As of now, no specific law governing data privacy exists in India. Statutory provisions on the protection of employees’ data are, however, found in the Information Technology Act, 2000. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Information Technology Rules), which were notified on April 11, 2011 under Section 43A of the Information Technology Act, provide for security practices and procedures that must be followed by companies that collect, receive, possess, store, deal with, or handle any “information,” “personal information” (PI), or “sensitive personal data or information” (SPDI) maintained in a computer resource that is owned, controlled, or operated by the company.
For purposes of the Information Technology Act, 2000 and the Information Technology Rules, the following definitions apply:
- “‘data’ means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer;”
- “‘information’ includes data, text, images, sound, voice, codes, computer programmes, software and databases or micro film or computer generated micro fiche;”
- “‘personal information’ means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.”
- “sensitive personal data or information of a person means such personal information which consists of information relating to:–
  (ii) financial information such as Bank account or credit card or debit card or other payment instrument details;
  (iii) physical, physiological and mental health condition;
  (iv) sexual orientation;
  (v) medical records and history;
  (vi) Biometric information;
  (vii) any detail relating to the above clauses as provided to body corporate for providing services; and
  (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise;
  provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.”
The Information Technology Rules also require a company that handles PI or SPDI to provide a privacy policy, published on its website, that sets out the following:
- a clear and easily accessible statement of its practice and policy;
- the type of PI or SPDI collected;
- the purpose of collection and usage of such information;
- the manner of disclosure of such information if it is being disclosed; and
- the reasonable security practices and procedure adopted by company to protect the information collected.
When collecting information directly from the person concerned, a company or any person acting on its behalf must take such steps as are, in the circumstances, reasonable to ensure that the person concerned has knowledge of the following:
- the fact that the information is being collected;
- the purpose for which the information is being collected;
- the intended recipients of the information; and
- the name and address of (i) the agency that is collecting the information and (ii) the agency that will retain the information.
The company must ensure that the information collected is used for the purposes for which it has been collected.
With respect to SPDI, a company or any person collecting information on its behalf must obtain written consent, through letter, fax, or e-mail, from the provider of that data or information regarding the purpose of its use before collecting the SPDI. Further, a company or any person collecting information on its behalf may not collect SPDI except under the following circumstances:
- the information is collected for a lawful purpose connected with a function or activity of the company or any person on its behalf; and
- the collection of the sensitive personal data or information is considered necessary for that purpose.
Prior to collecting any SPDI, the company or any person acting on its behalf must give the provider the option not to supply the data or information. A provider of SPDI also has the option to withdraw an earlier consent by sending written notice to the company. If a provider chooses not to supply SPDI or later withdraws his or her consent, the company has the option not to provide the goods or services for which the information was sought.
No company or any other person who is holding SPDI on its behalf is allowed to retain it longer than is required for the purposes for which the SPDI may lawfully be used or is otherwise required under any other law.
The Information Technology Rules also establish the following conditions for the disclosure of SPDI:
- disclosure of SPDI by a company to any third party requires the prior permission of the provider who supplied the information under a lawful contract or otherwise, unless (i) the disclosure has been agreed to in a contract between the company and the provider of the information, (ii) the disclosure is necessary for compliance with a legal obligation, (iii) the disclosure is mandated in writing by a government agency for the purpose of verifying identity or for preventing, detecting, investigating, prosecuting, or punishing offenses, or (iv) the disclosure is made pursuant to a legal order;
- neither the company nor any person acting on its behalf may publish SPDI;
- a third party that receives SPDI from the company or person acting on its behalf may not disclose it further.
The Information Technology Rules also provide that a company or other person acting on its behalf may transfer SPDI to any other company or person in India, or located in any other country, that ensures the same level of data protection adhered to by the transferring company and as prescribed by the Information Technology Rules. However, a transfer may be allowed only if it is necessary for the performance of a lawful contract between the company or other person acting on its behalf and the provider, or where the provider has consented to the transfer.
A company or any person acting on its behalf must permit providers of information, as and when they request, to review the information provided and ensure that any PI or SPDI that is found to be inaccurate or deficient is corrected or amended, to the extent feasible. However, a company will not be held responsible for the authenticity of the PI or SPDI supplied by a provider to the company or other person acting on its behalf.
A company or other person acting on its behalf must adopt and implement reasonable security practices and standards and maintain a comprehensive documented information security program and information security policies that contain managerial, technical, operational, and physical security control measures commensurate with the information being protected and the nature of the business. In the event of an information security breach, the company will be required to demonstrate that it has implemented security control measures in accordance with its documented information security program and information security policies. The Information Technology Rules recognize two means by which a company can implement reasonable security practices and procedures, as follows:
- by implementing the International Standard IS/ISO/IEC 27001 on “Information Technology–Security Techniques–Information Security Management System–Requirements”;
- in the case of an industry association or an entity formed by such an association whose members are self-regulating, by following its own codes of best practice for data protection, provided that those codes have been duly approved and notified by the central government for effective implementation.
All companies or persons acting on their behalf also must ensure an audit of their security practices and procedures, which must be carried out by a government-approved independent auditor at least once a year or as and when a company undertakes a significant upgrade of its process or computer resources.
Companies must address any discrepancies and grievances of providers, with respect to the processing of information, in a timely manner. For this purpose, the company must designate a grievance officer, who must expeditiously, i.e., within one month from the date of receipt of grievance, redress any discrepancies and grievances. The name and contact details of the appointed grievance officer must be published on the company’s website.
The government has introduced the Personal Data Protection Bill (in 2018 and again in 2019), which aims to regulate the processing of personal data of individuals (known as data principals) by the government and by private entities (data fiduciaries) incorporated in or outside India. Once enacted, this legislation will supersede Section 43A of the Information Technology Act, 2000 and the Information Technology Rules.