What is PI, what is protected, Rights of a data subject, duties of a company dealing with data;
Data protection has become one of the biggest concerns for all involved stakeholders – businesses, individuals, and the state. With the advent and increasing use of technology, companies have been able to collect a massive amount of data belonging to individuals. This data could either be personal information (such as a person's name, address, contact number, email address, etc.) or sensitive information (financial details, racial/religious information, health details, etc.) . Data has become so increasingly important that most innovative products today are focused on collecting data from their users in one form or another.
While several giant organisations such as Google, Facebook, etc. have gained immense value by virtue of having collected, stored, processed and use such data, protecting the user's interest and their data must be made a priority. To understand how laws work for entities that deal with an individual's personal information, sensitive information as well as aggregated data, let's first understand what each of these terms means.
Personal Information, as per Section 3 (29) of the proposed Data Privacy Bill is defined in a manner similar to the global data protection laws. Personal Information means and "includes, data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information"
The Indian proposed law as well as the European GDPR laws as well as other global laws define Sensitive Information as, "personal data revealing, related to, or constituting, as may be applicable— (i) passwords; (ii) financial data; (iii) health data; (iv) official identifier; (v) sex life; (vi) sexual orientation; (vii) biometric data; (viii) genetic data; (ix) transgender status; (x) intersex status; (xi) caste or tribe; (xii) religious or political belief or affiliation; or (xiii) any other category of data specified by the Authority;
While for most of it, this article covers information and deals with Data privacy issues and discussions in India, the information can be considered as neutral and globally-serving since the Indian Data Privacy Bill, in fact, originates from the GDPR and other prominent data privacy laws across the world.
How can a business collect its user's data?
A business can collect its user's data by letting the user know what data is being collected at what point, and by taking their due consent. Collecting any sort of personal information from a user without their express consent can be considered to be a violation of their rights under the Data Privacy laws. The law is extremely clear on this – if a business wants to mandate data submission from a user for using their service, which most businesses today do, they must collect such data or seek such submission duly, by also capturing the user's consent.
It also helps if entities capture and store the consent details such as the IP, timestamp of consent taken, etc. to ensure they have due records of each data piece so collected for future use. It's recommended for companies to create an internal audit system and provide clear disclaimers along with consent capture every time they collect their user's information.
It is also important for businesses to intimate to their users the purpose of collection of the data and the period for which the entity will be retaining it.
How can a business use its user's data?
When a business collects its user's data with their due consent and in a manner aligned with the law, businesses can use data for several lawful purposes such as analyzing such data and providing better services to its users, processing the data, aggregating such data, transferring data in a due manner and even storing it for a valid purpose.
Can a business commercialize its user's data?
A business can share or transfer its user's data only if it ensures that the same is communicated to the User when the data is being collected, with due consent. All transfers should strictly happen through data transfer agreements, that duly lay down critical terms for sharing and usage of the data.
Do user's have a right to protect themselves?
Data Privacy laws across the world have put maximum emphasis on protecting the user's rights, which is clear when we see the mandatory consent requirement. Data privacy laws give users several rights such as the right to have an entity delete their information, the right to take legal actions against a breach, the right to know how their information is being used, etc.
Can a business be held liable for a data breach?
A business that collects data can definitely be held liable for a breach, It is the business's responsibility to ensure that all data it collects is duly protected, and safely stored.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.