Latest Blogs from SBS and Company LLP

    Note On Key Aspects Of Information Technology Act 2000 And Associated Privacy Aspects

This note is divided into two chapters: Chapter I covers the law, and Chapter II covers the deductions drawn from it.

    Chapter I

    The following are some of the important definitions as per the Information Technology Act 2000.

Section 2 (i) "computer" means any electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network;

    Section 2(j) "computer network" means the interconnection of one or more computers through— (i) the use of satellite, microwave, terrestrial line or other communication media; and (ii) terminals or a complex consisting of two or more interconnected computers or communication device whether or not the interconnection is continuously maintained;

    Section 2(k) "computer resource" means computer, computer system, computer network, data, computer data base or software;

    Section 2(l) "computer system" means a device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, which contain computer programmes, electronic instructions, input data and output data, that performs logic, arithmetic, data storage and retrieval, communication control and other functions;

    Section 2(n) "cyber security" means protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorized access, use, disclosure, disruption, modification or destruction.

    Section 2 (o) "data" means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer;

Section 2 (t) "electronic record" means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche;

Section 2 (v) "information" includes data, text, images, sound, voice, codes, computer programmes, software and databases or micro film or computer generated micro fiche;

Section 2 (w) "intermediary", with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes;

    Section 2 (za) "originator" means a person who sends, generates, stores or transmits any electronic message or causes any electronic message to be sent, generated, stored or transmitted to any other person but does not include an intermediary;

    Section 2 (ze) "secure system" means computer hardware, software, and procedure that—

    (a) are reasonably secure from unauthorised access and misuse;

    (b) provide a reasonable level of reliability and correct operation;

    (c) are reasonably suited to performing the intended functions; and

(d) adhere to generally accepted security procedures;

The following are some of the important sections of the Information Technology Act 2000.

Section 43 - Penalty and compensation for damage to computer, computer system, etc

If any person without permission of the owner or any other person who is in charge, of a computer, computer system or computer network,—

(a) accesses or secures access to such computer, computer system or computer network or computer resource;

    (b) downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;

    (c) introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;

    (d) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;

    (e) disrupts or causes disruption of any computer, computer system or computer network;

    (f) denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means;

    (g) provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder;

    (h) charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network,

    (i) destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means,

(j) steal, conceal, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage;

he shall be liable to pay damages by way of compensation to the person so affected.

Explanation.—For the purposes of this section,—

(i) "computer contaminant" means any set of computer instructions that are designed—

(a) to modify, destroy, record, transmit data or programme residing within a computer, computer system or computer network; or

(b) by any means to usurp the normal operation of the computer, computer system, or computer network;

(ii) "computer database" means a representation of information, knowledge, facts, concepts or instructions in text, image, audio, video that are being prepared or have been prepared in a formalised manner or have been produced by a computer, computer system or computer network and are intended for use in a computer, computer system or computer network;

(iii) "computer virus" means any computer instruction, information, data or programme that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a programme, data or instruction is executed or some other event takes place in that computer resource;

(iv) "damage" means to destroy, alter, delete, add, modify or rearrange any computer resource by any means.

(v) "computer source code" means the listing of programme, computer commands, design and layout and programme analysis of computer resource in any form.

Section 43A - Compensation for failure to protect data

Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

Explanation.—For the purposes of this section,—

    (i) "body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;

    (ii) "reasonable security practices and procedures" means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;

    (iii) "sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

Section 44 - Penalty for failure to furnish information, return, etc

If any person who is required under this Act or any rules or regulations made thereunder to—

    (a) furnish any document, return or report to the Controller or the Certifying Authority fails to furnish the same, he shall be liable to a penalty not exceeding one lakh and fifty thousand rupees for each such failure;

    (b) file any return or furnish any information, books or other documents within the time specified therefor in the regulations fails to file return or furnish the same within the time specified therefor in the regulations, he shall be liable to a penalty not exceeding five thousand rupees for every day during which such failure continues;

(c) maintain books of account or records fails to maintain the same, he shall be liable to a penalty not exceeding ten thousand rupees for every day during which the failure continues.

