In a move affecting all, the Central Government, on 11th April, 2011, dramatically transformed the privacy and data protection landscape in India by promulgating the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
The new Rules have wide scope and extraterritorial application. They could have a profound effect on multinational businesses that either outsource business functions to Indian service providers or maintain their own operations in India. The Rules impose wide-ranging obligations on any "body corporate" regarding the use and collection of personal information.
Some of the provisions under the new Rules appear to be more restrictive than regulations under US laws and the EU Directive. It is argued that the new Rules could have a dramatic effect on the IT landscape in India and for overseas companies that contract IT services with Indian companies.
The Rules apply to corporations in India that obtain any information from anywhere. These Rules define "sensitive personal data" to include PASSWORD, BANK ACCOUNT DETAILS, CREDIT CARD, DEBIT CARD, HEALTH CONDITIONS, SEXUAL ORIENTATION, MEDICAL RECORDS etc. and permit the collection of such information by a corporate only for a 'lawful purpose' connected with its function or activity and 'necessary' for that purpose.
The most important feature of the Rules is the absolute requirement of obtaining CONSENT, in writing by email, fax or letter, regarding the purpose of usage of sensitive personal data before it is collected, and before any information is disclosed to a third party. Thus, outsourcing companies in India will have to inform the client of the purpose of usage before collecting such information. This would put additional responsibility on Indian suppliers to obtain consent from the customers of their clients. It is interesting to note that consent is not required in the case of disclosure to the Government.
These Rules further provide that a corporation should take REASONABLE STEPS to INFORM an individual that personal information about them has been collected and the PURPOSE of that collection. Sensitive information must not be retained for longer than is necessary. Furthermore, personal information must only be used for the purpose for which it was collected. The Rules also empower a person to access his or her personal information or sensitive information held by a corporation, and to correct inaccuracies. These Rules also require that an individual be provided with the option to OPT OUT of providing personal information. These Rules lay down the standards for protection of sensitive personal information. However, a corporate is free to follow its own standards, provided they are duly approved and audited annually.
The Rules ALLOW THE TRANSFER OF PERSONAL DATA to any person or corporate, in India or abroad, provided that such person or corporate ensures the same level of data protection that is adhered to by the transferring corporate as provided under these Rules. This puts EXTRA RESPONSIBILITY on the corporate to ensure compliance with the prescribed standards by the transferee.
The new Rules lack clarity, creating ambiguity as to the extent of their applicability. Furthermore, certain terms are not defined, and it may prove difficult to determine how they apply to typical scenarios.
The new Rules also entail REVISION of employment contracts and offer letters, requiring the specific consent of the employee with respect to the employer collecting, accessing and using personal information and sharing such information with third parties in accordance with the new Rules.
© 2011. All rights reserved with Vaish Associates
Advocates, IPR & IT Laws Practice Division
Flat # 903, Indra Prakash Building, 21, Barakhambha Road, New Delhi 110001 (India)