On 11 April 2011, India adopted new privacy regulations, known as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011. The Rules impose wide-ranging obligations on any 'body corporate' that 'collects, receives, possesses, stores, deals or handles' personal information.
These obligations require companies to provide privacy policies, restrict the processing of sensitive personal data, restrict international data transfers and require additional security measures.
Sensitive personal data includes physical, physiological and mental health conditions, medical records and history, and sexual orientation. The definition in the Rules also envisages biometric data, passwords and financial information such as bank account details, credit and debit card details. Information that is freely available or accessible in the public domain is excluded from the definition of sensitive personal data.
Organisations must ensure that, at the point of collection of any data, individuals are made aware of the fact that their data is being collected, the purpose for which the data is collected, the intended recipients of the data and the contact details of both the agency collecting the data and the agency that will retain the data. All data is subject to a restriction on any processing for secondary purposes: it must be processed only for the purpose for which it was collected.
The prior written consent of individuals is required before their sensitive personal data may be processed. Consent may be obtained by letter, fax or email. The provider of the sensitive personal data must be given the option, at the outset, not to provide data and may withdraw their consent to the processing at any time.
Sensitive personal data or information may only be transferred to another body corporate or person in India or abroad where the same level of data protection is assured. The Rules also stipulate that 'the transfer may be allowed only if it is necessary' for the performance of a lawful contract with the provider of the data or with their consent.
A company will be taken to have complied with reasonable security practices and procedures where it has implemented those practices and has a comprehensive documented information security programme and policies that contain managerial, technical, operational and physical control measures commensurate with the information assets and nature of the business. In the event of a security breach, the organisation must be able to demonstrate that it has implemented its documented security control measures when asked to do so.
In terms of the immediate steps required to be taken by organisations which routinely collect sensitive personal data, the following may need to be considered or implemented: (i) including in employment contracts and offer letters the specific consent of the employee to the employer collecting, accessing and using personal information and sharing such information with third parties in accordance with the Rules; and (ii) reviewing any online terms and conditions available on a company's website to ensure compliance with the Rules.
The Rules introduce an omnibus privacy law that is similar in many respects to existing EU data protection law, but which raises some fundamental challenges for India's numerous outsourcing vendors and their customers.