The Existing Pre-PDP Era
1. Introduction to SPDI Rules
The Information Technology Act, 2000 (hereinafter, “The IT Act”) as amended by the Information Technology (Amendment) Act, 2008 provides certain provisions relating to personal and sensitive data privacy and protection in India.
Although some provisions under the IT Act aims at regulating the processing of personal data in cyberspace, the primary focus of the IT Act has been on providing information security regulations for the protection of personal and sensitive data in cyberspace.
In adherence to data protection provisions under the IT Act, the Central Government has enacted the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (hereinafter, “The SPDI Rules”). The SPDI Rules encompasses provisions to regulate:
a.Processing of Personal Data/Information and/or Sensitive Personal Data/Information
b.Prescribing security practices and procedures for handling Personal Data/Information and/or Sensitive Personal Data/Information
2. When does the SPDI Rules come into play?
The provisions of the IT Act and SPDI Rules apply to all body corporates collecting, receiving, possessing, storing, dealing or handling the personal information of natural persons in India.
- a. If a body corporate is located in India: SPDI Rules are applicable.
- b. If a body corporate is located outside of India: SPDI Rules are applicable only if the body corporate has a computer, computer system or computer network located in India.
2.1. Who would fall under the definition of ‘Body Corporate’?
The SPDI Rules are applicable only to body corporates and individuals acting on behalf of body corporates.
Any company including a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities come within the ambit of ‘body corporate’[1].
This definition is understood to exclude organisations not engaged in commercial or professional activities, for example, NGOs or other think tanks
2.2. Extends only to Indian Nationals
The SPDI Rules protects natural persons residing in India[2]. Therefore, the collection of information/data of a firm, partnership, trust, company, LLP, etc. will not attract data protection requirements under the SPDI Rules.
It is unclear if the SPDI Rules apply to foreign nationals residing in India. As per the popular understanding, the applicability of SPDI Rules is limited to Indian Nationals.
2.3. No Application on Data collected through physical mode
The IT Act and the SPDI Rules are only applicable to information and data collected in cyberspace and have no application on information and data collected through offline/physical modes.
3. Data categorisation under SPDI Rules
The SPDI Rules define Personal Information as “any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.[3]”
Further, Sensitive Personal Data or Information has been defined as personal information which consists of information relating to[4]:
a. Password
b. Financial information
c.Physical, physiological and mental health conditions
d.Sexual orientation
e.Medical records and history
f.Biometric information
It is pertinent to mention that although the SPDI Rules define “Personal Information”, the rules are majorly focused on protecting “Sensitive Personal Data or Information”.
3.1. Publicly available information exempted
The following information is disregarded as sensitive personal information/data and is excluded from data protection obligations[5]:
a.Information that is freely accessible in the public domain
b.Information availed under the Right to Information Act, 2005.
4. Data Obligations on Body Corporate
Body Corporates or any person on its behalf collecting, receiving, possessing, storing, dealing or handling the sensitive personal information are bound to abide by the obligations discussed below:
4.1. Privacy Policy
Body Corporates while collecting personal information should publish a privacy policy which must include:
a.a clear and easily accessible statement on its practices and policies
b.type of information collected
c.purpose of collection and usage of such information
d.policy on disclosure with third parties
e.reasonable security practices and procedures adopted.
It is important to note that the obligation of publishing a privacy policy is applicable for all types of personal information or data collected and is not limited to the collection of sensitive personal information.
4.2. Consent Letter
Where a body corporate is collecting any sensitive personal data, the body corporate or any person on its behalf is required to obtain consent from the provider of information through a letter, email, fax or any other electronic mode[6].
While obtaining consent, the body corporate should ensure that the provider of information knows[7]:
a.the fact that the information is being collected from them;
b.the purpose of the collection;
c.the intended recipients (eg. third parties with whom the information might be shared); and
d.the name and address of the body corporate or person on behalf of the body corporate who is collecting such information.
The body corporate must take all the steps as reasonable to ensure that the provider of the information knows all the metrics stated above.
4.3. Appointment of Grievance Officer
A body corporate must appoint a grievance officer whose name and contact details are to be published on the website[8]. The grievance officer shall ensure that the grievances and discrepancies of the provider of information are resolved in a time-bound manner and within one month from the date of receiving the grievance.
The SPDI Rules do not stipulate any specific qualifications or eligibility criteria for the appointment of the grievance officer.
4.4. Reasonable Security Practices & Procedures
A body corporate must implement[9]:
a.Reasonable security practices and procedures for handling sensitive personal information;
b.A comprehensively documented information security programme; and
c.Information security policies reflecting managerial, technical, operational and physical security control measures that are in tune with the information assets being protected with the nature of business.
