Are you running a business which uses sensitive information of individuals? If that is the case, this playbook is for you.
Although the Personal Data Protection Bill 2019 is still not a law, there exist the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("I.T. Rules") under the Information Technology Act, 2000. The I.T. Rules govern privacy in India.
Data is sensitive as long as it can identify a person - so corporate data privacy is "not a thing".
They are one of the shortest rules and also one of the less known rules.
For any discussions, please e-mail srishti.ojha@veristlaw.com and umang.arya@veristlaw.com. And remember this is not formal legal advice!
Here are key rules of Indian privacy law:
Implement security practices and standards to keep information secure and document this implementation. The only standard so far recognized by the I.T. Rules is the International Standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements". This is a legal requirement and so ignored in the market that advising someone to have it comes across as dubious over-compliance.
Do not transfer data overseas – to a person or a company – unless you are sure that country has laws “as strong” as India's and you have consent of the provider of information. This can be achieved by consent forms and disclaimers online.
Take prior permission (fine print/stick in privacy policy) when disclosing sensitive information to another. There is silence on timing- so privacy policies have this deemed consent construct which means the consent should be before taking information.
Have a grievance officer – with his or her contact number and name on website.
Have a clear privacy policy – It should contain points such as clear statement of the organization’s policies and practices, the purpose of data collection and usage thereof, security practices and procedure, and type of personal or sensitive personal information collected.
If you are collecting sensitive personal information, take written consent from provider of such information detailing the purpose and usage of such information. Here again a privacy policy or online consents suffice.
Before collecting any sensitive personal information/data, you should give an option to the provider of such information of not giving the information.
You can only collect sensitive personal information if that is for “lawful purpose” connected with organization’s function and the collection is necessary for that purpose. Work this into your privacy policy.
If you are holding sensitive personal information, do not retain it for any period longer than which is required for any lawful purpose or legally required.
If the provider of information (i.e. the individual) requests to review/amend his/her information, you should allow him/her to review/amend the information.
If the provider of information withdraws his/her consent (through a request in writing) for collection of sensitive personal information, you should stop collection of such information. Consequentially, you may stop being in business with him/her. A big exception to this is competition law and notably the recent SEBI order in the WhatsApp case.
Keep the information secure as per your documented information security programme and information security policies.
Comments