Learner’s Submission: Data Protection in India

“With the development in the field of information technology industry, cyber crimes have become a terrible headache for the government of every country . The existing laws is not enough to cover all the issues and circumstances that make the new digital world a threat to personal privacy. So all the developed countries have framed and established their data protection laws. The law relating to privacy is under the scope of Article 21 of the constitution in India. IT Act 2000 has been introduced in 2000 and it has certain provisions that provide protection to stored data and the issues relating to computer system.

Under IT Act, 2000, Section 43 provides protection against unauthorized access of the computer system. Under section 65 of this Act, protection has been provided against tampering of computer source documents. Section 66 provides protection against hacking. Section 70 provides protection to the data stored in the protected system. Under section 72, protection has been provided against breach of confidentiality and privacy of the data.

The ‘Personal Data Protection Bill 2006’ has been introduced in parliament on 8 December, 2006  to provide protection to the personal data and information of the person collected for a particular purpose by one organization, and to prevent its usage by other organization for commercial and other purpose. Data controllers are to look upon the issues of violation of the Act. The Bill was drafted wholly on the structure of the UK Data Protection Act . But this proposed Act has lapsed now.

The Indian Government on behalf of Ministry of Communications and Information Technology has notified the “Information Technology ( Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011” on 11 April 2011 under Section 43A of the Information Technology Act, 2000,  to implement certain provisions. In  August , 2011 , the Ministry of Communication and Information Technology issued a press note also to clarify some of the provisions of the Rules.

The provision of The Information Technology Rules , 2011 is to protect sensitive personal data. Sensitive Data means personal information of a person in relation to:

  1. Passwords;
  2. Financial information such as Bank account or credit card or debit card or other payment instrument details;
  3. Physical , psychological and mental health condition ;
  4. Sexual orientation ;
  5. Medical records and history ;
  6. Biometric information ;
  7. Any detail relating to the above clauses as provided to body corporate for providing service ;
  8. Any of the information received under above clauses by body corporate for processing , stored or processed under lawful contract.

In the Press Note, it has been clarified that The Rules are applicable to body corporate or any person.  The term ‘ body corporate ‘ is not limited to a ‘body corporate’ located in India . It means any company or other association of individuals engaged in commercial or professional activities. It also includes a foreign body corporate . The Rules will apply to sensitive data of any individual collected , processed or stored in India via computer resources by any entity , whether located in India or not .

Sensitive data can be transferred to third party in India or outside India but the body corporate should be aware of the fact that: the provider has consented to such transfer , the third party is able to provide adequate level of protection for such data via legislative or other means and the transfer is necessary for the lawful contract .

The companies or the corporate houses are now making several agreements with other companies , partners , agencies or clients to provide adequate protection for their data . ‘ User license  agreements’ , ‘ non circumvention and non-disclosure agreements, referral partner agreements are such agreements that covers privacy and confidentiality clauses and also arbitration clauses for resolving any dispute if arises .The body corporate is allowed to adopt any other information security policies and standards approved by the Central Government to run their business smoothly. BPO companies have implemented security control measures like BS 7799 and the ISO 17799 standards of information security management. The body corporate  also implements the recognized and approved international standards like IS, ISO ,IEC 27001 on ‘Information Technology – Security Techniques –Information Security Management System –Requirements’.

As per The Rules , the security standards adopted by the body corporate should be audited at least once every year by an auditor approved by the Central Government.

The big question here arises : is our data safe ?  This  essay certainly has thrown ample light on  the Data Protection Legislation in India . Indian Penal code imposes punishment for crimes relating to data protection but it is a matter of surprise that how easy we are  providing room to the miscreants to do crimes through the easiest medium while using internet ,credit card etc. The criminals are being able to collect the secured information only by using computers and electronic gadgets.

Many countries other than India have framed their data protection law as a separate discipline. So it has raised concerns that a qualitative effort must be taken by the Government to frame and establish a most comprehensive data protection law.” – Dr. Mahabur Rahaman Mondal – Kolkata, India

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: