Monday, May 20, 2013

Reasonable Security Practices and Procedures and Sensitive Personal Data in India-provisions required

ITA Reasonable Security Practices and Procedures and Sensitive
Personal Data or Information Rules 2011
The Personal Information Security Rules were notified in April 2011 and serve as
the most comprehensive form of data protection in India. The Rules prescribe procedures
and protocols to which a body corporate must adhere. The Rules can be brought in line
with the National Privacy Principles through the following changes:
1. Notice
Existing Provisions
o Privacy Policy: Any body corporate that collects, receives, possesses, stores,
deals, or handles information must provide a privacy policy that provides for clear
and easily accessible statements of its practices and policies, type of personal or
sensitive personal data or information collected, purpose of collection and usage
of such information, disclosure of information, and reasonable security practices
and procedures. Rule 4
o During Collection: While collecting information directly from the person
concerned the body corporate shall take steps to ensure that the individual knows
that the information is being collected, the purpose for which the information is
being collected, the intended recipients of the information, the name and address
of the agency collecting the information and the agency that will retain the
information. Rule 5(3)
Missing Provisions
o Data Breach: If a data breach occurs, affected individuals must be notified.
o Legal Access: If information is legally accessed, the access must be notified at the
close of the investigation.
o Change in privacy policy: Any changes in a body corporate's privacy policy
should be notified to the public and the individual.
o Process to access and correct: At the time of collection body corporates must
provide notice of the processes available to data subjects to access and correct
their own personal information.
2. Choice & Consent
Existing Provisions
o Individual Consent: Body corporates must obtain consent in writing through
letter, fax, or email from the provider of the sensitive personal data or
information regarding purpose of usage before collection. Rule 5(1)
o Right to withdraw and opt in/opt out: Prior to collection of information, the body
corporate must give the individual the option not to provide the data sought. The provider
of information will have the right to withdraw consent at any time while availing
services. Rule 5(7)
Missing Provisions
o Mandatory provision: When provision of information is mandated by law, it should
be in compliance with all other National Privacy Principles. Information collected
on a mandatory basis should be anonymized within one year if published in public
3. Collection Limitation
Existing Provisions
o Necessary & Relevant: Body corporate shall not collect sensitive personal data
unless the information is collected for a lawful purpose connected with a function
or activity of the body corporate, and the collection of the sensitive personal data is
considered necessary for that purpose. Rule 5(2)
4. Purpose Limitation
Existing Provisions
o Definition of Sensitive Personal Data: password, financial information such as
Bank account or credit card or debit card or other payment instrument details,
physical, physiological and mental health conditions, sexual orientation, medical
records and history, biometric information, any detail relating to the above as
provided to body corporate for providing service, any of this information received
by body corporate for processing, stored or processed under lawful contract. Any
information that is available or accessible in public domain or furnished under the
Right to Information Act, 2005 will not be regarded as sensitive personal data. Rule 3
o Retention: The Body Corporate holding sensitive personal data will not retain
that information for longer than is required for the purposes for which the
information may be lawfully used or is required under any other law in force. Rule 5(4)
o Use: The information collected will be used for the purpose for which it has been
collected. Rule 5(5)
Missing Provisions
o Adequate and Relevant: Personal data collected and processed by an
organization must be adequate and relevant to the purposes for which they are
o Change in purpose: If there is a change in purpose, this must be notified to the
data subject.
o Destruction: After personal information has been used in accordance with the
identified purpose, it must be destroyed as per the identified procedures.
o Data Retention: Data retention mandates by the government should be in
compliance with the National Privacy Principles.
5. Access & Correction
Existing Provisions
o Access: Body corporate must permit the providers of information, when
requested, to review the information they had provided and ensure that any
personal information or sensitive personal data or information found to be
inaccurate or deficient shall be corrected or amended as feasible. Rule 5(6)
Missing Provisions:
o Confirmation of personal information: Data subjects should be able to confirm
that an organization holds or is processing information about them.
o Copy of personal information: Data subjects should be able to obtain a copy of
the personal data undergoing processing.
o Limitation to Access: The information may not be given or access permitted if it
is not possible to do so without disclosing information about another person unless
that person has consented to the disclosure.
6. Disclosure of Information
Existing Provisions
o Consent for Disclosure: Disclosure of sensitive personal data or information by
body corporate to any third party shall require prior permission from the provider
of such information, unless disclosure has been agreed to by contract or is
necessary by legal obligation. Rule 6
o Prohibition on publishing: The body corporate will not publish the sensitive
personal data or information. Rule 6(3)
o Non-disclosure: The third party receiving the sensitive personal data will not
disclose it further. Rule 6(4)
o Transfer of Information: A body corporate may transfer sensitive personal data
to any body, organization, or country that ensures the same level of data
protection. The transfer can only take place for the performance of a lawful
contract or where the transfer has been consented to. Rule 7
Missing Provisions
o Notice of disclosure: Body corporate must provide notice of disclosure to third
o Bound to Principles: All third parties must be bound to the National Privacy
Conflicting Provisions
o Authorized Agencies: Information will be shared with Government Agencies
mandated under law without obtaining prior consent for the purposes of
verification of identity, for prevention, detection, investigation including cyber
incidents, prosecution, and punishments of offences. Rule 6
7. Security
Existing Provisions
o Security standards: A body corporate or person must have a comprehensive
documented information security program and information security policies that
contain managerial, technical, operational, and physical security control measures.
In the event of a breach, the body corporate must be able to demonstrate that they
have implemented security control measures. This includes being IS/ISO/IEC
27001 compliant. Rule 8(1)
o Audit: On an annual basis the body corporate must undergo an audit of its
reasonable security practices. Rule 8(4)
8. Openness
Missing Provisions
o Transparency: Body corporate must make available to the public information
regarding the steps taken to ensure compliance with the National Privacy Principles.
9. Accountability
Existing Provisions
o System of Complaints: Body Corporates must address any discrepancies and
grievances of their provider of the information with respect to the processing of
information in a time bound manner. To achieve this, a Grievance Officer must be
appointed to address these grievances. Rule 5(9)
Missing Provisions
o External verification: All processes related to the handling of sensitive personal
information [in addition to security systems] should undergo external verification
on a regular basis.
o Support to Privacy Commissioner: Body corporate should be held responsible
for giving support to the Privacy Commissioner and complying with general/specific
orders of the privacy commissioner.
10. Verification
Existing Provisions:
o Liability of accuracy: A body corporate is not responsible for the authenticity of
the personal information or sensitive personal data or information supplied by the
provider of information. Rule 5(6)
Source: Report of the Group of Experts on Privacy
