Sensitive Personal Information under Sec 43A
After ITA 2008 was notified on October 27, 2009, and more than 15 months of deliberations, a draft regulation has been released by MCIT on Sensitive Personal Information under Section 43A, with a request for public comments to be sent to grai@mit.gov.in before 28th February 2011.
This is an important notification which affects the "Privacy" and "Data Protection" issues the industry is concerned with. It may also determine liabilities in cases of violations of Sec 43A.
A brief summary of the recommendations is provided here for the general information of the public.
1. Definition of Sensitive Personal Information:
There was a lot of interest in how GOI would define "Sensitive Personal Information" and whether it would follow the principles of the Data Protection Act of the UK/EU and the draft Bill on Personal Data Protection which is with the Government.
The definition adopted is as follows:
Sensitive Personal data or information of a person shall include information collected, received, stored, transmitted or processed by body corporate or intermediary or any person, consisting of
i) Password
ii) user details as provided at the time of registration or thereafter
iii) information related to financial information such as Bank account/credit card/debit card/other payment instrument details of the users
iv) physiological and mental health condition
v) Medical records and history
vi) Biometric information
vii) information received by body corporate for processing, stored or processed under lawful contract or otherwise
viii) call data records
The definition covers financial and health data, which are globally recognized as sensitive. It also covers information security related information such as passwords, telecom company data such as call records, UID related data such as biometric information, and the data collected by portals.
We may also observe that both "Body Corporate" and "Intermediary" are included in the definition, so that there need be no confusion about whether the two are to be distinguished for the purpose of this definition. It also covers the BPOs who receive information for processing.
The definition appears reasonably comprehensive and covers all the types of information relevant to Privacy protection.
2. Policy Based Control
The data collector is expected to draft a privacy policy and make it known to the data provider. Such a policy should set out the types of information collected, the purpose, means and usage of such information, and the disclosure terms.
3. Consent Essential: Collection of information shall be backed by the consent of the data owner, shall be for a lawful purpose connected with the activity, and should be considered necessary. The information shall not be kept longer than necessary.
This provision takes into account the principles of minimum and purpose-oriented collection covered under international privacy norms.
4. User Control: One of the important provisions is that the body corporate shall permit users to "Review" the information collected and modify it wherever necessary. The body corporate shall also maintain a proper grievance redressal mechanism to address users' grievances.
5. Disclosure: Data disclosure requires "permission" from the data owner, except when it is disclosed to a government agency for the purpose of verification of identity or for the prevention, detection, investigation, prosecution and punishment of offences, or under an order from a Court.
6. Security Obligation: The body corporate shall keep the information "Secure". Such measures would be considered reasonable if the body corporate has a "comprehensive documented information security program" and "policy" containing "managerial", "technical", "operational" and "physical security" control measures that are commensurate with the information assets being protected. Such measures shall be demonstrated when called for by an agency mandated under the law when any security breach occurs.
IS/ISO/IEC 27001 is one of the approved codes, and any industry cluster following a code of best practices for data protection other than IS/ISO/IEC 27001 shall get that code approved by the Government.
Users should note that ISO 27001 implementation in many companies exists only on paper and not in practice. Though this guideline has placed reliance on ISO 27001, compliance with it needs to be proved on the ground to constitute compliance under this guideline.
Naavi
February 20, 2011
Any Comments on this article can be sent to
naavi@vsnl.com
Reference:
Draft Guideline-Sensitive Personal Information