Section 45 - Residuary penalty

Whoever contravenes any rules or regulations made under this Act, for the contravention of which no penalty has been separately provided, shall be liable to pay a compensation not exceeding twenty-five thousand rupees to the person affected by such contravention or a penalty not exceeding twenty-five thousand rupees.

Section 65 - Tampering with computer source documents

Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy, or alter any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Explanation.—For the purposes of this section, "computer source code" means the listing of programmes, computer commands, design and layout and programme analysis of computer resource in any form.

Section 66 - Computer related offences

If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both.

Explanation.—For the purposes of this section,—

(a) the word "dishonestly" shall have the meaning assigned to it in section 24 of the Indian Penal Code (45 of 1860);

(b) the word "fraudulently" shall have the meaning assigned to it in section 25 of the Indian Penal Code (45 of 1860).

Section 67C - Preservation and retention of information by intermediaries

(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and also be liable to

    Section 72 - Penalty for Breach of confidentiality and privacy

    Save as otherwise provided in this Act or any other law for the time being in force, if any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.

    Section 72A - Punishment for disclosure of information in breach of lawful contract

Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both.

    Section 79 - Exemption from liability of intermediary in certain cases

(1) Notwithstanding anything contained in any law for the time being in force but subject to the provisions of sub-sections (2) and (3), an intermediary shall not be liable for any third party information, data, or communication link made available or hosted by him.

(2) The provisions of sub-section (1) shall apply if—

(a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted; or

(b) the intermediary does not—

(i) initiate the transmission,

(ii) select the receiver of the transmission, and

(iii) select or modify the information contained in the transmission;

(c) the intermediary observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf.

    (3) The provisions of sub-section (1) shall not apply if‑

    (a) the intermediary has conspired or abetted or aided or induced, whether by threats or promise or otherwise in the commission of the unlawful act;

(b) upon receiving actual knowledge, or on being notified by the appropriate Government or its agency that any information, data or communication link residing in or connected to a computer resource controlled by the intermediary is being used to commit the unlawful act, the intermediary fails to expeditiously remove or disable access to that material on that resource without vitiating the evidence in any manner.

Explanation.—For the purposes of this section, the expression "third party information" means any information dealt with by an intermediary in his capacity as an intermediary.

The following are some of the important rules of the Information Technology (Intermediaries Guidelines) Rules, 2011.

2. Definitions.—

(d) "Cyber security incident" means any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorisation;

    (e) "Data" means data as defined in clause (o) of sub-section (1) of section 2 of the Act;

    (h) "Information" means information as defined in clause (v) of sub-section (1) of section 2 of the Act;

    (i) "Intermediary" means an intermediary as defined in clause (w) of sub-section (1) of section 2 of the Act;

    (j) "User" means any person who access or avail any computer resource of intermediary for the purpose of hosting, publishing, sharing, transacting, displaying or uploading information or views and includes other persons jointly participating in using the computer resource of an intermediary.

3. Due diligence to be observed by intermediary.—

The intermediary shall observe the following due diligence while discharging his duties, namely:—

(1) The intermediary shall publish the rules and regulations, privacy policy and user agreement for access or usage of the intermediary's computer resource by any person.

(2) Such rules and regulations, terms and conditions or user agreement shall inform the users of computer resource not to host, display, upload, modify, publish, transmit, update or share any information that—

(a) belongs to another person and to which the user does not have any right to;

(b) is grossly harmful, harassing, blasphemous, defamatory, obscene, pornographic, paedophilic, libellous, invasive of another's privacy, hateful, or racially, ethnically objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful in any manner whatever;

(c) harm minors in any way;

(d) infringes any patent, trademark, copyright or other proprietary rights;

(e) violates any law for the time being in force;

(f) deceives or misleads the addressee about the origin of such messages or communicates any information which is grossly offensive or menacing in nature;

(g) impersonate another person;

(h) contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer resource;

(i) threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or public order or causes incitement to the commission of any cognisable offence or prevents investigation of any offence or is insulting any other nation.

(3) The intermediary shall not knowingly host or publish any information or shall not initiate the transmission, select the receiver of transmission, and select or modify the information contained in the transmission as specified in sub-rule (2):

Provided that the following actions by an intermediary shall not amount to hosting, publishing, editing or storing of any such information as specified in sub-rule (2)—

(a) temporary or transient or intermediate storage of information automatically within the computer resource as an intrinsic feature of such computer resource, involving no exercise of any human editorial control, for onward transmission or communication to another computer resource;

(b) removal of access to any information, data or communication link by an intermediary after such information, data or communication link comes to the actual knowledge of a person authorised by the intermediary pursuant to any order or direction as per the provisions of the Act;

(4) The intermediary, on whose computer system the information is stored or hosted or published, upon obtaining knowledge by itself or been brought to actual knowledge by an affected person in writing or through email signed with electronic signature about any such information as mentioned in sub-rule (2) above, shall act within thirty six hours and where applicable, work with user or owner of such information to disable such information that is in contravention of sub-rule (2). Further the intermediary shall preserve such information and associated records for at least ninety days for investigation purposes.

(5) The Intermediary shall inform its users that in case of non-compliance with rules and regulations, user agreement and privacy policy for access or usage of intermediary computer resource, the Intermediary has the right to immediately terminate the access or usage rights of the users to the computer resource of Intermediary and remove non-compliant information.

(6) The intermediary shall strictly follow the provisions of the Act or any other laws for the time being in force.

     

(7) When required by lawful order, the intermediary shall provide information or any such assistance to Government Agencies who are lawfully authorised for investigative, protective, cyber security activity. The information or any such assistance shall be provided for the purpose of verification of identity, or for prevention, detection, investigation, prosecution, cyber security incidents and punishment of offences under any law for the time being in force, on a request in writing stating clearly the purpose of seeking such information or any such assistance.

(8) The intermediary shall take all reasonable measures to secure its computer resource and information contained therein following the reasonable security practices and procedures as prescribed in the Information Technology (Reasonable security practices and procedures and sensitive personal information) Rules, 2011.

(9) The intermediary shall report cyber security incidents and also share cyber security incidents related information with the Indian Computer Emergency Response Team.

(10) The intermediary shall not knowingly deploy or install or modify the technical configuration of computer resource or become party to any such act which may change or has the potential to change the normal course of operation of the computer resource than what it is supposed to perform thereby circumventing any law for the time being in force:

Provided that the intermediary may develop, produce, distribute or employ technological means for the sole purpose of performing the acts of securing the computer resource and information contained therein.

    (11) The intermediary shall publish on its website the name of the Grievance Officer and his contact details as well as mechanism by which users or any victim who suffers as a result of access or usage of computer resource by any person in violation of rule 3 can notify their complaints against such access or usage of computer resource of the intermediary or other matters pertaining to the computer resources made available by it. The Grievance Officer shall redress the complaints within one month from the date of receipt of complaint.

The following are some of the important rules of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

2. Definitions.—

(b) "Biometrics" means the technologies that measure and analyse human body characteristics, such as 'fingerprints', 'eye retinas and irises', 'voice patterns', 'facial patterns', 'hand measurements' and 'DNA' for authentication purposes;

(c) "Body corporate" means the body corporate as defined in clause (i) of explanation to section 43A of the Act;

(d) "Cyber incidents" means any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorisation;

(e) "Data" means data as defined in clause (o) of sub-section (1) of section 2 of the Act;

(f) "Information" means information as defined in clause (v) of sub-section (1) of section 2 of the Act;

(g) "Intermediary" means an intermediary as defined in clause (w) of sub-section (1) of section 2 of the Act;

(h) "Password" means a secret word or phrase or code or passphrase or secret key, or encryption or decryption keys that one uses to gain admittance or access to information;

(i) "Personal information" means any information that relates to a natural person which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.

