Handling and Processing Large Amount of Sensitive Personal Data: Obligations, Offences and Penalties

In today’s world, companies have access to a variety of media for storing and sharing data. Customers also provide companies with large amounts of sensitive personal data. With the advent of ecommerce and the growing outsourcing industry in India, companies are now handling and processing large amounts of sensitive personal data.

Internationally, countries have enacted well-defined data privacy laws providing a regulatory framework for the protection of personal data, such as the Federal Data Protection Act (Germany), the Data Protection Act (UK), the Personal Information Protection Act (Japan) and the Privacy Act (Australia), to name a few.

In India, the Information Technology Act 2000 contains provisions relating to the handling of personal data. Sections 43A and 72A, which were inserted by the Information Technology (Amendment) Act 2008, provide the required framework for the protection of sensitive personal data or information, the maintenance of reasonable security practices and procedures, and civil and criminal penalties for breaches thereof. To further address concerns in data handling, particularly of sensitive personal data, the Government of India in April 2011 notified new IT rules called the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 [hereinafter referred to as the “SPDI rules”].

SPDI RULES

The SPDI rules apply to everybody (a body corporate or any person) who, on behalf of a body corporate, collects, receives, possesses, stores, deals in or handles sensitive personal data or information. The SPDI rules inter alia prescribe various compliances which a body corporate is required to implement in terms of privacy policy, consent of the client, transfer and disclosure, and reasonable security practices.

The SPDI rules define “Personal information” and “Sensitive Personal Data or Information (SPDI)” for the first time.

Personal information means any information

  • that relates to a natural person, which
  • either directly or indirectly, in combination with other information available or likely to be available with a body corporate,
  • is capable of identifying such person.

Sensitive personal data or information means such personal information which consists of information relating to

  • password
  • financial information
  • physical, physiological and mental health condition
  • sexual orientation
  • medical records and history
  • biometric information
  • any detail relating to the above clauses as provided to a body corporate for providing service or for processing
  • any information received under the above clauses by a body corporate for processing, stored or processed under a lawful contract or otherwise

However, any information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of the SPDI rules.

KEY OBLIGATIONS AND ADHERENCE

The following table lists the key requirements and action items for compliance with the SPDI rules.

POLICY FOR PRIVACY AND DISCLOSURE OF INFORMATION

Provide a privacy policy for handling of or dealing in personal information including sensitive personal data or information. The policy shall provide for:

  • clear and easily accessible statements of its practices and policies;
  • type of personal or sensitive personal data or information collected;
  • purpose of collection and usage of such information;
  • disclosure of information including sensitive personal data or information;
  • reasonable security practices and procedures.

The policy shall be published on the website. A sample policy is provided as Annexure A.

COLLECTION OF INFORMATION

Consent for collection should be obtained in writing. The information should be collected only

  • for a lawful purpose,
  • where considered necessary, and
  • where connected with a function or activity of the body corporate or any person on its behalf.

The provider of information should at the same time have knowledge of

  • the fact that the information is being collected,
  • the purpose for which the information is being collected,
  • the intended recipients of the information,
  • the name and address of the agency that is collecting the information, and
  • the agency that will retain the information.

The provider of information should be permitted to review the information so provided and to correct or amend it if found inaccurate or deficient.

The provider of information has the option

  • not to provide the data or information sought to be collected, and
  • to withdraw consent given earlier; such withdrawal of consent shall be sent in writing to the body corporate.

The information is not to be retained for longer than is required for the purposes for which it may lawfully be used, or as is otherwise required under any other law for the time being in force.

DISCLOSURE OF INFORMATION

  • Prior permission of the provider of information must be obtained in case of disclosure to any third party, either in the form of the contract or otherwise obtained specifically for disclosing the same.
  • Such consent would not be necessary in case of sharing with government agencies or where such disclosure is necessary for compliance with a legal obligation.
TRANSFER OF INFORMATION

The following conditions must be satisfied while undertaking the transfer:

  • the same level of data protection that is adhered to by the body corporate (transferor) is adhered to by the receiving party (transferee);
  • it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf and the provider of information;
  • such person has consented to the data transfer.

