
REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION RULES, 2011
UNDER THE (INDIAN) INFORMATION TECHNOLOGY ACT, 2000

MOKTIKA KUSH (R120213017)
SUKHMANI S. KAUR (R120213034)
THE ORIGINAL INFORMATION TECHNOLOGY ACT

 The Information Technology Act 2000 (“IT Act”) of India was passed to provide legal recognition for e-commerce and sanctions for computer misuse.
 No express provisions regarding data security.
 For example: breaches of data security resulted in prosecutions of the individuals who hacked into the system, under Sections 43 and 66 of the IT Act, but no remedies were available against the organisation which originally held that information.
THE INFORMATION TECHNOLOGY (AMENDMENT) ACT, 2008

 Introduction of new data security laws.
 Section 43A and Section 72A, to provide a remedy to persons who have suffered or are likely to suffer a loss on account of that person’s personal data not having been adequately protected.
SECTION 43A OF IT ACT 2008

“Bodies corporate” can be liable if they are negligent in implementing and maintaining “reasonable security practices and procedures” to protect “sensitive personal data or information”.

A body corporate would mean:
 any company, and includes:
 a firm,
 a sole proprietorship, or
 any other association of individuals engaged in
• commercial or
• professional activities.

SECTION 72A OF IT ACT 2008

CRIMINAL LIABILITY FOR DISCLOSURE OF INFORMATION IN BREACH OF LAWFUL CONTRACT

INFORMATION TECHNOLOGY (REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION) RULES, 2011

 The term “reasonable security practices or procedures” means those security practices and procedures which are prescribed by the central government in consultation with such professional bodies or associations as the central government may deem fit.
 While the term “sensitive personal data or information” is central to these provisions, it was not defined in Section 43A and instead was to be prescribed by the central government.
 The missing detail in Section 43A was finally provided by the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 (“Sensitive Personal Data Rules”), which were issued in April 2011.
APPLICABILITY OF RULES

 These Rules are applicable only to sensitive personal data or information.
 These Rules are applicable only to the following:
i. a body corporate located within India, or
ii. any person located within India, or
iii. a body corporate dealing with the data of any person located within India.
SENSITIVE PERSONAL DATA OR INFORMATION: RULE 3, IT RULES, 2011

Sensitive personal data or information of a ‘person’ means such ‘personal information’ which consists of information relating to:
1. Password;
2. Financial information such as:
 bank account, or
 credit card or debit card, or
 other payment instrument details;
3. Physical, physiological and mental health condition; medical records;
4. Biometric information;
5. Any of the information received under the above clauses by a body corporate for
 processing,
 stored, or
 processed
under a lawful contract or otherwise;
6. User details as provided at the time of registration or thereafter; and
7. Call data records.
EXCEPTIONS

The following information is not regarded as sensitive personal data or information:
1. Information freely available or accessible in the public domain, or
2. Information furnished under the Right to Information Act, 2005 (RTI), or
3. Information furnished under any other law for the time being in force.
PERSONAL INFORMATION: RULE 2, IT RULES, 2011

 Any information that relates to a ‘natural person’
 which either directly or indirectly, in combination with other information available or likely to be available with a body corporate,
 is capable of identifying such person.
MANDATES FOR CORPORATE UNDER THE IT RULES, 2011

 Privacy Policy
 Consent for collection of data
 Collection of data
 Use and Retention
 Opt Out/Withdrawal
 Access and Review of Information
 Grievance Mechanism
 Limitation on Disclosure of Information
 Limitation on Transfer of Information
 Reasonable Security Practices and Procedures
PRIVACY POLICY: RULE 4

 A body corporate, or any person on its behalf, that
 collects, receives, possesses,
 stores, deals in or handles
 information of a provider of information
 (providers of information are those natural persons who provide sensitive personal data or information to a body corporate)
 shall provide a privacy policy for handling of or dealing in ‘sensitive personal data or information’.

