India has recently extended its information technology laws to embrace wider data privacy issues. These new regulations will have some impact on those outsourcing to India, but will be more significant for those conducting business in India. Set out here is a summary of the key changes brought about by these laws along with some of the issues that they raise.


Compensation for loss of data


The new regulations have been issued under the Indian Information Technology Act 2000 (IT Act). The IT Act was originally passed in order to, amongst other things, provide legal recognition for e-commerce and sanctions for computer misuse. It did not, however, have any express provisions regarding data security. As a result, the IT Act could be used to prosecute hackers who caused a data breach but did not provide other remedies, for example, against an organisation that failed to adequately protect that information.


This gap was partly filled by a 2008 amendment to the IT Act. Section 43A of the IT (Amendment) Act 2008 provided compensation to persons who suffer loss because of a “body corporate’s”  failure to implement and maintain “reasonable security practices and procedures” to protect “sensitive personal data or information”. The term “body corporate” is not limited to companies and includes “a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.” Arguably, most entities that are undertaking any commercial or professional activities can be brought within this definition and can be held liable under this rule.


Section 43A defined “reasonable security practices or procedures” to mean those contractually specified in an agreement between the parties or specified in any law, and, in the absence of any such law or agreement, as may be prescribed by the central government. However, the meaning of “sensitive personal data or information” was not defined and was, instead, left to further implementing regulations.


Exceeding its mandate?


The concepts of “sensitive personal data or information” and “reasonable security practices and procedures” are now clarified in the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 (Sensitive Personal Data Rules). These were issued in April, 2011, under Section 43A.


Whilst issued under Section 43A, the rules go far beyond a simple definition of “sensitive personal data or information” and “reasonable security practices or procedures.” Instead, they impose a wider set of data privacy obligations on a body corporate or a person acting on its behalf that processes information including sensitive personal data or information. As a result, there are some questions about whether these rules have exceeded their mandate under section 43A and the scope of their applicability. This is particularly the case where the body corporate has its security measures set by contract and therefore does not need to look to the rules for further definition.


Highlighted below are some of the key changes brought in by the Sensitive Personal Data Rules and their practical implications.


Sensitive personal data or information


The Sensitive Personal Data Rules define “sensitive personal data or information” about a person to include information about


  • passwords;

  • financial information such as bank accounts, credit and debit card details;

  • physiological and mental health conditions, medical records;

  • sexual orientation;

  • biometric information;

  • any detail relating to the above information provided to a body corporate for providing service, and

  • any information received under the above by a body corporate for processing, stored or processed under a lawful contract or otherwise.


Information that is freely available in the public domain or accessible under the Right to Information Act 2005 or any other law will not be regarded as sensitive personal data or information. It is interesting to note that, shorn of any historical baggage, the Sensitive Personal Data Rules specify information that is more likely to be of direct concern to individuals (e.g. passwords and financial data) than some types of sensitive personal information identified in the European Data Protection Directive. (See also Peter Fleischer’s blog, Trying to define “sensitive” data, 17 May 2011, at peterfleischer.blogspot.com.)


Consent to process sensitive personal information


One of the most significant changes for the handling of sensitive personal data is the requirement that a body corporate must get consent from the “provider of information” for the processing of that data.


The term “provider of information” is not defined in the Sensitive Personal Data Rules, and this makes the application of the rules ambiguous. Does “provider of information” refer to the individual data subject? Or, in certain situations, does the provider of information refer to the person who provided the information to the body corporate, who may not be the individual to whom the information relates? Regulation 5(3) prescribes certain guidelines that have to be complied with by a body corporate “while collecting information directly from the person concerned.” This provision clearly refers to a situation where information is being collected directly from the data subject, for instance, by a bank from its customers. If the intent was to get consent from individual data subjects at all times, why isn’t similar language used in Regulation 5(1), which instead uses the term “provider of information”?


Some commentators have suggested that the term “provider of information” refers to the underlying individuals in all cases. This would mean that consent from the underlying individual would be required in all cases where a body corporate is processing data on behalf of another entity, which could cause significant practical difficulties for outsourcings. A more reasonable interpretation for the term “provider of information” vis-a-vis a body corporate is to refer to the person who provided the information to that body corporate. For example, where the processing of sensitive personal information is outsourced to a service provider in India, the service provider has only to seek the consent of its customer, who is the “provider of information” vis-a-vis the service provider. Whether that customer must, in turn, obtain the consent of the individual to whom the information relates depends on the data protection laws that apply to the customer in the jurisdiction where the information is being collected.


Restrictions on disclosure of sensitive personal information


A body corporate is required to obtain permission from the provider of information prior to disclosing the information to a third party. The use of the term “provider of information” once again raises issues similar to those discussed in the previous paragraph.


A body corporate is permitted to disclose sensitive personal data or information where such disclosure has been agreed to in the contract between the body corporate and the provider of information. Needless to say, the cautious approach would be to ensure that to the extent possible any contract pursuant to which sensitive personal data or information is being collected includes a provision expressly permitting such body corporate to disclose the sensitive personal data or information for processing or other specified purposes.


There is an exception for disclosures mandated by law or to government agencies for certain purposes. There is also an exception for disclosures to sub-contractors who provide an appropriate level of security.


Reasonable security practices and procedures


The Sensitive Personal Data Rules set out what measures constitute “reasonable security practices and procedures.” A body corporate caught by the rules (so, not one that has security measures imposed by contract) must implement security practices and procedures that include a comprehensive documented information security programme and information security policies. The information security policies should contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected.


Organisations following IS/ISO/IEC 27001 codes are deemed to have implemented reasonable security practices and procedures. Industry associations or industry clusters that follow security standards other than IS/ISO/IEC 27001 codes are required to have those standards approved by the government.


Wider privacy changes


The Sensitive Personal Data Rules also contain a number of other changes that potentially have a wider privacy impact. These include


  • an obligation to ensure that, when information is collected “directly from the person concerned,” that person is informed of the purpose for which the information is collected, the intended recipients of the information and the name and address of the agency that will collect and hold the information;

  • a right for “providers of information” to review information they provide and to make corrections;

  • a right for “providers of information” to withdraw consent to processing;

  • an obligation to ensure sensitive personal information is only collected for a lawful purpose, and the collection of information must be necessary for that purpose;

  • an obligation to keep sensitive personal information for no longer than necessary, and

  • an obligation for a body corporate to appoint a grievance officer to deal with complaints.


Conclusion


The Sensitive Personal Data Rules attempt to fill the gaps in Section 43A of the IT Act by providing a definition for “sensitive personal data and information” and laying down standards for reasonable security practices. However, questions have been raised on whether the Sensitive Personal Data Rules go beyond their mandate and attempt to implement a broad set of privacy rules.


Those conducting business in India will need to take steps to comply with these new requirements, including the development of appropriate policies and security practices.


The impact of these rules on those outsourcing services to India is still somewhat uncertain. In the absence of further guidance on how the Sensitive Personal Data Rules should be interpreted, it is at least possible that some India-based service providers will ask their customers to start obtaining consents from underlying data subjects to process sensitive personal information.