
PRIVACY & DATA PROTECTION

‘Privacy’, a noun:
“A state in which one is not observed or disturbed by other people”
or
“The state of being free from public attention”

PRIVACY & DATA PROTECTION

‘Privacy’ of a natural living person is the state of not being observed or disturbed without their explicit consent to do so.

Diagram: Privacy at the intersection of Data/Information, Legal, Security and Compliance

 Privacy is control over information or activities relating to oneself. Privacy can be considered a “derivative” right, i.e. the privacy right is derived from other related rights.
 In India the majority understand privacy only in the context of sex and wealth, and sometimes passwords too.
The Supreme Court, in the case of R. Rajagopal v. State of Tamil Nadu, for the first time directly linked the right to privacy to Article 21 of the Constitution and laid down:

"The right to privacy is implicit in the right to life and liberty guaranteed to the citizens of this country by Article 21. It is a "right to be let alone". A citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child bearing and education among other matters. None can publish anything concerning the above matters without his consent whether truthful or otherwise and whether laudatory or critical. If he does so, he would be violating the right to privacy of the person concerned and would be liable in an action for damages."

R. Rajagopal v. State of Tamil Nadu, cited at: 1994 SCC (6) 632.
The Supreme Court, in the case of Ram Jethmalani v. Union of India, categorically held that the right to privacy also requires the state not to make public any private information about an individual which would violate her privacy.

Ram Jethmalani v. Union of India, cited at: (2011) 8 SCC 1.
The Information Technology Act, 2000 has two sections relating to privacy:

 Section 43A, which deals with the implementation of reasonable security practices for sensitive personal data or information and provides for the compensation of the person affected by wrongful loss or wrongful gain.

 Section 72A, which provides for imprisonment for a period up to 3 years and/or a fine up to Rs. 5,00,000 for a person who causes wrongful loss or wrongful gain by disclosing personal information of another person while providing services under the terms of a lawful contract.
SEC. 43A – COMPENSATION FOR FAILURE TO PROTECT DATA

 If a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person

 Liability – Damages by way of compensation – unlimited damages
The IT Act, 2000 has provisions that permit the interception, monitoring and decryption of digital communications. It provides for the collection and monitoring of traffic data. It allows the government to set the national encryption standard.

Projects like the Central Monitoring System, NATGRID and the phone & Internet interception used by the police are pushing State surveillance to an all-time high.

The Privacy Protection Bill is proposed legislation for a privacy and personal data protection regime in India. This law, when passed, would regulate the collection and use of personal data in India, as well as the surveillance and interception of communications.

The Government’s stand is that citizens cannot claim the right to privacy as a fundamental right.

The Supreme Court would decide in due course, in the light of Article 21, whether it is a fundamental right; or the Supreme Court relies on the eight-judge bench decision which in 1954 ruled that the right to privacy was not a fundamental right.
INFORMATION/DATA PRIVACY

 Attitude of an organization or individual to determine what data in a computer system can be shared with third parties
 Private data is known as –
 Personally Identifiable Information (PII)
 Personal data
 Sensitive Personal Data/Information
PERSONALLY IDENTIFIABLE INFORMATION

o US Privacy Laws
 Information that can be used on its own or with other information to identify, contact, or locate a person, or to identify an individual in context
PERSONAL DATA AND SENSITIVE PERSONAL DATA

 Data Protection Act – UK
 Personal data - Data relating to a living individual which helps in his identification and includes any expression of opinion about him
 Sensitive personal data - Personal data consisting of information as to –
 the racial or ethnic origin of the data subject,
 his political opinions,
 his religious/spiritual beliefs,
 his professional associations,
 his physical or mental health or condition,
 his sexual life,
 the commission or alleged commission by him of any offence, or
 any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
KEY ISSUES

 Liability of Company (Sec. 85)
 Data protection – Concern for outsourcing industry
 Privacy – Individual’s concern
 Increasing Government control/interference

WHO IS LIABLE?

 Sec. 85 – The Company itself, being a legal person
 Top management, including directors and managers – if it is proved that they had knowledge of the contravention, or that they have not used due diligence, or that it was caused due to their negligence
ISSUES

 What is Sensitive Personal Data or Information?
 What are Reasonable Security Practices and Procedures?

SOLUTION

 The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
 Enforceable from 11th April, 2011
 To be read with Sec. 43A
SENSITIVE PERSONAL DATA/INFORMATION

 The Information Technology Act, 2000 (Amd. 2008) – India
 SPDI (diagram) –
 Password
 Financial info
 Health condition
 Sexual orientation
 Health records
 Biometrics

Rule 3 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
REASONABLE SECURITY PRACTICES

 Implementing a comprehensive documented information security programme and policies
 Managerial, technical, operational and physical security control measures commensurate with the information assets and nature of business
 The International Standard IS/ISO/IEC 27001 – is one such standard
 An agreement between the parties regarding protection of “Sensitive Personal Information”

Rule 8 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
AUDITING

 Necessary to get the codes or procedures certified or audited on a regular basis
 Needs to be done by a Government Certified Auditor, who will be known as “Govt. Certified IT Auditor”
 Not appointed yet
COMPLIANCE POLICIES

COLLECTION OF INFORMATION

 About obtaining consent of the information provider
 Consent in writing through letter/fax/email from the provider of the SPDI regarding purpose of usage before collection of such information
 Need to specify –
 Fact that SPDI is being collected
 What type of SPDI is collected?
 How long SPDI will be held?

Rule 5 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

COLLECTION OF INFORMATION

 Provider should know –
 Purpose of collection
 Intended recipients
 Details of the agency collecting the information and agency retaining the information
 Body Corporate not to retain information longer than required
 Option should be given to withdraw the information provided
 SPDI shall be used only for the purpose for which it has been collected
 Shall appoint a “Grievance Officer” to address any discrepancies and grievances about information in a timely manner – Max. time – One month
PRIVACY POLICY

 Policy about handling of SPDI
 Shall be published on the website or should be available to view/inspect at any time
 Shall provide for –
 Type of SPDI collected
 Purpose of collection and usage
 Clear and easily accessible statements of IT Sec. practices and policies
 Statement that the reasonable security practices and procedures as provided under Rule 8 have been complied with

Rule 4 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
DISCLOSURE OF INFORMATION

 Disclosure –
 Prior permission of provider necessary before disclosure to third party OR
 Disclosure clause needs to be specified in the original contract OR
 Must be necessary by law
 Third party receiving SPDI shall not disclose it further

Rule 6 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
TRANSFER OF INFORMATION

 Transfer to be made only if it is necessary for performance of a lawful contract
 Disclosure clause should be a part of the Privacy and Disclosure Policy
 Transferee to ensure the same level of data protection is adhered to during and after transfer
 Details of transferee should be given to provider

Rule 7 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
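The collection, disclosure and transfer conditions of Rules 5, 6 and 7 above can be encoded as a single policy gate that an application consults before SPDI leaves a system. The following is an added example, not part of the original deck and not any statutory text; the category labels, the Consent record layout and the day-based retention limit are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Rule 3 SPDI categories as listed on the slides (label spellings are assumed)
SPDI_CATEGORIES = frozenset({"password", "financial_info", "health_condition",
                             "sexual_orientation", "medical_records", "biometrics"})

@dataclass
class Consent:                 # Rule 5: written consent taken before collection
    categories: frozenset      # which SPDI types the provider agreed to share
    purpose: str               # stated purpose of usage
    collected_on: date
    retention_days: int        # how long the SPDI will be held (assumed unit)
    withdrawn: bool = False    # provider exercised the option to withdraw
    disclosure_clause: bool = False   # Rule 6: clause in the original contract

def may_use(consent, category, purpose, today):
    """Rule 5: consent, withdrawal, purpose limitation and retention limit."""
    if category not in SPDI_CATEGORIES:
        return True, "not SPDI under Rule 3"
    if category not in consent.categories:
        return False, "no consent for this category"
    if consent.withdrawn:
        return False, "consent withdrawn by provider"
    if purpose != consent.purpose:
        return False, "purpose differs from the one consented to"
    if today > consent.collected_on + timedelta(days=consent.retention_days):
        return False, "retained longer than required"
    return True, "ok"

def may_disclose(consent, category, purpose, today,
                 prior_permission=False, required_by_law=False):
    """Rule 6: prior permission, a contract disclosure clause, or legal necessity."""
    if required_by_law:
        return True, "disclosure necessary by law"
    ok, why = may_use(consent, category, purpose, today)
    if not ok:
        return False, why
    if prior_permission or consent.disclosure_clause:
        return True, "prior permission or disclosure clause"
    return False, "no prior permission and no disclosure clause"

def may_transfer(consent, category, purpose, today,
                 necessary_for_contract, transferee_same_protection):
    """Rule 7: needed for a lawful contract and the transferee keeps the same protection."""
    if not transferee_same_protection:
        return False, "transferee does not ensure the same level of protection"
    if not necessary_for_contract:
        return False, "transfer not necessary for performance of lawful contract"
    return may_use(consent, category, purpose, today)
```

Each function returns the decision together with the reason, so a refusal can be logged for the Grievance Officer and audited later.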
SEC 72(A) (CRIMINAL OFFENCE)

 Punishment for disclosure of information in breach of lawful contract –
 Knowingly or intentionally disclosing “Personal Information" in breach of lawful contract
 IMP – Follow contract
 Punishment – Imprisonment up to 3 years or fine up to 5 lakh or with both (Cognizable but Bailable)
OTHER PROVISIONS U/IT ACT

o Section 66E – Punishment for violation of personal privacy
 Popularly known as voyeurism
 Covers acts like hiding cameras in changing rooms, hotel rooms, etc.
 Punishment – imprisonment up to 3 years or fine up to Rs. 2 lakh or both
o Section 67C – Preservation and retention of information by intermediaries
o Section 69 – Power to issue directions for interception or monitoring or decryption of any information through any computer resource
o Section 69A – Power to issue directions for blocking public access to any information through any computer resource
o Section 69B – Power to authorize monitoring and collection of traffic data or information through any computer resource for cyber security
o Section 79 – Intermediary not liable in certain circumstances
