1. DATA PRIVACY UNDER THE
INFORMATION TECHNOLOGY
ACT, 2000

2. CASES
 Nadeem Kashmiri and HSBC
 Karan Bahree and Mphasis
 My case - Hyundai

3. ISSUES
 Liability of Company
 Protection of data – Concern for outsourcing
industry
 Privacy of data – Individual’s concern

4. SEC. 43A – COMPENSATION FOR FAILURE
TO
PROTECT DATA
If body corporate, possessing, dealing or
handling any sensitive personal data or
information in a computer resource which it
owns, controls or operates, is negligent in
implementing and maintaining reasonable
security practices and procedures and
thereby causes wrongful loss or wrongful
gain to any person
 Liability– Damages by the way of
compensation

5. ADJUDICATION
 For claims upto Rs. 5 Crores –
Adjudicating officer
 For claims above Rs. 5 Crores - Civil
courts (Unlimited liability)

6. WHO IS LIABLE?
 Sec.85: Offences by companies
• The company itself, being a legal person;
• The top management including directors; and
• The managers (persons directly responsible for the data)
If it is proved that -
• they had knowledge of a contravention; or
• they have not used due diligence
• that it was caused due to their negligence

7. ISSUES
 Whatis Sensitive Personal data or
Information?
 Whatare Reasonable Security
Practices and Procedures?

8. THE SOLUTION
 The Information Technology (Reasonable
security practices and procedures and sensitive
personal data or information) Rules, 2011
 Enforceable from 11th April, 11
 To be read with Sec. 43A

9. SENSITIVE PERSONAL DATA OR
INFORMATION
Rule 3 - IT (Reasonable security practices and procedures and sensitive personal data or information)
Rules, 2011

10. REASONABLE SECURITY
PRACTICES
 Implementing comprehensive documented
information security programme and information
security policies
 Containing –
 Managerial, technical, operational and physical
security control measures commensurate with the
information assets held by the person.
Rule 8 - IT (Reasonable security practices and procedures and sensitive personal data or
information) Rules, 2011

11. REASONABLE SECURITY PRACTICES
 The International Standard IS/ISO/IEC 27001 on
“Information Technology – Security Techniques –
Information Security Management System – Requirements”
is one such standard OR
 If following other than IS/ISO/IEC codes of best practices
for data protection, shall get it duly approved and notified
by the Central Government OR
 An agreement between the parties regarding protection of
“Sensitive Personal Information”

12. AUDITING
 Necessary to get the codes or procedure certified or
audited on regular basis
 Needs to be done by the Government Certified Auditor
 Will be known as “Govt. Certified IT Auditor”
 Not appointed yet
 CERT-IN has empanelled IT Auditors

13. POLICIES/CLAUSES

14. COLLECTION OF INFORMATION
 About obtaining consent of the information provider
 Consent in writing through letter/fax/email from the provider
of the SPDI regarding purpose of usage before collection of
such information
 Need to specify –
 Fact that SPDI is being collected
 What type of SPDI it is
 How long SPDI will be held
Rule 5 - IT (Reasonable security practices and procedures and sensitive personal data or
information) Rules, 2011

15. COLLECTION OF INFORMATION
 Provider should know –
 Purpose of collection
 Intended recipients
 Details of the agency collecting the information and agency
retaining the information
 Body Corporate not to retain information longer than required
 Option should be given to withdraw the information provided
 SPDI shall be used only for the purpose for which it has been
collected
 Shall appoint “Grievance Officer” to address any discrepancies
and grievances about information in a timely manner – Max. time
– One month

16. PRIVACY AND DISCLOSURE OF
INFORMATION POLICY
 Policy about handling of SPDI
 Shall be published on website or should be available to view/inspect @
any time
 Shall provide for –
 Type of SPDI collected
 Purpose of collection and usage
 Clear and easily accessible statements of IT Sec. practices and policies
 Statement that the reasonable security practices and procedures as provided
under rule 8 have been complied
Rule 4 - IT (Reasonable security practices and procedures and sensitive personal data or information)
Rules, 2011

17. DISCLOSURE
 Disclosure –
 Prior permission of provider necessary before disclosure
to third party OR
 Disclosure clause needs to be specified in the original
contract OR
 Must be necessary by law
 Third party receiving SPDI shall not disclose it
further
Rule 6 - IT (Reasonable security practices and procedures and sensitive personal data or information)
Rules, 2011

18. TRANSFER OF INFORMATION
 Transfer to be made only if it is necessary for
performance of lawful contract
 Disclosure clause should be a part of Privacy and
Disclosure Policy
 Transferee to ensure same level of data
protection is adhered while and after transfer
 Details of transferee should be given to provider
Rule 7 - IT (Reasonable security practices and procedures and sensitive personal data or information)
Rules, 2011

19. SEC 72(A) (CRIMINAL
OFFENCE)
 Punishment for Disclosure of information in
breach of lawful contract -
 Knowingly or intentionally disclosing “Personal
Information" in breach of lawful contract
 IMP – Follow contract
 Punishment - Imprisonment upto 3 years or fine
up to 5 lakh or with both (Cognizable but Bailable)

20. GRAMM–LEACH–BLILEY ACT
(GLBA, USA)
 Focuses on finance
 Safeguards Rule - Disclosure of Nonpublic Personal
Information
 It requires financial institutions to develop a written information
security plan that describes how the company is prepared for, and
plans to continue to protect clients’ nonpublic personal
information.
 This plan must include –
 Denoting at least one employee to manage the safeguards,
 Constructing a thorough risk analysis on each department handling
the nonpublic information,
 Develop, monitor, and test a program to secure the information, and
 Change the safeguards as needed with the changes in how
information is collected, stored, and used.

21. THE FEDERAL INFORMATION
SECURITY MANAGEMENT ACT OF 2002
(FISMA, USA)
 Focus on economic and national security interests of
the United States
 Emphasized on "risk-based policy for cost-effective
security“
 Responsibility attached to federal agencies, NIST and
the Office of Management and Budget (OMB) to
strengthen information system security
 Not mandatory
 No penalty for non-compliance

22. DATA PROTECTION DIRECTIVE
(EU)
 European Union directive regulating the processing of
personal data within the EU
 Protection of individual’s personal data and its free
movement
 Coming soon - European Data Protection Regulation
 Not mandatory
 No penalty for non-compliance

23. PREAMBLE OF THE IT ACT
 Purpose behind enacting IT Act –
 To provide legal recognition to e-commerce
 To facilitate e-governance
 To provide remedy to cyber crimes
 To provide legal recognition to digital evidence
o Preamble doesn’t specify that the Act aims @
establishing IT Security framework in India

24. BENEFITS
 Compliance with legislation
 No liability on organisation
 Increased reliability and security of systems
 Systems rationalization
 Improved management controls
 Improved risk management and contingency
planning

27. GET IN TOUCH
HONE
+9 19 6 2 3 4 4 4 4 4 8
M A IL
O N TA C T@ A G A R R A H U R K A R .C O M
S