Vijay Dalmia, profile picture
Uploaded byVijay Dalmia
PPT, PDF2,286 views

Reasonable security practices and procedures and sensitive personal data or information rules 2012-presentation

The document summarizes key aspects of data protection law in India. It outlines the Information Technology Act of 2000 and its amendments in 2008 that introduced provisions for protecting personal data. The Ministry of Communications and Information Technology then promulgated the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules in 2011 under these acts. The rules define sensitive personal data and set forth requirements for companies regarding privacy policies, consent, data access, security practices, and more to protect Indian citizens' personal information.

Embed presentation

Downloaded 40 times
REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION RULES, 2011 Under The (Indian) Information Technology Act, 2000 By Vijay Pal Dalmia, Advocate Partner & Head of Intellectual Property & Information Technology Laws Practice
 Enacted in the year 2000 and was implemented w.e.f. 17th October, 2000.  Important features of this Act :  Recognition to e-transactions, digital signatures, electronic records etc. and also recognise their evidentiary value.  Lists out various computer crimes which are technological in nature.  However, this Act, originally, did not contain any provision for data protection. INFORMATION TECHNOLOGY ACT, 2000
 The IT Act, 2002 was amended in the year 2008.  Section 43A and Section 72A were added by the amendment Act for protection of personal data and information.  Both these provisions are penal in nature, civil and criminal respectively. THE INFORMATION TECHNOLOGY (AMENDMENT) ACT, 2008
 Ministry Of Communications And Information Technology (Department Of Information Technology) promulgated these rules (IT Rules 2011), under Section 87 (2)(ob) read with Section 43A.  IT Rules, 2011 came in force on 11th April, 2011.  The Government has come up with further clarifications w.r.t. these Rules by a Press Note Dated 24th August, 2011 to avoid ambiguities (http://mit.gov.in/sites/upload_files/dit/files/PressNote_25811.pdf)  Non Compliance of these rules would lead to invocation of Section 43A of The IT Act, 2008 and liability to pay compensation, limits of which have not been fixed. REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION) RULES , 2011
 SECTION 72A of IT Act 2008.  In addition to the civil liabilities under Section 43 A ◦ Any person, or ◦ Intermediary ◦ Is liable for punishment  Of imprisonment for term which may extend to  *3 years  Or fine up to INR 5,00,000  Or both ◦ For disclosure of information  In breach of lawful contract.  *(Cognizable offence and Bailable) ( as per Section. 77B)
Where a BODY CORPORATE,  possessing, dealing or handling any sensitive personal data or information  in a computer resource which it owns, controls or operates  is negligent in implementing and maintaining reasonable security practices and procedures  and thereby causes wrongful loss or wrongful gain to any person  such body corporate shall be liable to pay damages by way of compensation to the person so affected. SECTION 43A: COMPENSATION FOR FAILURE TO PROTECT DATA
A body corporate would mean: any company and includes:  a firm,  sole proprietorship or  other association of individuals engaged in • commercial or • professional activities. DEFINITION OF BODY CORPORATE SECTION 43 A –Explanation (i)
 These Rules are applicable only to sensitive personal data or information.  These Rules are applicable only to the following: ◦ body corporate located within India, or ◦ any person located within India, or ◦ body corporate dealing with the data of any person located within India.
Sensitive personal data or information of a ‘person’ means such ‘personal information’ which consists of information relating to: 1. Password; 2. Financial information such as:  Bank account or,  Credit card or debit card or,  Other payment instrument details 3. Physical, physiological and mental health condition; 4. Sexual orientation; Contd… SENSITIVE PERSONAL DATA OR INFORMATION: RULE 3, IT RULES, 2011
5. Biometric information; 6. Any detail relating to the above clauses  as provided to body corporate  for providing service; and 7. Any of the information received under above clauses by body corporate for  processing,  stored or  processed under a lawful contract or otherwise SENSITIVE PERSONAL DATA OR INFORMATION RULE 3 OF THE IT RULES, 2011
Following information is not regarded as sensitive personal data or information: 1. Information freely available or accessible in public domain or, 2. Information furnished under the Right to Information Act, 2005 (RTI) or 3. Information furnished under any other law for the time being in force. EXCEPTIONS:
 Any information that relates to a  ‘natural person’  which either directly or indirectly, in combination with other information available or likely to be available with a body corporate,  is capable of identifying such person. PERSONAL INFORMATION: RULE 2 , IT RULES, 2011
 Security practices and procedure designed to  protect such information from unauthorized • access, • damages, • use, • modification, • disclosure or • impairment, Contd… MEANING OF REASONABLE SECURITY PRACTICES AND PROCEDURES Section 43, Explanation (ii)
Contd… as may be specified in :  an agreement between the parties or;  any law for the time being in force; or  in absence of such agreement or law, such reasonable security practices and procedures,  as may be prescribed by the Central Government. MEANING OF REASONABLE SECURITY PRACTICES AND PROCEDURES Section 43, Explanation (ii)
 Privacy Policy  Consent for collection of data  Collection of data  Use and Retention  Opt Out/Withdrawal  Access and Review of Information  Grievance Mechanism  Limitation on Disclosure of Information  Limitation on Transfer of Information  Reasonable Security Practices and Procedures
 Body corporate or any person on its behalf ◦ collects, receives, possess, ◦ stores, deals or handles  information of provider of information ◦ Providers of information, are those natural persons who provide sensitive personal data or information to a body corporate.  Shall provide a privacy policy for handling of or dealing in ‘sensitive personal data or information’. Contd… PRIVACY POLICY: RULE 4
Privacy Policy shall be published on the website and provide:- • Clear and easily accessible statements of its practices and policies; • Type of personal or sensitive personal data or information collected; • Purpose of collection and usage of such information; • Disclosure of information including sensitive personal data or information; • Reasonable security practices and procedures followed by the corporate. PRIVACY POLICY: RULE 4
