  • 1.
    Amit Khandelwal, Legal Counsel - South East Asia, SAS
  • 2.
    The Rules have emerged from Section 43A of the Information Technology Act, 2000 read with Section 87(2)(oo) of the said Act. Section 43A states: Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, not exceeding Five Crore Rupees, to the person so affected.
  • 3.
    Personal Information (PI) has been defined as: Any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.
    Sensitive Personal Data or Information (SPDI) has been defined as:
    (i) password;
    (ii) financial information such as bank account or credit card or debit card or other payment instrument details;
    (iii) physical, physiological and mental health condition;
    (iv) sexual orientation;
    (v) medical records and history;
    (vi) biometric information;
    (vii) any detail relating to the above clauses as provided to body corporate for providing service; and
    (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.
    Information in the public domain and information disclosed under the Right to Information Act are excluded from SPDI.
  • 4.
    Applicability:
    • It applies to data or information stored “in computer resource”.
    • It applies to personal information irrespective of the nationality of the provider.
    • It will be applicable when information is collected in India and transferred to any computer resource outside India.
    • It will be applicable when the information is neither collected in India nor stored in India but is dealt with or handled in India, i.e. accessed from India.
    BPOs, KPOs, LPOs and captive units will have to comply with the privacy laws of the outsourcing country and (now) of India!
  • 5.
    Requirements under the Rules
    Type of Data: PI and SPDI
    Requirements: Create a Privacy Policy. Such policy should be made available to the provider of information and it should clearly state:
    1. The practices and procedures followed;
    2. Type of PI and SPDI which is being collected;
    3. Purpose and usage of such information;
    4. Process relating to disclosure of information to third parties;
    5. Kind of reasonable security practices and procedures followed in the organization:
       a. Agreed by parties under an agreement; or
       b. As may be specified in any law; or
       c. In the absence of the above, there should be a comprehensive documented information security programme and policies, or the body corporate is IS/ISO/IEC 27001 (IT - Security Techniques - Information Security Management System - Requirements) certified.
    Body Corporate to appoint a Grievance Officer (GO) and publish his name and contact details on its website. Grievances to be resolved within 30 days.
  • 6.
    Type of Data: SPDI
    Requirements: Collection, Withdrawal and Transfer of SPDI:
    1. Usage: SPDI can be collected only: a. for a lawful business purpose; and b. where there is a necessity to collect such information. Collected SPDI cannot be used/retained for longer than the required period.
    2. Consent: Body corporate should take prior written consent in the form of a fax, e-mail or letter from the provider of SPDI. The provider has a right to decline consent.
    3. Knowledge: The provider of SPDI should be informed about the purpose, the intended recipients, and the name and address of the agency collecting the information.
    4. Right of Review and Withdrawal: The provider of SPDI shall have the right to review the information provided by him/her and will have the discretion to withdraw his/her consent.
    5. Transfer of SPDI: allowed outside the country provided the same level of protection exists. Provider’s consent required.
  • 7.
    [Decision flowchart] Have PI? No: End. Yes: Have SPDI? No: follow slide 5. Yes: follow slides 5 & 6. End.
  • 8.
    Disclaimer: We acknowledge that this presentation is merely an overview and has been prepared by the presenter for your benefit and should not be construed as a legal opinion. It may not be relied upon by any other person for any other purpose, nor is it to be quoted or referred to in any public document or shown to, or filed with any government authority, agency or other official body without the presenter’s prior written consent. © 2011 Amit Khandelwal

New Data Privacy Rules By Amit Khandelwal


Editor's Notes

  • #2 India had been criticized by the western world for not having a proper data privacy law in place. Our corporates (especially the outsourcing industry) used to face real difficulties in getting business in India. So, with a lot of persuasion from industry forums like NASSCOM, our parliament finally, in 2009, was able to include section 43A in the Information Technology Act, which partially caters to the need of the hour. But the job was not over: Section 43A did provide the skeleton for the inception of privacy laws in India, but the detailed Rules were still to be formed. These Rules were formulated and finally notified in April 2011.
  • #3 It is notable that while Section 43A defined terms like Body Corporate and Reasonable Security Practices and Procedures, it did not define important terms like Personal Information and SPDI. These terms were left for the Central Government (CG) to define in consultation with industry forums.
  • #5 Again it is noteworthy that section 43A clearly states that when SPDI