3. Sensitive personal data or information.—

Sensitive personal data or information of a person means such personal information which consists of information relating to:—

(i) password;

    (ii) financial information such as Bank account or credit card or debit card or other payment instrument details;

    (iii) physical, physiological and mental health condition;

    (iv) sexual orientation;

    (v) medical records and history;

    (vi) Biometric information;

    (vii) any detail relating to the above clauses as provided to body corporate for providing service; and

(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:

provided that any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.

4. Body corporate to provide policy for privacy and disclosure of information.—

The body corporate or any person who on behalf of body corporate collects, receives, possesses, stores, deals or handles information of provider of information, shall provide a privacy policy for handling of or dealing in personal information including sensitive personal data or information and ensure that the same are available for view by such providers of information who have provided such information under lawful contract. Such policy shall be published on website of body corporate or any person on its behalf and shall provide for—

(i) clear and easily accessible statements of its practices and policies;

(ii) type of personal or sensitive personal data or information collected under rule 3;

(iii) purpose of collection and usage of such information;

(iv) disclosure of information including sensitive personal data or information as provided in rule 6;

(v) reasonable security practices and procedures as provided under rule 8.

5. Collection of information.—

(1) Body corporate or any person on its behalf shall obtain consent in writing through letter or fax or email from the provider of the sensitive personal data or information regarding purpose of usage before collection of such information.

(2) Body corporate or any person on its behalf shall not collect sensitive personal data or information unless—

(a) the information is collected for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf; and

(b) the collection of the sensitive personal data or information is considered necessary for that purpose.

(3) While collecting information directly from the person concerned, the body corporate or any person on its behalf shall take such steps as are, in the circumstances, reasonable to ensure that the person concerned is having the knowledge of—

(a) the fact that the information is being collected;

(b) the purpose for which the information is being collected;

(c) the intended recipients of the information; and

(d) the name and address of—

(i) the agency that is collecting the information; and

(ii) the agency that will retain the information.

(4) Body corporate or any person on its behalf holding sensitive personal data or information shall not retain that information for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force.

(5) The information collected shall be used for the purpose for which it has been collected.

(6) Body corporate or any person on its behalf shall permit the providers of information, as and when requested by them, to review the information they had provided and ensure that any personal information or sensitive personal data or information found to be inaccurate or deficient shall be corrected or amended as feasible:

    provided that a body corporate shall not be responsible for the authenticity of the personal information or sensitive personal data or information supplied by the provider of information to such body corporate or any other person acting on behalf of such body corporate.

(7) Body corporate or any person on its behalf shall, prior to the collection of information including sensitive personal data or information, provide an option to the provider of the information not to provide the data or information sought to be collected. The provider of information shall, at any time while availing the services or otherwise, also have an option to withdraw its consent given earlier to the body corporate. Such withdrawal of the consent shall be sent in writing to the body corporate. In the case of provider of information not providing or later on withdrawing his consent, the body corporate shall have the option not to provide goods or services for which the said information was sought.

(8) Body corporate or any person on its behalf shall keep the information secure as provided in rule 8.

(9) Body corporate shall address any discrepancies and grievances of their provider of the information with respect to processing of information in a time bound manner. For this purpose, the body corporate shall designate a Grievance Officer and publish his name and contact details on its website. The Grievance Officer shall redress the grievances of provider of information expeditiously but within one month from the date of receipt of grievance.

6. Disclosure of information.—

(1) Disclosure of sensitive personal data or information by body corporate to any third party shall require prior permission from the provider of such information, who has provided such information under lawful contract or otherwise, unless such disclosure has been agreed to in the contract between the body corporate and provider of information, or where the disclosure is necessary for compliance of a legal obligation:

Provided that the information shall be shared, without obtaining prior consent from provider of information, with Government agencies mandated under the law to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences. The Government agency shall send a request in writing to the body corporate possessing the sensitive personal data or information stating clearly the purpose of seeking such information. The Government agency shall also state that the information so obtained shall not be published or shared with any other person.

