REASONABLE SECURITY PRACTICES AND PROCEDURES AND
SENSITIVE PERSONAL DATA OR INFORMATION RULES, 2011
Under The (Indian) Information Technology Act, 2000

By Vijay Pal Dalmia, Advocate
Partner & Head of Intellectual Property & Information Technology Laws Practice
INFORMATION TECHNOLOGY ACT, 2000
• Enacted in the year 2000 and implemented w.e.f. 17th October, 2000.
• Important features of this Act:
  ◦ Recognition of e-transactions, digital signatures, electronic records etc., and recognition of their evidentiary value.
  ◦ Lists out various computer crimes which are technological in nature.
• However, this Act, originally, did not contain any provision for data protection.
THE INFORMATION TECHNOLOGY (AMENDMENT) ACT, 2008
• The IT Act, 2000 was amended in the year 2008.
• Section 43A and Section 72A were added by the amendment Act for protection of personal data and information.
• Both these provisions are penal in nature, civil and criminal respectively.
REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION RULES, 2011
• The Ministry of Communications and Information Technology (Department of Information Technology) promulgated these rules (IT Rules, 2011) under Section 87(2)(ob) read with Section 43A.
• The IT Rules, 2011 came into force on 11th April, 2011.
• Non-compliance with these rules would lead to invocation of Section 43A of the IT Act, 2008 and liability to pay compensation, the limits of which have not been fixed.

SECTION 72A OF IT ACT, 2008
• In addition to the civil liabilities under Section 43A, any person or intermediary is liable for punishment for disclosure of information in breach of a lawful contract:
  ◦ imprisonment for a term which may extend to 3 years*, or
  ◦ fine up to INR 5,00,000, or
  ◦ both.
*Cognizable offence and bailable (as per Section 77B)
SECTION 43A: COMPENSATION FOR FAILURE TO PROTECT DATA
Where a BODY CORPORATE,
• possessing, dealing or handling any sensitive personal data or information
• in a computer resource which it owns, controls or operates,
• is negligent in implementing and maintaining reasonable security practices and procedures
• and thereby causes wrongful loss or wrongful gain to any person,
such body corporate shall be liable to pay damages by way of compensation to the person so affected.
DEFINITION OF BODY CORPORATE
SECTION 43A, Explanation (i)

A body corporate would mean any company and includes:
• a firm,
• a sole proprietorship, or
• other association of individuals
engaged in
• commercial or
• professional activities.
SENSITIVE PERSONAL DATA OR INFORMATION: RULE 3, IT RULES, 2011
Sensitive personal data or information of a 'person' means such 'personal information' which consists of information relating to:
1. Password;
2. Financial information such as:
   ◦ bank account, or
   ◦ credit card or debit card, or
   ◦ other payment instrument details;
3. Physical, physiological and mental health condition;
4. Sexual orientation;
5. Biometric information;
6. Any detail relating to the above clauses as provided to the body corporate for providing service; and
7. Any of the information received under the above clauses by the body corporate for processing, stored or processed under a lawful contract or otherwise.

EXCEPTIONS:
The following information is not regarded as sensitive personal data or information:
1. Information freely available or accessible in the public domain, or
2. Information furnished under the Right to Information Act, 2005 (RTI), or
3. Information furnished under any other law for the time being in force.
PERSONAL INFORMATION: RULE 2, IT RULES, 2011
• Any information that relates to a 'natural person'
• which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate,
• is capable of identifying such person.
MEANING OF REASONABLE SECURITY PRACTICES AND PROCEDURES
Section 43A, Explanation (ii)
Security practices and procedures designed to protect such information from unauthorized
• access,
• damages,
• use,
• modification,
• disclosure or
• impairment,
as may be specified in:
• an agreement between the parties; or
• any law for the time being in force; or
• in the absence of such agreement or law, such reasonable security practices and procedures as may be prescribed by the Central Government.

Main requirements under the IT Rules, 2011:
• Privacy Policy
• Consent for collection of data
• Collection of data
• Use and Retention
• Opt Out/Withdrawal
• Access and Review of Information
• Grievance Mechanism
• Limitation on Disclosure of Information
• Limitation on Transfer of Information
• Reasonable Security Practices and Procedures
PRIVACY POLICY: RULE 4
• A body corporate or any person on its behalf that
  ◦ collects, receives, possesses,
  ◦ stores, deals in or handles
  information of the provider of information
• shall provide a privacy policy for handling of or dealing in 'personal information including sensitive personal data or information'.

