provide for:
procedures policy; and
grievance officer.
email or any mode of electronic commu-
nication from providers of information;
information knows that information is
being collected, purpose of collection,
recipients of the data and the name and
address of the agency collecting and
retaining the information;
review their information and give
an opportunity to amend or correct
any deficiency or inaccuracy (Entity
possessing SPD is not responsible for
its authenticity);
to provide the information or withdraw
consent already given and in the event
that consent is not given or withdrawn
opt not to provide goods or services;
with regard to processing of information
in a time bound manner;
shall expeditiously or within one month
of receipt of grievance (whichever is
earlier), redress such grievance.
unless such disclosure has been agreed
to between them or where the disclosure
is necessary for compliance of a legal
obligation. [Exception: disclosure to
government agencies mandated under
law to for verification of identity, or for
prevention, detection, investigation
and punishment of offences.]
such country ensures the same level
of data protection that is adhered to by
the transferor as provided under the
Rules 2011, and only if the transfer
is necessary for the performance of a
lawful contract between the transferee
or any other person on its behalf and the
provider of information or where such
person has consented for data transfer.
from unauthorized access, damage, use,
modification, disclosure or impairment,
as may be specified in an agreement
between Entity and the provider of
information or may be specified in
any law for the time being in force [an
Entity shall be considered to have com-
plied with the above requirement if it
has implemented its security practices
and standards and has a comprehen-
sive documented information security
program and information security poli-
cies that contain managerial, techni-
cal, operational and physical security
control measures, commensurate to the
information protected].
·
lawful purpose connected with function
or activity of your entity and unless the
collection is considered necessary for
that purpose.
required.
are a third party receiving SPD from an
Entity.
which, possesses, deals with or handles
any SPD in a computer resource which it
owns, controls or operates, shall be liable
to pay damages, not exceeding Rs. 5 crore
(approx. USD 0.8 million) to the person
adversely affected, for negligence in
implementing and maintaining reasonable
causing wrongful loss or wrongful gain to
any person.
Penalty for fraudulent or dishonest
use of electronic signature, password or
other unique identification feature of any
person (identity theft), is imprisonment
for a maximum of three years and fine of
Rs. 1 lakh. Contravention of any rules
or regulations under the IT Act, for the
contravention of which no penalty is
separately provided, attracts penalty or
compensation not exceeding Rs. 25,000/-.
penalty, the central government is required
to appoint an adjudicating officer to inquire
into the purported offence and decide on
the penalty and/or compensation. The
proceedings are quasi-judicial in nature.
There is an express bar on civil courts'
original jurisdiction.
In adjudging quantum of compensation,
the factors to be given due regard to are the
amount of:
quantifiable) made as a result of the
default;
by paying compounding fee limited
to maximum penalty leviable for the
contravention.
central government
place a legal framework for the protection
of SPD. So far there has not been an
occasion to test the effectiveness of these
Rules 2011, and in addition a lot needs to
be done for creating awareness amongst
Entities that need to implement the
provisions of these Rules 2011.