DSCI DCPLA Practice Test

DSCI Certified Privacy Lead Assessor

Last exam update: Nov 18, 2025
Page 1 out of 6. Viewing questions 1-15 out of 86

Question 1

__________ calls for inclusion of data protection from the onset of the designing of systems.

  • A. Agile Model
  • B. Privacy by Design
  • C. Logical Design
  • D. Safeguarding Approach
Answer:

B


Explanation:
The concept of "Privacy by Design" is a core principle emphasized in the DSCI Privacy Framework
(DPF©) and DSCI Assessment Framework for Privacy (DAF-P©). This principle requires that privacy
be integrated into the design specifications and architecture of IT systems and business processes,
right from the start of the development process rather than being added later as an afterthought.
The DSCI Privacy Framework states:
"Privacy by Design is a proactive approach that embeds privacy into the design and operation of IT
systems, networked infrastructure, and business practices. It aims to ensure that privacy is built into
the system by default, thereby preventing privacy-invasive events before they happen."
This ensures data protection is foundational to system architecture and not merely a compliance
requirement added later. This proactive method mitigates risks and enhances user trust by
safeguarding personal information through preventive measures rather than reactive ones.


Question 2

Which of the following are classified as Sensitive Personal Data or Information under Section 43A of
ITAA, 2008? (Choose all that apply.)

  • A. Password
  • B. Financial information
  • C. Sexual orientation
  • D. Caste and religious beliefs
  • E. Biometric information
  • F. Medical records and history
Answer:

A, B, E, F


Explanation:
According to the DSCI Privacy Framework and as aligned with the Information Technology
(Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules,
2011, under Section 43A of the Information Technology Act, 2008, the following are considered
Sensitive Personal Data or Information (SPDI):
  • Password
  • Financial Information (such as bank account or credit card details)
  • Biometric Information (such as fingerprints, retina scans, etc.)
  • Medical Records and History
However, Sexual Orientation and Caste and Religious Beliefs are not explicitly included in the list of
SPDI under Section 43A of the ITAA, 2008, though they may be protected under broader privacy
considerations or sectoral regulations.
This classification helps in mandating appropriate security measures to protect such sensitive data,
failure of which can result in compensation for damages to the affected individual due to negligence
by the data processor or controller.


Question 3

Entities should collect personal information from users that is adequate, relevant and limited to what
is necessary in relation to the purposes for which it is processed. This Privacy Principle is called:

  • A. Collection Limitation
  • B. Use Limitation
  • C. Accountability
  • D. Storage Limitation
Answer:

A


Explanation:
According to the DSCI Privacy Framework and aligned with global privacy principles such as those
found in the OECD and APEC frameworks, “Collection Limitation” emphasizes that personal data
should be collected in a manner that is lawful and fair, and should be limited to what is necessary for
the identified purposes.
As per DSCI Assessment Framework for Privacy (DAF-P©), this principle ensures organizations collect
only relevant data by minimizing unnecessary data acquisition, thereby reducing the privacy risks.
The principle mandates:
"Personal data collected should be adequate, relevant, and limited to what is necessary in relation to
the purposes for which they are processed."
This is designed to promote responsible data stewardship and ensure minimal exposure of
individuals’ personal information.


Question 4

The method of personal data usage in which the users must explicitly decide not to participate.

  • A. Opt-In
  • B. Opt-out
  • C. Data mining
  • D. Data matching
Answer:

B


Explanation:
The term “Opt-out” refers to a consent model in which individuals are automatically included in a
data processing activity or program unless they explicitly indicate their desire not to participate.
Under the DSCI Privacy Framework, “Opt-out” is contrasted with “Opt-in,” where explicit affirmative
consent is required before processing.
Opt-out is often implemented through mechanisms like pre-checked boxes or default settings, which
the user can change. This is particularly common in direct marketing scenarios or cookies for
analytics. The DAF-P© considers whether such consent mechanisms align with fairness and
transparency principles.


Question 5

An entity shall retain personal data only as long as may be reasonably necessary to satisfy the
purpose for which it is processed; or with respect to an established retention period. This privacy
principle is known as?

  • A. Collection Limitation
  • B. Use Limitation
  • C. Security safeguards
  • D. Storage Limitation
Answer:

D


Explanation:
The “Storage Limitation” principle ensures that personal data is retained only for as long as necessary
for the purposes for which it was collected.
The DSCI Privacy Framework and DAF-P© define this principle as:
"Personal data should be kept in a form which permits identification of data subjects for no longer
than is necessary for the purposes for which the personal data are processed."
This prevents over-retention, minimizes risks of data breaches, and complies with legal and
regulatory mandates for data minimization. Retention schedules and secure disposal practices are
assessed under this principle in privacy audits.