The privacy policy shall be published on the website and provide:
• clear and easily accessible statements of its practices and policies;
• the type of personal or sensitive personal data or information collected;
• the purpose of collection and usage of such information;
• disclosure of information including sensitive personal data or information;
• the reasonable security practices and procedures followed by the body corporate.
CONSENT: RULE 5(1)
• Requires the body corporate or any person on its behalf,
• before collection of sensitive personal data or information,
• to obtain consent in writing through letter, fax or email from the 'provider of the information'
• regarding the purpose of usage of such information.

CONSENT: RULE 5(3)
Requirements in case of collection of information directly from the person concerned: steps to ensure that the person concerned has knowledge of
• the fact that the information is being collected;
• the purpose for which the information is being collected;
• the intended recipients of the information; and
• the name and address of
  ◦ the agency that is collecting the information; and
  ◦ the agency that will retain the information.
PURPOSE OF COLLECTION OF INFORMATION: RULE 5(2)
Sensitive personal data or information can be collected only under the following two circumstances:
1. For a 'lawful purpose' connected with a function or activity of the body corporate or any person on its behalf; and
2. Considered 'necessary' for that purpose.
USE AND RETENTION OF INFORMATION
USE - RULE 5(5):
• The information collected shall be used only for the purpose for which it has been collected.

RETENTION - RULE 5(4):
• A body corporate or its representative must not retain such information for longer than is required for the purposes for which the information may lawfully be used, OR
• as required under any other law in force.
OPT OUT/WITHDRAWAL: RULE 5(7)
Requires the body corporate to give the provider of information an option:
1. prior to the collection of the information, to not provide the data or information sought to be collected;
2. of withdrawing his consent given earlier to the body corporate.

• Withdrawal shall be sent in writing to the body corporate.
• The body corporate shall have the option to not provide goods or services for which the said information was sought.

• It is noteworthy that none of the rules talk about obtaining the consent of the person to whom the information relates in case the provider of the information is not the person concerned.
• For example, where the husband provides the medical information of the wife, consent of the wife is not required as per these rules as she is not the provider of the information. She also does not have the option of opting out as per Rule 5(7).
ACCESS & REVIEW OF INFORMATION: RULE 5(6)
• Providers of information are permitted to review the information provided by them, as and when requested by them;
• Information, if found to be inaccurate or deficient, shall be corrected or amended as feasible.
• The body corporate is NOT responsible for the authenticity of the personal information or sensitive personal data or information as supplied by the provider to the body corporate.
GRIEVANCE REDRESSAL MECHANISM: RULE 5(9)
• Time-bound redressal of any discrepancies and grievances.
• A Grievance Officer shall be appointed.
  ◦ Publication of the name and contact details of the Grievance Officer on the website.
• Redressal of grievances: within one month from the date of receipt of the grievance.
LIMITATION ON DISCLOSURE OF INFORMATION: RULE 6
Permission of the provider of the information is required before disclosure of information.

Exceptions:
1. when disclosure is agreed upon in the contract;
2. when disclosure is necessary for compliance with a legal obligation;
3. when disclosure is to Government agencies mandated under the law to obtain information;
4. when disclosure is to any third party by an order under the law for the time being in force.

Rule 6 also forbids the following:
1. Publication of sensitive personal data or information by the body corporate or its representative;
2. Disclosure by a third party receiving the sensitive personal data or information from the body corporate.
LIMITATION ON TRANSFER OF INFORMATION: RULE 7
Transfer allowed to:
• another body corporate or a person
• in India, or located in any other country.

Transfer is allowed only if:
1. the other body corporate or person ensures the same level of data protection that is adhered to by the body corporate as provided under these rules;
2. it is necessary for the performance of the lawful contract between the provider of the information and the body corporate receiving the information.
REASONABLE SECURITY PRACTICES AND PROCEDURES: RULE 8
• Prescribes the standard to be adhered to by a body corporate receiving the information,
  ◦ in the absence of an agreement between the parties;
  ◦ or any law for the time being in force.
• One such prescribed standard: the International Standard IS/ISO/IEC 27001 on "Information Technology – Security Techniques – Information Security Management System – Requirements".

• Any other security code, if followed, shall be:
  ◦ duly approved and notified by the Central Government;
  ◦ audited annually by an independent auditor approved by the Central Government.
• In the event of an information security breach, the body corporate must demonstrate that it has implemented its security control measures.

