By Shamma Iqbal and Helena Marttila
This April, the Indian government quietly notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “Rules”), issued under the Information Technology Act, 2000. Among other things, the Rules require written consent for the processing of “sensitive personal information” in India and require organizations processing personal information in India to implement reasonable security practices and procedures. As drafted, the Rules apply to organizations that process personal information, including sensitive personal information, in India regardless of where the information originates and regardless of whether the information relates to Indian or non-Indian citizens. The Rules also do not distinguish between a “data controller” and a “data processor”, so they likely apply to all organizations engaged in data processing activities in India, whether or not the processing is performed on behalf of other organizations.
Much ambiguity surrounds the interpretation and practical effect of the Rules. At the time of writing, the Indian government had not provided any clarification, although it is expected to respond in the coming weeks to questions posed by industry stakeholders on the meaning of certain provisions.
The key features of the Rules, and their potential application, are discussed below:
1. Definition of Sensitive Personal Information. The Rules provide an exhaustive definition of “sensitive personal data or information”, which is similar to the definition of special categories of data in the EU Data Protection Directive. The definition encompasses passwords, financial information (such as bank account, credit card, debit card or other payment instrument details), physical, physiological and mental health condition, sexual orientation, medical records and history, and biometric information. It excludes any information that is freely available or accessible in the public domain.
3. Authorization for Processing Sensitive Personal Information. Article 5(1) of the Rules requires organizations based in India to obtain written consent from the “provider” of sensitive personal information before processing that information in India. The term “provider” is not expressly defined in the Rules, but the Rules appear to draw a distinction between a “provider” and a “person”, which suggests that “provider” refers to corporate bodies only. On this reading, the written consent requirement applies only where the sensitive personal information to be processed in India is supplied by a corporate body. Thus, where sensitive personal information is transferred from a non-Indian organization to an organization based in India, the exporting organization should provide written authorization (which, under the Rules, may be given by letter, fax or email) permitting the recipient organization in India to process the information. Conversely, on the assumption that “provider” does not encompass natural persons, the Rules do not require written consent where sensitive personal information is obtained directly from individuals.
4. Transparency Requirement. Pursuant to Article 5(3) of the Rules, when collecting personal information directly from natural persons, organizations based in India must provide those individuals with certain information about the processing, including the fact that personal information is being collected, the purpose for which it will be used, the intended recipients, and the name and address of the agency collecting and retaining the information. As noted above, the Rules appear to distinguish between a “provider of personal information” and a “person”; on that reading, the Rules impose this transparency obligation, but not a written consent requirement, where personal information, including sensitive personal information, is collected directly from individuals.
5. Authorization for Third-Party Disclosures. Before an organization in India discloses personal or sensitive personal information to a third party, it must have the prior permission of the “provider” of that information (i.e., the organization that originally supplied it). Alternatively, the Rules allow such onward disclosures to be addressed through contractual arrangements between the provider of the information and the recipient based in India.
6. International Transfers. Under the Rules, organizations based in India may transfer personal information, including sensitive personal information, outside India in two specific situations: (i) where the transfer is necessary for the performance of a contract between the transferring organization and the receiving organization, or (ii) where the individual to whom the information relates has consented to the transfer. In either case, the receiving organization must ensure the same level of data protection as that required by the Rules.
7. Security. The Rules provide that an Indian organization will be deemed to have complied with reasonable security practices and procedures where it has implemented a comprehensive, documented information security program and security policies containing managerial, technical, operational and physical controls commensurate with the information assets being protected and the nature of the business. In the event of a data breach, the organization may be required to demonstrate, upon request, that it has in fact implemented the security controls described in its documentation; a written policy that is not implemented will not satisfy the standard. An organization that has implemented the International Standard IS/ISO/IEC 27001 or an approved industry code of practice is deemed to have complied with reasonable security practices and procedures, provided that its compliance with the standard or code is audited by an independent auditor at least once a year.