Thursday, March 15, 2012

Data protection laws in India relating to sensitive personal data under IT Act 2000

To ensure data privacy and security, the Government of India inserted Section 43A into the Information Technology Act 2000 (through the 2008 amendment to the Act). Its purpose is to make bodies corporate that handle sensitive personal data (as defined in the rules) take adequate precautions, and to subject them to certain minimum obligations and liabilities even where the contract is silent. Under this section the Government framed the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (read them at
http://www.mit.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf ), which give fairly comprehensive guidance on the subject. Rule 3 defines sensitive personal data, with a focus on passwords, financial, health and biometric records, and carves out information that is already accessible in the public domain:

3. Sensitive personal data or information.— Sensitive personal data or information of a person means such personal information which consists of information relating to;—
(i) password;
(ii) financial information such as Bank account or credit card or debit card or other payment instrument details;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) Biometric information;
(vii) any detail relating to the above clauses as provided to body corporate for providing service; and
(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:

provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.


Besides the requirements for explicit opt-in consent from the individual (which can be withdrawn at any time), a published privacy policy, restrictions on transferring data abroad and so on, Rule 8 lays down what "reasonable security practices and procedures" means for the purpose of these Rules, and Rule 8(4) gives a safe harbour (the text of the Rules calls the approved codes of practice those "notified under sub-rule (3)", so the deeming provision itself is sub-rule (4)):

The body corporate or a person on its behalf who have implemented either IS/ISO/IEC 27001 standard or the codes of best practices for data protection as approved and notified under sub-rule (3) shall be deemed to have complied with reasonable security practices and procedures provided that such standard or the codes of best practices have been certified or audited on a regular basis by entities through independent auditor, duly approved by the Central Government.

The same sub-rule fixes the audit frequency: at least once a year, or whenever the body corporate undertakes a significant upgradation of its processes or computer resources. Note that ISO/IEC 27001 certification on its own is not the safe harbour; the standard (or the notified code of practice) must actually be implemented and then audited by a Central Government approved auditor.

Since Section 43A applies to every body corporate that handles sensitive personal data in a computer resource it owns, controls or operates, companies had better be careful: for those that are not implementing a recognised standard and getting audited, proving good faith and due diligence after a breach will be difficult.