• A body corporate or a person on its behalf shall be deemed to have complied with reasonable security practices and procedures if:
  ◦ they have implemented such security practices and standards, and
  ◦ have a comprehensive documented information security programme; and
  ◦ have information security policies for managerial, technical, operational and physical security which are proportionate with the information assets being protected and with the nature of business.

• IT Act, 2000 is available at:
  http://www.mit.gov.in/sites/upload_files/dit/files/downloads/itact2000/itbill2000.pdf
• IT (Amendment) Act, 2008 is available at:
  http://www.mit.gov.in/sites/upload_files/dit/files/downloads/itact2000/it_amendment_act2008.pdf
• Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 are available at:
  http://www.mit.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf
1. What is the likelihood of active enforcement of the new rules?
2. What are the penalties for violations of the new rules?
3. Do the rules apply only to information collected from data subjects in India, or do they also apply to information about data subjects located outside India?
4. Do the rules apply to uses/disclosures of information that occur outside of India, if the information was originally collected in India?
5. Do the rules apply to pseudonymized information?
6. Is the "provider of the information" in Rule 5 referring to the subject, or can this be interpreted as referring to a third party that provides information but who is not the data subject?
7. Are there opportunities for further clarification/amendment of the new rules?
THANK YOU

Intellectual Property & Information Technology Laws Division
New Delhi | Mumbai | Bangalore | Gurgaon

Flat # 5-7, 10 Hailey Road, New Delhi, 110001 (India)
Phone: +91 11 42492532 (Direct)
Phone: +91 11 42492525 Ext 532
Mobile: 9810081079
Fax: +91 11 23320484
Email: vpdalmia@vaishlaw.com

Reasonable Security Practices And Procedures And Sensitive Personala 24 06 2011 Avantha

