The landmark judgment in “Justice K. S. Puttaswamy (Retd.) and Anr. vs. Union of India And Ors” delivered on August 24, 2017, reaffirmed that:

" The Right to Privacy is protected as an intrinsic part of the Right to Life and Personal Liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution. "

This case is foundational to the development of privacy jurisprudence in India and has guided the formulation of the Indian Data Protection law.

According to the DSCI Assessment Framework for Privacy (DAF-P©), the techniques for reducing identifiability differ in their effectiveness:

Pseudonymization replaces identifiable fields within a data record with artificial identifiers. However, if additional information (mapping or lookup tables) exists, re-identification is possible.

De-identification removes or masks identifiers, but residual or quasi-identifiers may still allow re-identification under certain conditions.

Anonymization aims to irreversibly remove any link between the data and the identity of the subject, thus presenting the least risk of re-identification.

Therefore, when arranged in decreasing order of re-identification risk:

Pseudonymization (highest risk)

De-identification

Anonymization (lowest risk)

This validates option A. I, II as correct.

The DSCI Assessment Framework for Privacy (DAF‑P©) outlines that the Privacy Third Party Assessment is conducted in two phases:

Initial Assessment – High-level review of privacy practices and process readiness

Detailed Assessment – In-depth evaluation of privacy implementation and evidence review

This phased approach allows assessors to identify maturity gaps early and gather comprehensive evidence in the second phase.

==============

This scenario represents a major non-conformity under DAF‑P©. Lack of detailed visibility into personal information across business functions and processes suggests a foundational weakness in the privacy program. This absence of specific knowledge impairs risk assessment, control implementation, and compliance alignment — key elements for a robust privacy framework.

While training third-party organizations is a relevant privacy governance function, it is not a primary technical or operational consideration when implementing data security solutions.

The other options (A, B, and C) directly relate to core security architecture, system-level controls, and data governance — all essential for privacy protection at a system level.

Hence, D is least likely to be considered in technical implementation.

==============

According to the DSCI Assessment Framework for Privacy (DAF-P©), risk-based prioritization is essential in planning privacy assessments. Organizations are advised to consider parameters such as the degree of harm from a potential privacy breach, the involvement of processes that handle sensitive personal data (e.g., PHI or biometrics), technology solutions that may affect privacy, and the extent of third-party involvement. These help determine the areas with high privacy risks needing immediate attention.

C (business-related IP) is typically an information security concern, not a privacy concern unless it involves personal data.

==============

All the mechanisms listed—Binding Corporate Rules (BCRs), Adequacy Decisions, and Standard Contractual Clauses (SCCs)—are recognized tools for lawful cross-border data transfers under global privacy regulations like the GDPR and are incorporated by reference into Indian privacy practices.

BCRs are internal rules adopted by multinational groups.

Adequacy Decisions are determinations that another jurisdiction provides an adequate level of data protection.

SCCs are pre-approved contract templates for data transfers.

These approaches ensure continued protection of personal data outside of national borders.

==============

According to the DSCI Assessment Framework for Privacy (DAF‑P©), the total duration for completing the assessment, from the initial kickoff to the final report submission to DSCI, must be concluded within a two-week period. This timeline ensures the assessment stays current and reflects the organization ' s real-time privacy status during certification.

==============

Pseudonymized data is defined as:

“Personal data that has been processed so that it can no longer be attributed to a specific data subject without the use of additional information.”

This definition matches exactly with the statement in the question. It is different from anonymization, where the data cannot be re-associated with an individual at all.

==============