The attention of Government has been drawn to news items appearing in a section of media which have commented on some aspects of the Rules framed under section 43A of the Information Technology Act, 2000.
The Department of Information Technology, Ministry of Communications & IT has clarified the position in this regard that these Rules do not provide free access to sensitive personal information. The nature and applicability of these Rules have been clearly specified. The Intent of Rules is to protect sensitive personal information and does not give any undue powers to Government agencies for free access of sensitive personal information. Wide public consultations were held before finalizing the Rules and the Rules have been duly endorsed by the Industry Association.
The Rules under section 43A cast onus on the body corporate to provide policy for privacy and disclosure of information. Any such disclosure of sensitive personal data or information by body corporate to any third party shall require prior permission from the provider of such information. The Rules provide for inherent checks-and-balances in the form: (a) that the Government agencies must have been mandated under the law to obtain such information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution and punishment of offences and (b) that any such agency receiving such information has to give an undertaking that the information so obtained shall not be published or shared with any other person. The Government Agencies are required to the follow lawful process and procedures.
Extracts from the InformationTechnology (Reasonable security practices and procedures and sensitive personaldata or information) Rules, 2011:
3. Sensitive personal data or information.” Sensitive personal data or informationof a person means such personal information which consists of information relatingto;•(i) password;(ii) financial information such as Bank account or credit card or debit card orother payment instrument details ;(iii) physical, physiological and mental health condition;(iv) sexual orientation;(v) medical records and history;(vi) Biometric information;(vii) any detail relating to the above clauses as provided to body corporate forproviding service; and(viii) any of the information received under above clauses by body corporatefor processing, stored or processed under lawful contract or otherwise:provided that, any information that is freely available or accessible in publicdomain or furnished under the Right to Information Act, 2005 or any other law for thetime being in force shall not be regarded as sensitive personal data or information forthe purposes of these rules.
4. Body corporate to provide policy for privacy and disclosure of information.” (1) Thebody corporate or any person who on behalf of body corporate collects, receives,possess, stores, deals or handle information of provider of information, shall provide aprivacy policy for handling of or dealing in personal information including sensitivepersonal data or information and ensure that the same are available for view by suchproviders of information who has provided such information under lawful contract.Such policy shall be published on website of body corporate or any person on itsbehalf and shall provide for•(i) clear and easily accessible statements of its practices and policies;(ii) type of personal or sensitive personal data or information collected under rule 3;(iii) purpose of collection and usage of such information;(iv) disclosure of information including sensitive personal data or information asprovided in rule 6;(v) reasonable security practices and procedures as provided under rule 8.
5. Collection of information.” (1) Body corporate or any person on its behalf shallobtain consent in writing through letter or fax or email from the provider of thesensitive personal data or information regarding purpose of usage before collection ofsuch information.(2) Body corporate or any person on its behalf shall not collect sensitivepersonal data or information unless •(a) the information is collected for a lawful purpose connected with a functionor activity of the body corporate or any person on its behalf; and(b) the collection of the sensitive personal data or information is considerednecessary for that purpose.(3) While collecting information directly from the person concerned, the bodycorporate or any person on its behalf shall take such steps as are, in thecircumstances, reasonable to ensure that the person concerned is having theknowledge of •(a) the fact that the information is being collected;(b) the purpose for which the information is being collected;(c) the intended recipients of the information; and(d) the name and address of •(i) the agency that is collecting the information; and(ii) the agency that will retain the information.(4) Body corporate or any person on its behalf holding sensitive personal dataor information shall not retain that information for longer than is required for thepurposes for which the information may lawfully be used or is otherwise requiredunder any other law for the time being in force..(5) The information collected shall be used for the purpose for which it hasbeen collected.(6) Body corporate or any person on its behalf shall permit the providers ofinformation, as and when requested by them, to review the information they hadprovided and ensure that any personal information or sensitive personal data orinformation found to be inaccurate or deficient shall be corrected or amended asfeasible:provided that a body corporate shall not be responsible for the authenticity ofthe personal information or sensitive personal data or information supplied by theprovider of information to such body corporate or any other person acting on behalf ofsuch body corporate.(7) Body corporate or any person on its behalf shall, prior to the collection ofinformation including sensitive personal data or information, provide an option to theprovider of the information to not to provide the data or information sought to becollected. The provider of information shall, at any time while availing the services or otherwise, also have an option to withdraw its consent given earlier to the bodycorporate. Such withdrawal of the consent shall be sent in writing to the bodycorporate. In the case of provider of information not providing or later on withdrawinghis consent, the body corporate shall have the option not to provide goods or servicesfor which the said information was sought.(8) Body corporate or any person on its behalf shall keep the informationsecure as provided in rule 8.(9) Body corporate shall address any discrepancies and grievances of theirprovider of the information with respect to processing of information in a time boundmanner. For this purpose, the body corporate shall designate a Grievance Officer andpublish his name and contact details on its website. The Grievance Officer shallredress the grievances of provider of information expeditiously but within one monthfrom the date of receipt of grievance.
