In April 2011, the Ministry of Communications and Technology has published rules implementing certain provisions of the Information Technology Act, 2008 that deal with the protection of sensitive personal data and security procedures and practices that must be followed by organisations dealing with sensitive personal data
A primary concern which the top management of an entity has to grapple with while outsourcing work to India is with regards to data security. It is evident that data security breaches may not only result in losing umpteen dollars apart from losing of the sensitive data but also the trust of the client. Data security is as essential aspect of the BPO industry.
At present, there is no specific legislation dealing with Data Protection in India. However, India maintains a comprehensive legal framework that deals with data protection. The jurisprudence in relation to data security may indeed be sourced from the Constitution of India. Article 21 of the Constitution of India states that no person shall be deprived of his life or personal liberty except according to the procedures established by law. Judicial Activism has led to the inclusion of privacy among Fundamental Rights. Further, Hon’ble Supreme Court has on various occasions held that personal liberty means a life free from encroachments unsustainable in law. Any unlawful invasion of privacy would make the offender liable to consequences in accordance with the law.
The Indian Penal Code does not specifically address the issues with respect to breach of data privacy. Under the Indian Penal Code, the liability for such breaches must be inferred from related crimes. Section 403 of the Indian Penal Code imposes criminal liability for dishonest misappropriation or conversion of movable property for one’s own use.
Section 43 of the Information Technology Act foresees civil liability in case of data, computer data based theft and may cover computer trespass, unauthorised digital copying, downloading and extraction of data, computer database or information, theft of data held or stored in media, unauthorised transmission of data or program residing within a computer, computer system or computer network, use of spyware etc is not legally permissible. Further, section 72 of the Act states that any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register etc. to any person shall be punished with imprisonment for a term, which may extend to two years or with a fine which may extend to '1 lakh or with both.
At present, there is no specific legislation dealing with Data Protection in India. However, India maintains a comprehensive legal framework that deals with data protection
Companies, primarily the BPO/ Call Centres are making use of the contract laws to secure the data that is circulated within organisations. Agreements such as non circumvention and non disclosure agreements, user license agreements etc. are entered into by them. BPO companies are also using various processes which set out various standards of information security management that restrict the quantity of data that can be made available to the employees of call centres.
Data compilation, being an aspect of copyright laws, the Indian Copyright Act prescribes for punishment in case of an infringement. Further, Section 63B of the Indian Copyright Act provides that any person who unknowingly makes use on a computer of an infringing copy of a computer program shall be punishable for a minimum period of six months and a maximum of three years in prison.
It is pertinent to mention that on April 11, 2011, the Ministry of Communications and Technology published rules implementing certain provisions of the Information Technology Act, 2008 dealing with protection of sensitive personal data and the security practices and procedures which must be followed by organisations dealing with sensitive personal data. The said rules also known as “Data Privacy Rules” refer consistently to ‘sensitive personal data or information’. By personal information, we mean any information that relates to a natural person, which either directly or indirectly, in combination with other information available or likely to be available within a body corporate, is capable of identifying such person.
As per the Data Privacy Rules, Sensitive Data defined as personal information which relates to:
Financial information such as Bank account or credit card or debit card or other payment instrument details;
Physical, psychological and mental health condition;
Medical records and history;
Any detail relating to (a) – (f) above received by the body corporate for provision of services; or
Any information relating to (a) – (g) that is received, stored or processed by the body corporate under a lawful contract or otherwise.
Sensitive Data is broadly defined to include data obtained by any method, including lawful contract. It is to be noted that any information which is freely available, accessible in the public domain, or furnished under the Right to Information Act, is excluded from the ambit of the above definition.
Body Corporate has been defined as any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities. The term ‘body corporate’ is not restricted to a ‘body corporate’ established in India but includes a foreign body corporate, an issue of pertinence in the IT-BPO industry. Furthermore, application of the Rules is not limited to Sensitive Data belonging to Indian residents.
The Data Privacy Rules state that prior to collection of Sensitive Data, the body corporate or the Data Processor must obtain prior written consent (by letter, fax or email) from the prospective Provider, regarding the purpose of usage of such data. Further, Sensitive Data must not be collected unless it is for lawful purpose connected with a function of the body corporate, or the Data Processor, and the collection is necessary for that purpose.
While collecting Sensitive Data directly from the Provider, the body corporate or the Data Processor must ensure that the Provider is informed about the following:
(i)the fact that Sensitive Data is being collected;
(ii)the purpose for which it will be used;
(iii)who the intended recipients are;
(iv)which agency is collecting, and
(v)which agency will be retaining, the Sensitive Data.
The Data Privacy Rules state that prior to collection of Sensitive Data, the body corporate or the Data Processor must obtain prior written consent (by letter, fax or email) from the prospective Provider, regarding the purpose of usage of such data
Further, prior to collection of Sensitive Data, the corporation or the Data Processor must ensure that the Provider is given the option of declining to provide the Sensitive Data. A Provider who has already consented to the collection of the Sensitive Data must be able to communicate a withdrawal of consent, in writing, at any time. The Data Privacy Rules however do not detail procedures to be followed by the Provider in exercising his right to access the data.
The Data Privacy Rules implement section 43A of the IT Act. They imply that under section 43A, a body corporate that possesses, deals with or handles Sensitive Data in a computer resource is liable to pay compensation if it is negligent in implementing and maintaining reasonable security practices and procedures and such negligence results in wrongful loss or wrongful gain to any person.
The IT Act does not however, provide for specific penalties for breach of obligations under the Data Privacy Rules relating to ollection, processing, disclosure or transfer of Sensitive Data. Under section 72A of the IT Act, a person who is providing services under a lawful contract, may be liable to imprisonment for a term of up to 3 years or a fine up to '5,00,000 (Rupees Five Lakhs) for disclosure of personal information of any individual: (a) with the intent to cause, or knowing that he is likely to cause, wrongful loss or wrongful gain; and (b) without the consent of such individual, or in breach of lawful contract.
The IT Act does not define ‘personal information’. It is however defined in the context of Sensitive Data under the Data Privacy Rules (that implements 43A of the IT Act).
The National Association of Service & Software Companies ("NASSCOM") is India’s national information technology trade group and has been the driving force behind many private sector efforts to improve data security. For example, NASSCOM has created a National Skills Registry which is a centralised database of employees of the IT and BPO (Business Process Outsourcing) industries. This database is for verification (with independent background checks) of the human resources within the industry. Further, a self regulatory organisation has been launched which will establish, monitor and enforce privacy and data protection standards for India’s BPO industry. The organisation has already completed its initial round of funding and the final rollout phase including industry membership is underway.
Disclaimer – The views expressed in this article are the personal views of the author and are purely informative in nature.