 Any such body corporate providing services relating to collection, storage, dealing or handling of sensitive personal data or information under contractual obligation with ◦ any legal entity located within or outside India is not subject to the requirement of Rules 5 & 6.  This above exemption is mainly applicable to Data Collection Agencies. Exception  However, Body corporate, providing services to the provider of information under a contractual obligation directly with them, as the case may be, is subject to Rules 5 & 6.
RULE 5 (1) o Requires the corporate or any person on its behalf, o before collection of sensitive personal data or information, o to obtain consent in writing through any mode of electronic communication including letter or FAX or email from the ‘provider of the information’ o regarding purpose of usage of such information. CONSENT
RULE 5(3) Requirements in case of collection of information directly from the person concerned: Steps to ensure that the person concerned is having the knowledge of : o The fact that the information is being collected; o The purpose for which the information is being collected; o The intended recipients of the information; and o The name and address of – ◦ the agency that is collecting the information; and ◦ the agency that will retain the information CONSENT
RULE 5 (2) Sensitive personal data or information can be collected only under following two circumstances: 1. For a ‘lawful purpose’  connected with a function or activity of the body corporate or any person on it behalf; and 1. Considered ‘necessary’ for that purpose PURPOSE OF COLLECTION OF INFORMATION
USE - RULE 5(5):  The information collected shall be used  only for the purpose for which it has been collected. RETENTION - RULE 5(4)  A body corporate or its representative  must not retain such information for  longer than is required for the purposes for which the information may lawfully be used. OR  as required under any other law in force. USE AND RETENTION OF INFORMATION
RULE 5(7) : Requires the body corporate to give the provider of information, an option: 1. prior to the collection of the information, to not provide the data or information sought to be collected 2. of withdrawing his consent given earlier to the body corporate.  Withdrawal shall be sent in writing to the body corporate.  the body corporate shall have the option to not provide goods or services for which the said information was sought. OPT OUT/WITHDRAWAL
RULE 5(6) o Providers of information- permitted- to review the information provided by them- as and when requested by them; o Information- if found to be inaccurate or deficient shall be corrected or amended as feasible. o Body corporate NOT responsible for authenticity of the personal information or sensitive personal data or information as supplied by the provider to the body corporate. ACCESS & REVIEW OF INFORMATION
RULE 5(9) o Time bound redressal of any discrepancies and grievances. o Grievance Officer shall be appointed. o Publication of name and contact details of Grievance Officer on website o Redressal of grievances: within one month from the date of receipt of grievance. GRIEVANCE REDRESSAL MECHANISM
RULE 6 Permission of the provider of the information is required before disclosure of information Exceptions: 1. when disclosure is agreed upon in the contract; 2. when disclosure is necessary for compliance of a legal obligation; 3. when disclosure to Government agencies mandated under the law to obtain information. 4. when disclosure to any third party by an order under the law for the time being in force. LIMITATION ON DISCLOSURE OF INFORMATION
RULE 6  Rule 6 also forbids the following: 1. Publication of sensitive personal data or information by body corporate or its representative, 2. Disclosure by third party receiving the sensitive personal data or information from the body corporate. LIMITATION ON DISCLOSURE OF INFORMATION
RULE 7 Transfer allowed to:  another body corporate or a person  in India, or located in any other country. Transfer is allowed only if : 1. other body corporate or person ensures the same level of data protection that is adhered to by the body corporate as provided under these rules. 2. it is necessary for the performance of the lawful contract between the provider of the information and the corporate receiving the information. LIMITATION ON TRANSFER OF INFORMATION
RULE 8  Prescribes standard to be adhered to  by a body corporate, receiving the information, ◦ in the absence of an agreement between the parties; ◦ or any law for the time being in force.  One such prescribed standard: The International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements”. REASONABLE SECURITY PRACTICES AND PROCEDURES
 Any other Security code, if followed shall be : o Duly approved and Notified o by the Central Government o Audited annually by an independent auditor approved by the Central Government.  In the event of an information security breach – demonstration of implementation of security control measures - by the body corporate. REASONABLE SECURITY PRACTICES AND PROCEDURES
 A body corporate or a person on its behalf shall be deemed to have complied with reasonable security practices and procedures if:  They have implemented such security practices and standards, and  Have a  comprehensive documented information security programme; and  information security policies for: managerial, technical, operational and physical security which are proportionate with the information assets being protected with the nature of business. REASONABLE SECURITY PRACTICES AND PROCEDURES
 IT Act, 2000 is available at: http://www.mit.gov.in/sites/upload_files/dit/files/downloads/itact2000/itbill200 0.pdf  IT (Amendment) Act, 2008 is available at: http://www.mit.gov.in/sites/upload_files/dit/files/downloads/itact2000/it_ame ndment_act2008.pdf  Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011are available at: http://www.mit.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf  Clarification on Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 under section 43A of the Information Technology Act, 2000  http://mit.gov.in/sites/upload_files/dit/files/PressNote_25811.pdf
THANK YOUTHANK YOU Vaish Associates Advocates Celebrating 43 years of professional excellence 1st & 11th Floors Mohan Dev Building 13, Tolstoy Marg New Delhiǀ ǀ ǀ 110001 (India) Phone: +91 11 42492532 (Direct) Phone: +91 11 42492525 (Board) Mobile: +91 9810081079 Fax: +91 11 23320484 Email: vpdalmia@vaishlaw.com www.vaishlaw.com Intellectual Property & Information Technology Laws Division New Delhi Mumbai Bangalore Gurgaon

