Four sets of Rules were issued under the Information Technology Act, 2000 in April 2011. The second of these sets — called the Information Technology (Reasonable security practices and procedures and Sensitive Personal Data or Information) Rules, 2011, i.e. the Privacy Rules — deals with how certain information collected from persons should be treated.
A. Kinds of Information
The information contemplated by the Privacy Rules is differentiated into ‘Information’, ‘Personal Information’ and ‘Sensitive Personal Data or Information’, with all three terms being defined under the Rules as follows:
All of the obligations set out in the Privacy Rules apply to ‘Sensitive Personal Data or Information. However, although they do not all apply to ‘Information’ and/or ‘Personal Information’. The table below attempts to capture which obligations contemplated by the Privacy Rules apply to which kind of information. (It is intended to be read in conjunction with the Rules themselves which detail the obligations; the table below does not attempt to do anything beyond convey the essence of the obligations).
C. The Clarification of the Rules (and the Scope of Rules 5 and 6)
The Privacy Rules were unclear in several places, and (presumably because of this) the Department of Information Technology, Ministry of Communications & Information Technology issued a clarificatory Press Note on August 24, 2011 through the Press Information Bureau, Government of India. Unfortunately, the clarification was, itself, anything but clear. It stated that the Privacy Rules ‘are regarding Sensitive Personal Data or Information and are applicable to the body corporate or any person located within India’. However, in opposition to this, a plain reading of the Privacy Rules themselves indicates that they apply to three kinds of information, and not merely to ‘Sensitive Personal Data or Information’. As such, it is unclear whether the reference to only one kind of information in the Press Note is intentional, or whether it is a clerical error (with the intention being to have the clarification apply to all three kinds of information contemplated by the Privacy Rules). In other words, it appears that the clarification of the Privacy Rules is, at the outset itself, inconsistent with the Rules in question.
In addition to this, Press Note states that: ‘Providers of information, as referred to in these Rules, are those natural persons who provide sensitive personal data or information to a body corporate.’ The implication here is that the Privacy Rules do not apply to information provided by corporate bodies; whether or not this is the intention of the Privacy Rules is debatable although considering the clarification pertaining to the scope of Rules 5 and 6 (referred to in the next paragraph), it may be possible to argue that this supports the proposition that the Privacy Rules are primarily intended to govern B2C interaction and not B2B interaction.
According to the Press Note, ‘Any such body corporate providing services relating to collection, storage, dealing or handling of Sensitive Personal Data or Information under contractual obligation with any legal entity located within or outside India is not subject to the requirement of Rules 5 & 6. Body corporate, providing services to the provider of information under a contractual obligation directly with them, as the case may be, however, is subject to Rules 5 & 6’.
That said, the Press Note, did specifically clarify that ‘Rule 5(1) consent includes consent given by any mode of electronic communication’. The cleared a great deal of confusion which had arisen when then Rules were first issues, as it appeared that obtaining electronic consent would not be adequate to comply with the Privacy Rules. Following the issue of the Press Note though, it has become possible to interpret the Rules to mean that electronic consent consent is adequate to satisfy their mandate.
D. Privacy Policy
Under Rule 4 of the Privacy Rules, each body corporate (or, sacrificing nuance, its agent) which collects, receives, possesses, stores, deals with or handles information of providers must provide a privacy policy (on its website, viewable by information providers) detailing how it deals with ‘Personal Information’ including ‘Sensitive Personal Data or Information’. Specifically, each Privacy Policy must contain:
(This post is by Nandita Saikia and was first published at Indian Copyright.)
A. Kinds of Information
The information contemplated by the Privacy Rules is differentiated into ‘Information’, ‘Personal Information’ and ‘Sensitive Personal Data or Information’, with all three terms being defined under the Rules as follows:
- Rule 2(1)(f). “Information” means information as defined in clause (v) of sub-section (1) of section 2 of the [Information Technology] Act [i.e. ‘Information’ includes data, message, text, images, sound, voice, codes, computer programmes, software and data bases or micro film or computer generated micro fiche];
- Rule 2(1)(i). “Personal information” means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.
- Rule 3. Sensitive personal data or information of a person means such personal information which consists of information relating to;―
- (i) password; (ii) financial information such as Bank account or credit card or debit card or other payment instrument details ; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) Biometric information; (vii) any detail relating to the above clauses as provided to body corporate for providing service; and (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:
All of the obligations set out in the Privacy Rules apply to ‘Sensitive Personal Data or Information. However, although they do not all apply to ‘Information’ and/or ‘Personal Information’. The table below attempts to capture which obligations contemplated by the Privacy Rules apply to which kind of information. (It is intended to be read in conjunction with the Rules themselves which detail the obligations; the table below does not attempt to do anything beyond convey the essence of the obligations).