6. Disclosure of information.” (1) Disclosure of sensitive personal data orinformation by body corporate to any third party shall require prior permission from theprovider of such information, who has provided such information under lawful contractor otherwise, unless such disclosure has been agreed to in the contract between thebody corporate and provider of information, or where the disclosure is necessary forcompliance of a legal obligation:Provided that the information shall be shared, without obtaining prior consentfrom provider of information, with Government agencies mandated under the law toobtain information including sensitive personal data or information for the purpose ofverification of identity, or for prevention, detection, investigation including cyberincidents, prosecution, and punishment of offences. The Government agency shallsend a request in writing to the body corporate possessing the sensitive personal dataor information stating clearly the purpose of seeking such information. TheGovernment agency shall also state that the information so obtained shall not bepublished or shared with any other person.(2) Notwithstanding anything contained in sub-rule (1), any sensitive personaldata or Information shall be disclosed to any third party by an order under the law forthe time being in force.(3) The body corporate or any person on its behalf shall not publish thesensitive personal data or information.(4) The third party receiving the sensitive personal data or information frombody corporate or any person on its behalf under sub-rule (1) shall not disclose itfurther.
7. Transfer of information.-A body corporate or any person on its behalf may transfersensitive personal data or information including any information, to any other bodycorporate or a person in India, or located in any other country, that ensures the samelevel of data protection that is adhered to by the body corporate as provided for underthese Rules. The transfer may be allowed only if it is necessary for the performance ofthe lawful contract between the body corporate or any person on its behalf andprovider of information or where such person has consented to data transfer.
8. Reasonable Security Practices and Procedures.” (1) A body corporate or aperson on its behalf shall be considered to have complied with reasonable securitypractices and procedures, if they have implemented such security practices andstandards and have a comprehensive documented information security programmeand information security policies that contain managerial, technical, operational andphysical security control measures that are commensurate with the information assetsbeing protected with the nature of business. In the event of an information securitybreach, the body corporate or a person on its behalf shall be required to demonstrate,as and when called upon to do so by the agency mandated under the law, that theyhave implemented security control measures as per their documented informationsecurity programme and information security policies.(2) The International Standard IS/ISO/IEC 27001 on Information Technology Security Techniques Information Security Management System Requirements isone such standard referred to in sub-rule (1).(3) Any industry association or an entity formed by such an association, whosemembers are self-regulating by following other than IS/ISO/IEC codes of best practices for data protection as per sub-rule(1), shall get its codes of best practicesduly approved and notified by the Central Government for effective implementation.(4) The body corporate or a person on its behalf who have implemented eitherIS/ISO/IEC 27001 standard or the codes of best practices for data protection asapproved and notified under sub-rule (3) shall be deemed to have complied withreasonable security practices and procedures provided that such standard or thecodes of best practices have been certified or audited on a regular basis by entitie sthrough independent auditor, duly approved by the Central Government. The audit ofreasonable security practices and procedures shall be carried out by an auditor atleast once a year or as and when the body corporate or a person on its behalfundertake significant upgradation of its process and computer resource.
