Are you running a business which uses sensitive information of individuals? If that is the case, this playbook is for you.
Although the Personal Data Protection Bill 2019 is still not a law, there exist the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("I.T. Rules") under the Information Technology Act, 2000. The I.T. Rules govern privacy in India.
Data is sensitive as long as it can identify a person - so corporate data privacy is "not a thing".
They are among the shortest rules and also among the lesser-known ones.
For any discussions, please e-mail firstname.lastname@example.org and email@example.com. And remember this is not formal legal advice!
Here are key rules of Indian privacy law:
Implement security practices and standards to keep information secure, and document this implementation. The only standard so far recognized by the I.T. Rules is the International Standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements". This is a legal requirement, yet it is so widely ignored in the market that advising someone to implement it comes across as dubious over-compliance.
Do not transfer data overseas – to a person or a company – unless you are sure that country has laws “as strong” as India's and you have consent of the provider of information. This can be achieved by consent forms and disclaimers online.
Have a grievance officer, with his or her name and contact number published on your website.
Before collecting any sensitive personal information/data, you should give an option to the provider of such information of not giving the information.
If you are holding sensitive personal information, do not retain it for longer than is required for a lawful purpose or than is legally required.
If the provider of information (i.e. the individual) requests to review/amend his/her information, you should allow him/her to review/amend the information.
If the provider of information withdraws his/her consent (through a request in writing) for collection of sensitive personal information, you should stop collecting such information. Consequently, you may stop doing business with him/her. A big exception to this is competition law, notably the recent SEBI order in the WhatsApp case.
Keep the information secure as per your documented information security programme and information security policies.