
What the Privacy Rules Apply To

Four sets of Rules were issued under the Information Technology Act, 2000 in April 2011. The second of these sets — called the Information Technology (Reasonable security practices and procedures and Sensitive Personal Data or Information) Rules, 2011, i.e. the Privacy Rules — deals with how certain information collected from persons should be treated.

A. Kinds of Information

The information contemplated by the Privacy Rules is differentiated into ‘Information’, ‘Personal Information’ and ‘Sensitive Personal Data or Information’, with all three terms being defined under the Rules as follows:
    Rule 2(1)(f). “Information” means information as defined in clause (v) of sub-section (1) of section 2 of the [Information Technology] Act [i.e. ‘Information’ includes data, message, text, images, sound, voice, codes, computer programmes, software and data bases or micro film or computer generated micro fiche];
    Rule 2(1)(i). “Personal information” means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.
    Rule 3. Sensitive personal data or information of a person means such personal information which consists of information relating to:
      (i) password;
      (ii) financial information such as Bank account or credit card or debit card or other payment instrument details;
      (iii) physical, physiological and mental health condition;
      (iv) sexual orientation;
      (v) medical records and history;
      (vi) Biometric information;
      (vii) any detail relating to the above clauses as provided to body corporate for providing service; and
      (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:
      provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.

B. Obligations Pertaining to Each Type of Information

All of the obligations set out in the Privacy Rules apply to ‘Sensitive Personal Data or Information’. However, they do not all apply to ‘Information’ and/or ‘Personal Information’. The table below attempts to capture which obligations contemplated by the Privacy Rules apply to which kind of information. (It is intended to be read in conjunction with the Rules themselves, which detail the obligations; the table does not attempt to do anything beyond convey the essence of the obligations.)

| Sr. No. | Rule | Information | Personal Information | Sensitive Personal Data or Information | Comments |
|---|---|---|---|---|---|
| 1 | 5(1): Consent for collection | | | Applies | See Clarification (below) |
| 2 | 5(2): Restrictions on collection | | | Applies | Sensitive Personal Data or Information may only be collected for a lawful purpose (connected with the activities of the collector) for which the information is required. |
| 3 | 5(3): Knowledge regarding collection | Applies | Applies | Applies | Providers must know: (a) the fact that the information is being collected; (b) the purpose for which the information is being collected; (c) the intended recipients of the information; and (d) the name and address of (i) the agency that is collecting the information and (ii) the agency that will retain the information. |
| 4 | 5(4): Retention | | | Applies | ‘Sensitive Personal Data or Information’ cannot be retained by the collector for longer than required. |
| 5 | 5(5): Use only for the purpose of collection | Applies | Applies | Applies | |
| 6 | 5(6): Review by providers | Applies | Applies | Applies | |
| 7 | 5(6): Correction by providers | | Applies | Applies | Collectors must correct inaccurate information (‘Personal Information’ and ‘Sensitive Personal Data or Information’) but are not responsible for the authenticity of provider-supplied information. |
| 8 | 5(7): Option not to provide or to withdraw information | Applies | Applies | Applies | ‘Withdrawal of the consent shall be sent in writing to the body corporate. In the case of provider of information not providing or later on withdrawing his consent, the body corporate shall have the option not to provide goods or services for which the said information was sought’ |
| 9 | 5(8): Security obligations | Applies | Applies | Applies | See Rule 8 |
| 10 | 5(9): Grievance officer | Applies | Applies | Applies | |
| 11 | 6(1): Disclosure to any third party other than govt. agencies | | | Applies | See Clarification (below) |
| 12 | 6(1) Proviso: Disclosure to certain government agencies | Possible to interpret this to have it apply, although it probably does not | Possible to interpret this to have it apply, although it probably does not | Applies | |
| 13 | 6(2): Disclosure to any third party pursuant to order under law | | | Applies | |
| 14 | 6(3): Publication | | | Applies | |
| 15 | 6(4): Disclosure by a party who receives information under Rule 6(1) | | | Applies | The Rules do not have a clear demarcation between ‘disclosures’ and ‘transfers’ contemplated in Rules 6 and 7. Thus, although Rule 6 does not apply to ‘Information’ and ‘Personal Information’, it is unclear how Rules 6 and 7 interact. |
| 16 | 7: Transfer | Probably applies; the rule refers to ‘sensitive personal data or information including any information’ | Probably applies | Applies | Rule 7 may require ‘consent’ from the provider for the transfer of any information unless the transfer is necessary for the performance of the lawful contract between the collector and provider. |
| 17 | 8: Security Practices & Audits thereof | Applies | Applies | Applies | Reasonable security practices and procedures (such as IS/ISO/IEC 27001) must be implemented. Security practices are required to be audited at least once a year, or whenever the process and computer resources are upgraded. |

