WINTER 2014
3. The policy is to be published on the Entity's website. The policy should provide for:
· type of SPD collected;
· purpose of collection and usage;
· disclosure policy;
· reasonable security practices and procedures policy; and
· name and address of designated grievance officer.
4. With regard to collection of SPD:
· obtain prior consent in writing by fax, email or any mode of electronic communication from providers of information;
· state the purpose of usage;
· take steps to ensure that the provider of information knows that information is being collected, the purpose of collection, the recipients of the data, and the name and address of the agency collecting and retaining the information;
· use the information for the purpose for which it was collected;
· permit providers of information to review their information and give them an opportunity to amend or correct any deficiency or inaccuracy (the Entity possessing SPD is not responsible for its authenticity);
· give an option, before collecting data, not to provide the information or to withdraw consent already given, and in the event that consent is not given or is withdrawn, opt not to provide goods or services;
· keep the information secure;
· address grievances and discrepancies with regard to processing of information in a time-bound manner;
· designate a Grievances Officer who shall redress such grievance expeditiously, or within one month of receipt of the grievance (whichever is earlier).
5. Take prior consent from the provider of information for disclosure of SPD unless such disclosure has been agreed to between them or where the disclosure is necessary for compliance with a legal obligation. [Exception: disclosure to government agencies mandated under law for verification of identity, or for prevention, detection, investigation (including of cyber incidents), prosecution and punishment of offences.]
6. Transfer SPD to any Entity in India or located in any other country only if such country ensures the same level of data protection that is adhered to by the transferor as provided under the Rules 2011, and only if the transfer is necessary for the performance of a lawful contract between the transferee (or any other person on its behalf) and the provider of information, or where such person has consented to the data transfer.
7. Implement security practices and procedures designed to protect SPD from unauthorized access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the Entity and the provider of information or as may be specified in any law for the time being in force. [An Entity shall be considered to have complied with the above requirement if it has implemented its security practices and standards and has a comprehensive documented information security program and information security policies that contain managerial, technical, operational and physical security control measures, commensurate with the information protected.]
Don'ts:
· SPD cannot be collected unless it is for a lawful purpose connected with a function or activity of your Entity and unless the collection is considered necessary for that purpose.
· SPD cannot be retained for longer than required.
· SPD cannot be published.
· SPD cannot be disclosed further if you are a third party receiving SPD from an Entity.
Protection of SPD
S. 43A of the IT Act provides that an Entity which possesses, deals with or handles any SPD in a computer resource which it owns, controls or operates shall be liable to pay damages, not exceeding Rs. 5 crore (approx. USD 0.8 million), to the person adversely affected, for negligence in implementing and maintaining reasonable security practices and procedures, thereby causing wrongful loss or wrongful gain to any person.
The penalty for fraudulent or dishonest use of the electronic signature, password or other unique identification feature of any person (identity theft) is imprisonment for a maximum of three years and a fine of Rs. 1 lakh. Contravention of any rules or regulations under the IT Act for which no penalty is separately provided attracts a penalty or compensation not exceeding Rs. 25,000/-.
Adjudication Procedure
In the event of an offence giving rise to a penalty, the central government is required to appoint an adjudicating officer to inquire into the purported offence and decide on the penalty and/or compensation. The proceedings are quasi-judicial in nature. There is an express bar on the original jurisdiction of civil courts.
In adjudging the quantum of compensation, the factors to be given due regard are:
· the amount of gain of unfair advantage (wherever quantifiable) made as a result of the default;
· the amount of loss caused as a result of the default;
· the repetitive nature of the default.
A contravention can be compounded before or after institution of adjudication by paying a compounding fee limited to the maximum penalty leviable for the contravention.
Jurisdictional Hierarchy
· Adjudicating officer appointed by the central government
· Cyber Appellate Tribunal
· High Court
· Supreme Court
Conclusion
With the Rules 2011, India has put in place a legal framework for the protection of SPD. So far there has not been an occasion to test the effectiveness of the Rules 2011, and a lot remains to be done to create awareness amongst the Entities that need to implement their provisions.