4.4.1 What are the standard security practices permitted under the SPDI Rules?
A body corporate shall be deemed to have complied with reasonable security practices and procedures if they adopt[10]:
a.The International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements”; or
b.Any code of best practices duly approved & notified by the Central Government.
4.4.2 Periodic Auditing of Reasonable Security Practices & Procedures
The SPDI Rules stipulate that an audit of reasonable security practices and procedures should be carried by an auditor at least once a year or as and when the body corporate undertakes significant up-gradation of its process and computer resource[11].
The auditor or an auditing entity must be duly approved by the Central Government.
5. Principles relating to Processing
The SPDI Rules impose certain limitations on the collection of sensitive personal information or data as tabled below:
5.1. Purpose Limitation
The sensitive personal information collected must be for a lawful purpose connected with the function or activity of the body corporate[12] and must be used for the purpose for which it has been collected[13].
5.2. Data Minimisation
The collection of sensitive personal information must be essential/necessary for the purpose for which the information is being collected and such purpose should be connected with the business activity of the body corporate[14].
5.3. Storage Limitation
The body corporate or the person on its behalf must not hold/store the sensitive personal data for longer than required for the purpose for which the information has been collected[15].
6. Disclosure with Third Parties
Before disclosing/sharing sensitive personal data or information with any third party, the body corporate shall require the prior consent of the provider of information[16]. Such consent can be escaped in the following circumstances:
- Where the provider of information has already consented to such disclosure in the contract entered between the body corporate and provider[17].
- Where the disclosure is necessary for compliance with a legal obligation[18].
- Where the disclosure is being made to a Government Agency mandated under law to obtain such information[19].
- Where the disclosure is directed by any order under any law[20].
Publication of sensitive personal information by the body corporate or by the third party receiving the information is strictly prohibited[21].
7. Transfer of Information
A body corporate can transfer sensitive personal data to another body corporate located in India or any other country under any of the following circumstances[22]:
- The receiving entity adheres to the same level of data protection security measures as adhered by the body corporate transferring the information; or
- The transfer is necessary for the performance of a lawful contract between the provider of information and body corporate.
8. Compensation & Penalties
Negligence or failure by a body corporate dealing with sensitive personal information in implementing and maintaining reasonable security practices and procedures as prescribed under the SPDI Rules is liable to pay damages[23]. These damages are uncapped and are dependent on the facts of each case.
Imprisonment of not more than three years, a fine of INR 5,00,000 or both have been prescribed for disclosing personal information in breach of lawful contract or without data subject’s consent[24].
9. Why is the enactment of the PDP Bill necessary for India?
The SPDI Rules are aimed at protecting sensitive personal data collected in cyberspace. They do not apply to information collected through offline mode. Further, apart from the obligation of publishing a privacy policy, there are no data protection measures applicable for the protection of personal information that is not sensitive personal information.
Additionally, the lack of a dedicated national regulator under the IT Act and SPDI Rules has led to the substandard implementation of these data protection provisions.
With India becoming a global economy and data protection dialogues exponentially increasing, there is an urgent need to upgrade the data protection laws of India.
……………………………………………………..
Authored by Samya Gupta
Samya is a lawyer practising in IP & Technology Law and works with Tsaaro as a Privacy Consultant.
[1] Explanation (i), Section 43A, IT Amendment Act, 2008.
[2] Press Release, Clarification on Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 under Section 43A, IT Act, 2000.
[3] Rule 2(1)(i), SPDI Rules, 2011.
[4] Rule 3, SPDI Rules, 2011.
[5] Proviso to Rule 3, SPDI Rules, 2011.
[6] Rule 5(1), SPDI Rules, 2011.
[7] Rule 5(3), SPDI Rules, 2011.
[8] Rule 5(9), SPDI Rules, 2011.
[9] Rule 8, SPDI Rules, 2011.
[10] Rule 8(3), SPDI Rules, 2011.
[11] Rule 8(3), SPDI Rules, 2011.
[12] Rule 5(2)(a), SPDI Rules, 2011.
[13] Rule 5(5), SPDI Rules, 2011.
[14] Rule 5(2)(b), SPDI Rules, 2011.
[15] Rule 5(4), SPDI Rules, 2011.
[16] Rule 6, SPDI Rules, 2011.
[17] Rule 6 (1), SPDI Rules, 2011.
[18] Rule 6 (1), SPDI Rules, 2011.
[19] Proviso to Rule 6 (1), SPDI Rules, 2011.
[20] Rule 6 (2), SPDI Rules, 2011.
[21] Rule 6 (3) & (4), SPDI Rules, 2011.
[22] Rule 7, SODI Rules, 2011.
[23] Section 43A, IT Amendment Act, 2008.
[24] Section 72A, IT Act, 2000.
Recent Comments