Thursday, March 15, 2012

Data protection laws in India relating to sensitive personal data under IT Act 2000

To ensure data privacy and security, the Government of India inserted Section 43A in the Information Technology Act 2000, so that corporates handling sensitive personal data (as defined in the rules) take adequate precautions and are subject to certain minimum obligations and liabilities even when these are not specified in the contract. For this, they framed the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (read them at http://www.mit.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf ), which give some comprehensive guidance on the subject. Rule 3 defines sensitive data, with a focus on financial/health records, with a safeguard clause that information accessible in the public domain is not considered sensitive.

3. Sensitive personal data or information.— Sensitive personal data or information of a person means such personal information which consists of information relating to;—
(i) password;
(ii) financial information such as Bank account or credit card or debit card or other payment instrument details;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) Biometric information;
(vii) any detail relating to the above clauses as provided to body corporate for providing service; and
(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:

provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.


Besides the requirement for explicit opt-in consent from the individual (which can be withdrawn at any time), a privacy policy, restrictions on sending data abroad, etc., Rule 8(3) gives a safe harbour for what reasonable safety practices mean for the purpose of these Rules:
The body corporate or a person on its behalf who have implemented either IS/ISO/IEC 27001 standard or the codes of best practices for data protection as approved and notified under sub-rule (3) shall be deemed to have complied with reasonable security practices and procedures provided that such standard or the codes of best practices have been certified or audited on a regular basis (at least annually or when significant upgradation takes place!) by entities through independent auditor, duly approved by the Central Government.

As this law applies to all companies, they had better be careful; for those not getting audited, proving good faith/due diligence will be difficult.

Sunday, March 11, 2012

Eagle Travels - exemplary 'customer service' or great disaster management?

Eagle Travels (trade name of 'Falcon Travels Pvt Ltd' - the owner seems to have a fetish for birds) was the operator through which I'd booked a 7:45pm bus from Mumbai to Ahmedabad (boarding at Sion). I got a call from them apologizing for having to delay the departure by 2hrs (guess they cancelled that bus due to poor occupancy and booked me on the next bus). Since my arrival at Ahmedabad was not that time sensitive, I decided to carry on and boarded the bus at 9:45pm, but it turned out it was a Surat-bound bus which would drop me at Borivali for an 11pm bus from there. At 10pm, the bus broke down at a signal on the Western Express highway near Vile Parle, and nearly 1hr was lost in pushing the bus, trying to repair it, etc. Mechanics and a manager came quite quickly and tried to solve the problem.

I was fretting about my connecting bus, but was assured that it would be managed. Suddenly at 11:10pm, I was taken to a Sumo in which the owner dropped me at the boarding point (while stopping at one of his shops to collect the cash and accounts!), making some small chat etc. and apologizing for the delay. After a 15min journey in AC comfort, I reached Borivali where the bus was waiting for me. When I entered it (I was allocated the same window seat), the passengers were somewhat irked, saying that the bus had waited 30min for me! (dunno what the bus driver told them). Anyways, the bus was quite comfortable (no jerks/great seats) and small things like water etc. were provided, and it reached Ahmedabad without incident and in just 9hrs.

I was quite impressed by their holding up the bus for one person (it was their fault, but perhaps they could have used some other operator..) and also by the fact that a person from their end was calling me up around 15min/30min before the scheduled boarding to confirm I'd reached. Not sure whether this is standard practice or not, but I did feel I was in competent hands and that they had a great tracking system. Taking me in the AC Sumo did do the trick and eased my mood considerably, else I'd all but decided to sue them for deficiency in service! In all, an eventful 2hrs; I lost that much of sleep, but was impressed by how they managed the whole thing.

10 reasons why I book bus tickets through Redbus

I admit it! The title was my feeble attempt at SEO optimization, but I do really love Redbus. Their customer service and sleek web interface rival my other favorite e-commerce portal (Flipkart).
  1. Easy refund: The acid test of any merchant is the ease with which they process your refund/chargeback requests. I had cancelled tickets thrice through Redbus, twice through email and once through phone, and the service was efficient, polite and prompt on all occasions.
  2. 100% effort to get passenger ratings: I get an emailed survey around 1hr after the scheduled arrival of the bus, requesting feedback on the operator and Redbus itself. This also leads to ratings you can trust, that will be uncensored, genuine and somewhat exhaustive.
  3. M-tickets: This is a new innovation, which they did not have to do, but it is very convenient. It also has the boarding point contact numbers, which can be directly dialled from the message itself.
  4. SMS before bus timing: I was quite wowed to get an SMS at 3:45pm before my 4:15pm bus, reminding me of the bus, 'from your friends at Redbus' with a smiley! Though probably not needed, it is a good way to reach out!
  5. Sleek website interface: Loads quite fast, and very user friendly. One can finish a booking in as little as 3min! No unnecessary junk/logins needed.
  6. Periodic offers: Mostly small amounts (Rs 50/100), but they amount to about 10% of the fare at times when using HDFC/ICICI debit/credit cards.
  7. Bridge to the unorganized bus sector: I do not wish to critique agents, but there is a world of difference between educated young people and the bus agents, and Redbus helps bridge the gap.
  8. Handle refund of differential fare if bus type changes: Doing this on the bus or even from the boarding point would be physically inconvenient, but Redbus can credit the amount online.
  9. Focused and loyal promoters: A venture capitalist who had funded them early on gave a talk at IIM-A recently, and mentioned that they (Redbus promoters) resisted the temptation to get into ancillary streams like travel packages, hotel bookings etc., and instead are building the bus bookings business. Also, though they now account for a significant share of revenue for many operators, especially on 'non popular' routes, they have not hiked the commission upwards.
  10. Prompt and Friendly Customer Service: I have spoken with their customer service at both Mumbai and Ahmedabad, and have got through quite fast on both occasions in evening peak time. Whether this means lack of complaints/phone service or just awesome Operations Management (remember these guys are from IIM Indore..) is something I do not know.
Keep up the good work, guys (and gals!)