3 The Information Technology Act defines the term “information” as follows. Information includes data, messages, text, images, sound, language, codes, computer programs, software and databases, or computer-generated microfilm or microfiche. The 2011 rules follow this definition. The 2011 rules do not provide for sanctions for violations of the 2011 rules. Let`s understand what the SPDI rules and the most important provisions for sensitive personal data are about. The eight types of sensitive personal data listed above in Rule 3 of the 2011 Rules are an exhaustive list, except that information that is freely available or publicly available or provided under the Right to Information Act 2005 or any other law currently in force is not considered sensitive personal data or information within the meaning of the 2011 Rules. Rule 5 Sub-rule 7 provides that the “information provider” also has the possibility to withdraw the consent previously given to the entity. Given that consent to the collection of personal data is only required for sensitive personal data, it can be concluded that this provision only applies to sensitive personal data, although provision 7 allegedly applies to all types of personal data. The withdrawal of consent must be communicated in writing to the entity that collected the information. The 2011 rules are silent on the consequences of withdrawing consent.
Arguably, an entity that stores personal data collected on the basis of consent is obliged to delete that data if consent is withdrawn. 6 The 2011 law classifies “medical records and medical history” as sensitive personal data, but the concept of “health data” is broader. There is no unified data protection legislation that can resolve all ongoing privacy cases and concerns that cannot be resolved by the current Information Technology Act and SPDI Rules 2011. Even the recently introduced Personal Data Protection Act 2019 has many loopholes, such as hostility towards data not covered by the bill, personal information can be accessed without consent in some cases and many others. Since India has not acceded to an international data protection convention such as the GDPR, it needs strict laws to become cyber-resilient, as digital transformation comes with multiple risks and vulnerabilities and facilitates the process of international data transfer. The recognition of the right to privacy is not enough, making it enforceable against both public and private institutions is on the agenda. The ongoing Data Protection Act is currently being drafted and is expected to enter into force shortly. With the evolution of data and the digital space, legislation must evolve, it is high time that we recognize the ineffectiveness of the 2011 SPDI rules that do not meet the needs of 2021 data providers, so a change in this area is needed to better serve the economy and its citizens. As mentioned above, Section 43A of the Information Technology Act requires the maintenance of appropriate security practices and procedures by companies that hold, act, or process sensitive personal data or information. Rule 8 of the 2011 Rules provides that a corporation or a person acting on its behalf is deemed to have followed appropriate security practices and procedures if it has implemented such security practices and standards and has a comprehensive documented information security program and information security policies that include management security controls. technical, operational and physical in accordance with the protective information assets.
Type of transaction. Rule 8(2) provides that International Standard IS/ISO/IEC 27001 “Information technology – Security techniques – Information security management system – Requirements” complies with the above standards. • There is no provision on the collection and processing of children`s data, as children do not have the right to give valid consent and companies are advised to obtain parental or guardian consent, there are no rules to protect children on social media, and children may not be aware of the risks associated with sharing information, so they need extra protection. • The appeal mechanism provided for in the SPDI Rules provides for the possibility of appeal by a complaints commissioner appointed by the body within one month, but the duties and responsibilities of the complaints commissioner are not specified, nor is the procedure for appealing and appointing such a commissioner if the body is based outside India. Rule 4 of the 2011 Rules requires any company (or any person who collects, receives, possesses, stores, trades or processes information from the information provider on behalf of the legal entity) to provide a privacy policy. Such a privacy statement must be visible to those who have provided information to the entity under legal contracts. The Privacy Statement must also be posted on the Company`s website. The privacy policy should clearly state the entity`s practices and policies regarding the collection, receipt, possession, storage, exchange, or processing of information. It should also list the types of personal data or sensitive personal data collected by the entity. In accordance with Article 87(2) in conjunction with Article 43 – A of the Law on Information Technology, the 13.
As of April 2011, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Data or Information) Rules 2011 (“SPDI Rules”) govern sensitive personal data or information and apply to businesses or other persons in India. • The rules allow the export of sensitive data or personal information outside India, provided that the information is in performance of a contract and has been approved by the information provider, provided that the same data protection standards required in India are met, there is no data localization. The RBI requires that all data relating to the processing of cross-border transactions be stored in India and that all records be deleted outside India, even if the payment is made outside India. The information provider must know where the information is stored, and data localization ensures data security, privacy and sovereignty of data from foreign surveillance, effective investigations of crimes committed by law enforcement agencies, and threats to national security. In addition, at a time when every service provider needs data analytics, data warehousing has become a huge business and can support employment. • One of the main problems with the rules and even the IT law is that it does not recognize the rights of data providers such as the right to be forgotten, data portability, opting out of direct marketing and profiling, which are recognized by a majority of countries that adhere to GDPR compliance. • Most importantly, the SPDI rules do not mention procedures to be followed in the event of a data breach or mandatory compliance by companies processing citizens` data, nor corrective measures to be taken to compensate information providers. India currently has no specific privacy and data protection legislation, but largely follows the consent-based regime (similar to other developed jurisdictions) regarding the collection and processing of information which also includes personal data summarized in the applicable rules of the Information Technology Act 2000.