  • 1. REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION RULES, 2011 Under The (Indian) Information Technology Act, 2000 By Vijay Pal Dalmia, Advocate Partner & Head of Intellectual Property & Information Technology Laws Practice
  • 2. INFORMATION TECHNOLOGY ACT, 2000  Enacted in the year 2000 and was implemented w.e.f. 17th October, 2000.  Important features of this Act :  Recognition to e-transactions, digital signatures, electronic records etc. and also recognise their evidentiary value.  Lists out various computer crimes which are technological in nature.  However, this Act, originally, did not contain any provision for data protection.
  • 3. THE INFORMATION TECHNOLOGY (AMENDMENT) ACT, 2008  The IT Act, 2002 was amended in the year 2008.  Section 43A and Section 72A were added by the amendment Act for protection of personal data and information.  Boththese provisions are penal in nature, civil and criminal respectively.
  • 4. REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION) RULES , 2011  Ministry Of Communications And Information Technology (Department Of Information Technology) promulgated these rules (IT Rules 2011), under Section 87 (2)(ob) read with Section 43A.  IT Rules, 2011 came in force on 11th April, 2011.  Non Compliance of these rules would lead to invocation of Section 43A of The IT Act, 2008 and liability to pay compensation, limits of which have not been fixed.
  • 5. SECTION 72A of IT Act 2008.  In addition to the civil liabilities under Section 43 A ◦ Any person, or ◦ Intermediary ◦ Is liable for punishment  Of imprisonment for term which may extend to  *3 years  Or fine up to INR 5,00,000  Or both ◦ For disclosure of information  In breach of lawful contract.  *(Cognizable offence and Bailable) ( as per Section. 77B)
  • 6. SECTION 43A: COMPENSATION FOR FAILURE TO PROTECT DATA Where a BODY CORPORATE,  possessing, dealing or handling any sensitive personal data or information  in a computer resource which it owns, controls or operates  is negligent in implementing and maintaining reasonable security practices and procedures  and thereby causes wrongful loss or wrongful gain to any person  such body corporate shall be liable to pay damages by way of compensation to the person so affected.
  • 7. DEFINITION OF BODY CORPORATE SECTION 43 A –Explanation (i) A body corporate would mean: any company and includes:  a firm,  sole proprietorship or  other association of individuals engaged in •commercial or •professional activities.
  • 8. SENSITIVE PERSONAL DATA OR INFORMATION: RULE 3, IT RULES, 2011 Sensitive personal data or information of a „person‟ means such „personal information‟ which consists of information relating to: 1. Password; 2. Financial information such as:  Bank account or,  Credit card or debit card or,  Other payment instrument details 3. Physical, physiological and mental health condition; 4. Sexual orientation; Contd…
  • 9. SENSITIVE PERSONAL DATA OR INFORMATION RULE 3 OF THE IT RULES, 2011 5. Biometric information; 6. Any detail relating to the above clauses  as provided to body corporate  for providing service; and 7. Any of the information received under above clauses by body corporate for  processing,  stored or  processed under a lawful contract or otherwise
  • 10. EXCEPTIONS: Following information is not regarded as sensitive personal data or information: 1. Information freely available or accessible in public domain or, 2. Information furnished under the Right to Information Act, 2005 (RTI) or 3. Information furnished under any other law for the time being in force.
  • 11. PERSONAL INFORMATION: RULE 2 , IT RULES, 2011  Any information that relates to a  „natural person‟  which either directly or indirectly, in combination with other information available or likely to be available with a body corporate,  is capable of identifying such person.
  • 12. MEANING OF REASONABLE SECURITY PRACTICES AND PROCEDURES Section 43, Explanation (ii)  Security practices and procedure designed to  protect such information from unauthorized • access, • damages, • use, • modification, • disclosure or • impairment, Contd…
  • 13. MEANING OF REASONABLE SECURITY PRACTICES AND PROCEDURES Section 43, Explanation (ii) Contd… as may be specified in :  an agreement between the parties or;  any law for the time being in force; or  in absence of such agreement or law,  such reasonable security practices and procedures,  as may be prescribed by the Central Government.
  • 14. Privacy Policy  Consent for collection of data  Collection of data  Use and Retention  Opt Out/Withdrawal  Access and Review of Information  Grievance Mechanism  Limitation on Disclosure of Information  Limitation on Transfer of Information  Reasonable Security Practices and Procedures
  • 15. PRIVACY POLICY: RULE 4  Body corporate or any person on its behalf ◦ collects, receives, possess, ◦ stores, deals or handles  information of provider of information  Shall provide a privacy policy for  handling of or dealing in  „personal information including sensitive personal data or information‟. Contd…
  • 16. PRIVACY POLICY: RULE 4 Privacy Policy shall be published on the website and provide:- • Clear and easily accessible statements of its practices and policies; • Type of personal or sensitive personal data or information collected; • Purpose of collection and usage of such information; • Disclosure of information including sensitive personal data or information; • Reasonable security practices and procedures followed by the corporate.
  • 17. CONSENT RULE 5 (1) o Requires the corporate or any person on its behalf, o before collection of sensitive personal data or information, o to obtain consent in writing through letter or FAX or email from the „provider of the information‟ o regarding purpose of usage of such information.
  • 18. CONSENT RULE 5(3) Requirements in case of collection of information directly from the person concerned: Steps to ensure that the person concerned is having the knowledge of : o The fact that the information is being collected; o The purpose for which the information is being collected; o The intended recipients of the information; and o The name and address of – ◦ the agency that is collecting the information; and ◦ the agency that will retain the information
  • 19. PURPOSE OF COLLECTION OF INFORMATION RULE 5 (2) Sensitive personal data or information can be collected only under following two circumstances: 1. For a „lawful purpose‟  connected with a function or activity of the body corporate or any person on it behalf; and 2. Considered „necessary‟ for that purpose
