DATA PRIVACY UNDER THE INFORMATION TECHNOLOGY ACT,

2000

CASES

Nadeem Kashmiri and HSBC

Karan Bahree and Mphasis

My case - Hyundai

ISSUES

Liability of Company

Protection of data – Concern for

outsourcing industry

Privacy of data – Individual’s concern

SEC. 43A – COMPENSATION FOR FAILURE TOPROTECT DATA

If body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person

Liability – Damages by the way of compensation

ADJUDICATION

For claims upto Rs. 5 Crores –

Adjudicating officer

For claims above Rs. 5 Crores - Civil

courts (Unlimited liability)

WHO IS LIABLE?

Sec.85: Offences by companies

• The company itself, being a legal person;

• The top management including directors; and

• The managers (persons directly responsible for the data)

If it is proved that -

• they had knowledge of a contravention; or

• they have not used due diligence

• that it was caused due to their negligence

ISSUES

What is Sensitive Personal data or Information?

What are Reasonable Security Practices and Procedures?

THE SOLUTION

The Information Technology (Reasonable

security practices and procedures and

sensitive personal data or information)

Rules, 2011

Enforceable from 11th April, 11

To be read with Sec. 43A

SENSITIVE PERSONAL DATA OR INFORMATION

Rule 3 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

REASONABLE SECURITY PRACTICES

Implementing comprehensive documented

information security programme and

information security policies

Containing –

Managerial, technical, operational and physical

security control measures commensurate with

the information assets held by the person.

Rule 8 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

REASONABLE SECURITY PRACTICES

The International Standard IS/ISO/IEC 27001 on “Information

Technology – Security Techniques – Information Security

Management System – Requirements” is one such standard

OR

If following other than IS/ISO/IEC codes of best practices for

data protection, shall get it duly approved and notified by

the Central Government OR

An agreement between the parties regarding protection of

“Sensitive Personal Information”

AUDITING

Necessary to get the codes or procedure certified

or audited on regular basis

Needs to be done by the Government Certified

Auditor

Will be known as “Govt. Certified IT Auditor”

Not appointed yet

CERT-IN has empanelled IT Auditors

POLICIES/CLAUSES

COLLECTION OF INFORMATION

About obtaining consent of the information provider

Consent in writing through letter/fax/email from the

provider of the SPDI regarding purpose of usage before

collection of such information

Need to specify –

Fact that SPDI is being collected

What type of SPDI it is

How long SPDI will be held

Rule 5 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

COLLECTION OF INFORMATION

Provider should know – Purpose of collection

Intended recipients

Details of the agency collecting the information and agency

retaining the information

Body Corporate not to retain information longer than required

Option should be given to withdraw the information provided

SPDI shall be used only for the purpose for which it has been

collected

Shall appoint “Grievance Officer” to address any

discrepancies and grievances about information in a timely

manner – Max. time – One month

PRIVACY AND DISCLOSURE OF INFORMATION POLICY

Policy about handling of SPDI

Shall be published on website or should be available to

view/inspect @ any time

Shall provide for –

Type of SPDI collected

Purpose of collection and usage

Clear and easily accessible statements of IT Sec. practices and policies

Statement that the reasonable security practices and procedures as

provided under rule 8 have been complied

Rule 4 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

DISCLOSURE

Disclosure –

Prior permission of provider necessary before

disclosure to third party OR

Disclosure clause needs to be specified in the

original contract OR

Must be necessary by law

Third party receiving SPDI shall not disclose it further

Rule 6 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

TRANSFER OF INFORMATION

Transfer to be made only if it is necessary for

performance of lawful contract

Disclosure clause should be a part of Privacy

and Disclosure Policy

Transferee to ensure same level of data

protection is adhered while and after transfer

Details of transferee should be given to

provider Rule 7 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

SEC 72(A) (CRIMINAL OFFENCE)

Punishment for Disclosure of information in

breach of lawful contract -

Knowingly or intentionally disclosing “Personal

Information" in breach of lawful contract

IMP – Follow contract

Punishment - Imprisonment upto 3 years or fine

up to 5 lakh or with both (Cognizable but Bailable)

GRAMM–LEACH–BLILEY ACT (GLBA, USA)

Focuses on finance Safeguards Rule - Disclosure of Nonpublic Personal

Information It requires financial institutions to develop a written

information security plan that describes how the company is prepared for, and plans to continue to protect clients’ nonpublic personal information.

This plan must include – Denoting at least one employee to manage the safeguards, Constructing a thorough risk analysis on each department

handling the nonpublic information, Develop, monitor, and test a program to secure the information,

and Change the safeguards as needed with the changes in how

information is collected, stored, and used.

THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002 (FISMA, USA)

Focus on economic and national security interests

of the United States

Emphasized on "risk-based policy for cost-

effective security“

Responsibility attached to federal agencies, NIST

and the Office of Management and Budget (OMB)

to strengthen information system security

Not mandatory

No penalty for non-compliance

DATA PROTECTION DIRECTIVE (EU)

European Union directive regulating the processing of

personal data within the EU

Protection of individual’s personal data and its free

movement

Coming soon - European Data Protection Regulation

Not mandatory

No penalty for non-compliance

PREAMBLE OF THE IT ACT

Purpose behind enacting IT Act –

To provide legal recognition to e-commerce

To facilitate e-governance

To provide remedy to cyber crimes

To provide legal recognition to digital evidence

o Preamble doesn’t specify that the Act aims @

establishing IT Security framework in India

BENEFITS

Compliance with legislation

No liability on organisation

Increased reliability and security of systems

Systems rationalization

Improved management controls

Improved risk management and contingency

planning

GET IN TOUCHGET IN TOUCH

PHONE

+919623444448

PHONE

+919623444448

EMAIL

CONTACT@SAGARRAHURKAR.COM

EMAIL

CONTACT@SAGARRAHURKAR.COM