May 25, 2011
On April 11, 2011, the Ministry of Communications and Information Technology (Department of Information Technology), Government of India ("IT Ministry"), issued the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 ("Data Privacy Rules"). The new Data Privacy Rules require "body corporates" to observe certain standards in the collection, maintenance and disclosure of "sensitive personal data or information".
On February 5, 2009, India’s Parliament amended the Information Technology Act, 2000 ("IT Act") and, inter alia, inserted Section 43A into the IT Act. Section 43A of the IT Act requires a body corporate that possesses, deals with or handles any "sensitive personal data or information" in a computer resource which it owns, controls or operates, to maintain "reasonable security practices and procedures". A body corporate which is negligent in doing so and which consequently causes wrongful loss or wrongful gain to any person must pay damages by way of compensation to the affected person. However, the terms "sensitive personal data or information" and "reasonable security practices and procedures" were not sufficiently defined by the IT Act, and the task of defining these terms was delegated to the Central Government. The new Data Privacy Rules have been issued by the IT Ministry under Section 43A of the IT Act.
Sensitive Personal Data
The Data Privacy Rules give the term "sensitive personal data or information" an exhaustive definition. The term now refers, inter alia, to the following:
(b) Financial information (details relating to bank accounts, credit cards, debit cards, or other payment instruments),
(c) Physical, physiological and mental health conditions,
(d) Sexual orientation,
(e) Medical records and history,
(f) Biometric information.
Collection of Information
Broadly speaking, a body corporate must observe the following standards while collecting sensitive personal data or information:
Disclosure of Information
Sensitive personal data or information can only be disclosed to a third party if prior consent has been obtained from the provider, unless otherwise agreed in the contract between parties, or unless otherwise required by law. Sensitive personal data or information cannot be published by the body corporate.
Reasonable Security Practices and Procedures
A body corporate which has adopted the international standard IS/ISO/IEC 27001 on "Information Technology — Security Techniques — Information Security Management System — Requirements" is deemed to have complied with its obligation to observe "reasonable security practices and procedures". Alternatively, if an industry association does not follow IS/ISO/IEC codes of best practices for data protection, a body corporate that complies with a code of best practice approved and notified by the Central Government will also be deemed to have complied with its obligation to observe "reasonable security practices and procedures". In both cases, the observance of best practices must be certified or audited on an annual basis by an independent auditor approved by the Central Government.
A body corporate will also be considered to have satisfied its obligation to observe "reasonable security practices and procedures" if it has demonstrably implemented a comprehensive documented information security program that contains managerial, technical, operational and physical security control measures commensurate with the information assets being protected, in keeping with the nature of the business.
A body corporate must maintain a policy for dealing not merely with "sensitive personal data or information", but also with "personal information". The term "personal information" means any information that relates to a natural person which is capable of identifying such person (either by itself or in conjunction with other information likely to be available to the body corporate). The policy must be published on the body corporate’s website.
© 2011 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.