Reasonable Security Practices And Procedures And Sensitive Personala 24 06 2011 Avantha
REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION RULES, 2011 Under The (Indian) Information Technology Act, 2000 By Vijay Pal Dalmia, Advocate Partner & Head of Intellectual Property & Information Technology Laws Practice
INFORMATION TECHNOLOGY ACT, 2000 Enacted in the year 2000 and was implemented w.e.f. 17th October, 2000. Important features of this Act : Recognition to e-transactions, digital signatures, electronic records etc. and also recognise their evidentiary value. Lists out various computer crimes which are technological in nature. However, this Act, originally, did not contain any provision for data protection.
THE INFORMATION TECHNOLOGY (AMENDMENT) ACT, 2008 The IT Act, 2002 was amended in the year 2008. Section 43A and Section 72A were added by the amendment Act for protection of personal data and information. Boththese provisions are penal in nature, civil and criminal respectively.
REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION) RULES , 2011 Ministry Of Communications And Information Technology (Department Of Information Technology) promulgated these rules (IT Rules 2011), under Section 87 (2)(ob) read with Section 43A. IT Rules, 2011 came in force on 11th April, 2011. Non Compliance of these rules would lead to invocation of Section 43A of The IT Act, 2008 and liability to pay compensation, limits of which have not been fixed.
SECTION 72A of IT Act 2008. In addition to the civil liabilities under Section 43 A ◦ Any person, or ◦ Intermediary ◦ Is liable for punishment Of imprisonment for term which may extend to *3 years Or fine up to INR 5,00,000 Or both ◦ For disclosure of information In breach of lawful contract. *(Cognizable offence and Bailable) ( as per Section. 77B)
SECTION 43A: COMPENSATION FOR FAILURE TO PROTECT DATAWhere a BODY CORPORATE, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person such body corporate shall be liable to pay damages by way of compensation to the person so affected.
DEFINITION OF BODY CORPORATE SECTION 43 A –Explanation (i)A body corporate would mean: any company and includes: a firm, sole proprietorship or other association of individuals engaged in •commercial or •professional activities.
SENSITIVE PERSONAL DATA OR INFORMATION: RULE 3, IT RULES, 2011 Sensitive personal data or information of a „person‟ means such „personal information‟ which consists of information relating to:1. Password;2. Financial information such as: Bank account or, Credit card or debit card or, Other payment instrument details3. Physical, physiological and mental health condition;4. Sexual orientation; Contd…
SENSITIVE PERSONAL DATA OR INFORMATION RULE 3 OF THE IT RULES, 20115. Biometric information;6. Any detail relating to the above clauses as provided to body corporate for providing service; and7. Any of the information received under above clauses by body corporate for processing, stored or processed under a lawful contract or otherwise
EXCEPTIONS: Following information is not regarded as sensitive personal data or information:1. Information freely available or accessible in public domain or,2. Information furnished under the Right to Information Act, 2005 (RTI) or3. Information furnished under any other law for the time being in force.
PERSONAL INFORMATION: RULE 2 , IT RULES, 2011 Any information that relates to a „natural person‟ which either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.
MEANING OF REASONABLE SECURITY PRACTICES AND PROCEDURES Section 43, Explanation (ii) Security practices and procedure designed to protect such information from unauthorized • access, • damages, • use, • modification, • disclosure or • impairment, Contd…
MEANING OF REASONABLE SECURITY PRACTICES AND PROCEDURES Section 43, Explanation (ii)Contd…as may be specified in : an agreement between the parties or; any law for the time being in force; or in absence of such agreement or law, such reasonable security practices and procedures, as may be prescribed by the Central Government.
CONSENT RULE 5 (1)o Requires the corporate or any person on its behalf,o before collection of sensitive personal data or information,o to obtain consent in writing through letter or FAX or email from the „provider of the information‟o regarding purpose of usage of such information.
CONSENT RULE 5(3)Requirements in case of collection of information directly from the person concerned: Steps to ensure that the person concerned is having the knowledge of :o The fact that the information is being collected;o The purpose for which the information is being collected;o The intended recipients of the information; ando The name and address of – ◦ the agency that is collecting the information; and ◦ the agency that will retain the information
PURPOSE OF COLLECTION OF INFORMATION RULE 5 (2) Sensitive personal data or information can be collected only under following two circumstances:1. For a „lawful purpose‟ connected with a function or activity of the body corporate or any person on it behalf; and2. Considered „necessary‟ for that purpose
USE AND RETENTION OF INFORMATION USE - RULE 5(5): The information collected shall be used only for the purpose for which it has been collected. RETENTION - RULE 5(4) A body corporate or its representative must not retain such information for longer than is required for the purposes for which the information may lawfully be used. OR as required under any other law in force.