More Related Content

PPTX
Right to privacy on internet and Data Protection
byatuljaybhaye
 
PPT
Information Technology Act 2000
byVijay Dalmia
 
PPTX
Privacy and Privacy Law in India By Prashant Mali
byAdv. Prashant Mali ♛ [Bsc(Phy),MSc(Comp Sci), CCFP,CISSA,LLM]
 
PPTX
Electronic governance
byVibhor Agarwal
 
PPT
Electronic evidence digital evidence in india
byAdv Prashant Mali
 
PPTX
Copyright issues in cyberspace
byatuljaybhaye
 
PPTX
Right to privacy – a bird’s eyeview
byjoydev majumdar
 
PPTX
Right of Private Defence
byBhargav Dangar
 
Right to privacy on internet and Data Protection
byatuljaybhaye
 
Information Technology Act 2000
byVijay Dalmia
 
Privacy and Privacy Law in India By Prashant Mali
byAdv. Prashant Mali ♛ [Bsc(Phy),MSc(Comp Sci), CCFP,CISSA,LLM]
 
Electronic governance
byVibhor Agarwal
 
Electronic evidence digital evidence in india
byAdv Prashant Mali
 
Copyright issues in cyberspace
byatuljaybhaye
 
Right to privacy – a bird’s eyeview
byjoydev majumdar
 
Right of Private Defence
byBhargav Dangar
 

What's hot

PPTX
Privacy in India: Legal issues
bySagar Rahurkar
 
PPTX
Privacy right under it act, 2000 and under other law
byDr. Nitya Nand Pandey
 
PPTX
it act 2000
byvirtualatall
 
PPTX
Information Technology Act 2000
byTirthankar Sutradhar
 
PDF
ch 1 Bhartiya Sakshya Adhiniyam 2023 (BSA) Definitions
byDr. Vikas Khakare
 
PPTX
Laws governing the internet service provider & there rights and liabilities
byGaurav Chordia
 
PPT
It act 2000
byRishav Mishra
 
PPTX
Electronic signature
bySonu Mishra
 
PPTX
E contracting in india
byatuljaybhaye
 
PPTX
E contracts and validity of e contracts in India
byKajalRandhawa
 
PPT
Evolution of competition law in india
bySrishtiBansal20
 
PPT
Types of electronic contracts
byVijay Dalmia
 
PPTX
Supplemental proceedings (sec. 94 95) CPC,1908
byAMITY UNIVERSITY RAJASTHAN
 
DOCX
Limitation act. questions
byA K DAS's | Law
 
PDF
Sebi insider trading
byGautam Singh
 
PPTX
Temporary injunction
byMudit Jain
 
PPT
attestation
byAnandakrishnan Suresh
 
PPTX
Family law II
byCHANDERPRABHU JAIN COLLEGE OF HIGHER STUDIES & SCHOOL OF LAW
 
PPTX
forms, extent & cause of poloice deviance
byChaitanya Limbachiya
 
PPTX
Llyods Bank case
byMohammed Haroon
 
Privacy in India: Legal issues
bySagar Rahurkar
 
Privacy right under it act, 2000 and under other law
byDr. Nitya Nand Pandey
 
it act 2000
byvirtualatall
 
Information Technology Act 2000
byTirthankar Sutradhar
 
ch 1 Bhartiya Sakshya Adhiniyam 2023 (BSA) Definitions
byDr. Vikas Khakare
 
Laws governing the internet service provider & there rights and liabilities
byGaurav Chordia
 
It act 2000
byRishav Mishra
 
Electronic signature
bySonu Mishra
 
E contracting in india
byatuljaybhaye
 
E contracts and validity of e contracts in India
byKajalRandhawa
 
Evolution of competition law in india
bySrishtiBansal20
 
Types of electronic contracts
byVijay Dalmia
 
Supplemental proceedings (sec. 94 95) CPC,1908
byAMITY UNIVERSITY RAJASTHAN
 
Limitation act. questions
byA K DAS's | Law
 
Sebi insider trading
byGautam Singh
 
Temporary injunction
byMudit Jain
 
attestation
byAnandakrishnan Suresh
 
Family law II
byCHANDERPRABHU JAIN COLLEGE OF HIGHER STUDIES & SCHOOL OF LAW
 
forms, extent & cause of poloice deviance
byChaitanya Limbachiya
 
Llyods Bank case
byMohammed Haroon
 

Viewers also liked

PDF
Reasonable Security Practices And Procedures And Sensitive Personala 24 06 2...
byVijay Dalmia
 
