On April 11 2011 the central government announced the new Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, under the Information Technology Act 2000. Such privacy rules represent an important step in the regulation of data privacy and impose stringent obligations on corporations (including banks) for the implementation of adequate steps for the protection of personal information and sensitive personal data.
Section 43A was introduced to the Information Technology Act in 2008. It provided that where a body corporate possessing, dealing with or handling any sensitive personal data or information in a computer resource that it owned, controlled or operated was negligent in implementing and maintaining reasonable security practices and procedures,(1) and thereby caused wrongful loss or wrongful gain to any person, such body corporate would be liable to pay damages by way of compensation to the affected person.
Before the introduction of the privacy rules, no law set out the reasonable security practices and procedures to be followed (as required by Section 43A of the act). Such practices were typically determined by contract between the relevant recipient and the data subject. However, several banks in India have voluntarily adopted a number of codes, including:
- the Bankers' Fair Practice Code, the Fair Practice Code for Credit Card Operations and the Model Deposit Policy, formulated by the Indian Bank Association; and
- the Code of Banks' Commitment to Customers, implemented by the Indian Banking Codes and Standards Board.
These codes require banks to maintain all personal customer information as private and confidential, and restrict banks from sharing customers' information (eg, personal data and account details) with a third party without the prior consent of the customer. However, none of these codes has the force of law.
The privacy rules define two terms - 'personal information' and 'sensitive personal data' - and set out the guidelines to be followed by any corporation that receives such information.
Personal and sensitive information
'Personal information' is defined as:
"any information that relates to a natural person which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying that person."
The definition expressly applies only to natural persons. Information relating to corporate and other legal persons is not protected under the privacy rules.
'Sensitive personal data' is defined as:
"personal information that consists of information relating to passwords; financial information such as Bank account or credit card or debit card or other payment instrument details; physical, physiological and mental health condition; sexual orientation; medical history and records and biometric information; any detail relating to the above clauses as provided to [a] body corporate for providing service; and any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise."
The definition expressly excludes any information either that is in the public domain or that is furnished under the Right to Information Act 2005.
Key steps to be implemented by banks under privacy rules
Banks must comply with the provisions on the collection and usage of personal and sensitive information, as detailed under the privacy rules. Sensitive information must:
- be collected for a lawful purpose;
- relate to the functions or activities to be undertaken by the bank; and
- be used only for the purpose for which it has been collected.
Further, the bank (or any person on its behalf) must obtain consent in writing (by way of letter, fax or email) from the data subject regarding the intended purpose of use, before collecting any such information.
The bank (or any person on its behalf) must take reasonable steps to ensure that the data subject is aware:
- that such information is being collected;
- of the purpose of collection;
- of the intended recipients of such information; and
- of the name and address of the agency that is collecting or will retain the information.
In the absence of a lawful contract permitting disclosure, the bank must obtain prior consent of the data subject before disclosing any sensitive information to a third party, unless such disclosure is required by law.
The bank (or any person on its behalf) may transfer sensitive information to any entity in India or overseas only if:
- such other entity ensures the same level of data protection as that adhered to by the bank under the privacy rules; and
- the transfer is necessary for the performance of the lawful contract between the bank (or any person on its behalf) and the data subject, or where such person has consented to a data transfer.
The bank must have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures.(2)
The language of the explanation in Section 43A(ii) of the Information Technology Act appears to indicate that, in respect of the technical security procedures (but not consent requirements) to be followed, a bank may contractually agree with the data subject to a different set of procedures from those prescribed under the privacy rules. However, while such procedures may be contractually agreed, the procedures prescribed by the privacy rules should be viewed as a minimum threshold requirement.
The privacy rules will have a significant impact on the banking industry, given that a large volume of information that banks receive falls within the definition of 'sensitive information'. In addition to implementing a set of security practices and procedures, banks must now put in place mechanisms for obtaining specific consent before receiving sensitive information and must inform the data subject of the use and purpose for which it is being collected. At present, many banks outsource several technological and other non-core services (eg, data management and market research) to third-party service providers, some of which may be foreign entities. Banks and third-party service providers must now re-examine their security procedures and privacy policies in light of the changes brought about by the privacy rules. Banks that fail to comply with the privacy rules will be exposed to potential claims for compensatory damages by affected persons.
For further information please contact Shilpa Mankar Ahluwalia or Pooja Mahajan at Amarchand & Mangaldas & Suresh A Shroff & Co by telephone (+91 11 41590700) or fax (+91 11 26924900).
(1) "Reasonable security practices and procedures means those practices and procedures designed to protect such information from unauthorized access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit." (emphasis added)
(2) The International Standard IS/ISO/IEC 27001 on Information Technology - Security Techniques - Information Security Management System - Requirements is one such standard referred to under the act.