I conducted an exploratory study during the summer of 2004 to gain an initial understanding of attitudes toward privacy among the Indian high-tech workforce. We carried out a written survey and one-on-one interviews to assess the level of awareness about privacy-related issues and concerns about privacy among a sample of educated people in India. We used the protocol designed by Elaine Newton and Dr. Granger Morgan, also from Carnegie Mellon University, for the one-on-one interviews. We surveyed a total of 407 respondents and the interviews were conducted with 29 subjects.

Our results demonstrate an overall lack of awareness of privacy issues and less concern about privacy in India than in similar studies conducted in the U.S. We summarize our results in the following sections:

General Understanding and Concerns about Privacy
Overall, Indians discussed privacy in terms of only personal space. The survey found that 48 percent of those surveyed related privacy to physical, home and living space. U.S. studies indicate that Americans relate privacy to health and financial information. Typical responses of Indian subjects when asked about privacy were: "Privacy for me is my personal territory" and "personal privacy." One survey question asked subjects to report their level of concern about personal privacy, and another asked subjects to report the level of concern about personal privacy on the Internet. Seventy-six percent of Indian respondents were "very" or "somewhat concerned" about personal privacy and 8 percent were "very" or "somewhat concerned" about personal privacy on the Internet. Comparing our results with other studies conducted in the U.S., we found a lower level of concern among the Indian sample than among Americans.

Awareness of and Concerns about Privacy and Technology
In general, the subjects in India were less aware about privacy related to technologies. Only 17 percent of the subjects mentioned any privacy concerns related to computers. A typical Indian response regarding computerization of data was, "No I don't have any concerns. In fact I feel like you should computerize everything." Many U.S. studies have shown that Americans are wary about computerization of data and unauthorized people accessing their data. Most of the respondents in our studies were unaware about the concept of changing the browser's cookie settings. Similarly, no subject in India mentioned about threats from biometrics and concerns related to Internet privacy. Few subjects mentioned the threat of mobile phones with cameras, which may be attributable to recent incidents related to video voyeurism in India. Overall the behavior of subjects in India can be attributable to the limited technological growth as compared to other developed countries.

Comfort Level of Sharing Different Types of Data
We found significant differences in comfort level across the nine types of personal information surveyed (postal mail address, email address, phone number, age, health and medical history, passport number, annual household income, credit card number and passwords of email/ATM). Respondents were most comfortable sharing their age, email address, and health information with Web sites, in contrast with U.S. attitudes. We suspect this view in India might be because of less discrimination in the professional and social lives on the basis of health information. Medical insurance is not very popular in India among individuals and employers. They were least comfortable sharing credit card numbers, passport numbers, email and ATM passwords and annual income. A common reaction of the subjects in India was, "As an Indian mentality, we always like to share things." Another subject mentioned "my friends and family members know most of my information including financial and medical information." This shows that subjects have different concerns and comfort level for specific data types in both countries. 

Trust in Businesses and Government
Overall, we found large differences in willingness to trust organizations and the government with personal information. Researchers have found that privacy-concern levels tend to be correlated with distrust in companies and government. Most of our subjects (86 percent for businesses, 81 percent for governments) were highly trusting, and very few were untrusting (7 percent for businesses, 4 percent for governments). A 2001 Harris Interactive study found that only 10 percent of people in the U.S. have high levels of trust for businesses and 15 percent have high levels of trust for the government. A typical response of an Indian subject was, "I believe in government, 100 percent they will not abuse it." These results suggest that the level of privacy concern among our interview subjects in India was fairly low.

Posting Personal Information
One of the common practices in India is posting personal information publicly. Universities post students' full name and grades on public notice boards on campuses. We found that about half of the respondents were concerned about university grades being posted publicly. Another common practice is publicly posting personal information of travelers at Indian railway stations and in train compartments. The posted information includes last name, first name, age, gender, boarding station, destination, seat number, and a passenger-name record number. We found even lower levels of concern about this practice than of the public posting of grades.