PPT
Contempt of court
byAltacit Global
 
PDF
Give a brief account of development of legal
byCheshta Sharma
 
PDF
Adaptive Internal Clock Synchronization
byZbigniew Jerzak
 
PPT
Culture, Economy, Community: A Cultural Plan for Chatham-Kent
byEmily Robson
 
PPT
Saint valentine’s story
byanacarietta
 
PPTX
20090325 Presentatie Abn Amro E Channels Waw Slideshare
byJorden Lentze
 
PDF
Integration
byHaitham El-Ghareeb
 
PPT
Pertemuan Struktural Desember 2008 Baru
bypuskesmas mojoagung
 
PDF
ThesisXSiena: The Content-Based Publish/Subscribe System
byZbigniew Jerzak
 
PPT
Shn Overview Updated 2009 06 P31 36
byjoaovox
 
PPTX
Marketing research of the future
byKristof De Wulf
 
PDF
Improve Your Health
byhenryvoc
 
PPT
Determining Your Community's Competitive Advantage For The Creative Sector
byEmily Robson
 
PDF
Shn, permaculture pilot, 2008 april, 21 30
byjoaovox
 
PDF
Shn, permaculture pilot, 2008 april, 21 30
byjoaovox
 
PDF
Shn, permaculture pilot, 2008 april, 1 10
byjoaovox
 
PPT
Milieu
byguest817a65
 
PDF
Jim Crotty Photography Of Summer 2006
byPicture Ohio, LLC
 
PPT
Milieu
byguest05f81
 
Reasonable Security Practices And Procedures And Sensitive Personala 24 06 2...
byVijay Dalmia
 
Contempt of court
byAltacit Global
 
Give a brief account of development of legal
byCheshta Sharma
 
Adaptive Internal Clock Synchronization
byZbigniew Jerzak
 
Culture, Economy, Community: A Cultural Plan for Chatham-Kent
byEmily Robson
 
Saint valentine’s story
byanacarietta
 
20090325 Presentatie Abn Amro E Channels Waw Slideshare
byJorden Lentze
 
Integration
byHaitham El-Ghareeb
 
Pertemuan Struktural Desember 2008 Baru
bypuskesmas mojoagung
 
ThesisXSiena: The Content-Based Publish/Subscribe System
byZbigniew Jerzak
 
Shn Overview Updated 2009 06 P31 36
byjoaovox
 
Marketing research of the future
byKristof De Wulf
 
Improve Your Health
byhenryvoc
 
Determining Your Community's Competitive Advantage For The Creative Sector
byEmily Robson
 
Shn, permaculture pilot, 2008 april, 21 30
byjoaovox
 
Shn, permaculture pilot, 2008 april, 21 30
byjoaovox
 
Shn, permaculture pilot, 2008 april, 1 10
byjoaovox
 
Milieu
byguest817a65
 
Jim Crotty Photography Of Summer 2006
byPicture Ohio, LLC
 
Milieu
byguest05f81
 

Similar to Reasonable security practices and procedures and sensitive personal data or information rules 2012-presentation

PPT
Data Privacy in India and data theft
byAmber Gupta
 
PDF
Regulatory Compliance under the Information Technology Act, 2000
byn|u - The Open Security Community
 
PPT
Data protection in_india
byAltacit Global
 
PPT
Compliance audit under the Information Technology Act, 2000
bySagar Rahurkar
 
PPTX
Unit 6 Privacy and Data Protection 8 hr
byTushar Rajput
 
PPTX
Popi act presentation
byKholisile Mazaza
 
PPTX
Data Privacy Protection Competrency Guide by a Data Subject
byJohn Macasio
 
PPTX
Chapter 08 – Data Protection, Privacy and Freedom of Information - BIT IT5104
byUpekha Vandebona
 
PPTX
Safeguarding Information: An Overview of Data Protection
bytudokimberlyann
 
PPT
Legal aspects of IT security
byAdv Prashant Mali
 
PPTX
Data privacy Legislation in India
byLATHA H C
 
PPTX
Law and Data Protection.pptx by Dr. M.K.
byManishChoudhary246763
 
PDF
An Indian Outline on Database Protection
bySinghania2015
 
PDF
Ppt
byGareth Badrian
 
PDF
Startups - data protection
byMathew Chacko
 
PPTX
POPI Seminar FINAL
byImraan Kharwa
 
PPT
Legal aspects of IT Security-at ISACA conference 2011
byAdv Prashant Mali
 
PPTX
3A – DATA PROTECTION: ADVICE
byCFG
 
PPT
969_powerpoint_on_data_protection.ppt
bysheryl90
 
PPTX
Itechlaw conferene presentation 15th feb 2013 the quest over identity the iss...
byProf. (Dr.) Tabrez Ahmad
 
Data Privacy in India and data theft
byAmber Gupta
 
Regulatory Compliance under the Information Technology Act, 2000
byn|u - The Open Security Community
 