The Privacy Policy shall be published on the website and provide:
• Clear and easily accessible statements of its practices and policies;
• The type of personal or sensitive personal data or information collected;
• The purpose of collection and usage of such information;
• Disclosure of information, including sensitive personal data or information;
• The reasonable security practices and procedures followed by the body corporate.
CONSENT TO COLLECT AND DISCLOSE SENSITIVE PERSONAL INFORMATION: RULE 5(1)

o Requires the body corporate, or any person on its behalf,
o before collection of sensitive personal data or information,
o to obtain consent in writing, through any mode of electronic communication including letter or fax or email, from the ‘provider of the information’
o regarding the purpose of usage of such information.
CONSENT: RULE 5(3)

Requirements in case of collection of information directly from the person concerned:
Steps to ensure that the person concerned has knowledge of:
o the fact that the information is being collected;
o the purpose for which the information is being collected;
o the intended recipients of the information; and
o the name and address of –
 the agency that is collecting the information; and
 the agency that will retain the information.
PURPOSE OF COLLECTION OF INFORMATION: RULE 5(2)

Sensitive personal data or information can be collected only under the following two circumstances:
1. For a ‘lawful purpose’ connected with a function or activity of the body corporate or any person on its behalf; and
2. Considered ‘necessary’ for that purpose.

USE AND RETENTION OF INFORMATION

USE - RULE 5(5):
 The information collected shall be used only for the purpose for which it has been collected.

RETENTION - RULE 5(4):
 A body corporate or its representative must not retain such information for longer than is required for the purposes for which the information may lawfully be used, OR
 as required under any other law in force.
OPT OUT/WITHDRAWAL: RULE 5(7)

Requires the body corporate to give the provider of information an option:
1. prior to the collection of the information, to not provide the data or information sought to be collected;
2. of withdrawing his consent given earlier to the body corporate.

 Withdrawal shall be sent in writing to the body corporate.
 The body corporate shall have the option to not provide goods or services for which the said information was sought.
ACCESS & REVIEW OF INFORMATION: RULE 5(6)

o Providers of information are permitted to review the information provided by them, as and when requested by them;
o Information, if found to be inaccurate or deficient, shall be corrected or amended as feasible.
o The body corporate is NOT responsible for the authenticity of the personal information or sensitive personal data or information as supplied by the provider to the body corporate.
GRIEVANCE REDRESSAL MECHANISM: RULE 5(9)

o Time-bound redressal of any discrepancies and grievances.
o A Grievance Officer shall be appointed.
o Publication of the name and contact details of the Grievance Officer on the website.
o Redressal of grievances: within one month from the date of receipt of the grievance.
LIMITATION ON DISCLOSURE OF INFORMATION: RULE 6

Permission of the provider of the information is required before disclosure of information.

Exceptions:
1. when disclosure is agreed upon in the contract;
2. when disclosure is necessary for compliance with a legal obligation;
3. when disclosure is to Government agencies mandated under the law to obtain information;
4. when disclosure is to any third party by an order under the law for the time being in force.

 Rule 6 also forbids the following:
1. Publication of sensitive personal data or information by the body corporate or its representative;
2. Disclosure by a third party receiving the sensitive personal data or information from the body corporate.
LIMITATION ON TRANSFER OF INFORMATION: RULE 7

Transfer allowed to:
 another body corporate or a person
 in India, or located in any other country.

Transfer is allowed only if:
1. the other body corporate or person ensures the same level of data protection that is adhered to by the body corporate as provided under these rules;
2. it is necessary for the performance of the lawful contract between the provider of the information and the corporate receiving the information.
REASONABLE SECURITY PRACTICES AND PROCEDURES: RULE 8

 Prescribes the standard to be adhered to by a body corporate receiving the information, in the absence of an agreement between the parties or any law for the time being in force.
 One such prescribed standard: the International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements”.
 Any other security code, if followed, shall be:
o duly approved and notified by the Central Government;
o audited annually by an independent auditor approved by the Central Government.
 In the event of an information security breach – demonstration of implementation of security control measures by the body corporate.
 A body corporate or a person on its behalf shall be deemed to have complied with reasonable security practices and procedures if:
 they have implemented such security practices and standards, and
 have a comprehensive documented information security programme; and
 information security policies for managerial, technical, operational and physical security which are proportionate with the information assets being protected and the nature of the business.