Data Privacy Rules Enacted in India

May 25, 2011

On April 11, 2011, the Ministry of Communications and Information Technology (Department of Information Technology), Government of India ("IT Ministry"), issued the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 ("Data Privacy Rules"). The new Data Privacy Rules require "body corporates"[1] to observe certain standards in the collection, maintenance and disclosure of "sensitive personal data or information".

Background 

On February 5, 2009, India’s Parliament amended the Information Technology Act, 2000 ("IT Act") and, inter alia, inserted Section 43A into the IT Act. Section 43A of the IT Act requires a body corporate that possesses, deals with or handles any "sensitive personal data or information" in a computer resource which it owns, controls or operates, to maintain "reasonable security practices and procedures". A body corporate which is negligent in doing so and which consequently causes wrongful loss or wrongful gain to any person, must pay damages by way of compensation to the affected person. However, the terms "sensitive personal data or information", and "reasonable security practices and procedures" were not sufficiently defined by the IT Act, and the task of defining these terms was delegated to the Central Government. The new Data Privacy Rules have been issued by the IT Ministry under Section 43A of the IT Act. 

Sensitive Personal Data

The Data Privacy Rules give the term "sensitive personal data or information" an exhaustive definition. The term now refers, inter alia, to the following[2]:  

(a)    Passwords,

(b)   Financial information (details relating to bank accounts, credit cards, debit cards, or other payment instruments),

(c)    Physical, physiological and mental health conditions,

(d)   Sexual orientation,

(e)    Medical records and history,

(f)    Biometric information. 

Collection of Information 

Broadly speaking, a body corporate must observe the following standards while collecting sensitive personal data or information:

• Informed Consent: A body corporate must inform a "provider" of sensitive personal data or information of the purpose for which the data will be used, and must obtain the provider’s consent. Consent may be withdrawn in writing.
• Lawful Purpose: Sensitive personal data or information cannot be collected except for a lawful purpose, one that is related to a function or activity carried out by the body corporate. The information must only be collected and used for that purpose.
• Knowledge: A body corporate which collects information directly from the "person concerned", must ensure that the person knows: (i) the fact that the information is being collected, (ii) the purpose for which the information is being collected, (iii) the intended recipients of the information, (iv) the name and addresses of the agency that is collecting the information and the agency which will retain the information.
• Retention: The information can only be retained for as long as is required for the purpose for which the information has been collected.
• Review: Providers of information must be given an opportunity to review the information, and inaccuracies and deficiencies must be corrected as feasible.

Disclosure of Information 

Sensitive personal data or information can only be disclosed to a third party if prior consent has been obtained from the provider, unless otherwise agreed in the contract between parties, or unless otherwise required by law. Sensitive personal data or information cannot be published by the body corporate.  

Reasonable Security Practices and Procedures

A body corporate which has adopted the international standard IS/ISO/IEC 27001 on "Information Technology — Security Techniques — Information Security Management System — Requirements" is deemed to have complied with its obligation to observe "reasonable security practices and procedures". Alternatively, if an industry association does not follow IS/ISO/IEC codes of best practices for data protection, a body corporate that complies with a code of best practice approved and notified by the Central Government will also be deemed to have complied with its obligation to observe "reasonable security practices and procedures". In both cases, the observance of best practices must be certified or audited on an annual basis by an independent auditor approved by the Central Government.

A body corporate will also be considered to have satisfied its obligation to observe "reasonable security practices and procedures" if it has demonstrably implemented a comprehensive documented information security program that contains managerial, technical, operational and physical security control measures commensurate with the information assets being protected, in keeping with the nature of the business.  

A body corporate must maintain a policy for dealing not merely with "sensitive personal data or information", but also with "personal information". The term "personal information" means any information that relates to a natural person which is capable of identifying such person (either by itself or in conjunction with other information likely to be available to the body corporate). The policy must be published on the body corporate’s website.

[1]   "Body corporate" means any company and includes a firm, sole proprietorship or any other association of individuals engaged in commercial or professional activities.

[2]   However, information that is in the public domain, or available under the Right to Information Act, 2005, is excluded from the ambit of the definition.