This article covers the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. While the Personal Data Protection Bill is still in the pipeline, this guideline is often resorted to when it comes to issues regarding the protection of sensitive personal data or information. These rules were issued by the concerned Ministry through exercising the powers conferred by Section 87(2)(ob) read with Section 43A of the Information Technology Act, 2000.

Personal data is winding up more and more valuable. Therefore, unlawful, negligent, or careless use of personal data can lead to extreme harm to an individual as well as to an organization. The reason for personal data protection isn’t to simply protect an individual’s data but also is to ensure the basic fundamental rights of the citizens. To guarantee that one’s personal data is secured and is not being misused by any individual or organization, the governments across the world often pass laws and regulations for laying down the ground rules for the processing of personal data of their citizens.

Key Features of the 2011 Rules

It defines biometrics under Rule 2(1)(b) as the technologies that measure and analyses physical characteristics of humans, like fingerprints, eye retinas and irises, voice patterns, facial patterns, hand measurements and DNA for authentication purposes.

It defines a password under Rule 2(1)(h) as a secret word or phrase or code or passphrase or secret, or encryption or decryption keys that one uses to gain admittance or access to information.

Rule 3 specifies that the following types of data or information shall be considered as personal and sensitive:

• Passwords
• Bank Account details
• Credit/debit card details
• Present and past health records
• Sexual orientation
• Biometric data

Rule 3 also clarified that any information which is freely available on the public domain or furnished under the Right to Information Act, 2005, or any such law, must not be considered as personal and sensitive for the purpose of these rules.

Rule 4 places an obligation on organizations collecting and dealing with any kind of sensitive personal data or information to draft and publish a privacy policy detailing

• Type of information collected
• Purpose of collecting such information
• Details about disclosure of collected information to any third party
• Reasonable security practices and procedures taken by the organization to protect the data

Rule 5 talks about the collection of data. It says that

• A body corporate or any person must obtain the consent of an information provider before collecting any sensitive personal data or information.
• A person shall not collect any sensitive personal data or information of an individual unless there is a connected lawful purpose.
• The information provider must be provided with an alternative to not to give sensitive personal data or information.
• The data collected shall not be used for any purpose other than specified at the time of its collection.
• A body corporate must appoint a grievance officer to address the complaints. The contact details of such officer must be available on the website of a body corporate.

Rule 6 focusses on the disclosure of information to third parties. It says that disclosure of any sensitive personal data or information to any third party requires prior permission of the information provider, except in the cases where the data is requested by a government agency for the purpose of identity verification, or for preventing, detecting, investigating crimes. Also, a third party receiving sensitive personal data or information must not publish or further disclose that data.

Rule 7 talks about the sharing of information. A body corporate is allowed to share or transfer sensitive personal data or information of an individual to a body corporate registered in India or outside that undertakes to ensure the protection of data at the same level as provided for under these Rules. The transfer is allowed when the transfer of data is essential for the performance of a lawful contract, or the transfer is undertaken subsequent to the consent of an information provider.

Rule 8 discusses reasonable security practices and procedures. A body corporate is considered to have complied with reasonable security practices and procedures, if they have implemented security practices and standards along with having a comprehensive documented information security program and information security policies such as ISO 27001:2013. Such security policies must be duly approved by the central government. A body corporate must allow an auditor to conduct an audit of its reasonable security practices and procedures, at least once a year.

Ending Notes

A single body corporate is bound to store personal data of hundreds of thousands of individuals. It is an inherent obligation of the said body corporate to ensure that every piece of data stored with it is safe and protected. Data privacy is not just a business concern anymore. An individual has his entire life at stake when it comes to the violation of his privacy. Hence, a body corporate must be meticulous while collecting the data, while an information provider must be prudent while sharing his data. Though the 2011 rules miss out on many vital issues, they have still acted as basic rules for reasonable security practices and handling of sensitive personal data or information. With the personal data protection bill bound to be passed sooner than later, it seems that the time is going to be up for the 2011 rules.