Regulations related to Data Security

Data protection and Privacy on the Internet under Indian Law

Is data protection relevant for businesses?

Indian law imposes certain obligations on entities which collect certain kinds of personal information of individuals which is considered to be ‘sensitive’. The obligations may apply to e-commerce websites, banks, employers, hospitals, and other entities, if they collect personal information of users. Primarily, data protection law in India regulates the kinds of information that is collected, the purpose for which it may be collected, the manner of collection of the information and the conditions necessary for its disclosure or transfer to another entity.

The obligations for data protection are set out in the Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules). The obligations under the IT Act and the SPDI Rules apply to body corporates, a term which under Section 43A of the IT Act means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities. Thus, a partnership firm which collects sensitive data will have to comply with the SPDI Rules.

  1. The rules are not applicable when data is collected or processed by an individual acting in a personal capacity. A sole proprietorship carrying on commercial or professional activity is, however, expressly included in the definition of body corporate and must comply. 
  2. The consent and disclosure requirements of the SPDI Rules (Rules 5 and 6) do not apply to an Indian body corporate that collects or processes data under a contract with another legal entity, whether located in India or abroad, e.g. an Indian outsourcing company processing the data of UK or US citizens on behalf of a foreign client.
This is as per a Press Note issued by the Ministry of Communications & Information Technology on 24 August 2011 (Press Note), which was issued to clarify doubts regarding the applicability of data protection obligations under Indian law to information (of foreigners) collected and processed by Indian outsourcing companies.
  3. The rules apply only to data that pertains to individuals, i.e. natural persons. The Press Note clarifies that the rules apply when sensitive personal data or information is provided by natural persons.
What is sensitive personal data or information?

Personal information relating to the following categories is considered to be sensitive as per the SPDI Rules:
  • a password
  • financial information such as bank account, credit card, debit card or other payment instrument details
  • physical, physiological and mental health condition
  • sexual orientation;
  • medical records and history;
  • biometric information;
  • any detail relating to the above clauses as provided to body corporate for providing service; and
  • any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.
Obligations to protect data for a business

Under Indian law, SPDI can be collected only if:
  1. the purpose for which the information is collected is lawful and is connected with a function or activity that the body corporate carries out, and
  2. the collection of such information is necessary.
For example, if you agree to pay a supplier by cheque on the first of every month (for the next six months), he cannot legitimately ask for your credit card details (over the internet), because the collection is not necessary as you have agreed to pay by cheque.

Note: The SPDI Rules apply to information collected through an electronic medium governed by the IT Act; information that is freely available in the public domain, or furnished under the Right to Information Act, 2005, is expressly excluded from the definition of SPDI. Information recorded only on paper, e.g. in a physical logbook at the reception of a hotel, falls outside the electronic records regulated by the IT Act.

In addition, under the IT Act, a body corporate which collects, processes or handles sensitive personal data or information is responsible for implementing and maintaining ‘reasonable security practices and procedures’ to protect the data. Failure to maintain such security practices on part of the body corporate will make it liable to pay compensation if wrongful gain or loss is caused to any person (there is no limit specified in the SPDI rules on the quantum of compensation).

We explain below the procedure for collection, transfer and disclosure of data, and the security practices that must be maintained by an organization to ensure the requisite level of data protection under Indian law.
  1. Procedure for collection of information
Manner of obtaining consent - A body corporate must get prior consent from the provider of information. This consent can be collected through letter or fax or email. The person concerned should be aware of the fact that the information is being collected, the purpose for which it is being collected, the intended recipients of the information and the address of the agency that is collecting the information and the agency that is going to retain the information. Further, the provider of information should be able to review the information that they provide and they should have the option to correct any inaccuracy or deficiency.

Grievance handling – A body corporate must appoint a Grievance Officer to address any discrepancies or grievances that any provider may have with respect to processing of information. The name and contact details of the Grievance Officer must be published on the body corporate's website, and grievances must be redressed expeditiously, within one month of receipt.

Retention of information - The information cannot be retained for a period longer than is required. It can only be used for the purpose for which it was collected in the first place, and no other purpose.