Data protection in_india
byAltacit Global
 
Compliance audit under the Information Technology Act, 2000
bySagar Rahurkar
 
Unit 6 Privacy and Data Protection 8 hr
byTushar Rajput
 
Popi act presentation
byKholisile Mazaza
 
Data Privacy Protection Competrency Guide by a Data Subject
byJohn Macasio
 
Chapter 08 – Data Protection, Privacy and Freedom of Information - BIT IT5104
byUpekha Vandebona
 
Safeguarding Information: An Overview of Data Protection
bytudokimberlyann
 
Legal aspects of IT security
byAdv Prashant Mali
 
Data privacy Legislation in India
byLATHA H C
 
Law and Data Protection.pptx by Dr. M.K.
byManishChoudhary246763
 
An Indian Outline on Database Protection
bySinghania2015
 
Ppt
byGareth Badrian
 
Startups - data protection
byMathew Chacko
 
POPI Seminar FINAL
byImraan Kharwa
 
Legal aspects of IT Security-at ISACA conference 2011
byAdv Prashant Mali
 
3A – DATA PROTECTION: ADVICE
byCFG
 
969_powerpoint_on_data_protection.ppt
bysheryl90
 
Itechlaw conferene presentation 15th feb 2013 the quest over identity the iss...
byProf. (Dr.) Tabrez Ahmad
 

More from Vijay Dalmia

PDF
Reasonable security practices and procedures and sensitive personal data or i...
byVijay Dalmia
 
PPTX
DIGITAL PERSONAL DATA PROTECTION ACT 2023-PPT-VPD.pptx
byVijay Dalmia
 
PPT
Information Technology Policy for Corporates - Need of the Hour
byVijay Dalmia
 
PPT
IPR Enforcement in India through Criminal Measures - By Vijay Pal Dalmia
byVijay Dalmia
 
PPTX
Taxation of Cryptocurrencies – Virtual Digital Assets in India-VPDalmia.pptx
byVijay Dalmia
 
PPTX
Police Remand Judicial Remand & Default bail by Vijay Pal Dalmia Advocate
byVijay Dalmia
 
PPT
LAW OF THE SEMICONDUCTOR INTEGRATED CIRCUITS IN INDIA By Vijay Pal Dalmia
byVijay Dalmia
 
PPT
Indian approach on bitcoins, cryptocurrencies and blockchain – legal practica...
byVijay Dalmia
 
PPTX
Enforcement Of Intellectual Property Rights Through Customs
byVijay Dalmia
 
PDF
Process of criminal trial in india
byVijay Dalmia
 
PPT
Ipr enforcement in india
byVijay Dalmia
 
PPTX
Police Remand- Judicial Remand & Default Bail-Vijay Pal Dalmia Advocate.pptx
byVijay Dalmia
 
PPT
Indian Approach On Bitcoins-cryptocurrencies- Blockchain Legal Practical Pe...
byVijay Dalmia
 
PPTX
Wills in the indian perspective
byVijay Dalmia
 
PPT
Patent law and Indian perspective
byVijay Dalmia
 
PDF
Guide for de-mystifying law of trade mark enfocrement and litigation in india
byVijay Dalmia
 
PPTX
White Collar Crime by Vijay Pal Dalmia.pptx
byVijay Dalmia
 
PDF
Sanction for prosecution of offences under chapter xii of the income tax act
byVijay Dalmia
 
PPTX
Need for having Security, Email & Internet Usage Policy in Companies - Legal ...
byVijay Dalmia
 
PDF
Law of Tele-medicine in India
byVijay Dalmia
 
Reasonable security practices and procedures and sensitive personal data or i...
byVijay Dalmia
 
DIGITAL PERSONAL DATA PROTECTION ACT 2023-PPT-VPD.pptx
byVijay Dalmia
 
Information Technology Policy for Corporates - Need of the Hour
byVijay Dalmia
 
IPR Enforcement in India through Criminal Measures - By Vijay Pal Dalmia
byVijay Dalmia
 
Taxation of Cryptocurrencies – Virtual Digital Assets in India-VPDalmia.pptx
byVijay Dalmia
 
Police Remand Judicial Remand & Default bail by Vijay Pal Dalmia Advocate
byVijay Dalmia
 
LAW OF THE SEMICONDUCTOR INTEGRATED CIRCUITS IN INDIA By Vijay Pal Dalmia
byVijay Dalmia
 
Indian approach on bitcoins, cryptocurrencies and blockchain – legal practica...
byVijay Dalmia
 
Enforcement Of Intellectual Property Rights Through Customs
byVijay Dalmia
 
Process of criminal trial in india
byVijay Dalmia
 
Ipr enforcement in india
byVijay Dalmia
 
Police Remand- Judicial Remand & Default Bail-Vijay Pal Dalmia Advocate.pptx
byVijay Dalmia
 
Indian Approach On Bitcoins-cryptocurrencies- Blockchain Legal Practical Pe...
byVijay Dalmia
 
Wills in the indian perspective
byVijay Dalmia
 
Patent law and Indian perspective
byVijay Dalmia
 
Guide for de-mystifying law of trade mark enfocrement and litigation in india
byVijay Dalmia
 
