The Department of Information Technology (IT), on April 11, 2011, notified the Information Technology (Reasonable security practices and procedures, and sensitive personal data or information) Rules, 2011, under Section 43A of the Information Technology Act, 2000.
These Rules led to two primary issues: first, whether foreign companies that collect data within their own jurisdiction and send it to India for onward processing fall within the purview of the Rules, and second, whether the Rules imply that Indian outsourcers are required to obtain written consent from individuals in other countries whose data is being collected and processed by them. These issues have now been resolved, subsequent to clarifications issued by the IT Department on August 24, 2011.
However, the clarifications issued by the Department have given rise to one more issue. The clarifications state, "These Rules are regarding sensitive personal data or information...". In addition to sensitive personal data or information, the Rules also refer to personal information. If the intention of the clarifications is to limit the applicability of the Rules to sensitive personal data only, the relevance of the term personal information is now open to question.
The term personal information is defined as information relating to a person that, either directly or indirectly, in combination with other information, is capable of identifying that person. Sensitive personal data or information, by contrast, is defined as personal information which relates to passwords, financial information, medical records and history, sexual orientation, and the like.
While most of the obligations under the Rules relate to sensitive personal data or information, a few obligations extend to personal information as well. In particular, under Rule 4, bodies corporate that collect, store or handle information are required to have a privacy policy for the handling of personal information, including sensitive personal information. Under Rule 5(6), bodies corporate are required to permit the providers of personal information to review that information and correct any inaccurate or deficient information.
Under Rule 5(7), bodies corporate are required to provide the providers of personal information with an option not to provide the information sought to be collected. Thus, the term personal information, as used in the Rules, not only elaborates the definition of the term sensitive personal data or information, but also carries certain specific obligations of its own.
That said, it is important to note that under Section 43A of the Information Technology Act, pursuant to which the Rules have been made, the obligation of bodies corporate extends only to sensitive personal data or information. On a strict reading of Section 43A, a view may be taken that the purpose of defining the term personal information under the Rules is only to elaborate the definition of sensitive personal information, and not to attach any separate obligations to it.
On this interpretation, the legislative intention behind the use of the term personal information in the Rules is unclear. It is interesting to note that in other jurisdictions, such as the EU, no such distinction has been drawn between personal information and sensitive information. The privacy obligation in the EU extends to personal data, which is defined widely enough to include any and all information relating to an identified or identifiable natural person.
To conclude, whilst one cannot deny that certain information may deserve stricter privacy obligations, this does not mean that there are no privacy obligations at all towards information that does not qualify as 'sensitive' under the Rules. The legislature may perhaps consider an approach in which an element of privacy is also accorded to such information, as this is critical in today's day and age.
Disclaimer - The views expressed are those of the authors and do not reflect the official policy or position of Amarchand Mangaldas.