This information is gleaned from an exploratory study to understand the attitudes of Indians toward privacy. We found less concern and awareness about privacy issues among Indians. As discussed by various other studies, we attribute most of this behavior to the cultural aspect in India. Concerns have been raised whether the Indian outsourcing industry can properly protect personal data. Our results suggest that the Indian high-tech workforce may not be sufficiently aware of privacy issues, and that the outsourcing industry and international businesses may need to provide privacy training to their employees. This training could also be a part of the Indian undergraduate education. We see a basic difference in privacy perceptions among Indians and Americans. Indian lawmakers are looking at privacy laws and regulatory programs from different countries. It is important to realize that U.S. laws and programs may not have the same effect if introduced in India.

We believe that a comparison of our results with data from a similar study conducted in the U.S. during the same time would give a better understanding of the differences in the attitudes and awareness in both countries. Although we obtained some interesting results consistent with studies of Indian cultural values, it is important to recognize the limitations of our samples. The results we obtained cannot be generalized to the entire Indian population.

Ponnurangam Kumaraguru is a PhD. student in the COS (Computation Organization and Society) program with the School of Computer Science at Carnegie Mellon University. His research interests range from modeling trust, representing privacy policies in machine readable format, electronic voting, privacy issues related to RFID and to cross-cultural privacy issues. He can be reached at ponguru@cs.cmu.edu.

Complete reports of the studies may be reviewed at http://www.cs.cmu.edu/~ponguru/PET_2005.pdf.
This e-mail address is being protected from spam bots, you need JavaScript enabled to view it

 

Awareness of and Concerns about Privacy and Technology
In general, the subjects in India were less aware about privacy related to technologies. Only 17 percent of the subjects mentioned any privacy concerns related to computers. A typical Indian response regarding computerization of data was, "No I don't have any concerns. In fact I feel like you should computerize everything." Many U.S. studies have shown that Americans are wary about computerization of data and unauthorized people accessing their data. Most of the respondents in our studies were unaware about the concept of changing the browser's cookie settings. Similarly, no subject in India mentioned about threats from biometrics and concerns related to Internet privacy. Few subjects mentioned the threat of mobile phones with cameras, which may be attributable to recent incidents related to video voyeurism in India. Overall the behavior of subjects in India can be at-tributable to the limited technological growth as compared to other developed countries.

Comfort Level of Sharing Different Types of Data
We found significant differences in comfort level across the nine types of personal information surveyed (postal mail address, email address, phone number, age, health & medical history, passport number, annual household income, credit card number and passwords of email/ATM). Respondents were most comfortable sharing their age, email address, and health information with Web sites, in contrast with U.S. attitudes. We suspect this view in India might be because of less discrimination in the professional and social lives on the basis of health information. Medical insurance is not very popular in India among individuals and employers. They were least comfortable sharing credit card numbers, passport numbers, email and ATM passwords and annual income. A common reaction of the subjects in India was, "As an Indian mentality, we always like to share things." Another subject mentioned "my friends and family members know most of my information including financial and medical information." This shows that subjects have different concerns and comfort level for specific data types in both countries.
 
Trust in Businesses and Government
Overall, we found large differences in willingness to trust organizations and the government with personal information. Researchers have found that privacy-concern levels tend to be correlated with distrust in companies and government. Most of our subjects (86 percent for businesses, 81 percent for governments) were highly trusting, and very few were untrusting (7 percent for businesses, 4 percent for governments). A 2001 Harris Interactive study found that only 10 percent of people in the U.S. have high levels of trust for businesses and 15 percent have high levels of trust for the government. A typical response of an Indian subject was, "I believe in government, 100 percent they will not abuse it." These results suggest that the level of privacy concern among our interview subjects in India was fairly low.

Posting Personal Information

One of the common practices in India is posting personal information publicly. Universities post students' full name and grades on public notice boards on campuses. We found that about half of the respondents were concerned about university grades being posted publicly. Another common practice is publicly posting personal information of travelers at Indian railway stations and in train compartments. The posted information includes last name, first name, age, gender, boarding station, destination, seat number, and a passenger-name record number. We found even lower levels of concern about this practice than of the public posting of grades.