Option to withdraw consent/ not provide information - An option should be made available to the information provider not to provide the data or the information that is required to be collected. The provider should also be given the choice to withdraw the consent which had been given earlier. This withdrawal shall be in writing. 
  2. Implementation of a privacy policy
Under the Rules, a body corporate is required to implement a privacy policy for handling and dealing with user information including SPDI. The policy must be published on the body corporate's website so that the provider of information can view it. The policy should have provisions which address the following issues:
  1. The policy should mention the type of personal information or SPDI that is to be collected
  2. It should specify the purpose of collection and the usage of the information that is collected
  3. It should contain provisions regarding disclosure of the information that is being collected
  4. It should describe the reasonable security practices and procedures followed by the body corporate (see section 5 below)
  3. Procedure for disclosure of information
Any disclosure of SPDI requires prior consent from the provider of information, except under the following circumstances:
  • Disclosure to third parties under certain legal obligations: a) When such disclosure has been provided for under a lawful contract or b) if the disclosure is necessary for the compliance of a legal obligation, or c) pursuant to an order under the law for the time being in force.
The recipient of information cannot disclose the same further. SPDI cannot be published in any other manner. 
  • Disclosure to government agencies: SPDI may be disclosed to government agencies mandated under law to obtain information for the purposes of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences, under the following conditions: 
  1. if the Government agency has sent a written request to the body corporate stating the purpose of seeking the information, and
  2. if it has assured that the information obtained will not be published or shared with any other person.
  4. Transfer of information
Transfer of personal information and SPDI by a body corporate to any other body corporate or person in India, or located in any other country, can be carried out only if the recipient ensures the same level of data protection as is adhered to by the transferring body corporate, and only if the transfer is necessary for the performance of a lawful contract between the body corporate and the provider of information, or the provider has consented to the transfer. This is an important provision for mergers and acquisitions (“M&A”) transactions – if a company is merging into another company, or selling a division to another company, the new company must ensure the same level of data protection.

This provision is also relevant to cloud computing services. Early stage businesses often avail the services of cloud computing providers for various backend processes. The cloud computing provider may either be in India itself, or it may have a global presence. In such cases, user data is collected by the service provider, but processed by another entity (or even outside India). In such cases, the collecting entity must ensure (by inserting such a clause in the cloud computing agreement) that sensitive information is subject to the same data protection requirements as observed by the collecting entity as per Indian law.
  5. Security levels for protection of data
As per the IT Act, a body corporate can be held liable for negligence in implementing and maintaining ‘reasonable security practices and procedures’ to protect sensitive personal data or information.  ‘Reasonable security practices and procedures’ are defined to mean security practices designed to protect information from unauthorized access, damage, use, modification, disclosure or impairment, as may be specified (i) in an agreement between the parties, or (ii) under any law, or (iii) in the absence of such agreement or law, such reasonable security practice as may be prescribed by the Central Government.
  • Information security programme and policy – As per the SPDI Rules, a body corporate must have an information security programme and information security policy. In the event of an information security breach, the body corporate or a person on its behalf shall be required to demonstrate that they have implemented security control measures as per their documented information security programme and information security policies.
The International Standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements" has been prescribed as one of the standards which may be followed by entities in implementing security practices and procedures. Codes of best practice drawn up by an industry association or similar body may also be followed, provided they are approved and notified by the Central Government. If an entity follows any other standard, it will be required to demonstrate that its measures qualify as ‘reasonable security practices and procedures’ in the event of a breach.
  • Audits - The SPDI Rules prescribe that entities that implement IS/ISO/IEC 27001 or similar best practices should have their practices and procedures certified or audited on a regular basis by an independent auditor approved by the Central Government. Such an audit should be carried out at least once a year, or whenever the body corporate significantly upgrades its processes or computer resources. 
  6. Punishment for breach of confidentiality
Under Section 72A of the IT Act, any person (including an intermediary) who, while providing services under a lawful contract, obtains access to personal information and discloses it without the consent of the person concerned or in breach of that contract, with the intention of causing (or knowing it is likely to cause) wrongful loss or wrongful gain, is punishable with imprisonment of up to three years, or a fine of up to INR 500,000, or both.