White Collar Crime by Vijay Pal Dalmia.pptx
byVijay Dalmia
 
Sanction for prosecution of offences under chapter xii of the income tax act
byVijay Dalmia
 
Need for having Security, Email & Internet Usage Policy in Companies - Legal ...
byVijay Dalmia
 
Law of Tele-medicine in India
byVijay Dalmia
 

Recently uploaded

PDF
Legal Strategies for Startup Success MA final.pdf
byRoger Royse
 
PPTX
950559454-Benami-Amendment-Act-2016.pptx
byDhrumilRanpura1
 
PDF
Lecture on the provisions of the Anti-hazing Law
byshyllock
 
PDF
Taxation- Introduction.pdfnknshqhsuqslmqsiisn
byKylaLimpiada
 
PDF
McDowell Law Firm: The Services We Offer
byJosh Mcdowell
 
PPTX
Business Associations additional intro powerpoint
byGarrettHalydier1
 
PDF
Lessons from Korea’s Platform Competition Regulation Saga
bySangyun Lee
 
PPTX
Criminal Defense Your First Step Toward Justice in California.pptx
byjc4justice1
 
PDF
DR. OLIVER MASSMANN - DOING BUSINESS AND INVESTING IN VIETNAM
byDr. Oliver Massmann
 
PPTX
Documents Required for Trademark Registration in India
bylegalxcode
 
PPTX
GROUP 1 - ELECTRONIC COMMERCE ACT OF 2000.pptx
bydadaygonza
 
PDF
AHP-Data-dec-20-29-1.pdf AHP Pravin Togaria
bysabranghindi
 
PDF
TISS-Student.pdf Students warned Judges Court
bysabranghindi
 
PDF
Danielle Oliveira New Jersey - A Central Figure In New Jersey Criminal Justice
byDanielle Oliveira New Jersey
 
PDF
Professional Journey and Achievement - Adv. Olengurumwa
byOnesmo Olengurumwa
 
PPTX
Documentary Requirements for Copyright Registration in India
bylegalxcode
 
PPTX
The Role of a Criminal Defense Lawyer in San Diego’s Justice System.pptx
byKG LAW SD, APC
 
PPTX
RA-229 Jose Rizal - The Life and work of rizal
byMarcAnthonyLouisParb1
 
PPTX
L5 Lawlessness - Cover.pptx ududu hshhs
by21jkaur
 
Legal Strategies for Startup Success MA final.pdf
byRoger Royse
 
950559454-Benami-Amendment-Act-2016.pptx
byDhrumilRanpura1
 
Lecture on the provisions of the Anti-hazing Law
byshyllock
 
Taxation- Introduction.pdfnknshqhsuqslmqsiisn
byKylaLimpiada
 
McDowell Law Firm: The Services We Offer
byJosh Mcdowell
 
Business Associations additional intro powerpoint
byGarrettHalydier1
 
Lessons from Korea’s Platform Competition Regulation Saga
bySangyun Lee
 
Criminal Defense Your First Step Toward Justice in California.pptx
byjc4justice1
 
DR. OLIVER MASSMANN - DOING BUSINESS AND INVESTING IN VIETNAM
byDr. Oliver Massmann
 
Documents Required for Trademark Registration in India
bylegalxcode
 
GROUP 1 - ELECTRONIC COMMERCE ACT OF 2000.pptx
bydadaygonza
 
AHP-Data-dec-20-29-1.pdf AHP Pravin Togaria
bysabranghindi
 
TISS-Student.pdf Students warned Judges Court
bysabranghindi
 
Danielle Oliveira New Jersey - A Central Figure In New Jersey Criminal Justice
byDanielle Oliveira New Jersey
 
Professional Journey and Achievement - Adv. Olengurumwa
byOnesmo Olengurumwa
 
Documentary Requirements for Copyright Registration in India
bylegalxcode
 
The Role of a Criminal Defense Lawyer in San Diego’s Justice System.pptx
byKG LAW SD, APC
 
RA-229 Jose Rizal - The Life and work of rizal
byMarcAnthonyLouisParb1
 
L5 Lawlessness - Cover.pptx ududu hshhs
by21jkaur
 

Reasonable security practices and procedures and sensitive personal data or information rules 2012-presentation