| Sr. No. | Rule | Information | Personal Information | Sensitive Personal Data or Information | Comments |
| 1 | 5(1): Consent for collection | Applies | See Clarification (below) | ||
| 2 | 5(2): Restrictions on collection | Applies | Sensitive Personal Data or Information may only be collected for a lawful purpose (connected with the activities of the collector) for which the info. is required. | ||
| 3 | 5(3): Knowledge regarding collection | Applies | Applies | Applies | Providers must know: (a) the fact that the information is being collected; (b) the purpose for which the information s being collected; (c) the intended recipients of the information; and (d) the name and address of ― (i) the agency that is collecting the information; and (ii) the agency that will retain the information. |
| 4 | 5(4): Retention | Applies | ‘Sensitive Personal Data or Information’ cannot be retained by the collector for longer than required. | ||
| 5 | 5(5): Use only for the purpose of collection | Applies | Applies | Applies | |
| 6 | 5(6): Review by providers | Applies | Applies | Applies | |
| 7 | 5(6): Correction by providers | Applies | Applies | Collectors must correct inaccurate info. (‘Personal Information’ and ‘Sensitive Personal Data and Information’) but are not responsible for the authenticity of provider-supplied info. | |
| 8 | 5(7): Option not to provide or to withdraw information | Applies | Applies | Applies | ‘Withdrawal of the consent shall be sent in writing to the body corporate. In the case of provider of information not providing or later on withdrawing his consent, the body corporate shall have the option not to provide goods or services for which the said information was sought’ |
| 9 | 5(8): Security obligations | Applies | Applies | Applies | See Rule 8 |
| 10 | 5(9): Grievance officer | Applies | Applies | Applies | |
| 11 | 6(1): Disclosure to any third party other than govt. agencies | Applies | See Clarification (below) | ||
| 12 | 6(1) Proviso: Disclosure to certain government agencies | Possible to interpret this to have it apply although probably doesn't apply | Possible to interpret this to have it apply although probably doesn't apply | Applies | |
| 13 | 6(2): Disclosure to any third party pursuant to order under law | Applies | |||
| 14 | 6(3): Publication | Applies | |||
| 15 | 6(4): Disclosure by a party who receives info. under Rule 6(1) | Applies | The Rules do not have a clear demarcation between ‘disclosures’ and ‘transfers’ contemplated in Rules 6 and 7. Thus, although Rule 6 does not apply to ‘Information’ and ‘Personal Information’, it is unclear how Rules 6 and 7 interact. | ||
| 16 | 7: Transfer | Probably applies; the rule refers to ‘sensitive personal data or information including any information’ | Probably applies | Applies | Rule 7 may require ‘consent’ from the provider for the transfer of any information unless the transfer is necessary for the performance of the lawful contract between the collector and provider. |
| 17 | 8: Security Practices & Audits thereof | Applies | Applies | Applies | Reasonable security practices and procedures (such as ISI/ISO/IEC:27001) must be implemented. Security practices are required to be audited at least once a year, or whenever the process and computer resources are upgraded. |
C. The Clarification of the Rules (and the Scope of Rules 5 and 6)
The Privacy Rules were unclear in several places, and (presumably because of this) the Department of Information Technology, Ministry of Communications & Information Technology issued a clarificatory Press Note on August 24, 2011 through the Press Information Bureau, Government of India. Unfortunately, the clarification was, itself, anything but clear. It stated that the Privacy Rules ‘are regarding Sensitive Personal Data or Information and are applicable to the body corporate or any person located within India’. However, in opposition to this, a plain reading of the Privacy Rules themselves indicates that they apply to three kinds of information, and not merely to ‘Sensitive Personal Data or Information’. As such, it is unclear whether the reference to only one kind of information in the Press Note is intentional, or whether it is a clerical error (with the intention being to have the clarification apply to all three kinds of information contemplated by the Privacy Rules). In other words, it appears that the clarification of the Privacy Rules is, at the outset itself, inconsistent with the Rules in question.
In addition to this, Press Note states that: ‘Providers of information, as referred to in these Rules, are those natural persons who provide sensitive personal data or information to a body corporate.’ The implication here is that the Privacy Rules do not apply to information provided by corporate bodies; whether or not this is the intention of the Privacy Rules is debatable although considering the clarification pertaining to the scope of Rules 5 and 6 (referred to in the next paragraph), it may be possible to argue that this supports the proposition that the Privacy Rules are primarily intended to govern B2C interaction and not B2B interaction.
According to the Press Note, ‘Any such body corporate providing services relating to collection, storage, dealing or handling of Sensitive Personal Data or Information under contractual obligation with any legal entity located within or outside India is not subject to the requirement of Rules 5 & 6. Body corporate, providing services to the provider of information under a contractual obligation directly with them, as the case may be, however, is subject to Rules 5 & 6’.
That said, the Press Note, did specifically clarify that ‘Rule 5(1) consent includes consent given by any mode of electronic communication’. The cleared a great deal of confusion which had arisen when then Rules were first issues, as it appeared that obtaining electronic consent would not be adequate to comply with the Privacy Rules. Following the issue of the Press Note though, it has become possible to interpret the Rules to mean that electronic consent consent is adequate to satisfy their mandate.
D. Privacy Policy
Under Rule 4 of the Privacy Rules, each body corporate (or, sacrificing nuance, its agent) which collects, receives, possesses, stores, deals with or handles information of providers must provide a privacy policy (on its website, viewable by information providers) detailing how it deals with ‘Personal Information’ including ‘Sensitive Personal Data or Information’. Specifically, each Privacy Policy must contain:
- (i) ‘clear and easily accessible statements of its practices and policies;
- (ii) type of personal or sensitive personal data or information collected under rule 3;
- (iii) purpose of collection and usage of such information;
- (iv) disclosure of information including sensitive personal data or information as provided in rule 6;
- (v) reasonable security practices and procedures as provided under rule 8’.
(This post is by Nandita Saikia and was first published at Indian Copyright.)