OPT OUT/WITHDRAWAL RULE 5(7) : Requires the body corporate to give the provider of information, an option:1. prior to the collection of the information, to not provide the data or information sought to be collected2. of withdrawing his consent given earlier to the body corporate. Withdrawal shall be sent in writing to the body corporate. the body corporate shall have the option to not provide goods or services for which the said information was sought.
OPT OUT/WITHDRAWAL It is noteworthy that, none of the rules talk about obtaining the consent of the person to whom the information relates in case the provider the information is not the person concerned. For example, where the husband provides the medical information of the wife, consent of the wife is not required as per these rules as she is not the provider of the information. She also does not have the option of opting out as per Rule 5(7).
ACCESS & REVIEW OF INFORMATION RULE 5(6)o Providers of information- permitted- to review the information provided by them- as and when requested by them;o Information- if found to be inaccurate or deficient shall be corrected or amended as feasible.o Body corporate NOT responsible for authenticity of the personal information or sensitive personal data or information as supplied by the provider to the body corporate.
GRIEVANCE REDRESSAL MECHANISM RULE 5(9)o Time bound redressal of any discrepancies and grievances.o Grievance Officer shall be appointed. o Publication of name and contact details of Grievance Officer on websiteo Redressal of grievances: within one month from the date of receipt of grievance.
LIMITATION ON DISCLOSURE OF INFORMATION RULE 6 Permission of the provider of the information is required before disclosure of information Exceptions:1. when disclosure is agreed upon in the contract;2. when disclosure is necessary for compliance of a legal obligation;3. when disclosure to Government agencies mandated under the law to obtain information.4. when disclosure to any third party by an order under the law for the time being in force.
LIMITATION ON DISCLOSURE OF INFORMATION RULE 6 Rule 6 also forbids the following:1. Publication of sensitive personal data or information by body corporate or its representative,2. Disclosure by third party receiving the sensitive personal data or information from the body corporate.
LIMITATION ON TRANSFER OF INFORMATION RULE 7Transfer allowed to: another body corporate or a person in India, or located in any other country.Transfer is allowed only if :1. other body corporate or person ensures the same level of data protection that is adhered to by the body corporate as provided under these rules.2. it is necessary for the performance of the lawful contract between the provider of the information and the corporate receiving the information.
REASONABLE SECURITY PRACTICES AND PROCEDURES RULE 8 Prescribes standard to be adhered to by a body corporate, receiving the information, ◦ in the absence of an agreement between the parties; ◦ or any law for the time being in force. One such prescribed standard: The International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements”.
REASONABLE SECURITY PRACTICES AND PROCEDURES Any other Security code, if followed shall be : o Duly approved and Notified o by the Central Government o Audited annually by an independent auditor approved by the Central Government. In the event of an information security breach – demonstration of implementation of security control measures - by the body corporate.
REASONABLE SECURITY PRACTICES AND PROCEDURES A body corporate or a person on its behalf shall be deemed to have complied with reasonable security practices and procedures if: They have implemented such security practices and standards, and Have a comprehensive documented information security programme; and information security policies for: managerial, technical, operational and physical security which are proportionate with the information assets being protected with the nature of business.
IT Act, 2000 is available at: http://www.mit.gov.in/sites/upload_files/dit/files/downloa ds/itact2000/itbill2000.pdf IT (Amendment) Act, 2008 is available at: http://www.mit.gov.in/sites/upload_files/dit/files/downloa ds/itact2000/it_amendment_act2008.pdf Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011are available at: http://www.mit.gov.in/sites/upload_files/dit/files/GSR313 E_10511(1).pdf
1. What is the likelihood of active enforcement of the new rules?2. What are the penalties for violations of the new rules?3. Do the rules apply only to information collected from data subject in India, or do they also apply to information about data subjects located outside India?
Do the rules apply to uses/disclosure of information that occur outside of India, if the information was originally collected in India? Do the rules apply to pseudonymized information? Is the “provider of the information” in Rule 5 referring to the subject, or can this be interpreted as referring to a third party that provides information but who is not the data subject?
Are there opportunities for further clarification/amendment of the new rules?