Reasonable security practices and procedures and sensitive personal data or information rules 2012-presentation

envydalmia 2,224 views 33 slides Feb 20, 2015

About This Presentation

Reasonable security practices and procedures and sensitive personal data or information rules 2012- A presentation on data secrecy and sharing.


Slide Content

REASONABLE SECURITY PRACTICES AND PROCEDURES AND
SENSITIVE PERSONAL DATA OR INFORMATION RULES, 2011
Under
The (Indian) Information Technology Act, 2000
By
Vijay Pal Dalmia, Advocate
Partner & Head of Intellectual Property & Information Technology Laws Practice

INFORMATION TECHNOLOGY ACT, 2000
Enacted in the year 2000 and implemented w.e.f. 17th October, 2000.
Important features of this Act:
• Recognition of e-transactions, digital signatures, electronic records etc., and recognition of their evidentiary value.
• Lists out various computer crimes which are technological in nature.
However, this Act, originally, did not contain any provision for data protection.

THE INFORMATION TECHNOLOGY (AMENDMENT) ACT, 2008
The IT Act, 2000 was amended in the year 2008.
Section 43A and Section 72A were added by the amendment Act for protection of personal data and information.
Both these provisions are penal in nature, civil and criminal respectively.

INFORMATION TECHNOLOGY (REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION) RULES, 2011
• Ministry of Communications and Information Technology (Department of Information Technology) promulgated these rules (IT Rules, 2011) under Section 87(2)(ob) read with Section 43A.
• IT Rules, 2011 came into force on 11th April, 2011.
• The Government has come up with further clarifications w.r.t. these Rules by a Press Note dated 24th August, 2011 to avoid ambiguities (http://mit.gov.in/sites/upload_files/dit/files/PressNote_25811.pdf).
• Non-compliance with these rules would lead to invocation of Section 43A of the IT Act, 2008 and liability to pay compensation, the limits of which have not been fixed.

SECTION 72A OF THE IT ACT, 2008
In addition to the civil liabilities under Section 43A:
• any person, or
• intermediary
is liable for punishment of imprisonment for a term which may extend to 3 years*, or a fine up to INR 5,00,000, or both, for disclosure of information in breach of a lawful contract.
* Cognizable offence and bailable (as per Section 77B)

SECTION 43A: COMPENSATION FOR FAILURE TO PROTECT DATA
Where a BODY CORPORATE,
• possessing, dealing or handling any sensitive personal data or information
• in a computer resource which it owns, controls or operates,
• is negligent in implementing and maintaining reasonable security practices and procedures
• and thereby causes wrongful loss or wrongful gain to any person,
such body corporate shall be liable to pay damages by way of compensation to the person so affected.

DEFINITION OF BODY CORPORATE
SECTION 43A, Explanation (i)
A body corporate would mean any company and includes:
• a firm,
• sole proprietorship or
• other association of individuals
engaged in commercial or professional activities.

These Rules are applicable only to sensitive personal data or information.
These Rules are applicable only to the following:
• body corporate located within India, or
• any person located within India, or
• body corporate dealing with the data of any person located within India.

SENSITIVE PERSONAL DATA OR INFORMATION: RULE 3, IT RULES, 2011
Sensitive personal data or information of a ‘person’ means such ‘personal information’ which consists of information relating to:
1. Password;
2. Financial information such as bank account, credit card or debit card, or other payment instrument details;
3. Physical, physiological and mental health condition;
4. Sexual orientation;
5. Biometric information;
6. Any detail relating to the above clauses as provided to a body corporate for providing service; and
7. Any of the information received under the above clauses by a body corporate for processing, stored or processed under a lawful contract or otherwise.

EXCEPTIONS
The following information is not regarded as sensitive personal data or information:
1. Information freely available or accessible in the public domain, or
2. Information furnished under the Right to Information Act, 2005 (RTI), or
3. Information furnished under any other law for the time being in force.

PERSONAL INFORMATION: RULE 2, IT RULES, 2011
Any information that relates to a ‘natural person’ which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.

MEANING OF REASONABLE SECURITY PRACTICES AND PROCEDURES
Section 43A, Explanation (ii)
Security practices and procedures designed to protect such information from unauthorized
• access,
• damage,
• use,
• modification,
• disclosure or
• impairment,
as may be specified in:
• an agreement between the parties; or
• any law for the time being in force; or
• in the absence of such agreement or law, such reasonable security practices and procedures as may be prescribed by the Central Government.

• Privacy Policy
• Consent for collection of data
• Collection of data
• Use and Retention
• Opt Out/Withdrawal
• Access and Review of Information
• Grievance Mechanism
• Limitation on Disclosure of Information
• Limitation on Transfer of Information
• Reasonable Security Practices and Procedures

PRIVACY POLICY: RULE 4
A body corporate or any person on its behalf that
• collects, receives, possesses,
• stores, deals or handles
information of a provider of information shall provide a privacy policy for handling of or dealing in ‘sensitive personal data or information’.
Providers of information are those natural persons who provide sensitive personal data or information to a body corporate.

PRIVACY POLICY: RULE 4 (contd.)
The privacy policy shall be published on the website and provide:
• clear and easily accessible statements of its practices and policies;
• the type of personal or sensitive personal data or information collected;
• the purpose of collection and usage of such information;
• disclosure of information, including sensitive personal data or information;
• the reasonable security practices and procedures followed by the body corporate.

