India
Answer ... The IT Act and Privacy Rules do not prescribe any lawful bases for processing ordinary personal data. At present, such information may be freely collected and processed. However, a data collector may collect and process a data subject’s sensitive personal data or information (SPDI) only if:
- the SPDI is collected for a lawful purpose connected with a function or activity of the data collector; and
- the collection of the SPDI is considered necessary for that purpose.
India
Answer ... Under the IT Act and Privacy Rules, the disclosures, actions and compliance obligations applicable to the data collector will vary, depending on the nature of the information it collects, stores, processes and/or transfers.
Collection: When collecting personal information or SPDI from a data subject, the data collector must take reasonable steps to ensure that the data subject has knowledge of:
- the fact that the information is being collected;
- the purpose for which the information is being collected;
- the intended recipients of the information; and
- the name and address of the agency that is collecting the information and of the agency that will retain the information.
Additionally, to collect SPDI, the data collector must obtain the prior written or electronic consent of the data subject. Notably, no such consent is required for the collection of ordinary personal data (which does not contain or consist of SPDI).
Grievance officer: A data collector must appoint a ‘grievance officer’ and publish his or her name and contact details on its website. The grievance officer will be responsible for the redressal of grievances with respect to the processing of a data subject’s personal information.
Restrictions on use: A data collector must use personal information and SPDI only for the purpose for which it was collected.
Review and opt-out: The Privacy Rules require data collectors to allow data subjects to:
- review the information they provide and ensure that any personal information or SPDI found to be inaccurate or deficient is corrected or amended as feasible; and/or
- withdraw consent to use the information (where applicable).
Privacy policy: A data collector must have in place a privacy policy for the handling of personal information. The privacy policy must provide clear and easily accessible statements of the data collector’s practices and policies. It must disclose:
- the types of data collected by the data collector;
- the purpose for the collection and processing;
- the circumstances for the disclosure of such information; and
- the security practices and procedures implemented by the data collector.
The data collector must ensure that this policy is available for review by data subjects and is published on its website.
India
Answer ... When a data collector is processing personal information, it should provide detailed disclosures on the mechanisms used for data processing. For instance, the data collector may consider outlining whether the processing is done manually or whether the process is automated. The data collector may also consider maintaining detailed records of the third parties with which data is shared for the purpose of processing and activities involved during processing.