  • 20. USE AND RETENTION OF INFORMATION
    USE - RULE 5(5):
    ◦ The information collected shall be used only for the purpose for which it has been collected.
    RETENTION - RULE 5(4):
    ◦ A body corporate or its representative must not retain such information for longer than is required for the purposes for which the information may lawfully be used, OR
    ◦ as required under any other law in force.
  • 21. OPT OUT/WITHDRAWAL: RULE 5(7)
    Requires the body corporate to give the provider of information an option:
    1. prior to the collection of the information, to not provide the data or information sought to be collected;
    2. of withdrawing his consent given earlier to the body corporate.
    ◦ Withdrawal shall be sent in writing to the body corporate.
    ◦ The body corporate shall have the option to not provide goods or services for which the said information was sought.
  • 22. OPT OUT/WITHDRAWAL
    ◦ It is noteworthy that none of the rules talk about obtaining the consent of the person to whom the information relates in case the provider of the information is not the person concerned.
    ◦ For example, where a husband provides the medical information of his wife, the consent of the wife is not required under these rules, as she is not the provider of the information. She also does not have the option of opting out under Rule 5(7).
  • 23. ACCESS & REVIEW OF INFORMATION: RULE 5(6)
    ◦ Providers of information are permitted to review the information provided by them, as and when requested by them;
    ◦ Information, if found to be inaccurate or deficient, shall be corrected or amended as feasible.
    ◦ The body corporate is NOT responsible for the authenticity of the personal information or sensitive personal data or information as supplied by the provider to the body corporate.
  • 24. GRIEVANCE REDRESSAL MECHANISM: RULE 5(9)
    ◦ Time-bound redressal of any discrepancies and grievances.
    ◦ A Grievance Officer shall be appointed.
    ◦ Publication of the name and contact details of the Grievance Officer on the website.
    ◦ Redressal of grievances: within one month from the date of receipt of the grievance.
  • 25. LIMITATION ON DISCLOSURE OF INFORMATION: RULE 6
    Permission of the provider of the information is required before disclosure of information. Exceptions:
    1. when disclosure is agreed upon in the contract;
    2. when disclosure is necessary for compliance with a legal obligation;
    3. when disclosure is to Government agencies mandated under the law to obtain information;
    4. when disclosure is to any third party by an order under the law for the time being in force.
  • 26. LIMITATION ON DISCLOSURE OF INFORMATION: RULE 6
    Rule 6 also forbids the following:
    1. Publication of sensitive personal data or information by the body corporate or its representative;
    2. Disclosure by a third party receiving the sensitive personal data or information from the body corporate.
  • 27. LIMITATION ON TRANSFER OF INFORMATION: RULE 7
    Transfer allowed to:
    ◦ another body corporate or a person
    ◦ in India, or located in any other country.
    Transfer is allowed only if:
    1. the other body corporate or person ensures the same level of data protection that is adhered to by the body corporate as provided under these rules;
    2. it is necessary for the performance of the lawful contract between the provider of the information and the body corporate receiving the information.
  • 28. REASONABLE SECURITY PRACTICES AND PROCEDURES: RULE 8
    ◦ Prescribes the standard to be adhered to by a body corporate receiving the information,
      - in the absence of an agreement between the parties;
      - or any law for the time being in force.
    ◦ One such prescribed standard: the International Standard IS/ISO/IEC 27001 on "Information Technology – Security Techniques – Information Security Management System – Requirements".
  • 29. REASONABLE SECURITY PRACTICES AND PROCEDURES
    ◦ Any other security code, if followed, shall be:
      - duly approved and notified by the Central Government;
      - audited annually by an independent auditor approved by the Central Government.
    ◦ In the event of an information security breach, the body corporate must demonstrate that it has implemented the security control measures.
  • 30. REASONABLE SECURITY PRACTICES AND PROCEDURES
    A body corporate, or a person on its behalf, shall be deemed to have complied with reasonable security practices and procedures if:
    ◦ they have implemented such security practices and standards, and
    ◦ have a comprehensive documented information security programme; and
    ◦ information security policies for managerial, technical, operational and physical security which are proportionate to the information assets being protected and to the nature of the business.
  • 31. References
    ◦ IT Act, 2000 is available at: http://www.mit.gov.in/sites/upload_files/dit/files/downloads/itact2000/itbill2000.pdf
    ◦ IT (Amendment) Act, 2008 is available at: http://www.mit.gov.in/sites/upload_files/dit/files/downloads/itact2000/it_amendment_act2008.pdf
    ◦ Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 are available at: http://www.mit.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf
  • 32. Open Questions
    1. What is the likelihood of active enforcement of the new rules?
    2. What are the penalties for violations of the new rules?
    3. Do the rules apply only to information collected from data subjects in India, or do they also apply to information about data subjects located outside India?
  • 33. Open Questions (contd.)
    ◦ Do the rules apply to uses/disclosures of information that occur outside of India, if the information was originally collected in India?
    ◦ Do the rules apply to pseudonymized information?
    ◦ Is the "provider of the information" in Rule 5 referring to the data subject, or can this be interpreted as referring to a third party that provides information but who is not the data subject?
  • 34. Are there opportunities for further clarification/amendment of the new rules?
  • 35. THANK YOU
    Intellectual Property & Information Technology Laws Division
    New Delhi | Mumbai | Bangalore | Gurgaon
    Flat # 5-7, 10 Hailey Road, New Delhi, 110001 (India)
    Phone: +91 11 42492532 (Direct)
    Phone: +91 11 42492525 Ext 532
    Mobile: 9810081079
    Fax: +91 11 23320484
    Email: vpdalmia@vaishlaw.com