EXCEPTION
Any body corporate providing services relating to collection, storage, dealing or handling of sensitive personal data or information under a contractual obligation with any legal entity located within or outside India is not subject to the requirements of Rules 5 & 6.
This exemption is mainly applicable to data collection agencies.
However, a body corporate providing services to the provider of information under a contractual obligation directly with them, as the case may be, is subject to Rules 5 & 6.

CONSENT
RULE 5(1)
Requires the body corporate or any person on its behalf,
• before collection of sensitive personal data or information,
• to obtain consent in writing through any mode of electronic communication, including letter, fax or email, from the ‘provider of the information’
• regarding the purpose of usage of such information.

CONSENT
RULE 5(3)
Requirements in case of collection of information directly from the person concerned: steps to ensure that the person concerned has knowledge of
• the fact that the information is being collected;
• the purpose for which the information is being collected;
• the intended recipients of the information; and
• the name and address of
  ◦ the agency that is collecting the information; and
  ◦ the agency that will retain the information.

PURPOSE OF COLLECTION OF INFORMATION
RULE 5(2)
Sensitive personal data or information can be collected only under the following two circumstances:
1. For a ‘lawful purpose’ connected with a function or activity of the body corporate or any person on its behalf; and
2. Considered ‘necessary’ for that purpose.

USE AND RETENTION OF INFORMATION
USE - RULE 5(5):
The information collected shall be used only for the purpose for which it has been collected.
RETENTION - RULE 5(4):
A body corporate or its representative must not retain such information for longer than is required for the purposes for which the information may lawfully be used, or as required under any other law in force.

OPT OUT/WITHDRAWAL
RULE 5(7):
Requires the body corporate to give the provider of information an option:
1. prior to the collection of the information, to not provide the data or information sought to be collected;
2. of withdrawing consent given earlier to the body corporate.
• Withdrawal shall be sent in writing to the body corporate.
• The body corporate shall then have the option to not provide the goods or services for which the said information was sought.

ACCESS & REVIEW OF INFORMATION
RULE 5(6)
• Providers of information are permitted to review the information provided by them, as and when requested by them.
• Information, if found to be inaccurate or deficient, shall be corrected or amended as feasible.
• The body corporate is NOT responsible for the authenticity of the personal information or sensitive personal data or information as supplied by the provider to the body corporate.

GRIEVANCE REDRESSAL MECHANISM
RULE 5(9)
• Time-bound redressal of any discrepancies and grievances.
• A Grievance Officer shall be appointed.
• Publication of the name and contact details of the Grievance Officer on the website.
• Redressal of grievances: within one month from the date of receipt of the grievance.

LIMITATION ON DISCLOSURE OF INFORMATION
RULE 6
Permission of the provider of the information is required before disclosure of information.
Exceptions:
1. when disclosure is agreed upon in the contract;
2. when disclosure is necessary for compliance with a legal obligation;
3. when disclosure is to Government agencies mandated under the law to obtain information;
4. when disclosure is to any third party by an order under the law for the time being in force.

LIMITATION ON DISCLOSURE OF INFORMATION (contd.)
RULE 6
Rule 6 also forbids the following:
1. Publication of sensitive personal data or information by the body corporate or its representative;
2. Disclosure by a third party receiving the sensitive personal data or information from the body corporate.

LIMITATION ON TRANSFER OF INFORMATION
RULE 7
Transfer is allowed to another body corporate or a person in India, or located in any other country.
Transfer is allowed only if:
1. the other body corporate or person ensures the same level of data protection that is adhered to by the body corporate as provided under these rules;
2. it is necessary for the performance of the lawful contract between the provider of the information and the body corporate receiving the information.

REASONABLE SECURITY PRACTICES AND PROCEDURES
RULE 8
Prescribes the standard to be adhered to by a body corporate receiving the information,
• in the absence of an agreement between the parties;
• or any law for the time being in force.
One such prescribed standard: the International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements”.

REASONABLE SECURITY PRACTICES AND PROCEDURES (contd.)
Any other security code, if followed, shall be:
• duly approved and notified by the Central Government;
• audited annually by an independent auditor approved by the Central Government.
In the event of an information security breach, the body corporate must demonstrate implementation of its security control measures.

REASONABLE SECURITY PRACTICES AND PROCEDURES (contd.)
A body corporate or a person on its behalf shall be deemed to have complied with reasonable security practices and procedures if:
• they have implemented such security practices and standards, and
• have a comprehensive documented information security programme and information security policies for managerial, technical, operational and physical security, which are proportionate with the information assets being protected and with the nature of business.

IT Act, 2000 is available at:
http://www.mit.gov.in/sites/upload_files/dit/files/downloads/itact2000/itbill2000.pdf
IT (Amendment) Act, 2008 is available at:
http://www.mit.gov.in/sites/upload_files/dit/files/downloads/itact2000/it_amendment_act2008.pdf
Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 are available at:
http://www.mit.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf
Clarification on Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 under section 43A of the Information Technology Act, 2000:
http://mit.gov.in/sites/upload_files/dit/files/PressNote_25811.pdf

THANK YOU
Vaish Associates Advocates
Celebrating 43 years of professional excellence
1st & 11th Floors, Mohan Dev Building, 13, Tolstoy Marg, New Delhi 110001 (India)
Phone: +91 11 42492532 (Direct) | Phone: +91 11 42492525 (Board)
Mobile: +91 9810081079
Fax: +91 11 23320484
Email: [email protected]
www.vaishlaw.com
Intellectual Property & Information Technology Laws Division
New Delhi | Mumbai | Bangalore | Gurgaon