GRIEVANCE HANDLING

  • The body corporate is to designate a grievance officer.
  • The officer's name and contact details are to be published on its website.
  • Grievances are to be resolved within one month.

REASONABLE SECURITY PRACTICES AND PROCEDURES

  • Implement security practices and standards, such as IS/ISO/IEC 27001.
  • Document the practices and standards in the form of an information security programme that contains
    • managerial,
    • technical,
    • operational, and
    • physical security control measures.
  • Codes of best practices for data protection (by any industry association, or an entity formed by such an association, whose members are self-regulating by following codes of best practices other than IS/ISO/IEC) may also be followed.
  • Such standard or codes of best practices are to be certified or audited at least once a year through an independent auditor duly approved by the Central Government, or as and when there is a significant upgradation of its process and computer resources.

DATA THEFT

Let us look at the following case study:

M/S JUST DIAL PRIVATE LIMITED Vs. M/S INFOMEDIA 18 LIMITED & OTHERS (2010)

  • Just Dial alleged that their extensive and valuable database had been copied by Infomedia 18 Limited on its website AskMe.in.
  • Just Dial moved the High Court against ‘AskMe.in’ for breach of copyright with respect to the database.
  • Just Dial submitted that Infomedia 18 had substantially copied the database of Just Dial, which was evident from the reproduction of the same mistakes in the database of AskMe.in. They contended that a minimum of 14 years had been spent in producing the database and that a lot of resources had been put into it.
  • The court granted an ex parte injunction against Infomedia 18, restraining them from infringing the said copyright and from running the website AskMe.

Data theft can simply be defined as

  • Unauthorised copying or removal of confidential information.
  • It could be in the form of theft of a customer’s or company’s proprietary information or intellectual property.
  • Data theft involves issues of copyright violation and violation of privacy under the IT Act 2000, as well as criminal breach of trust and dishonest misappropriation under the Indian Penal Code, 1860.
  • Section 43(b), read with Section 66 of the Information Technology Act 2000, and Sections 379, 405 and 420 of the Indian Penal Code deal with the framework of data theft and the penal provisions thereto.
  • Section 43(b) of the Information Technology Act provides that

    “any person without permission of the owner or any other person, who is incharge of a computer, computer system or computer network, downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium”.

PENAL PROVISIONS

The following chart captures the gist of penal provisions as applicable under the Information Technology Act 2000 dealing with the consequences of violations.

S.43A (FAILURE TO PROTECT DATA)

Damages by way of compensation to the person so affected: up to Rs. 5 crore (adjudicating officer) and above Rs. 5 crore (civil court).

S. 65 (HACKING / TAMPERING)

Imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

S. 66C (IDENTITY THEFT)

Imprisonment for a term which may extend to three years, and shall also be liable to fine which may extend to rupees one lakh.

S. 66E (PUNISHMENT FOR VIOLATION OF PRIVACY)

Imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both.

S. 67C (PRESERVATION AND RETENTION OF INFORMATION BY INTERMEDIARIES)

Imprisonment for a term which may extend to three years and shall also be liable to fine.

S. 72 (BREACH OF CONFIDENTIALITY AND PRIVACY)

Imprisonment for a term which may extend to 2 years, or with fine which may extend to one lakh rupees, or with both.

S. 72A (DISCLOSURE OF INFORMATION IN BREACH OF LAWFUL CONTRACT)

Imprisonment for a term which may extend to 3 years, or with fine which may extend to five lakh rupees, or with both.

S. 85 (OFFENCES BY COMPANIES)

No express provision vis-à-vis penalties and compensation. Onus is on the company / personnel responsible.

About Author

Amber Gupta

Amber is Head of Compliance at Aditya Birla Money.