C. The Clarification of the Rules (and the Scope of Rules 5 and 6)

The Privacy Rules were unclear in several places, and (presumably because of this) the Department of Information Technology, Ministry of Communications & Information Technology issued a clarificatory Press Note on August 24, 2011 through the Press Information Bureau, Government of India. Unfortunately, the clarification was itself anything but clear. It stated that the Privacy Rules ‘are regarding Sensitive Personal Data or Information and are applicable to the body corporate or any person located within India’. However, in opposition to this, a plain reading of the Privacy Rules themselves indicates that they apply to three kinds of information, and not merely to ‘Sensitive Personal Data or Information’. As such, it is unclear whether the reference to only one kind of information in the Press Note is intentional, or whether it is a clerical error (with the intention being to have the clarification apply to all three kinds of information contemplated by the Privacy Rules). In other words, it appears that the clarification of the Privacy Rules is, at the outset itself, inconsistent with the Rules in question.

In addition to this, the Press Note states that: ‘Providers of information, as referred to in these Rules, are those natural persons who provide sensitive personal data or information to a body corporate.’ The implication here is that the Privacy Rules do not apply to information provided by corporate bodies. Whether or not this is the intention of the Privacy Rules is debatable; however, considering the clarification pertaining to the scope of Rules 5 and 6 (referred to in the next paragraph), it may be possible to argue that this supports the proposition that the Privacy Rules are primarily intended to govern B2C interaction and not B2B interaction.

According to the Press Note, ‘Any such body corporate providing services relating to collection, storage, dealing or handling of Sensitive Personal Data or Information under contractual obligation with any legal entity located within or outside India is not subject to the requirement of Rules 5 & 6. Body corporate, providing services to the provider of information under a contractual obligation directly with them, as the case may be, however, is subject to Rules 5 & 6’.

That said, the Press Note did specifically clarify that ‘Rule 5(1) consent includes consent given by any mode of electronic communication’. This cleared a great deal of the confusion which had arisen when the Rules were first issued, as it had appeared that obtaining electronic consent would not be adequate to comply with the Privacy Rules. Following the issue of the Press Note, though, it has become possible to interpret the Rules to mean that electronic consent is adequate to satisfy their mandate.

D. Privacy Policy

Under Rule 4 of the Privacy Rules, each body corporate (or, sacrificing nuance, its agent) which collects, receives, possesses, stores, deals with or handles information of providers must provide a privacy policy (on its website, viewable by information providers) detailing how it deals with ‘Personal Information’ including ‘Sensitive Personal Data or Information’. Specifically, each Privacy Policy must contain:
    (i) ‘clear and easily accessible statements of its practices and policies;
    (ii) type of personal or sensitive personal data or information collected under rule 3;
    (iii) purpose of collection and usage of such information;
    (iv) disclosure of information including sensitive personal data or information as provided in rule 6;
    (v) reasonable security practices and procedures as provided under rule 8’.
Further, a Grievance Officer is required to be designated under Rule 5(9) of the Privacy Rules; this Rule states: "Body corporate shall address any discrepancies and grievances of their provider of the information with respect to processing of information in a time bound manner. For this purpose, the body corporate shall designate a Grievance Officer and publish his name and contact details on its website. The Grievance Officer shall redress the grievances of provider of information expeditiously but within one month from the date of receipt of grievance."

(This post is by Nandita Saikia and was first published at Indian Copyright.)