Scribd Logo
Upload

Welcome to Scribd!

  • 2011 Indian Privacy Law - Outsourcing Law

    Uploaded by

    Arun Pragada
    13 views4 pages
    Privacy Data Protection Law

    Original Title

    2011 Indian Privacy Law _ Outsourcing Law

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Privacy Data Protection Law

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    13 views4 pages

    2011 Indian Privacy Law - Outsourcing Law

    Uploaded by

    Arun Pragada
    Privacy Data Protection Law

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 4

    OutsourcingLawhttp://www.outsourcinglaw.

    com

    2011IndianPrivacyLaw

    byKochhar&Co
    www.kochhar.com
    att:stephen.mathias@bgl.kochhar.com
    Introduction
    OnApril11,2011,IndiasMinistryofCommunicationsandInformationTechnologynotifiedthe
    InformationTechnology(Reasonablesecuritypracticesandproceduresandsensitivepersonaldata
    orinformation)Rules,2011undertheInformationTechnologyAct,2000.Indianowhasaprivacy
    law,broughtintoforcewithimmediateeffectwithwideramificationsonthewaycompanieswilldo
    businessinIndia.Thisclientadvisoryprovidesadescriptionandreviewofthenewlaw.

    InformationTechnologyAct
    Untilacoupleofyearsago,Indianlawhadnoprovisionsdealingwithprivacyprotection.The
    enactmentoftheRighttoInformationAct,2005gaveafilliptotransparencyingovernmentdealings
    andconcurrentlyprovidedsomeprotectionagainsttheunwarranteddisclosureofconfidential
    informationunderthatlaw.In2008,theITActwasamendedtointroducethefollowing:

    Anewcivilprovisionprescribingdamagesforanentitythatisnegligentinusingreasonablesecurity
    practicesandprocedureswhilehandlingsensitivepersonaldataorinformationresultingin
    wrongfullossorwrongfulgaintoanyperson.
    Criminalpunishmentforapersonif(a)hedisclosessensitivepersonalinformation(b)doesso
    withouttheconsentofthepersonorinbreachoftherelevantcontractand(c)withanintentionof,
    orknowingthatthedisclosurewouldcausewrongfullossorgain.
    Ineffect,thecivilprovisionmerelyprovidedfordamagesfornegligentconductwhichisalready
    availableundercommonlaw.Thecriminalprovisionisfairlynarrowandincludesanelementofmens
    rea,i.e.,actualintentiontodowrongisrequired.Thetwoprovisionswereclearlynotcomprehensive
    intermsofprivacyprotectioninIndia.

    SalientFeaturesofNewRules
    Thefollowingarethesalientfeaturesofthenewrules:

    SensitivePersonalInformation.Thelawrelatestodealingwithinformationgenerally,personal
    informationandsensitivepersonaldataorinformation(hereinafter,SPD).SPDisdefinedto
    coverthefollowing:(a)passwords,(b)financialinformationsuchasbankaccountorcreditcardor
    debitcardorotherpaymentinstrumentdetails(c)physical,physiologicalandmentalhealth
    condition(d)sexualorientation(e)medicalrecordsandhistoryand(f)biometricinformation.It
    maybenotedthatSPDdealsonlywithinformationofindividualsandnotinformationofbusinesses.
    PrivacyPolicy.Everybusinessisrequiredtohaveaprivacypolicy,tobepublishedonitswebsite.
    ThebusinesshastoalsoappointaGrievanceOfficer.Theprivacypolicyappearstoberequired
    whetherornotthebusinessdealswithSPD.Theprivacypolicymustdescribewhatinformationis
    collected,thepurposeofuseoftheinformation,towhomorhowtheinformationmightbedisclosed
    andthereasonablesecuritypracticesfollowedtosafeguardtheinformation.
    Consentforcollection.AbusinesscannotcollectSPDunlessitobtainsthepriorconsentofthe
    provideroftheinformation.Theconsenthastobeprovidedbyletter,faxoremail.Thebusiness
    mustalso,priortocollectingtheinformation,givetheoptiontotheprovideroftheinformationto
    notprovidesuchinformation.Insuchcase,thebusinesscanceaseprovidinggoodsandservicesfor
    whichtheinformationissought.
    Notification.Thebusinessshouldensurethattheprovideroftheinformationisawarethatthe
    informationisbeingcollected,thepurposeofuseoftheinformation,therecipientsofthe
    informationandthenameandaddressoftheagencycollectingtheinformation.Priorconsentis
    requiredfordisclosureoftheinformationtoanypartyotherthanthegovernment.
    Useandretention.Thebusinesscanusepersonalinformationonlyforthepurposeforwhichitwas
    collected.Also,thebusinesscannotretaintheSPDforlongerthanisrequiredforthepurposesfor
    whichtheinformationmaylawfullybeusedorisotherwiserequiredunderanyotherlaw.
    Rightofaccess,correctionandwithdrawal.Thebusinessshouldpermittheproviderofthe
    informationtherighttoreviewthatinformationandshouldensurethatanyinformationfoundtobe
    inaccurateordeficientbecorrected.Theprovideroftheinformationalsohastherighttowithdrawits
    consenttothecollectionanduseoftheinformation.
    Transnationaltransfer.AbusinesscanonlytransfertheSPDorinformationtoapartyoverseasif
    theoverseaspartyensuresthesamelevelofprotectionprovidedforundertheIndianrules.
    Further,theinformationcanbetransferredonlyifitisnecessaryfortheperformanceofalawful
    contractbetweenthebodycorporateandtheinformationproviderorwheretheinformationprovider
    hasprovidedhisconsenttosuchtransfer.
    Securityprocedures.TheITActrequiresreasonablesecurityprocedurestobemaintainedinorderto
    escapeliability(seeabove).Therulesappeartostatethatreasonablesecurityprocedureswouldbe
    either(a)theIS/ISO/IEC27001onInformationTechnologySecurityTechniquesInformation
    SecurityManagementSystemRequirementsor(b)acodedevelopedbyanindustryassociation
    andapprovedandnotifiedbythegovernment.Thesecurityprocedurehastobeauditedonaregular
    basisbyanindependentauditor,whohasbeenapprovedbytheGovernmentofIndia.Suchaudit
    shouldbecarriedoutatleastonceayearorasandwhenthebodycorporatehasundertakena
    significantupgradationofitscomputerresource.
    ImplicationsoftheNewRules
    ForEmployers
    Employerswillneedtoprepareaprivacypolicyandobtaintheconsentoftheemployeestothe
    privacypolicybyfax,letteroremail.Theemployerhastogivetheemployeetherightnottoprovide
    SPD(andconsequently,nottohiretheemployee,thoughthisisnotentiretyclear).Theprivacy
    policyneedstosetoutwhatinformationisbeingcollected,whatitwillbeusedforandthenameand
    addressoftheagencycollectingtheinformation.Aseriousconcernwouldbetherightofthe
    employeetoaccessallinformationabouthim,toreviewandcorrecttheinformationandtorequire
    theinformationtobedeleted.