Question 6

What are the Nine Privacy Principles as described in DSCI Privacy Framework (DPF©)?
I) Use Limitation
II) Accountability
III) Data Quality
IV) Notice
V) Preventing Harm
VI) Choice and Consent
VII) Access and Correction
VIII) Data Minimization
IX) Openness
X) Disclosure to Third Parties
XI) Right to be Forgotten
XII) Collection limitation
XIII) Security

  • A. I, II, III, IV, V, VI, VII, VIII, IX
  • B. I, II, IV, V, VI, VII, IX, X, XII, XIII
  • C. I, II, III, IV, V, VI, VII, VIII, XII
  • D. I, II, III, IV, VII, VIII, IX, X, XI
Answer:

A


Explanation:
As per the official DSCI Privacy Framework (DPF©), the framework is built upon a set of nine core
Privacy Principles that are foundational to establishing and assessing privacy initiatives in an
organization. These principles are as follows:
  • Notice – Individuals must be informed about the collection and use of their personal data.
  • Choice and Consent – The data subject’s choice must be respected through consent mechanisms.
  • Collection Limitation – Personal data must be collected only for identified purposes.
  • Use Limitation – Data should be used only for the purposes specified at the time of collection.
  • Data Quality – Ensuring data is accurate, complete, and kept up-to-date.
  • Access and Correction – Data subjects must have access to their data and the ability to correct it.
  • Security – Adequate protection of personal data against unauthorized access and breaches.
  • Openness – Organizations must be transparent about their privacy practices.
  • Accountability – The entity collecting and processing data is responsible for complying with the principles.
These match exactly with the components listed in option A: I (Use Limitation), II (Accountability), III
(Data Quality), IV (Notice), V (Preventing Harm—not explicitly named in DPF, hence not part of the
standard nine), VI (Choice and Consent), VII (Access and Correction), VIII (Data Minimization), IX
(Openness).
Hence, the correct nine principles according to DPF© are exactly as listed in option A.


Question 7

The concept of data adequacy is based on the principle of _________.

  • A. Adequate compliance
  • B. Dissimilarity of legislations
  • C. Essential equivalence
  • D. Essential assessment
Answer:

C


Explanation:
Data adequacy is a concept primarily referenced under international data transfer mechanisms,
especially in GDPR and mirrored in Indian and global privacy frameworks. The idea is that a country
can receive personal data from another country if it ensures an "adequate level of protection".
This level is determined not by exact replication of laws but by their “Essential Equivalence” to the
originating country's standards.
The principle of “Essential Equivalence” means that although the laws do not have to be identical,
they must offer comparable protection in practice. This is the benchmark used by authorities like the
EU Commission and reflected in frameworks including DPF©.


Question 8

What is a Data Controller?

  • A. Entity that collects personal data
  • B. Entity that stores personal data
  • C. Entity that determines the purpose and means for data processing
  • D. Entity that shares personal data with third parties
Answer:

C


Explanation:
As per the DSCI Privacy Framework and consistent with definitions in APEC and GDPR standards, a
Data Controller (or Personal Information Controller) is defined as:
“A person or organization who controls the collection, holding, processing, or use of personal
information. It includes one who instructs another to do so on its behalf.”
Thus, a data controller determines the “purpose and means” of processing, not merely performing or
facilitating storage or sharing.
This is a central concept to ensuring accountability in privacy frameworks, as the controller is the
primary entity responsible for compliance with data protection principles.


Question 9

What is a Data Subject? (Choose all that apply.)

  • A. An individual who provides his/her data/information for availing any service
  • B. An individual who processes the data/information of individuals for providing necessary services
  • C. An individual whose data/information is processed
  • D. A company providing PI of its employees for processing
  • E. An individual who collects data from illegitimate sources
Answer:

A, C


Explanation:
According to the DSCI Privacy Framework and aligned international frameworks such as GDPR and
APEC, a “Data Subject” refers to:
"An identified or identifiable natural person to whom the personal data relates."
This includes individuals whose data is being collected, held, or processed by any entity. Thus:
  • A (an individual providing their data to avail a service) is a data subject because the data is about them.
  • C (an individual whose data/information is processed) directly matches the definition.
Options B, D, and E refer to entities or persons involved in processing or handling the data, not the
individuals to whom the data belongs.


Question 10

Your district council releases an interactive map of orange trees in the district which shows that the
locality in which your house is located has the highest concentration of orange trees. Does the
council map contain your personal information?

