Organized and communicated in a coherent and meaningful manner
Data is converted into information and information is converted into knowledge.
Data protection is aimed at protecting the informational privacy of individuals
database protection protect the creativity and investment put into the compilation, verification and presentation of databases.
A database can be technically explained as machine readable compilation of information.
The world’s first computer specific statute was enacted in the form of a Data Protection Act, in the German state of Hesse, in 1970.
No specific legislation on private data or information
Data can be protected through
Constitution of India
Information technology Act 2000
Database can be protected through
Copyright Act, 1957
Information Technology Act, 2000
The Information Technology Act, 2000, Sec. 2(1)(o)
‘ data’ means a representation of information , knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed , is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.
EXISTING LEGAL FRAMEWORK FOR DATA PROTECTION IN INDIA
Indian Contract Act,1872
One firm can bind another so as to refrain from revealing data without authorization, to protect privacy of data, as well as the terms and conditions of the use and processing of data.
The Information Technology Act, 2000
(1) Section 43 deals with penalties for damage to computer, computer system etc. (2) Section 65 deals with tampering with computer source documents. (3) Section 66 deals with hacking with computer system. (4) Section 72 deals with penalty for breach of confidentiality and privacy.
IT Amendment Act, 2008
Requires all foreign corporations with offshore Indian service partners to maintain “ reasonable security practices and procedures” when handling “ sensitive personal data ”
Section 43A;Compensation for failure to protect data
Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person , such body corporate shall be liable to pay damages by way of compensation, to the person so affected.
Does not define the phrase reasonable security practices, and procedures.
Determined in the following order:
As defined between the parties by mutual agreement or
As specified in any law for the time being in force or
To be specified by the Central Government in consultation with such professional bodies or associations as it may deem fit.
Disclosure of information in breach of lawful contract
any person including an intermediary who;
while providing services under the terms of lawful contract;
has secured access to any material containing personal information about another person;
with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain;
without the consent of the person concerned, or in breach of a lawful contract;
such material to any other person; and
shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees, or with both.
Does not address the territorial applicability of these provisions. Therefore it can be safely concluded that when data is transferred outside the territories of India it gets no legal protection.
The US Position:
Safe Harbour Principles (SHP)”
To protect information and its privacy, free flow of information and to promote e-commerce.
Notice need to be given to the data subject (consumer) explaining the need to collect data
what it will be used and how will it be used, who will have access to it and how the data will be kept secured
The consumer should be provided access to data and to validate the personal information, or to rectify it, alter it or to delete any erroneous information.
Every Third Party to whom data is sent should comply with SHP.
THE UK POSITION
Data Protection Act, 1998
There should be fair and lawful processing of data.
Data Controllers should ensure that data is used only for lawful and specified purposes and should not carry out any processing which is incompatible with those purposes.
Data Controller should hold only personal data that is adequate and relevant and not excessive in relation to the purpose for which it is held
All personal data are accurate and up to date.
Personal data shall not be kept for longer than necessary for the specified purpose or purposes.
Processing of personal data should be carried out in accordance with the rights of the data subjects under the Act.
Adequate, appropriate, technical and organisational measures should be taken against unauthorised or unlawful processing and accidental loss, destruction or damage to the personal data.
Data Controllers are obligated not to transfer data to countries that do not have adequate level of data protection.
In June 2005, ‘The Sun’ newspaper claimed that one of its journalists bought personal details including passwords, addresses and passport data from a Delhi IT worker for £4.25 each.
Call-center employee in Bangalore peddling credit card information to fraudsters who stole US$398,000 from British bank accounts
The Data Security Council of India
self-regulatory initiative of NASSCOM
Enable IT companies to provide a high standard of security and data protection by adopting best practices.
Develop, monitor and enforce an appropriate security and data protection
Standard for the Indian IT industry that would be adequate
Cost effective, adaptable and comparable with global standards.
Build capacity to provide security certification for organizations.
Create a common platform to promote the sharing of knowledge about
information security and foster a community of security professionals and firms.
Create awareness among industry professionals and other stakeholders about security and privacy issues.
National Do Not Call Register
Telecom Regulatory Authority of India (TRAI) had taken steps to curb unsolicited commercial calls.
Subscribers would be called upon to register their telephone numbers free of cost.