Reasonable security practices and procedures and sensitive personal data or information

Posted in: Computer laws
Sat, May 12, 18, 11:44
Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011


We cannot imagine our lives without computers, laptops, mobiles, the internet and other gadgets which enable us to acquire and share knowledge and help us to be effective communicators. This is the positive side of technology. There is also a negative side, as technology is becoming a means for committing cyber crimes such as hacking of computers, stealing of passwords, theft of confidential data, etc. Although the Information Technology Act, 2000 (IT Act) provides certain safeguards for data protection and against misuse of data, there are still grey areas which necessitate changes in the Act or the framing of new rules. The focus of this article is on the new rules called the "Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011" and their implications.

Background to New Rules:
Section 43A of the IT Act 2000 applies to all bodies corporate which handle sensitive personal information or data in a computer resource. This section provides that if a body corporate is negligent in implementing and maintaining reasonable security practices and procedures, and thereby causes wrongful loss or wrongful gain to any person, it shall be liable to pay damages to the person affected. It further says that sensitive personal information or data shall be prescribed by the Central Government in consultation with professional bodies or associations. However, until recently this had not been notified by the Central Government. The leakage of credit card numbers by an Indian BPO firm prompted the Government to frame and publish the Rules in order to prevent such incidents in future.

Effective date of New rules:
On 11th April 2011, the Department of Information Technology, vide notification no. G.S.R. 313(E), notified these Rules 2011. The main objective of these Rules is to ensure protection of sensitive personal data or information provided by individuals to bodies corporate and to prevent its misuse.

Let us examine the implications of the Rules for bodies corporate which collect sensitive personal data or information.

What is Sensitive personal data or information?
The most important aspect of the new rules is that sensitive personal data or information has been defined by Rule 3. Sensitive personal data or information of a person means such personal information which consists of information relating to:
I. password;
II. financial information such as bank account or credit card or debit card or other payment instrument details;
III. physical, physiological and mental health condition;
IV. sexual orientation;
V. medical records and history;
VI. biometric information;
VII. any detail relating to the above clauses as provided to a body corporate for providing service; and
VIII. any of the information received under the above clauses by a body corporate for processing, stored or processed under lawful contract or otherwise.

However, information that is freely available or accessible in the public domain, or furnished under the Right to Information Act, 2005 or any other law for the time being in force, shall not be regarded as sensitive personal data or information for the purposes of these Rules.

Privacy Policy to be published on Website:
Every body corporate, or any person who on behalf of the body corporate collects, receives, possesses, stores, deals in or handles data, shall provide a privacy policy for handling of or dealing in sensitive personal information. Such policy should be published on the website of the body corporate and must be available for viewing by the provider of the information.

The web privacy policy must disclose the following:
· Type of personal or sensitive information collected
· Purpose of collection of sensitive personal information and the usage to which it will be put
· Method and manner of storing the data collected
· Safety procedures and system checks followed for storing and protecting the data
· Method and manner in which sensitive personal information is disclosed to any third party
· Grievance redressal procedure

Method and manner of Collection of information
Rule 5 lays down conditions for collection of information:
· It requires the body corporate, or any person on its behalf, to obtain consent of the provider of information through fax or e-mail before collection of information.
· The person should be given the option to give or not give sensitive personal information, and also the option to withdraw his consent.
· Sensitive personal information shall not be collected unless such collection is necessary for a lawful purpose.
· It shall be used only for the purpose for which it is collected.
· The body corporate shall appoint a grievance officer.

Prohibition on Disclosure of Information to 3rd parties
The new Rules provide that disclosure of any sensitive personal information to any third party shall require the prior permission of the provider of information. However, an exception has been made where a government agency requires the information for the purpose of investigation of any cyber crime. In such cases the government agency shall state that it shall not publish or share the information with any other person.

Prohibition on Sharing of Information
Transfer of sensitive personal information and other data to any other body corporate or person, in India or abroad, is prohibited. Transfer or sharing with another body corporate is permitted only in the following cases:

· the receiver ensures the same level of data protection as that of the body corporate; and
· the transfer of data is necessary for the performance of a lawful contract.

What are reasonable security practices and procedures?

Rule 8 clarifies that the requirement of reasonable security practices and procedures will be deemed to have been complied with if the body corporate follows the IS/ISO/IEC 27001 standard. A body corporate which follows its own code of best practices for data protection shall have to get its code and practices duly approved and notified by the Central Government for effective implementation.

Conclusion
Even though the IT Act 2000 already contains Section 43A (compensation for failure to provide data safety measures), Section 65 (tampering with computer source documents) and Section 66 (punishment for hacking), these Rules give clarity in some areas which were earlier unaddressed. A cursory reading of the Rules gives the impression that they apply only to bodies corporate (BPOs / web companies) which collect data through their websites. But there are organisations which collect sensitive personal information in physical form from their customers, dealers and employees for lawful purposes or for meeting business obligations. Later on, these data and information are mostly converted into electronic form and stored on computer floppies, discs or other storage media. The author is of the view that such companies also come under the obligation to comply with the above Rules. It would be prudent to frame a web privacy policy, display it on the body corporate's website and comply with the Rules in letter and spirit, to avoid likely violation and penalty under Section 43A of the IT Act, 2000.

Author: G.S.Rao, Chief Manager Legal (OCL India Limited)

About Author:
My full name is Rao Gedela Sasibhushana. I am working as Chief Manager (Legal) in a well-known cement manufacturing company in Orissa.