  • A. Yes – your ownership of the property is a matter of public record.
  • B. No – Orange trees are not a person and so it can't have personal information.
  • C. It depends – on the context of other information associated with the map.
  • D. None of the above.
Answer:

C


Explanation:
Personal Information under DSCI and global frameworks is information relating to an identified or
identifiable individual. Whether the council’s map contains personal data depends on whether the
map, when combined with other information (like land records or property ownership data),
could lead to identifying you as a resident or owner.
Hence, the answer is context-specific. If the map alone doesn't identify you, it's not personal
information. But if combined with additional data, it may lead to your identification, thus qualifying
it as personal information.
This aligns with DPF’s emphasis on “reasonably identifiable” individuals in assessing the scope of
personal data.


Question 11

In the landmark case _______________ the Honourable Supreme Court of India reaffirmed the
status of Right to Privacy as a Fundamental Right under Part III of the constitution.

  • A. M. P. Sharma and others vs. Satish Chandra, District Magistrate, Delhi, and others
  • B. Maneka Gandhi vs. Union of India
  • C. Justice K. S. Puttaswamy (Retd.) and Anr. vs. Union of India And Ors
  • D. Olga Tellis vs. Bombay Municipal Corporation
Answer:

C


Explanation:
The landmark judgment in “Justice K. S. Puttaswamy (Retd.) and Anr. vs. Union of India And Ors”
delivered on August 24, 2017, reaffirmed that:
"The Right to Privacy is protected as an intrinsic part of the Right to Life and Personal Liberty under
Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution."
This case is foundational to the development of privacy jurisprudence in India and has guided the
formulation of the Indian Data Protection law.


Question 12

Which of the following wasn't prescribed as a privacy principle under the OECD Privacy Guidelines,
1980?

  • A. Openness
  • B. Security Safeguard
  • C. Data Minimization
  • D. Purpose Specification
Answer:

C


Explanation:
The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980)
defined eight core privacy principles:
  • Collection Limitation
  • Data Quality
  • Purpose Specification
  • Use Limitation
  • Security Safeguards
  • Openness
  • Individual Participation
  • Accountability
“Data Minimization” was not part of the original 1980 OECD principles. While it is a common privacy
principle today and included in modern frameworks like GDPR and DSCI's DPF, it was not part of the
original OECD set.


Question 13

Which of the following provisions of Information Technology (Amendment) Act, 2008 deal with
protection of PI or SPDI of Individuals?

  • A. Section 43A and Section 72A
  • B. Section 43A
  • C. Section 65
  • D. Section 43A and Section 65
Answer:

A


Explanation:
The Information Technology (Amendment) Act, 2008 introduced critical provisions for data
protection:
  • Section 43A: Mandates compensation for failure to protect personal data by a body corporate handling sensitive personal data or information (SPDI).
  • Section 72A: Imposes penalties for disclosure of information in breach of lawful contracts.
These two sections form the legal basis for protection of personal data under the IT Act in India.


Question 14

How are privacy and data protection related to each other?

  • A. Data protection is a subset of privacy.
  • B. Privacy is a subset of data protection.
  • C. The terms ‘privacy’ and ‘data protection’ are interchangeable.
  • D. They are unrelated.
Answer:

A


Explanation:
According to DSCI Privacy Framework and aligned literature, data protection primarily deals with the
operational and technical safeguards to ensure the confidentiality, integrity, and availability of
personal data. Privacy is a broader concept encompassing the right of individuals to control their
personal information, including legal, social, and ethical dimensions.
Thus, data protection is considered a subset or enabler of the broader right to privacy, supporting its
implementation by managing risks related to data handling and security.


Question 15

Arrange the following techniques in decreasing order of the risk of re-identification:
I) Pseudonymization
II) De-identification
III) Anonymization

  • A. I, II
  • B. III, II, I
  • C. II, III, I
  • D. All have equal risk of re-identification
Answer:

A


Explanation:
According to the DSCI Assessment Framework for Privacy (DAF-P©), the techniques for reducing
identifiability differ in their effectiveness:
  • Pseudonymization replaces identifiable fields within a data record with artificial identifiers. However, if additional information (mapping or lookup tables) exists, re-identification is possible.
  • De-identification removes or masks identifiers, but residual or quasi-identifiers may still allow re-identification under certain conditions.
  • Anonymization aims to irreversibly remove any link between the data and the identity of the subject, thus presenting the least risk of re-identification.
Therefore, when arranged in decreasing order of re-identification risk:
  • Pseudonymization (highest risk)
  • De-identification
  • Anonymization (lowest risk)
This validates option A. I, II as correct.