    ForMultinationalsinIndia
    Multinationalstendtomaintaincentralizeddatabasesofinformationabouttheirbusinessesallover
    theworld,includinginparticular,informationaboutemployees,serviceprovidersandcustomers.
    SincetherulesareinsomepartsmorestringentthaneventheEuropeanrules,overseasgroup
    entitieswhoreceivetheinformationwillhavetobuildinprocessestocomplywiththerules.Further,
    theIndianentitywillneedtomeettherequirementsforhavingaprivacypolicy,consentfor
    collection,notificationaboutpurposeofuseoftheinformationandwhowillbecollectingthe
    informationandconsentfromtheprovidersforprovidingsuchinformationtoanotherparty.

    FortheOutsourcingIndustry
    TherulesareframedundertheInformationTechnologyAct2000whichappliestothewholeof
    India.Onaplainreading,thismeansthatanybusinessdealingwithinformationorSPDinIndiahas
    tocomplywiththerules,evenifsuchinformationrelatestoanindividualbasedoutsideIndia.The
    logicaleffectofthisisthatthevendorinIndiaorhiscustomeroverseaswillneedtofulfillthe
    requirementsofthelawwiththeconcernedindividual,suchastheconsentforcollection,notification
    obligations,rightofaccess,correctionandwithdrawal.Thishasgraveimplicationsforthe
    outsourcingindustryandcouldleadtodisruptionofBPOoperationsinIndia.

    ReviewoftheNewRules:
    Therearesomesignificantconcernsassociatedwiththeimplementationofthenewlaw.Theseareas
    follows:

    Transitionperiod.Thelawdoesnothaveatransitionperiod.Itcomesintoforcewithimmediate
    effect.Itappliestobodycorporateswhichincludessoleproprietors,partnershipsandassociations
    ofpersonsdoingbusiness.Theeffectisthatthelawhastobeimplementedinahurriedmannerby
    everysinglebusinessinthecountry.Thisisclearlyquiteimpractical.Mostsmallbusinessesarelikely
    toignorethelawandnotcomplywithit.
    Ultraviresthestatute?Theruleshavebeenframedundertheprovisionrelatingtothecivilremedy
    (describedabove)incaseanorganizationdoesnotusereasonablesecuritypracticesand
    procedures.Accordingly,thegovernmentwasonlytohavesetforthwhatwouldbethose
    proceduresandwhatconstitutesSPD.However,therulesinsteadtalkabouttherighttouse
    personalinformationitselfandseveralotherrelatedmatters.Onemaybeabletomakeoutacase
    thattherulesgobeyondwhatispermittedbythestatute.However,thegovernmentcanremedy
    thisbyamendingtherulestoprovidethattheyhavebeenissuedunderthegeneralrulemaking
    powerunderthestatueandnotthespecificrulemakingpowerasstatedabove.
    Applicabilitytoinformationgenerally.Thelawdefinessensitivepersonaldataandinformation
    (SPD).Insomeplaces,referencesaretoSPDandinotherplacestopersonalinformationandto
    informationgenerally.Thereissometimessomeambiguityoverwhethercertainprovisionsapplyto
    allinformation,personalinformationoronlytoSPD.Insomecases,itseemsclearthatthe
    applicabilityistoinformationgenerally,therebywideningtheambitofthelaw.
    Applicabilitytofinancialinformation.UnlikeintheEuropeanlaw.thelawincludesfinancialinformation
    generallywithinSPD.Alargepartofbusinessinformationisfinancialinnature.Theinclusionof
    financialinformationsetsahighstandardofprivacyprotectionrelatingtoinformationthatisreceived
    intheordinarycourseofbusiness.ThisislikelytohaveadisruptiveeffectonbusinessinIndia.
    Consentasacondition.TherequirementofconsentasamandatoryconditionfortheuseofallSPD
    issurprisingandrestrictive.UnderEuropeanlaw,consentisjustonegroundonthebasisofwhich
    SPDcanbeused.Forexample,forpersonalinformationgenerally,(includingfinancialinformation),
    onecanprocesssuchinformationwithoutconsentoftheproviderifitisnecessaryforthepurpose
    ofperformanceofacontractwiththeprovideroftheinformation.
    MethodofConsent.Themethodofconsentrequiredisverysurprising!Theconsentcanbe
    obtainedonlythroughletter,faxoremail!Itappearsthattheconsentcannotbeobtainedthrough
    anonlineconsent,perhaps,noteventhroughacontractanddefinitelynotthroughtheacceptance
    ofaprivacypolicy.Onewouldhaveexpectedanelectroniclawtobethoughtthroughmorein
    electronicterms!
    Unlimitedrightofaccess.Therightofaccessisprovidedtoobroadlywithoutregardtovarious
    exceptionsthatwouldneedtobebuiltin.TheEuropeanlawcontainsoveradozenexceptionsthat
    coverobvioussituations.
    Withdrawalofconsent.Therightoftheprovidertowithdrawconsentisnaiveandimpractical.
    Businesscannotbeconductedwithouttheflowofinformationandconsentcannotbetheonlyfactor
    inthecollection,useorcontinueduseofsuchinformation.Oncethatinformationhasbeenreceived
    andprocessed,itmayberequiredbytherecipientandcannotbeunilaterallywithdrawnbythe
    provider.Evensafeguardsrelatingtolegalrequirementsforrecordkeeping,whicharepresentinthe
    languageondurationofretention,arenotpresentinthisprovision.
    Securitystandards.Underthestatute,theprescribedsecuritystandardsapplyonlyiftheprovider
    andrecipientoftheinformationhavenotagreedonthestandardsinacontract.Thelawseemsto
    suggestthatinsuchasituation,oneeitherfollowsIS/ISO/IEC27001oragovernmentapproved
    codedevelopedbyanindustrybody.Itisnotclearwhetherthesearetheonlytwooptionsor
    merelythatifeitheroftheseoptionsisused,theconcernedbusinessisdeemedtohavecomplied
    withitsobligationtousereasonablesecurityprocedures.Itisourunderstandingthatthe
    requirementsofthiscodearequiteonerousandlargelyfollowedbybanksandlargeorganizations
    thatneedveryhighstandardsofsecurity.
    ApplicabilitytoGovernment.Therulesdonotapplytothegovernment,therebyexemptingoneof
    thelargestprocessorsofpersonalinformationinthecountry.Thismeansthatoneofthekey
    reasonsforhavingaprivacylawhasnotbeenfulfilled.Perhaps,thenonapplicabilitytothe
    governmentcanbeunderstoodinthecontextofaseparateprojectthatthegovernmentis
    commencingtodraftalawtodealwithconcernsrelatingtotheGovernmentscreationofan
    identitydatabase.ItmaybenotedthatKochhar&Cowasrecentlyawardedtheprojecttoreview
    existinglawsandframerulesfortheprotectionofidentityinformationcontainedinthedatabase.
    Conclusion
    Overall,thelaw,whilelaudableinobjective,ispoorlywritten,notproperlythoughtthrough,too
    simplisticandfailstoaddressmorecomplexnuancesofdataprotectionissuesthatfindplaceinthe
    Europeanlaw.IthasgraveimplicationsfordoingbusinessinIndia,particularlyformultinationals
    operatinginIndiaandtheoutsourcingindustry.Thisappearstobeacaseofonestepforwardand
    twostepsbackward!

    Anexerciseisurgentlyrequiredtoclarifyandinsomecases,amendtherulessothatambiguityis
    removedandobviousexceptionsarebuiltintotherules.Wewouldprobablyalsoneeda
    governmentagencytoimplementtherulesinaproactive,businessmindedmanneralongthelines
    oftheInformationCommissionerintheUK.

    Kochhar&Co

    ArticleprintedfromOutsourcingLaw:http://www.outsourcinglaw.com

    URLtoarticle:http://www.outsourcinglaw.com/2011/07/2011indianprivacylaw/
    Copyright2012OutsourcingLaw.Allrightsreserved.

    You might also like