(2) Notwithstanding anything contained in sub-rule (1), any sensitive personal data or information shall be disclosed to any third party by an order under the law for the time being in force.

    (3) The body corporate or any person on its behalf shall not publish the sensitive personal data or information.

    (4) The third party receiving the sensitive personal data or information from body corporate or any person on its behalf under sub-rule (1) shall not disclose it further.

7. Transfer of information.—

    A body corporate or any person on its behalf may transfer sensitive personal data or information including any information, to any other body corporate or a person in India, or located in any other country, that ensures the same level of data protection that is adhered to by the body corporate as provided for under these Rules. The transfer may be allowed only if it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf and provider of information or where such person has consented to data transfer.

    8. Reasonable Security Practices and Procedures.-

    (1) A body corporate or a person on its behalf shall be considered to have complied with reasonable security practices and procedures, if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business. In the event of an information security breach, the body corporate or a person on its behalf shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies.

    (2) The international Standard IS/ISO/IEC 27001 on "Information Technology -Security Techniques - Information Security Management System - Requirements" is one such standard referred to in sub-rule (1).

    (3) Any industry association or an entity formed by such an association, whose members are self-regulating by following other than IS/ISO/IEC codes of best practices for data protection as per sub-rule (1), shall get its codes of best practices duly approved and notified by the Central Government for effective implementation.

    (4) The body corporate or a person on its behalf who have implemented either IS/ISO/IEC 27001 standard or the codes of best practices for data protection as approved and notified under sub-rule (3) shall be deemed to have complied with reasonable security practices and procedures provided that such standard or the codes of best practices have been certified or audited on a regular basis by entities through independent auditor, duly approved by the Central Government. The audit of reasonable security practices and procedures shall be carried out by an auditor at least once a year or as and when the body corporate or a person on its behalf undertake significant upgradation of its process and computer resource.

    Chapter II

    Deduction Based On Law

    The Information Technology Act 2000, through Section 2(w), defines "intermediary" to include telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes.

    Further, Section 43A, Explanation (i), provides that "body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.

    Thus, as per the above, the proposed entity is a body corporate and falls within the meaning of intermediary.


    Section 43A imposes a penalty by way of damages on a body corporate that fails to protect confidential information / sensitive personal data because it has not implemented and maintained reasonable security practices and procedures.


    Section 72A imposes punishment with imprisonment for a term which may extend to 3 years, or with fine which may extend to 5 lakh rupees, or with both, if any person, including an intermediary, discloses material containing personal information with the intent to cause, or knowing that he is likely to cause, wrongful loss or wrongful gain to any third person, in breach of a lawful contract entered into between the intermediary and the originator. In the present scenario, if the personal information of a user who has availed the services of the proposed entity under a contract comes out in the public, then the proposed entity will be held liable for such breach of confidentiality.


    However, as a saving grace, Section 79 lays down certain exemptions which an intermediary can claim as immunity.


    The Information Technology (Intermediaries Guidelines) Rules, 2011 govern the operations of intermediaries, as enumerated in Rule 3 therein, which also provides the nature and scope of the privacy policy of the intermediaries.


    The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 are the key to the operations of the proposed entity (considering the nature of services that it wants to offer).

    Rule 3 sets out the sensitive personal data or information of a person as follows:

    (i) password;

    (ii) financial information such as Bank account or credit card or debit card or other payment instrument details;

    (iii) physical, physiological and mental health condition;

    (iv) sexual orientation;

    (v) medical records and history;

    (vi) Biometric information;

    (vii) any detail relating to the above clauses as provided to body corporate for providing service; and

    (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.


    Rule 4 provides for the nature and scope of the privacy policy and Rule 5 provides for the system through which the sensitive personal data is obtained.

    Rule 8 lays down the standards for reasonable security practices and procedures to be employed while obtaining the sensitive personal data and, more particularly, states that the international Standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements" should be in place.

    This article is contributed by Partners of SBS and Company LLP - Chartered Accountant Company.