It's Time To Be Compliant

Update: 2014-05-07 02:28 GMT

...with the Rules which are but a baby step towards the achievement of the mammoth task of "data privacy" and "data protection"

News Headlines

    • "Website of a multinational internet corporation reportedly hacked and more than 453,000 login credentials stolen"
    • "Network of a major video game company reportedly intruded and details from approximately 77 million accounts stolen"
    • "Website of a major news channel reportedly hacked and stole personal details published on a file sharing website"

With uncontrolled growth in internet usage and an enormous amount of data being transmitted at the click of a button, Indian regulators have woken up to the concepts of "data privacy" and "data protection". These concepts were given focussed attention through provisions such as Section 43-A (compensation for failure to protect data) and Section 72-A (punishment for disclosure of information in breach of lawful contract) of the Information Technology Act, 2000 ("Act"). Section 43-A of the Act concentrates on compensation for negligence in implementing and maintaining "reasonable security practices and procedures" in relation to "sensitive personal data or information", and Section 72-A of the Act spells out punishment for disclosure of "personal information" in breach of lawful contract or without the information provider's consent.

Reasonable Security Practices and Procedures


Section 43-A of the Act defines "reasonable security practices and procedures" to mean security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force...


Distinction between Section 43-A and Section 72-A of the Act

Liability on
    • Section 43-A: Body corporate
    • Section 72-A: Any person

Information involved
    • Section 43-A: Sensitive personal data or information
    • Section 72-A: Personal information

Procurement of the information
    • Section 43-A: Possessing, dealing or handling, in any manner
    • Section 72-A: Procured whilst providing services under the terms of a lawful contract

Offence
    • Section 43-A: Negligence in implementing and maintaining "reasonable security practices and procedures", thereby causing wrongful loss or wrongful gain
    • Section 72-A: Disclosure of "personal information" to another person without the consent of the person concerned or in breach of a lawful contract

Mens rea (criminal intention or knowledge)
    • Section 43-A: Not applicable
    • Section 72-A: Element of mens rea should be present

Penalty
    • Section 43-A: Damages
    • Section 72-A: Imprisonment for a term which may extend to three years, or a fine which may extend to INR 0.5 million, or both



With the advent of Section 43-A of the Act, business houses started taking a re-look at their contractual arrangements to ensure that commensurate data security practices and procedures are put in place and such practices and procedures are well documented in the agreements they enter into.


On 13th April, 2011, the Ministry of Communications and Information Technology ("MCIT") notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("Rules").


The Rules stipulated that the requirement of maintaining "Reasonable Security Practices and Procedures" would be satisfied if a body corporate implements security practices and standards and has comprehensive, documented "information security programmes and policies" that are commensurate with the information assets being protected.


The Rules set out that the International Standard IS/ISO/IEC 27001 relating to "Information Technology-Security Techniques-Information Security Management System-Requirements" is one such standard ("Stipulated Standard") which could be implemented by a body corporate. If an industry association or similar body follows standards other than the Stipulated Standard for data protection, it needs to get its codes of practice ("Codes") approved and notified by the Central Government.

The Rules also state that body corporates which have implemented the Stipulated Standard or the Codes need to get the same certified or audited by independent auditors approved by the Central Government. This audit has to be carried out by such an auditor at least once a year, or as and when there is a significant upgrade of processes and computer resources.

Sensitive Personal Data or Information

The Rules identify the following personal information as Sensitive Personal Data or Information ("SPDI"):

    • Passwords;
    • Financial information such as bank account or credit card or debit card or other payment instrument details;
    • Physical, physiological and mental health condition;
    • Sexual orientation;
    • Medical records and history;
    • Biometric information;
    • Any detail relating to the above as provided to a body corporate for providing service; and
    • Any information received under the above by a body corporate for processing, stored or processed under lawful contract or otherwise.

Personal Information


The Rules also define "Personal Information" as information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such a person.

Press Note of 24th August, 2011


Though the Rules were promulgated to codify the imminent requirements of "data privacy" and "data protection", their language gave rise to certain interpretational issues and ambiguities. Divergent interpretations of the Rules started putting business houses in difficulty and exposed them to the danger of non-compliance.


On 24th August, 2011, the MCIT released a press note ("Press Note") which clarified a number of provisions of the Rules. Among others, the Press Note clarified that the Rules relate to SPDI and are applicable to the body corporate (i.e. organisation) or any person located in India. The Press Note exempted outsourcing companies in India from the provisions of collection and disclosure, as set out under the Rules. Though the Press Note did not provide answers to all the open issues, it was hailed as a welcome step by business houses.

Other Requirements under the Rules


In the backdrop of the legislative developments elaborated above, it will be helpful to now take a look at the requirements under the Rules.


Collection of SPDI


The Rules provide that a body corporate should obtain prior consent from the information provider regarding purpose of usage of the SPDI. The information should be collected only if required for a lawful purpose connected with functioning of the body corporate and if collection of such information is necessary. The body corporate is also required to take reasonable steps to ensure that the information provider knows that the information is being collected, the purpose of collecting such information, the intended recipients and the name and address of the agency collecting and retaining the information. The information should be used only for the purpose for which it is collected and should not be retained for a period longer than required.


The body corporate is required to permit the information provider to review/amend the SPDI and give an option to withdraw consent at any time, in relation to the information so provided. In case of withdrawal of consent, the body corporate has the option not to provide the goods or services for which the concerned information was sought.


Transfer of SPDI


A body corporate may transfer SPDI to another body corporate, located anywhere, which ensures the same level of data protection that the transferring body corporate adheres to under the Rules. However, the transfer is permitted only if it is necessary for the performance of a lawful contract between the body corporate and the information provider, or where the information provider has consented to the transfer.


Disclosure to Third Party


Apart from applicable legal obligations or information sought by governmental agencies, a body corporate is required to obtain permission from the information provider, prior to disclosure of such information to a third party, unless such disclosure has been agreed to in a contract between the parties.

Privacy Policy


The Rules require that a body corporate handling SPDI shall provide a privacy policy. Such a privacy policy should contain details such as:

    • Type of information collected
    • Purpose for collection of information
    • Disclosure policy
    • Security practices and procedures followed, etc.

The privacy policy is required to be made available to information providers and is required to be clearly published on the website of the body corporate.


Grievance Officer


The Rules stipulate that a body corporate is required to designate a grievance officer to address grievances of its information providers and should publish the name and contact details of such a grievance officer on its website. The grievance officer is required to redress the grievances within one month of receipt of complaint.

Conclusion


Though the concepts of "data privacy" and "data protection" are at a nascent stage in India, business houses have started acknowledging their importance. The risk and actual instances of misuse of data have resulted in heightened attention towards these aspects and businesses have started aligning themselves with the law steadily.


It is clear that framers of the Rules have attempted to adopt ideas from jurisdictions which have longstanding and mature data protection regulations. However, the Rules are only an initial step towards achievement of the mammoth task of "data privacy" and "data protection". It is only through rigorous self-governance by industries and stringent implementation of the law by the regulator that we can expect "data privacy" and "data protection" to be a reality. It is time to be compliant for our own benefit.

Disclaimer - The views of the author are personal, and should not be considered as those of the firm.