This information is gleaned from an exploratory study to understand the attitudes of Indians toward privacy. We found less concern and awareness about privacy issues among Indians. As discussed by various other studies, we attribute most of this behavior to the cultural aspect in India.

Concerns have been raised whether the Indian outsourcing industry can properly protect personal data. Our results suggest that the Indian high-tech workforce may not be sufficiently aware of privacy issues, and that the outsourcing industry and international businesses may need to provide privacy training to their employees. This training could also be a part of the Indian undergraduate education. We see a basic difference in privacy perceptions among Indians and Americans. Indian lawmakers are looking at privacy laws and regulatory programs from different countries. It is important to realize that U.S. laws and programs may not have the same effect if introduced in India. 

We believe that a comparison of our results with data from a similar study conducted in the U.S. during the same time would give a better understanding of the differences in the attitudes and awareness in both countries. Although we obtained some interesting results consistent with studies of Indian cultural values, it is important to recognize the limitations of our samples. The results we obtained cannot be generalized to the entire Indian population.

Ponnurangam Kumaraguru is a PhD. student in the COS (Computation Organization and Society) program with the School of Computer Science at Carnegie Mellon University. His research interests range from modeling trust, representing privacy policies in machine readable format, electronic voting, privacy issues related to RFID and to cross-cultural privacy issues (specifically in the third world countries like India). He can be reached at ponguru@cs.cmu.edu. Complete reports of the studies may be reviewed at http://www.cs.cmu.edu/~ponguru/PET_2005.pdf. nation. Companies at the stage of seeking authorization from CNIL must be prepared that data protection officials could deny the request.
This e-mail address is being protected from spam bots, you need JavaScript enabled to view it 

Conclusion

These suggested adjustments will not solve all conflicting issues between SOX and CNIL decisions. However, both sides of the Atlantic may find grounds for a compromise. The CNIL acknowledged that businesses cannot solve conflict of laws alone and therefore brought this conflict to the attention of the SEC, the French government and the European Commission. A dialogue started recently among the CNIL President, Alex Türk, and SEC representatives, to define an acceptable system under the two regimes, including a solution to preserve the confidentiality or anonymity of whistle-blowers. It is evident that this conflict is not solely a "French issue." Very recently, the Belgian data protection authority received a complaint from trade unions against Fortis AG. And that's not all. The issue will likely receive pan-European attention, as the article 29 Working Party (gathering representatives of all EU data protection authorities) is considering the topic.

Chief privacy officers would be well-advised to take a strong look at the internal compliance mechanisms of their groups, while following closely the evolving international debate.

Pascale E. Gelly is an attorney registered with the Paris Bar specializing in Data Protection legal issues, as well as New Technologies and Intellectual Property Law. Gelly can be reached at +33.1.44.77.88.11 or at pg@pascalegelly.com.

 


Comments

If you want to comment on this post, you need to login.

Related

Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

NEW! Raise Staff Awareness

Equip all your data-handling staff to reduce privacy risk, with Privacy Core™ e-learning essentials.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

NEW! FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Schooled in Privacy

Looking to get some higher-ed in privacy? Check out these schools that include data privacy courses in their curricula.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

NEW! Raise Staff Awareness

Equip all your data-handling staff to reduce privacy risk, with Privacy Core™ e-learning essentials.

The Industry of Privacy

Take stock, compare your practices to those of other organizations, and get budget with these studies on the industry of privacy.

More Resources »

P.S.R.—One Powerhouse Program

The program is too good to miss. The speakers are world-renowned. P.S.R. brings you the best of the best in privacy and security. Don't wait: Register now!

Speak at the Intensive!

The call for proposals for our London event, the Data Protection Intensive, is now open! Submit your session idea today.

Time to Get to Work at the Congress

Thought leadership, a thriving community and unrivaled education...the Congress prepares you for the challenges ahead. Register today.

GDPR Comprehensive London: Last Chance!

The IAPP GDPR Comprehensive heads to London this fall. This is your last chance at this popular program this year!

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»