  • 1.
    REASONABLE SECURITY PRACTICESAND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION RULES, 2011 Under The (Indian) Information Technology Act, 2000 By Vijay Pal Dalmia, Advocate Partner & Head of Intellectual Property & Information Technology Laws Practice
  • 2.
     Enacted inthe year 2000 and was implemented w.e.f. 17th October, 2000.  Important features of this Act :  Recognition to e-transactions, digital signatures, electronic records etc. and also recognise their evidentiary value.  Lists out various computer crimes which are technological in nature.  However, this Act, originally, did not contain any provision for data protection. INFORMATION TECHNOLOGY ACT, 2000
  • 3.
     The ITAct, 2002 was amended in the year 2008.  Section 43A and Section 72A were added by the amendment Act for protection of personal data and information.  Both these provisions are penal in nature, civil and criminal respectively. THE INFORMATION TECHNOLOGY (AMENDMENT) ACT, 2008
  • 4.
     Ministry OfCommunications And Information Technology (Department Of Information Technology) promulgated these rules (IT Rules 2011), under Section 87 (2)(ob) read with Section 43A.  IT Rules, 2011 came in force on 11th April, 2011.  The Government has come up with further clarifications w.r.t. these Rules by a Press Note Dated 24th August, 2011 to avoid ambiguities (http://mit.gov.in/sites/upload_files/dit/files/PressNote_25811.pdf)  Non Compliance of these rules would lead to invocation of Section 43A of The IT Act, 2008 and liability to pay compensation, limits of which have not been fixed. REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION) RULES , 2011
  • 5.
     SECTION 72Aof IT Act 2008.  In addition to the civil liabilities under Section 43 A ◦ Any person, or ◦ Intermediary ◦ Is liable for punishment  Of imprisonment for term which may extend to  *3 years  Or fine up to INR 5,00,000  Or both ◦ For disclosure of information  In breach of lawful contract.  *(Cognizable offence and Bailable) ( as per Section. 77B)
  • 6.
    Where a BODYCORPORATE,  possessing, dealing or handling any sensitive personal data or information  in a computer resource which it owns, controls or operates  is negligent in implementing and maintaining reasonable security practices and procedures  and thereby causes wrongful loss or wrongful gain to any person  such body corporate shall be liable to pay damages by way of compensation to the person so affected. SECTION 43A: COMPENSATION FOR FAILURE TO PROTECT DATA
  • 7.
    A body corporatewould mean: any company and includes:  a firm,  sole proprietorship or  other association of individuals engaged in • commercial or • professional activities. DEFINITION OF BODY CORPORATE SECTION 43 A –Explanation (i)
  • 8.
     These Rulesare applicable only to sensitive personal data or information.  These Rules are applicable only to the following: ◦ body corporate located within India, or ◦ any person located within India, or ◦ body corporate dealing with the data of any person located within India.
  • 9.
    Sensitive personal dataor information of a ‘person’ means such ‘personal information’ which consists of information relating to: 1. Password; 2. Financial information such as:  Bank account or,  Credit card or debit card or,  Other payment instrument details 3. Physical, physiological and mental health condition; 4. Sexual orientation; Contd… SENSITIVE PERSONAL DATA OR INFORMATION: RULE 3, IT RULES, 2011
  • 10.
    5. Biometric information; 6.Any detail relating to the above clauses  as provided to body corporate  for providing service; and 7. Any of the information received under above clauses by body corporate for  processing,  stored or  processed under a lawful contract or otherwise SENSITIVE PERSONAL DATA OR INFORMATION RULE 3 OF THE IT RULES, 2011
  • 11.
    Following information isnot regarded as sensitive personal data or information: 1. Information freely available or accessible in public domain or, 2. Information furnished under the Right to Information Act, 2005 (RTI) or 3. Information furnished under any other law for the time being in force. EXCEPTIONS:
  • 12.
     Any informationthat relates to a  ‘natural person’  which either directly or indirectly, in combination with other information available or likely to be available with a body corporate,  is capable of identifying such person. PERSONAL INFORMATION: RULE 2 , IT RULES, 2011
  • 13.
     Security practicesand procedure designed to  protect such information from unauthorized • access, • damages, • use, • modification, • disclosure or • impairment, Contd… MEANING OF REASONABLE SECURITY PRACTICES AND PROCEDURES Section 43, Explanation (ii)
  • 14.
    Contd… as may bespecified in :  an agreement between the parties or;  any law for the time being in force; or  in absence of such agreement or law, such reasonable security practices and procedures,  as may be prescribed by the Central Government. MEANING OF REASONABLE SECURITY PRACTICES AND PROCEDURES Section 43, Explanation (ii)
  • 15.
     Privacy Policy Consent for collection of data  Collection of data  Use and Retention  Opt Out/Withdrawal  Access and Review of Information  Grievance Mechanism  Limitation on Disclosure of Information  Limitation on Transfer of Information  Reasonable Security Practices and Procedures
  • 16.
     Body corporateor any person on its behalf ◦ collects, receives, possess, ◦ stores, deals or handles  information of provider of information ◦ Providers of information, are those natural persons who provide sensitive personal data or information to a body corporate.  Shall provide a privacy policy for handling of or dealing in ‘sensitive personal data or information’. Contd… PRIVACY POLICY: RULE 4
  • 17.
    Privacy Policy shallbe published on the website and provide:- • Clear and easily accessible statements of its practices and policies; • Type of personal or sensitive personal data or information collected; • Purpose of collection and usage of such information; • Disclosure of information including sensitive personal data or information; • Reasonable security practices and procedures followed by the corporate. PRIVACY POLICY: RULE 4
  • 18.
     Any suchbody corporate providing services relating to collection, storage, dealing or handling of sensitive personal data or information under contractual obligation with ◦ any legal entity located within or outside India is not subject to the requirement of Rules 5 & 6.  This above exemption is mainly applicable to Data Collection Agencies. Exception  However, Body corporate, providing services to the provider of information under a contractual obligation directly with them, as the case may be, is subject to Rules 5 & 6.
