The document outlines new rules in India for handling personal information and sensitive personal data according to the Information Technology Act, defining these terms and requiring reasonable security practices, consent for collecting sensitive data, and allowing individuals to review and withdraw their information. Companies must appoint grievance officers, and can transfer sensitive data outside India only with consent and if an equal level of protection exists in other countries. Violations of these rules for protecting personal data could result in fines of up to 500 million rupees.
6. Type of Data Requirements: SPDI. Collection, Withdrawal and Transfer of SPDI:
1. Usage: SPDI can be collected only:
   a. For a lawful business purpose; and
   b. Where there is a necessity to collect such information.
   Collected SPDI cannot be used/retained for longer than the required period.
2. Consent: The body corporate should take prior written consent, in the form of a fax, e-mail or letter, from the provider of SPDI. The provider has a right to decline consent.
3. Knowledge: The provider of SPDI should be informed about the purpose, the intended recipients, and the name and address of the agency collecting the information.
4. Right of Review and Withdrawal: The provider of SPDI shall have the right to review the information provided by him/her and will have the discretion to withdraw his/her consent.
5. Transfer of SPDI: Allowed outside the country provided the same level of protection exists. The provider's consent is required.
7. [Decision flowchart] Have PI? If no, end. If yes, follow slide 5. Have SPDI? If no, end. If yes, follow slides 5 and 6.
India had been criticized by the western world for not having a proper data privacy law in place. Our corporates (especially the outsourcing industry) used to face real difficulties in winning business for India. So, with a lot of persuasion from industry forums like NASSCOM, our parliament finally, in 2009, was able to include Section 43A in the Information Technology Act, which partially catered to the need of the hour. But the job was not over: Section 43A provided the skeleton for the inception of privacy law in India, but the detailed Rules were still to be framed. These Rules were formulated and finally notified in April 2011.
It is notable that while Section 43A defined terms like Body Corporate and Reasonable Security Practices and Procedures, it did not define important terms like Personal Information and SPDI. These terms were left for the Central Government (CG) to define in consultation with industry forums.
Again it is noteworthy that section 43A clearly states that when SPDI