Technology Law Analysis
June 18, 2011
Government notifies Rules with respect to Protection of Data under the Information Technology Act, 2000
The Government of India recently notified the “Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011” (“Rules”) under Section 43A of the Information Technology Act, 2000 (“ITA”). The Rules came into effect on April 11, 2011. Section 43A, which addresses data security and privacy, was inserted into the ITA with effect from October 27, 2009, but it could not be given practical effect until the present Rules were notified, because it left its key terms to be prescribed by rules.
Section 43A of the ITA inter alia deals with the protection of data in electronic form [1]. It provides that where a body corporate [2] is negligent in implementing and maintaining ‘reasonable security practices and procedures’ in relation to any ‘sensitive personal data or information’ which it possesses, deals with or handles in a computer resource which it owns, controls or operates, and such negligence causes wrongful loss or wrongful gain to any person, the body corporate is liable to pay damages by way of compensation to the person so affected.
The expressions ‘sensitive personal data or information’ and ‘reasonable security practices and procedures’ were not defined in the ITA, but are now defined in the Rules.
Thus, going forward, outsourcing companies, banks, captive business units and any other companies that deal with, possess or handle personal information and/or sensitive personal data will need to comply with these Rules.
In the analysis below, we discuss the nature of the information the Rules intend to protect and the mechanism contemplated by the Government for protecting it.
THE SCOPE OF THE RULES
Section 43A applies to data or information “in a computer resource”. The Rules do not apply to information in the purely physical domain e.g. when information (whether or not such information is sensitive or personal) is collected in physical form and is not processed in / stored in / transmitted through an electronic/ computer media.
The Rules define “Personal Information” and “Sensitive personal data or information” as follows:
· “Personal Information” means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person
· “Sensitive personal data or information” means such personal information which consists of information relating to:
(i) password;
(ii) financial information such as Bank account or credit card or debit card or other payment instrument details;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) Biometric information;
(vii) any detail relating to the above clauses as provided to body corporate for providing service; and
(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.
Any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force is not to be regarded as sensitive personal data or information.
The definition of ‘personal information’ is wider than that of ‘sensitive personal data or information’ (SPDI). The definition of SPDI is an exhaustive list; no information other than the items listed above is SPDI. It is interesting to note that Section 43A itself covers only SPDI, yet some provisions of the Rules have been made applicable to ‘personal information’ generally.
It is pertinent to note that these Rules apply to personal information irrespective of the nationality of the person providing it. Information provided not only by Indian nationals but also by nationals of other jurisdictions, where it is stored, dealt with or handled by a corporate entity in a computer resource in India, attracts the provisions of the ITA. Applicability is driven by the location of the computer resource in India, as can be seen from the wording of Section 43A of the ITA read with the Rules.
The Rules will also apply where information is collected in India and transferred to a computer resource outside India, and where information is neither collected nor stored in India but is dealt with or handled in India, e.g. merely accessed from India. Thus typical outsourcing businesses, in which personal information of foreign nationals is transferred to Indian entities that deal with or handle it, will henceforth attract the provisions of the ITA.
MECHANISM FOR PROTECTION OF PERSONAL INFORMATION AND SENSITIVE PERSONAL DATA OR INFORMATION
As the ITA is the only Indian statute that specifically addresses personal information/data security, the industry had welcomed the progressive amendments made to the ITA in 2009, which introduced Section 43A. After the notification of the Rules, however, concerns have been raised about their implementation.
Section 43A of the ITA makes a body corporate liable to pay compensation where it is negligent in implementing or maintaining reasonable security practices while possessing, dealing with or handling sensitive personal data or information in a computer resource which it owns, controls or operates, and such negligence causes wrongful loss or wrongful gain to any person.
The Rules, apart from specifying reasonable security practices and procedures, also impose additional compliance requirements. It may be argued that these additional requirements go beyond the purview of Section 43A, so that liability under Section 43A should not attach to non-compliance with them. Further, the operative part of Section 43A is tied to a negligent act that causes wrongful loss or wrongful gain to a person. Thus, unless some person suffers wrongful loss or obtains wrongful gain, the sanction under Section 43A is not attracted.
Although the Rules are a welcome reform, they leave considerable room for interpretation, and it is hoped that the Government will soon issue clarifications addressing the discrepancies discussed in the above analysis.
[1] Section 43A of the ITA. Compensation for failure to protect data: Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, not exceeding five crore rupees, to the person so affected.
Explanation: For the purposes of this section
(i) "body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;
(ii) "reasonable security practices and procedures" means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;
(iii) "sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.
[2] A body corporate means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities. The definition of body corporate specifically excludes
[3] Part 4 of the Data Protection Rules
[4] Part 5 of the Data Protection Rules
[5] Information is defined under the ITA as follows: “information” includes data, message, text, images, sound, voice, codes, computer programmes, software and databases or micro film or computer generated micro fiche.
[6] Parts 6 and 7 of the Data Protection Rules
[7] Part 8 of the Data Protection Rules
The contents of this hotline should not be construed as legal opinion.