Reasonable Security Practices and Procedures for Gathering, Handling and Transferring Sensitive Personal Data or Information
Section 43A of the Information Technology Act (“IT Act”) and the rules framed under it prescribe the methods, procedures and standards by which sensitive information may be obtained from a third party and the manner in which such information shall be stored in computer resources.
As per Section 43A of the IT Act, any company possessing, dealing with or handling any sensitive personal data or information in a computer resource shall maintain reasonable security practices and procedures, and shall be liable to pay damages by way of compensation if any wrongful loss or wrongful gain is caused to any person.
The term ‘Sensitive Personal Data or Information’ (“Information”) is defined under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“Rules”) and consists of information relating to:
I. Password, which means a secret word or phrase or code or passphrase or secret key, or encryption or decryption keys, that one uses to gain admittance or access to information;
II. Financial information such as bank account or credit card or debit card or other payment instrument details;
III. Physical, physiological and mental health condition;
IV. Sexual orientation;
V. Medical records and history;
VI. Biometric information, which means the technologies that measure and analyse human body characteristics, such as ‘fingerprints’, ‘eye retinas and irises’, ‘voice patterns’, ‘facial patterns’, ‘hand measurements’ and ‘DNA’, for authentication purposes;
VII. Any detail relating to the above clauses as provided to a body corporate for providing a service; and
VIII. Any of the information received under the above clauses by a body corporate for processing, stored or processed under a lawful contract or otherwise.
The Rules further prescribe the obligations of companies with respect to the manner of collection of Information, disclosure of Information, transfer of Information, and reasonable security practices and procedures. The detailed obligations of body corporates with respect to Sensitive Personal Data or Information are as follows:
(i) clear and easily accessible statements of its practices and policies;
(ii) the type of personal or sensitive personal data or Information collected;
(iii) the purpose of collection and usage of such Information;
(iv) disclosure of Information, including sensitive personal data or Information (as provided below);
(v) reasonable security practices and procedures (as provided below).
2. Obligation of Body Corporate with regard to Collection of Information
a. The company must obtain written consent from the provider of the Information, either through e-mail or fax;
b. The company shall not obtain any Information from the provider unless the Information is collected for a lawful purpose connected with a function or activity of the company and its collection is considered necessary for that purpose;
c. The company, while collecting Information, shall ensure that the person disclosing the Information knows that such Information is being collected, the purpose for which it is being collected, and the name of the agency collecting it;
d. A company holding Information shall not retain that Information for longer than is required for the purposes for which it was collected or is required under the law, and the Information must be used only for the purpose for which it was collected;
e. The company should permit the providers of Information, as and when requested by them, to review the Information they had provided and ensure that any personal Information or sensitive personal data or
f. The company must give the providers of the Information the option not to disclose the Information being sought by the company. If a provider of Information declines to disclose the Information sought, the company may refuse to sell its goods and services to that person;
g. The company shall address any discrepancies and grievances of providers of the Information with respect to the processing of Information in a time-bound manner. For this purpose, the company shall designate a grievance officer and publish his name and contact details on its website. The grievance officer shall redress the grievances of providers of Information expeditiously, and in any case within one month from the date of receipt of the grievance;
3. Obligation of company with Respect to Disclosure of Information to any Third Party
a. Disclosure of Information by the company to any third party shall require prior permission from the provider of such Information, who has provided it under a lawful contract or otherwise, unless such disclosure has been agreed to in the contract between the company and the provider of Information, or where the disclosure is necessary for compliance with a legal obligation.
Provided that the Information may be shared by the company, without obtaining prior consent from the provider of Information, with Government agencies mandated under the law to obtain Information, including sensitive personal data or Information, for the purpose of verification of identity, or for the prevention, detection and investigation (including of cyber incidents), prosecution, and punishment of offences.
4. Obligation of company with Respect to Transfer of Information
A company may transfer any Information to any other company or person, whether in India or in any other country, that ensures the same level of data protection as that adhered to by the company under the IT Act. The transfer is allowed only if it is necessary for the performance of a lawful contract between the company and the provider of Information, or where the provider of Information has consented to the transfer.
5. Obligation of company with Respect to Reasonable Security Practices and Procedures
a. A company shall be considered to have complied with reasonable security practices and procedures if it has implemented such security practices and standards and has a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures commensurate with the information assets being protected and the nature of its business. In the event of an information security breach, the company shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that it has implemented security control measures in accordance with its documented information security programme and information security policies.
b. The international standard IS/ISO/IEC 27001 on “Information Technology - Security Techniques - Information Security Management System - Requirements” is one such standard recognised under the Rules as a reasonable security standard.
c. Any industry association, or an entity formed by such an association, whose members are self-regulating by following codes of best practices for data protection other than the IS/ISO/IEC codes shall have its codes of best practices duly approved and notified by the Central Government for effective implementation.