THE PRIMERUS PARADIGM
Data Privacy and Protection of
Sensitive Personal Data
Preethi Sharma is an associate at S Eshwar Consultants House of
Corporate & IPR Laws. She specializes in contract management and
employment law, and also handles writ litigation and arbitrations.
S Eshwar Consultants House of
Corporate & IPR Laws
No 37/57, 53rd Street, 9th Avenue
Chennai, India 600083
+91 44 42048235 Phone
+91 44 42048335 Fax
preethisharma@eshwars.com
www.eshwars.com
Preethi Sharma
With India a global forerunner in the Information
Technology (IT) industry, data privacy
and protection laws have assumed more
importance than ever before in the country. The
department of information technology,
under the ministry of communication
and information technology, the nodal
ministry administering The Information
Technology Act, 2000 ("IT Act"), has
put in place The Information Technology
(reasonable security practices and
procedures and sensitive personal data or
information) Rules, 2011 ("Rules 2011"),
pursuant to powers to make rules (S.
43A read with S. 87 of the IT Act). The
Rules 2011, read with the departmental
clarification dated August 24, 2011,
govern the aspects relating to sensitive
personal data or information (SPD).
Personal Information
Any information that relates to a natural
person, which either directly or indirectly,
in combination with other information
available or likely to be available with a
corporate body, is capable of identifying
such person.
Sensitive Personal Data or
Information
Personal information considered sensitive
is that consisting of information relating to:
· password;
· financial information such as bank
  account or credit/debit card/other
  payment instrument details;
· physical, physiological and mental
  health condition;
· sexual orientation;
· medical records and history;
· biometric information;
· detail relating to above clauses
  as provided to body corporate for
  providing service; and
· information received under above
  clauses by body corporate for
  processing, stored or processed under
  lawful contract or otherwise.
Exceptions: information freely available/
accessible in public domain/furnished
under Right to Information Act, 2005/other
laws in force.
Applicability of the Rules 2011
The Rules 2011 are applicable to a
corporate body (any company including
a firm, sole proprietorship or other
association of individuals engaged in
commercial or professional activities) or
any person located within India (Entity).
As per the clarification dated August
24, 2011, the provisions of the Rules
2011 relating to collection and disclosure
of SPD are not applicable to an Entity
providing services relating to collection,
storage, dealing or handling of SPD under
contractual obligation with any legal entity
located within or outside India. Entities
providing services to the provider of
information (being natural persons) under
a contractual obligation directly with them,
however, are bound by all provisions of
Rules 2011.
Dos and Don'ts for Entities for
Use and Protection of SPD
Dos:
1. Provide for a policy for privacy,
disclosure and reasonable security
practices and procedures for handling
or dealing of the SPD.
2. The policy should be clear and easily
accessible to providers of information.