REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION RULES, 2011 Under The (Indian) Information Technology Act, 2000 By Vijay Pal Dalmia, Advocate, Partner & Head of Intellectual Property & Information Technology Laws Practice

Page 1: Reasonable Security Practices And Procedures And Sensitive Personala  24 06 2011 Avantha

REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION RULES, 2011
Under The (Indian) Information Technology Act, 2000

By Vijay Pal Dalmia, Advocate
Partner & Head of Intellectual Property & Information Technology Laws Practice

INFORMATION TECHNOLOGY ACT, 2000

Enacted in the year 2000 and implemented w.e.f. 17th October, 2000.

Important features of this Act:
• Recognition of e-transactions, digital signatures, electronic records etc., and recognition of their evidentiary value.
• Lists out various computer crimes which are technological in nature.
• However, this Act, originally, did not contain any provision for data protection.

THE INFORMATION TECHNOLOGY (AMENDMENT) ACT, 2008

The IT Act, 2000 was amended in the year 2008. Section 43A and Section 72A were added by the amendment Act for protection of personal data and information. Both these provisions are penal in nature, civil and criminal respectively.

REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION RULES, 2011

The Ministry of Communications and Information Technology (Department of Information Technology) promulgated these rules (IT Rules, 2011) under Section 87(2)(ob) read with Section 43A.

The IT Rules, 2011 came into force on 11th April, 2011.

Non-compliance with these rules would lead to invocation of Section 43A of the IT Act, 2008 and liability to pay compensation, the limits of which have not been fixed.

SECTION 72A OF IT ACT 2008

In addition to the civil liabilities under Section 43A:
◦ Any person, or
◦ Intermediary
◦ is liable for punishment of imprisonment for a term which may extend to 3 years*, or fine up to INR 5,00,000, or both
◦ for disclosure of information in breach of lawful contract.

*(Cognizable offence and bailable) (as per Section 77B)

SECTION 43A: COMPENSATION FOR FAILURE TO PROTECT DATA

Where a BODY CORPORATE, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

DEFINITION OF BODY CORPORATE: SECTION 43A, Explanation (i)

A body corporate would mean any company and includes:
• a firm,
• sole proprietorship or
• other association of individuals
engaged in commercial or professional activities.

SENSITIVE PERSONAL DATA OR INFORMATION: RULE 3, IT RULES, 2011

Sensitive personal data or information of a ‘person’ means such ‘personal information’ which consists of information relating to:
1. Password;
2. Financial information such as bank account or credit card or debit card or other payment instrument details;
3. Physical, physiological and mental health condition;
4. Sexual orientation;
5. Biometric information;
6. Any detail relating to the above clauses as provided to body corporate for providing service; and
7. Any of the information received under above clauses by body corporate for processing, stored or processed under a lawful contract or otherwise.

EXCEPTIONS

The following information is not regarded as sensitive personal data or information:
1. Information freely available or accessible in public domain, or
2. Information furnished under the Right to Information Act, 2005 (RTI), or
3. Information furnished under any other law for the time being in force.

PERSONAL INFORMATION: RULE 2, IT RULES, 2011

Any information that relates to a ‘natural person’ which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.

MEANING OF REASONABLE SECURITY PRACTICES AND PROCEDURES: Section 43, Explanation (ii)

Security practices and procedures designed to protect such information from unauthorised
• access,
• damages,
• use,
• modification,
• disclosure or
• impairment,
as may be specified in:
• an agreement between the parties; or
• any law for the time being in force; or
• in absence of such agreement or law, such reasonable security practices and procedures as may be prescribed by the Central Government.

• Privacy Policy
• Consent for collection of data
• Collection of data
• Use and Retention
• Opt Out/Withdrawal
• Access and Review of Information
• Grievance Mechanism
• Limitation on Disclosure of Information
• Limitation on Transfer of Information
• Reasonable Security Practices and Procedures

PRIVACY POLICY: RULE 4

A body corporate or any person on its behalf that
◦ collects, receives, possesses,
◦ stores, deals or handles
information of the provider of information shall provide a privacy policy for handling of or dealing in ‘personal information including sensitive personal data or information’.

The Privacy Policy shall be published on the website and provide:
• Clear and easily accessible statements of its practices and policies;
• Type of personal or sensitive personal data or information collected;
• Purpose of collection and usage of such information;
• Disclosure of information including sensitive personal data or information;
• Reasonable security practices and procedures followed by the corporate.

CONSENT: RULE 5(1)

Requires the corporate or any person on its behalf, before collection of sensitive personal data or information, to obtain consent in writing through letter or fax or email from the ‘provider of the information’ regarding the purpose of usage of such information.

CONSENT: RULE 5(3)

Requirements in case of collection of information directly from the person concerned: steps to ensure that the person concerned has knowledge of:
o The fact that the information is being collected;
o The purpose for which the information is being collected;
o The intended recipients of the information; and
o The name and address of
  ◦ the agency that is collecting the information; and
  ◦ the agency that will retain the information.

