
Technology, Media & Telecommunications

News
India - New data security laws and rules for sensitive personal information
27 May 2011
India has recently implemented new regulations aimed at data security issues but which may, in practice, take effect
as a broader set of privacy rules, including an obligation to get consent to process certain types of information. The
practical implications of these new rules are set out in further detail below.
The original Information Technology Act
The Information Technology Act 2000 (IT Act) of India was originally passed to provide legal recognition for e-commerce and sanctions for computer misuse, but it did not contain any express provisions on data security. As a
result, a breach of data security could lead to the prosecution of the individuals who hacked into the system, under
Sections 43 and 66 of the IT Act, but the Act provided no other remedy, for example against the organisation that
originally held that information.
Introduction of new data security laws
Accordingly, the IT (Amendment) Act 2008 (Amendment Act) was passed and incorporated two new sections into
the IT Act: Section 43A and Section 72A, to provide a remedy to persons who have suffered or are likely to suffer a
loss on account of that person's personal data not having been adequately protected.
Under Section 43A, bodies corporate can be liable if they are negligent in implementing and maintaining
reasonable security practices and procedures to protect sensitive personal data or information.
The term body corporate is not limited to companies and includes a firm, sole proprietorship or other association of
individuals engaged in commercial or professional activities. Arguably most entities that are undertaking any
commercial or professional activities can be brought within this definition and can be held liable under this rule.
In contrast, the term reasonable security practices or procedures is subject to a less precise definition being those
security practices and procedures which are contractually specified or are specified in any law. In the absence of
such contract or law, reasonable security practices or procedures mean those security practices and procedures
which are prescribed by the central government in consultation with such professional bodies or associations as the
central government may deem fit.

Finally, while the term sensitive personal data or information is central to these provisions it was not defined in
Section 43A and instead was to be prescribed by central government.
New data security regulations
The missing detail in Section 43A was finally provided by the Information Technology (Reasonable security practices
and procedures and sensitive personal data or information) Rules 2011 (Sensitive Personal Data Rules) which
were issued in April 2011. Summarised below are the key changes brought in by the Sensitive Personal Data Rules:
Sensitive personal data or information defined - The Sensitive Personal Data Rules define sensitive personal
data or information of a person to include information about:
- passwords;
- financial information such as bank accounts, credit and debit card details;
- physiological and mental health condition, medical records;
- biometric information;
- information received by a body corporate under lawful contract or otherwise;
- user details as provided at the time of registration or thereafter; and
- call data records.

Information that is freely available in the public domain or accessible under the Right to Information Act, 2005 or any
other law will not be regarded as sensitive personal data or information. It is interesting to note that, shorn of any
historical baggage, the Sensitive Personal Data Rules specify information that is more likely to be of direct concern to
individuals (e.g. passwords and financial data) than some types of sensitive personal information identified in the
European Data Protection Directive.
Obligation to provide privacy notices - A body corporate or person processing personal data on its behalf is also
required to implement a privacy policy for handling and dealing in user information including sensitive personal
information. The privacy policy must cover the following three areas:
- the type of personal information being collected; and
- the purpose, means and modes of usage of such information.

This privacy policy must be made available to those providing information to the body corporate under a contract. For
example, if the personal information is being collected through a website, it is possible to simply include the link to the
privacy policy on the website.
Consent to collect and disclose sensitive personal information - The change that has attracted the most
attention is the requirement that a body corporate must get consent from the provider of information for the purpose
for which the information is being collected and the means and modes of use of such information. Sensitive personal
information must also be collected for a lawful purpose connected with a function or activity of the body and the
collection of information must be necessary for that purpose.
The key issue to note here is that consent must come from the person who provided the information and not
compulsorily from the individual to whom the information relates. This makes the rule much less burdensome than
might be originally envisaged. For example, where the processing of sensitive personal information is outsourced to a
service provider in India, the service provider has to only seek the consent from its customer who is the provider of
information vis-a-vis the service provider. Whether that customer must, in turn, obtain the consent of the individual
to whom the information relates depends on the data protection laws that apply to the customer in the jurisdiction
where the information is being collected.
A body corporate is also required to obtain permission from the provider of information prior to disclosing the
information to a third party. However, there is an exception for disclosures to government agencies for the purpose of
verification of identity, or for prevention, detection, investigation, prosecution and punishment of offences. A third party
receiving information from a body corporate is obliged to not disclose the information further.
Rules for collection of sensitive personal information - The Sensitive Personal Data Rules also set out certain
dos and don'ts that a body corporate has to adhere to while collecting information directly from individuals.
For a valid consent to be obtained, the individual must be made aware of the fact that the information is being
collected and the purpose for the same, the intended recipients of the information and the name and address of the
agency which will collect and hold the information.
Reasonable security practices and procedures - Finally, the Sensitive Personal Data Rules set out what measures
constitute reasonable security practices and procedures for the purposes of Section 43A of the IT Act. A body
corporate must implement security practices and procedures which include a comprehensive documented
information security programme and information security policies. The information security policies should contain
managerial, technical, operational and physical security control measures that are commensurate with the information
assets being protected.
Organisations following IS/ISO/IEC 27001 codes shall be deemed to have implemented reasonable security practices
and procedures. Industry associations or industry clusters that follow security standards other than IS/ISO/IEC 27001
codes are required to get the same approved by the government.
Conclusion

Section 43A of the IT Act was the subject of some criticism when first introduced because of its wide scope covering
all body corporates and the lack of clarity on the definition of sensitive personal data and the security practices to be
employed with respect to the protection of such sensitive personal data.
The Sensitive Personal Data Rules are an attempt to clarify the scope of Section 43A by providing a definition for
sensitive personal data and information and laying down standards with respect to reasonable security practices
that have to be adopted by a body corporate. Questions have been raised on whether the Sensitive Personal Data
Rules go beyond their mandate under Section 43A of the IT Act and attempt to implement a broad set of privacy
rules. The additional obligations imposed by these rules are likely to pose some difficulties for industry players,
particularly those from jurisdictions which do not have a data protection regime.
