Further to our Part I, this Part seeks to outline the key provisions of the first specific legislation in India that sought to address the right to privacy in respect of data protection.

Protection under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("Reasonable Security Practices Rules")

Key provisions of the Reasonable Security Practices Rules are provided below:

PERSONAL INFORMATION

The Reasonable Security Practices Rules have defined the terms 'personal information' and 'sensitive personal information' as follows:

'Personal information' means any information that relates to a natural person, which either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.1

'Sensitive personal data or information' means such personal information which consists of:

  1. Password
  2. Financial information
  3. Physical, psychological and mental health condition
  4. Sexual orientation
  5. Medical records and history
  6. Biometric information
  7. Any detail in respect of the above shared with a body corporate for providing service
  8. Any information in respect of the above received by a body corporate

Further, it has been clarified that any information that is freely available or accessible in the public domain, or furnished under the Right to Information Act, 2005 or any other law, shall not be considered sensitive personal data or information.2

SECURITY PRACTICES AND PROCEDURES TO BE ADHERED TO

1. Privacy Policy

Rule 4 of the Reasonable Security Practices Rules mandates that a body corporate, or any person who on its behalf collects, receives, possesses, stores, deals with or handles personal information, provide a privacy policy. Such privacy policy is to be published on the website of the body corporate or such other person. The privacy policy is required to state how such personal information, including sensitive personal data, is handled or dealt with, and it should be available for viewing by the persons who provide the body corporate or such other person with such data under a lawful contract.

Following should be covered in a privacy policy:

  • Clear and easily accessible statements of the practices and policies of the body corporate or such other person.
  • Type of personal or sensitive personal information or data that is collected by the body corporate or such other person.
  • Purpose of collection and the usage of such information.
  • Disclosure of such information.
  • Compliance of the body corporate or such other person with the reasonable security practices required under law, i.e. the Reasonable Security Practices Rules.

Further, under the Information Technology (Intermediary Guidelines) Rules, 2011, intermediaries are also required to publish such privacy policies for the access or usage of the intermediary's computer resource by any person.3

2. Collection and maintenance of the information

Any sensitive personal information or data can be collected or transferred by a body corporate or any other person on its behalf only after obtaining prior consent from the provider of the information with respect to the purpose for which such information is collected. When the information is collected directly from the person concerned, the body corporate shall ensure that the person concerned is aware that the information is being collected, the purpose for such collection, the intended recipients and the name and address details of the person/agency who shall be collecting and/or retaining the information. Additionally, the provider of such information should be given the option to review the information provided by him from time to time and withdraw such information at any time.4

Further, a body corporate or any other person on its behalf cannot collect any sensitive personal information unless it is collected for a lawful purpose connected with a function or activity of the body corporate or such other person. Sensitive personal information should be collected only when it is considered necessary for such purpose, and it cannot be retained for longer than is required for that purpose or is otherwise required under the law for the time being in force.5

The personal information collected may be transferred by the body corporate to any other person in India or outside India if such person ensures the same level of data protection as is adhered to by the body corporate under the Reasonable Security Practices Rules, provided that the transfer is necessary for the performance of the contract and that the provider of the information has consented to the same.6

Any grievances of the provider of the information are to be addressed by the body corporate through a grievance officer (who is required to be appointed by the body corporate) expeditiously, and in any case within 1 (one) month.

3. Disclosure of the information

The sensitive personal information that is collected by a body corporate cannot be disclosed to any third party without the prior permission of the provider of the information. The obligation not to disclose the sensitive personal information also extends to the third party that receives the information pursuant to a disclosure by the body corporate. Prior permission to disclose the information shall not be required when such disclosure has already been agreed to in a contract between the body corporate and the provider of the information. Further, if the disclosure is necessary to comply with a legal obligation, such disclosure may be made without the prior permission of the provider of the information.7

It is evident from the above that any data or information collected by a body corporate is required to be obtained and maintained in accordance with the rules. Any violation of or non-adherence to the said rules would attract the penal provisions of the Act, more particularly Sections 43A and 72A of the Act. It may be pertinent to note here that Section 72A of the Act makes the breach of privacy a criminal offence. Thus, in order to establish liability under Section 72A of the Act, the malicious intention of the person or entity disclosing the information will have to be proved. In other words, it must be established that the person or entity disclosing the information had knowledge that such disclosure would likely result in some wrongful gain or wrongful loss.

Our next post shall outline the right to data protection and an individual's right to privacy as provided under various other regulations in India.

Footnotes

1. Rule 2 (i) of the Reasonable Security Practices Rules

2. Rule 3 of the Reasonable Security Practices Rules

3. Rule 3 of the Information Technology (Intermediary Guidelines) Rules, 2011

4. Rule 5 of the Reasonable Security Practices Rules

5. Rule 5 of the Reasonable Security Practices Rules

6. Rule 7 of the Reasonable Security Practices Rules

7. Rule 6 of the Reasonable Security Practices Rules