PURPOSE OF COLLECTION OF INFORMATION: RULE 5(2)

Sensitive personal data or information can be collected only under the following two circumstances:
1. For a ‘lawful purpose’ connected with a function or activity of the body corporate or any person on its behalf; and
2. Considered ‘necessary’ for that purpose.

USE AND RETENTION OF INFORMATION

USE - RULE 5(5): The information collected shall be used only for the purpose for which it has been collected.

RETENTION - RULE 5(4): A body corporate or its representative must not retain such information for longer than is required for the purposes for which the information may lawfully be used, or as required under any other law in force.

OPT OUT/WITHDRAWAL: RULE 5(7)

Requires the body corporate to give the provider of information an option:
1. prior to the collection of the information, to not provide the data or information sought to be collected;
2. of withdrawing his consent given earlier to the body corporate.

Withdrawal shall be sent in writing to the body corporate. The body corporate shall have the option to not provide goods or services for which the said information was sought.

OPT OUT/WITHDRAWAL

It is noteworthy that none of the rules talk about obtaining the consent of the person to whom the information relates in case the provider of the information is not the person concerned. For example, where the husband provides the medical information of the wife, consent of the wife is not required as per these rules as she is not the provider of the information. She also does not have the option of opting out as per Rule 5(7).

ACCESS & REVIEW OF INFORMATION: RULE 5(6)

o Providers of information are permitted to review the information provided by them, as and when requested by them;
o Information, if found to be inaccurate or deficient, shall be corrected or amended as feasible.
o The body corporate is NOT responsible for the authenticity of the personal information or sensitive personal data or information as supplied by the provider to the body corporate.

GRIEVANCE REDRESSAL MECHANISM: RULE 5(9)

o Time bound redressal of any discrepancies and grievances.
o A Grievance Officer shall be appointed.
o Publication of name and contact details of the Grievance Officer on the website.
o Redressal of grievances: within one month from the date of receipt of the grievance.

LIMITATION ON DISCLOSURE OF INFORMATION: RULE 6

Permission of the provider of the information is required before disclosure of information.

Exceptions:
1. when disclosure is agreed upon in the contract;
2. when disclosure is necessary for compliance of a legal obligation;
3. when disclosure is to Government agencies mandated under the law to obtain information;
4. when disclosure is to any third party by an order under the law for the time being in force.

Rule 6 also forbids the following:
1. Publication of sensitive personal data or information by the body corporate or its representative;
2. Disclosure by a third party receiving the sensitive personal data or information from the body corporate.

LIMITATION ON TRANSFER OF INFORMATION: RULE 7

Transfer is allowed to another body corporate or a person in India, or located in any other country.

Transfer is allowed only if:
1. the other body corporate or person ensures the same level of data protection that is adhered to by the body corporate as provided under these rules;
2. it is necessary for the performance of the lawful contract between the provider of the information and the corporate receiving the information.

REASONABLE SECURITY PRACTICES AND PROCEDURES: RULE 8

Rule 8 prescribes the standard to be adhered to by a body corporate receiving the information,
◦ in the absence of an agreement between the parties;
◦ or any law for the time being in force.

One such prescribed standard: the International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements”.

Any other security code, if followed, shall be:
o duly approved and notified by the Central Government;
o audited annually by an independent auditor approved by the Central Government.

In the event of an information security breach, the body corporate must demonstrate that it has implemented security control measures.

A body corporate or a person on its behalf shall be deemed to have complied with reasonable security practices and procedures if:
• they have implemented such security practices and standards, and
• have a comprehensive documented information security programme; and information security policies for managerial, technical, operational and physical security which are proportionate with the information assets being protected and with the nature of business.

IT Act, 2000 is available at:
http://www.mit.gov.in/sites/upload_files/dit/files/downloads/itact2000/itbill2000.pdf

IT (Amendment) Act, 2008 is available at:
http://www.mit.gov.in/sites/upload_files/dit/files/downloads/itact2000/it_amendment_act2008.pdf

Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 are available at:
http://www.mit.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf

1. What is the likelihood of active enforcement of the new rules?
2. What are the penalties for violations of the new rules?
3. Do the rules apply only to information collected from data subjects in India, or do they also apply to information about data subjects located outside India?
4. Do the rules apply to uses/disclosure of information that occur outside of India, if the information was originally collected in India?
5. Do the rules apply to pseudonymized information?
6. Is the “provider of the information” in Rule 5 referring to the subject, or can this be interpreted as referring to a third party that provides information but who is not the data subject?
7. Are there opportunities for further clarification/amendment of the new rules?

THANK YOU

Flat # 5-7, 10 Hailey Road, New Delhi, 110001 (India)
Phone: +91 11 42492532 (Direct)
Phone: +91 11 42492525 Ext 532
Mobile: 9810081079
Fax: +91 11 23320484
Email: [email protected]

Intellectual Property & Information Technology Laws Division
New Delhi | Mumbai | Bangalore | Gurgaon