The Information Technology (Reasonable security practices and procedures and sensitive personal information) Rules, 2011.
We Indians are very social by nature and give very little importance to “privacy”, whether it is our personal privacy or data/corporate privacy. By nature we want to share everything with everyone, be it our new crush or the “details” of our new project at work. But this causes a lot of problems in our personal as well as professional lives. For personal privacy we have no control or “law” to keep a check on what we share, but for professional privacy, especially of digital data, we have a law called “The Information Technology Act, 2000” (IT Act). Sections 43 and 43A of the IT Act focus on “data privacy”.
Sec. 43A of the IT Act, 2000 reads as follows:
“Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.
Explanation. — For the purposes of this section,—
(i) “body corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;
(ii) “reasonable security practices and procedures” means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;”
Here the law does not define what “sensitive personal data or information” is, and though an explanation of “reasonable security practices and procedures” is provided, it is too vague and open to interpretation.
Hence, to address the issue, on February 7, 2011, the Department of Information Technology published draft rules titled “The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules, 2011” in exercise of the powers conferred by Section 87(2)(ob), read with Section 43A, of the Information Technology Act, 2000.
Its features are as follows:-
Rule 3 defines sensitive personal data or information, which includes:
Information collected, received, stored, transmitted or processed by a body corporate or intermediary or any person, consisting of:-
(ii) user details as provided at the time of registration or thereafter,
(iii) information related to financial information such as Bank account / credit card / debit card / other payment instrument details of the users,
(iv) Physiological and mental health condition,
(v) Medical records and history,
(vi) Biometric information,
(vii) Information received by body corporate for processing, stored or processed under lawful contract or otherwise,
(viii) Call data records.
Provided that information available under the Right to Information Act or any other law shall not be treated as sensitive personal data or information.
Such policy shall provide for:-
(i) Type of personal or sensitive information collected under sub-rule (ii) of rule 3;
(ii) Purpose, means and modes of usage of such information;
(iii) Disclosure of information as provided in rule 6.
As per Rule 5, a person or body corporate collecting information shall state the purpose of and necessity for collecting the information. Moreover, while collecting information directly from the individual concerned, the body corporate or any person shall take such steps as are, in the circumstances, reasonable to ensure that the individual concerned is aware of:-
(a) the fact that the information is being collected,
(b) the purpose for which the information is being collected,
(c) the intended recipients of the information, and
(d) the name and address of :-
(i) the agency that is collecting the information, and
(ii) the agency that will hold the information.
Hence, as per this rule, all companies that outsource their work are under a legal obligation to disclose information about the outsourcing companies to the concerned providers of the information.
The rule also provides that companies or persons holding sensitive personal information shall not keep that information for longer than the purposes for which it is held require.
A body corporate or any person shall also give the provider of the information the option to opt in or opt out.
Rule 6 provides for the manner in which information should be disclosed to a third party.
It also provides that Government agencies can collect sensitive personal data or information for the purpose of verification of identity, or for the prevention, detection, investigation, prosecution and punishment of offences, provided that the Government also states that the information so obtained will not be published or shared with any other person.
Rule 7 provides the technical requirements for the protection of sensitive personal information, i.e. what constitutes “Reasonable Security Practices and Procedures”.
It provides that the International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements” has been adopted by the country. Any person or body corporate that implements the said security standard is deemed to have implemented reasonable security practices and standards. The rule also requires a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures commensurate with the information assets being protected, in order to be deemed to have complied with reasonable security practices and standards.
Any industry association or cluster following codes of best practice for data protection other than IS/ISO/IEC 27001 shall get their codes approved and notified by the Government.
These draft rules were open to public suggestions till Feb 28, and the deadline is now over. This means that India will now have its own law defining what “personal information” is and what security practices should be adopted for its protection. All said and done, this law also has many shortcomings, which hopefully will get sorted out in due course of time.