Reasonable security practices and procedures and sensitive personal data or information
Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011
We can not imagine our lives without computers, laptops, mobiles, internet and other gadgets which facilitate us to acquire/share knowledge and help us to be effective communicators. This the positive side of the technology. There is also negative side of technology which is becoming a source for committing cyber crimes such as hacking of computers, stealing of pass words, confidential data, etc. Although Information Technology Act,2000 (ITAct) provides for certain safeguards for data protection and to prevent misuse of data etc., there are still some grey areas which always necessitate changes in the Act or framing of new rules. The focus of this article is on the new rules called “ Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 and their implication.
Background to New Rules:
Section 43 A of IT Act 2000 applies to all bodies corporate which handle sensitive personal information or data in a computer resource. This section provides that if a body corporate is negligent in implementing and maintaining reasonable security practices and procedures and causes loss or gain to any other person, it shall be liable to pay damages to the person affected. It further says that sensitive personal information or data shall be prescribed by the Central Government in consultation with professional bodies or association. However till recently the same has not been notified by the central government. The leakage of credit card number by an Indian BPO Firm prompted the Government to frame and publish the Rules in order to prevent such happenings in future.
Effective date of New rules:
On 11th April 2011, Department of Information and Technology vide notification no. G.S.R. 313(E) notified these Rules 2011. The main objective of these Rules is to ensure protection to sensitive personal data or information provided by individuals to bodies corporate and to prevent its misuse.
Let us examine the implication of Rules on bodies corporate which collect sensitive personal date or information..
What is Sensitive personal data or information ?
The most important aspect of the new rules is that Sensitive personal data or information has been defined by Rule 3. Sensitive personal data or information of a person means such personal information which consists of information relating to;—
I. password;
II. financial information such as Bank account or credit card or debit card or other payment instrument details ;
III. physical, physiological and mental health condition;
IV. sexual orientation;
V. medical records and history.
VI. Biometric information;
VII. any detail relating to the above clauses as provided to body corporate for providing service; and
VIII. any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:
However information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.
Privacy Policy to be published on Website:
Every body corporate or any person who on behalf of the body corporate collects, receives, possess, stores, deals or handles data shall provide a privacy policy for handling of or dealing in sensitive personal information. And such policy should be published on web site of the body corporate and must be available for view by provider of information.
The web privacy policy must disclose the following:
· Type of personal or sensitive information collected
· Objective of collection of personal sensitive information and type of information collected and its purpose and usage
· Method used and manner of storing data collected
· Safety procedures, system checks followed for storing and protection of data
· Method and manner of Disclosure of sensitive personal information to any third party is made
· Grievance redressal procedure
Method and manner of Collection of information
Rule 5 lays conditions for collection of information:
· It requires body corporate or any person on its behalf to obtain consent of the provider of information through fax or e-mail before collection of information.
· Option should be given to the person to give or not give personal sensitive information and also option to withdraw his consent.
· Personal sensitive information shall not be collected unless such collection is necessary for a lawful purpose
· It shall be used only for the purpose for which it is collected.
· Body corporate shall appoint a grievance officer
Prohibition on Disclosure of Information to 3rd parties
The new rules provide that disclosure of any sensitive personal information to any third party shall require prior permission of the provider of information. However an exception has been made to provide the information in case the government agency requires it for the purpose of investigation of any cyber crimes. But the Government in such cases shall state that it shall not publish or share it with any other person.
Prohibition on Sharing of Information
There is a prohibition of transfer of sensitive personal information and other data to any other body corporate or a person in India or abroad. Transfer or sharing with other body corporate is permitted provided the other body corporate in the following cases:-
· The receiver has the same level of data protection as that of body corporate and
· Transfer of data is necessary for performance of the lawful contract.
What is reasonable security practices and procedures ?
Rule 8 clarifies that it will be deemed that requirement of reasonable security practices and procedures have been complied with, if the body corporate follows IS/ISO/IEC 27001 standards . Body corporate which follow their own codes of best practices for data protection shall have to get its codes and practice duly approved by notified by the central government for effective implementation.
Conclusion
Even though the IT Act 2000 contains Section 43-A (compensation for failure to provide data safety measures), Section 65(tampering with computer source), Section 66(punishment for hacking), these Rules give clarity in some areas which is earlier was unaddressed. A cursory reading of the rules gives an impression that these Rules are applicable to body corporatea (BPOs /Web companies) which collect data through their web sites. But there are organisation which collect sensitive personal information in physical form from their customers, dealers, employees for lawful purpose or meeting the business obligations. Later on these data and information mostly converted into electronic form and stored in Computer floppies or discs, other storage media. The author is of the view such companies also come under the obligation to comply with the above Rules. It would be prudent frame a web policy and display on Body corporate’s website and comply with the rules in letter and spirit to avoid likely violation and penalty under section 43-A of IT Act,2000.
Author: G.S.Rao, Chief Manager Legal (OCL India Limited)
About Author:
My full name is Rao Gedela Sasibhushana. I am working as Chief Manager (Legal) in a well known cement manufacturing company in Orissa.