Data protection and privacy are of high importance in the contemporary world. They shield an organisation’s information against fraud, hacking, phishing and identity theft. Any business that wishes to function efficiently must create a data protection plan to secure its data. Nowadays, data protection and privacy have turned into issues of individual rights.
Ensuring Privacy through Protecting Data
Under Article 21 of the Indian Constitution, as upheld by the Supreme Court in the landmark case of Justice KS Puttaswamy v. Union of India, the right to privacy is recognised as a fundamental right. One of the most important pieces of legislation in this domain is The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (SPDI Rules).
Issued on 13th April 2011, the SPDI Rules impose strict security requirements on organisations that retain sensitive user personal information. These Rules apply to any corporate body or person located in India.
According to the Security Practices Rules, sensitive personal information must be given to the government entities. As per Rule 3 of the regulations, the following forms of data or information are to be regarded as sensitive personal data:
A person who provides information to a body corporate is known as an information provider. ‘Body Corporate’ has been defined as a company under Clause 11 of Section 2 of the Companies Act, 2013. It states, “body corporate or corporation includes a company incorporated outside India, but does not include -
(i) a co-operative society registered under any law relating to co-operative societies; and
(ii) any other body corporate (not being a company as defined in this Act), which the Central Government may, by notification, specify in this behalf;”
According to these rules, information providers have certain rights over sensitive personal information. This information cannot be collected without the providers' consent, and providers have the right to refuse to give consent or to withdraw consent by writing to the body corporate.
A body corporate is prohibited by Rule 6 from publishing or disclosing such data or information to any third party without the approval of the information source. There are two exceptions to this rule, though:
The information provider has the right to check the data at any time and to update it if it turns out to be wrong. The body corporate may not keep the information for any longer than is necessary to fulfill the authorised purpose for which it was obtained, and may only use the information for the purpose for which it was gathered.
Furthermore, there exists a requirement for “Commercial or Professional activities” which essentially states that all personal data that may be collected by an individual or a person who is considered to be engaged in commercial or professional activities (no distinction as to scope of commercial activity). The 2011 Rules are applicable only to ‘bodies corporate’, which have been defined under Section 43A of the IT Act 2000.
Some features of the Body Corporate:
Conclusion
Rules to ensure data privacy, especially in the present, are the need of the hour. That’s why, nearly a decade later, a fresh set of rules was introduced to govern the developing cyberspace: The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, which shall be discussed next.