Legislative Context
Section 43A of the IT Act establishes civil liability for a failure to protect data when a duty to do so exists with a body corporate dealing with sensitive personal data or information. Three conditions are laid out:
- The body corporate possesses, handles, or deals with "sensitive personal data or information."
- Such handling is done through a computer resource which the body corporate owns, controls or operates.
- Wrongful loss or gain is caused with relation to such data/computer resource because the body corporate did not implement adequate security practices.
Now of course, certain major questions arise: what is sensitive personal data or information? What would constitute "adequate security practices"? Would the presence of a breach automatically mean that the security procedures implemented were not adequate? The SPDI Rules were implemented to answer these questions.
Sensitive Personal Data or Information ("SPDI")
Personal data or information essentially refers to such information that relates to a natural person that, directly or along with information that may likely be accessible to a body corporate (including information in the public domain), can be used to identify the natural person in question (Rule 2(1)(i)).
Building on this, SPDI is outlined under Rule 3, which broadly may be categorised as financial information, physio-biological (including medical) information and passwords. This would include information related to the above as well (such as the security questions needed to recover passwords). Since Rule 3 acts as a trigger, as a result of which certain organizations are subject to higher standards of data protection, judicious interpretation becomes important. More importantly, as provided under S.43A, the standards set out here apply only to body corporates, and not to natural persons.
Collection of SPDI
The following conditions must be mandatorily fulfilled at the time of collection of SPDI:
- Informed consent: Prior to collecting SPDI, all body corporates should clearly inform the owners of the data (from whom data collection is happening) about why such data is being collected, and what their privacy policy is (i.e., how they handle the data, how storage and sharing of such data happens, for how long this data will be stored, etc.). This should be explained in a simple, accessible manner (Rule 4). Following this, the body corporate (or authorised representative) has to collect consent of the person from whom such SPDI is collected (Rule 5(1)).
- Absolute necessity: Rule 5(2) goes further to state that SPDI can only be collected if: (a) SPDI is collected for lawful purposes in connection with the functioning of the body corporate, and (b) collection of SPDI is considered necessary for such purposes. Naturally, questions about the scope of phrases such as "connected to a function or activity of the body corporate" and "considered necessary" are subject to case-by-case analysis.
Data Retention
With respect to data retention, the following considerations must be followed:
- Retention of SPDI must not exceed the period necessary for lawful use unless otherwise mandated by law (Rule 5(4)). The data collected must only be used for the purpose for which it was collected (Rule 5(5)).
- Rule 5(7) entitles data principals to refuse to provide SPDI or withdraw consent at any time. Withdrawal must be in writing, and it enables the body corporate to deny service if the information is essential. This rule creates an opt-out mechanism, though it has not been enforced on a large enough scale.
- The Rules also provide data review and correction rights (Rule 5(6)), allowing individuals to verify and amend inaccuracies in data shared. However, the owner of the data is the one who should ensure that the data with the body corporate post-amendment is accurate.
Data Sharing
If SPDI is to be shared, the following is mandatory:
- If the data is to be shared, prior consent (in writing/fax/email) of the provider of such information is mandatory. This permission is not necessary if the data is to be shared with government agencies which are given permission under the law to collect SPDI for purposes of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences. However, to exercise this power, government agencies are required to send a notice to the collector of the SPDI outlining what data they need and why (Rule 6).
- Rule 7 states that data transfers to different organizations, whether domestic or international, can only be done subject to two conditions: (a) such transfer of data is necessary for performance of the terms in the contract, and (b) the receiving organization ensures the same level of protection as the body corporate (which is presumably compliant with the SPDI Rules).
Reasonable Security Practices
The SPDI Rules recognize IS/ISO/IEC 27001 "Information Technology - Security Techniques - Information Security Management System - Requirements" as one of the recognized standards of Information Security practices. It is necessary that the body corporate implement and adequately document the technical, managerial and procedural standards through information security policies, as may be necessary.
In case of self-regulating entities that follow procedures other than IS/ISO/IEC 27001, the question of whether their Information Security practices are compliant with Rule 8 shall be subject to due approval from the Central Government.
Further, audits ensuring compliance with reasonable best practices shall be performed once a year or upon significant upgradation of systems/computer resource and process.