
The Information Technology (Reasonable Security Practices & Procedures and Sensitive Personal Data or Information) Rules, 2011 apply to all organizations that collect and use personal data and information in India. The law applies to all companies in India receiving any information from anywhere. On the face of it, it does not exempt service providers or intermediaries that collect and process information on behalf of other organizations. This means that any personal data collected in India, or collected outside India and transferred into the country, is governed by these rules. The privacy rules include an obligation to give notice to individuals when personal information is collected. Before collecting the information, the organization, or a person acting on its behalf, must obtain written consent by letter, fax or email from the provider of the sensitive personal data regarding the purpose of use. This suggests that outsourcing providers in India may be required to notify every person seeking assistance at a call center about their data handling practices and to obtain consent before handling personal data. Outsourcing providers may also have to ensure that their customers' data handling practices match the requirements laid down in the new rules.

Please note: Section 43A only seeks to protect sensitive personal data, as opposed to mere personal data. Sensitive personal data is broadly defined to include:

a) password;
b) financial information (bank account, credit / debit card, any other payment instrument details);
c) physical, physiological and mental health conditions, medical records and history;
d) sexual orientation;
e) biometric information;
f) any detail relating to the above clauses as provided to a body corporate for providing a service; and
g) any of the information received under the above clauses by a body corporate for processing, stored or processed under lawful contract or otherwise.

There are no exceptions listed in the regulation. Sensitive personal data may not be collected unless it is for a lawful purpose connected to a function or activity of the organization, or of any person on its behalf, and the collection is necessary for that purpose. Sensitive personal data may only be transferred to another organization or person, in India or abroad, that ensures the same level of data protection as provided by these privacy rules. Such a transfer is allowed only if it is necessary for the performance of a contract between the organization (or any person on its behalf) and the provider of information, or where the provider has consented to the transfer. Corporate entities commonly enter into agreements with other companies, clients, agencies or partners to keep information secure, such as non-disclosure agreements, non-circumvention agreements, licence agreements and referral partner agreements, which contain confidentiality and privacy clauses. Although the rules require this information to be kept confidential from third parties except with the individual's prior consent, they explicitly state that all sensitive personal details shall be shared, without obtaining prior consent from the provider of information, with government agencies mandated under the law to obtain information, including sensitive personal data or information, for the purpose of verification of identity, or for the prevention, detection, investigation (including of cyber incidents), prosecution and punishment of offences. The government has been criticized for giving itself a master key to the sensitive personal information of individuals.

These privacy rules therefore rest on the pillars of individual consent, the right to opt out, contractual or necessary third-party disclosure, contractual transfer of information, a distinct privacy policy, access for providers of information to their data, and a dispute resolution mechanism.

If there is a security breach, the organization will have to demonstrate that it had implemented reasonable security control measures if it is to avoid a heavy penalty. The rules define this as follows:

Reasonable Security Practices and Procedures. (1) A body corporate or a person on its behalf shall be considered to have complied with reasonable security practices and procedures, if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business. In the event of an information security breach, the body corporate or a person on its behalf shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies.

Rule 7(4) of the Information Technology (Reasonable security practices and procedures and sensitive personal information) Rules, 2011 states that a body corporate that has implemented either the IS/ISO/IEC 27001 standard or the codes of best practices for data protection approved under sub-rule (3) shall be deemed to have complied with reasonable security practices and procedures. The notification also states that:

The audit of reasonable security practices and procedures shall be carried out under sub-rule (3) and the body corporate shall be deemed to have complied with reasonable security practices and procedures provided that such standard or the codes of best practices have been certified or audited on a regular basis by entities through independent auditor, duly approved by the Central Government at least once a year or as and when the body corporate or a person on its behalf undertake significant upgradation of its process and computer resource.

The body corporate thus has to undergo the audit, and failure to comply could lead to a substantial legal liability.

Section 43A of the amended Information Technology Act: Compensation for failure to protect data

Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

Section 72A of the amended Information Technology Act: Punishment for disclosure of information in breach of lawful contract

Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both.

India is an important outsourcing hub, and U.S. and European multinational organizations have established extensive IT and back-office centers there. Given the wide scope of these highly restrictive privacy rules, that business may be affected, since BPOs will have to adjust their personal data collection practices to conform to the new Indian data protection rules. It is not yet clear how companies will adapt to the new rules and incorporate them. Widespread and successful adoption of the rules also depends on how the authorities enforce the law: the degree to which companies will comply remains unclear, as does the extent to which Indian authorities will enforce them. Nevertheless, the new privacy laws have the potential to dramatically affect the business landscape for IT companies in India and for overseas companies that contract IT services with Indian companies. IT service buyers may benefit from the improved security measures, and Indian providers may attract more foreign clients, especially those who had previously decided against outsourcing for security reasons. However, the rules may also cause outsourcing business from the US to move to countries where such rules are less stringent: U.S. companies may not want to adhere to India's relatively strong standards and could seek outsourcing partners elsewhere. There is speculation, however, that given the importance of IT to India, overly burdensome regulations will likely be relaxed, go unenforced, or be superseded by subsequent legislation.

The Ministry of Communication and Information Technology, Department of Information Technology, Government of India has issued the following notifications under the Information Technology Act, 2000:

1. Information Technology (Intermediaries Guidelines) Rules, 2011; and
2. Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data and Information) Rules, 2011.

The final set of Rules under Sections 43A and 79 of the IT Amendment Act, 2008 has been formalized for publication in the Gazette of India (Extraordinary), Part-II, Section 3, sub-section (1).
