Sensitive Personal Information under Sec 43A

After ITA 2008 was notified on October 27, 2009, and after more than 15 months of deliberation, MCIT has released a draft regulation on Sensitive Personal Information under Section 43A, with a request that public comments be sent to grai@mit.gov.in before 28th February 2011.

This is an important notification which bears on the "Privacy" and "Data Protection" concerns of the industry. It may also determine liabilities in cases of violation of Sec 43A.

A brief summary of the draft is provided here for the general information of the public.

1. Definition of Sensitive Personal Information:

There was a lot of interest in how GOI would define "Sensitive Personal Information" and whether it would follow the principles of the UK/EU data protection regime and of the draft Bill on Personal Data Protection which is with the Government.

The definition adopted is as follows:

Sensitive Personal data or information of a person shall include information collected, received, stored, transmitted or processed by body corporate or intermediary or any person, consisting of

i) Password

ii) user details as provided at the time of registration or thereafter

iii) information related to financial information such as Bank account/credit card/debit card/other payment instrument details of the users

iv) physiological and mental health condition

v) Medical records and history

vi) Biometric information

vii) information received by body corporate for processing, stored or processed under lawful contract or otherwise

viii) call data records

The definition covers financial and health data, which are globally recognized as sensitive. It also covers information-security-related data such as passwords, telecom data such as call data records, UID-related data such as biometric information, and the registration data collected by portals.

We may also observe that both "Body Corporate" and "Intermediary" are included in the definition, so there need be no confusion about whether the two are to be distinguished for the purpose of this definition. Clause (vii) also covers BPOs, which receive information for processing under contract.

The definition appears reasonably comprehensive and covers the types of information relevant to Privacy protection.

2. Policy Based Control

The data collector is expected to draft a privacy policy and make it known to the data provider. Such a policy should state the types of information collected, the purpose, means and usage of such information, and the terms of disclosure.

3. Consent Essential: Collection of information shall be backed by the consent of the data owner, shall be for a lawful purpose connected with the activity of the body corporate, and shall be limited to what is necessary for that purpose. The information shall not be retained longer than necessary.

This provision reflects the internationally recognized privacy principles of data minimization and purpose limitation.

4. User Control: One of the important provisions is that the body corporate shall permit users to "Review" the information collected and to correct it where necessary. The body corporate shall also maintain a proper grievance redressal mechanism to address users' grievances.

5. Disclosure: Disclosure of data requires the "permission" of the data owner, except where it is disclosed to a government agency for the purpose of verification of identity, or for the prevention, detection, investigation, prosecution and punishment of offences, or under an order of a Court.

6. Security Obligation: The body corporate shall keep the information "Secure". Security measures are considered reasonable if the body corporate has a "comprehensive documented information security program" and "policy" containing "managerial", "technical", "operational" and "physical security" control measures commensurate with the information assets being protected. The body corporate must be able to demonstrate these measures when called upon to do so by an agency mandated under the law after a security breach occurs.

IS/ISO/IEC 27001 is one of the approved codes of best practice. Any industry cluster following a code of best practice for data protection other than IS/ISO/IEC 27001 shall get its code approved by the Government.

Users should note that in many companies ISO 27001 implementation exists only on paper and not in practice. Though the guideline places reliance on ISO 27001, a certificate by itself is not compliance: since the measures must be demonstrated after a breach, the controls, and the records showing that they were actually operated, must exist on the ground to constitute compliance under this guideline.


February 20, 2011

Any Comments on this article can be sent to naavi@vsnl.com


Draft Guideline-Sensitive Personal Information