  • 19.
    RULE 5 (1) oRequires the corporate or any person on its behalf, o before collection of sensitive personal data or information, o to obtain consent in writing through any mode of electronic communication including letter or FAX or email from the ‘provider of the information’ o regarding purpose of usage of such information. CONSENT
  • 20.
    RULE 5(3) Requirements incase of collection of information directly from the person concerned: Steps to ensure that the person concerned is having the knowledge of : o The fact that the information is being collected; o The purpose for which the information is being collected; o The intended recipients of the information; and o The name and address of – ◦ the agency that is collecting the information; and ◦ the agency that will retain the information CONSENT
  • 21.
    RULE 5 (2) Sensitivepersonal data or information can be collected only under following two circumstances: 1. For a ‘lawful purpose’  connected with a function or activity of the body corporate or any person on it behalf; and 1. Considered ‘necessary’ for that purpose PURPOSE OF COLLECTION OF INFORMATION
  • 22.
    USE - RULE5(5):  The information collected shall be used  only for the purpose for which it has been collected. RETENTION - RULE 5(4)  A body corporate or its representative  must not retain such information for  longer than is required for the purposes for which the information may lawfully be used. OR  as required under any other law in force. USE AND RETENTION OF INFORMATION
  • 23.
    RULE 5(7) : Requiresthe body corporate to give the provider of information, an option: 1. prior to the collection of the information, to not provide the data or information sought to be collected 2. of withdrawing his consent given earlier to the body corporate.  Withdrawal shall be sent in writing to the body corporate.  the body corporate shall have the option to not provide goods or services for which the said information was sought. OPT OUT/WITHDRAWAL
  • 24.
    RULE 5(6) o Providersof information- permitted- to review the information provided by them- as and when requested by them; o Information- if found to be inaccurate or deficient shall be corrected or amended as feasible. o Body corporate NOT responsible for authenticity of the personal information or sensitive personal data or information as supplied by the provider to the body corporate. ACCESS & REVIEW OF INFORMATION
  • 25.
    RULE 5(9) o Timebound redressal of any discrepancies and grievances. o Grievance Officer shall be appointed. o Publication of name and contact details of Grievance Officer on website o Redressal of grievances: within one month from the date of receipt of grievance. GRIEVANCE REDRESSAL MECHANISM
  • 26.
    RULE 6 Permission ofthe provider of the information is required before disclosure of information Exceptions: 1. when disclosure is agreed upon in the contract; 2. when disclosure is necessary for compliance of a legal obligation; 3. when disclosure to Government agencies mandated under the law to obtain information. 4. when disclosure to any third party by an order under the law for the time being in force. LIMITATION ON DISCLOSURE OF INFORMATION
  • 27.
    RULE 6  Rule6 also forbids the following: 1. Publication of sensitive personal data or information by body corporate or its representative, 2. Disclosure by third party receiving the sensitive personal data or information from the body corporate. LIMITATION ON DISCLOSURE OF INFORMATION
  • 28.
    RULE 7 Transfer allowedto:  another body corporate or a person  in India, or located in any other country. Transfer is allowed only if : 1. other body corporate or person ensures the same level of data protection that is adhered to by the body corporate as provided under these rules. 2. it is necessary for the performance of the lawful contract between the provider of the information and the corporate receiving the information. LIMITATION ON TRANSFER OF INFORMATION
  • 29.
    RULE 8  Prescribesstandard to be adhered to  by a body corporate, receiving the information, ◦ in the absence of an agreement between the parties; ◦ or any law for the time being in force.  One such prescribed standard: The International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements”. REASONABLE SECURITY PRACTICES AND PROCEDURES
  • 30.
     Any otherSecurity code, if followed shall be : o Duly approved and Notified o by the Central Government o Audited annually by an independent auditor approved by the Central Government.  In the event of an information security breach – demonstration of implementation of security control measures - by the body corporate. REASONABLE SECURITY PRACTICES AND PROCEDURES
  • 31.
     A bodycorporate or a person on its behalf shall be deemed to have complied with reasonable security practices and procedures if:  They have implemented such security practices and standards, and  Have a  comprehensive documented information security programme; and  information security policies for: managerial, technical, operational and physical security which are proportionate with the information assets being protected with the nature of business. REASONABLE SECURITY PRACTICES AND PROCEDURES
  • 32.
     IT Act,2000 is available at: http://www.mit.gov.in/sites/upload_files/dit/files/downloads/itact2000/itbill200 0.pdf  IT (Amendment) Act, 2008 is available at: http://www.mit.gov.in/sites/upload_files/dit/files/downloads/itact2000/it_ame ndment_act2008.pdf  Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011are available at: http://www.mit.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf  Clarification on Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 under section 43A of the Information Technology Act, 2000  http://mit.gov.in/sites/upload_files/dit/files/PressNote_25811.pdf
  • 33.
    THANK YOUTHANK YOU VaishAssociates Advocates Celebrating 43 years of professional excellence 1st & 11th Floors Mohan Dev Building 13, Tolstoy Marg New Delhiǀ ǀ ǀ 110001 (India) Phone: +91 11 42492532 (Direct) Phone: +91 11 42492525 (Board) Mobile: +91 9810081079 Fax: +91 11 23320484 Email: vpdalmia@vaishlaw.com www.vaishlaw.com Intellectual Property & Information Technology Laws Division New Delhi Mumbai Bangalore Gurgaon