Published by Enhelion, 2021-11-09 00:59:50

MODULE 6
THE LEGAL CHALLENGES TO INTERNET LAW REGULATION

AND COMPLIANCE IN INDIA

6.1 AN ANALYSIS OF ISSUES UNDER THE INDIAN LAW

The Internet is a new form of media, convenient, fast and economical, and the
dotcom [the commonly used generic term for internet-based ventures] is the
most ubiquitous form of providing content in cyberspace and conducting
Internet-based transactions.

6.2 ‘REGULATION’ AND THE INTERNET

Protection of data over the Internet is the means by which a customer exercises
the right to privacy and ensures that personal data is not handled in any way
contrary to the customer's wishes.1 A customer's security can be breached over
the Internet in various ways, including mismanagement of sensitive personal
information and data leakage.2 The information gathered from consumers is
stored in data clouds managed by both private and public entities; the larger
the collection of data, the larger the security concern it creates and the
higher the protection standard it requires.3 A consumer's

1 CONGRESSIONAL RESEARCH SERVICE, DATA PROTECTION LAW: AN OVERVIEW [2019].
2 Vijay Pal Dalmia, Data Protection Laws In India - Everything You Must Know, MONDAQ [Dec. 13, 2017], https://www.mondaq.com/india/data-protection/655034/data-protection-laws-in-india--everything-you-must-know.
3 Nate Lord, An Expert Guide to Securing Sensitive Data: 34 Experts Reveal the Biggest Mistakes Companies Make with Data Security, DIGITAL GUARDIAN BLOG [Nov. 12, 2018], https://digitalguardian.com/blog/expert-guide-securing-sensitive-data-34-experts-reveal-biggest-mistakes-companies-make-data.


privacy is proportional to the way in which the data is stored, used,
disseminated and destroyed.4
Current legislation governing online data

A. The Information Technology Act, 2000
One of the prime legislations dealing with the regulation of data over online
mediums is the IT Act,5 which contains various rules and regulations to secure
electronic data [including non-electronic data that has already been, is
currently being or will soon be converted into an electronic medium]. Under
the Act, a body corporate that possesses, deals with or handles any sensitive
personal data or information in a computer resource it owns, controls or
operates, and is negligent in implementing and maintaining reasonable security
practices and procedures, thereby causing wrongful loss or wrongful gain to any
person, is liable to pay damages by way of compensation to the person so
affected.6
Additionally, the Central Government, a State Government or any officer
specially authorised by it, if satisfied that it is necessary or expedient to
do so in the interest of the sovereignty or integrity of India, the defence or
security of the State, friendly relations with foreign States or public order,
or for preventing incitement to the commission of any cognizable offence
relating to the above, or for the investigation of any offence, may direct any
agency of the Government to intercept, monitor or decrypt any information
generated, transmitted, received or stored in any computer resource.7

B. The IT [Reasonable Security Practices and Procedures and Sensitive
Personal Data or Information] Rules, 2011

According to the Rules, body corporates that collect, process or disseminate
any kind of personal data, including sensitive personal data, shall adhere to certain

4 Yibin Li et al., Privacy Protection for Preventing Data Over-collection in Smart City, 65 IEEE TRANSACTIONS ON COMPUTERS 1, 1 [2015].
5 The Information Technology Act, 2000, No. 21 of 2000, INDIA CODE [1993].
6 The Information Technology Act, 2000, No. 21 of 2000, INDIA CODE [1993], § 43A.
7 The Information Technology Act, 2000, No. 21 of 2000, INDIA CODE [1993], § 69.


norms and specific procedures.8 The Privacy Rules make it clear that any body
corporate or person that collects sensitive personal data or information must
obtain the consent of the provider of that information in writing [by letter,
fax or email] before collecting it.9
The Privacy Rules also make it compulsory for body corporates that collect,
receive, possess, store, deal with or handle any personal data to draft and
publish a privacy policy covering the protection and disclosure of such data,
and to make that policy available on the body corporate's website.10 In
addition, the provider of the data must be given the option to withdraw
consent even after it has been given.11
GDPR: The Foreign Influence
The GDPR is one of the strongest sets of data protection regulations12 across
the globe; it gives people access to the data held about them and lets them set
limits on what can be done with that data by the entities holding it. The prime
objective of the GDPR is to put in place a uniform data protection framework
across all the members of the European Union, such that all member nations have
a uniform

8 Seema Jhingan et al., Worldwide: An overview of Data Protection Laws in India and the European Union, MONDAQ [Apr. 4, 2018], https://www.mondaq.com/india/data-protection/687750/an-overview-of-data-protection-laws-in-india-and-european-union.
9 INSTITUTE OF MEDICINE, HEALTH DATA IN THE INFORMATION AGE: USE, DISCLOSURE, AND PRIVACY 23 [1994].
10 Zeenat Phophalia, Employee Data Protection In India - What Should Employers Be Aware Of, MONDAQ [Mar. 2, 2016], https://www.mondaq.com/india/data-protection/470538/employee-data-protection-in-india-what-should-employers-be-aware-of.
11 Vinod Joseph et al., A Review of The Information Technology Rules, 2011 Reasonable Security Practices And Procedures And Sensitive Personal Data or Info, MONDAQ [Mar. 19, 2020], https://www.mondaq.com/india/privacy-protection/904916/a-review-of-the-information-technology-rules-2011-.
12 Matt Burgess, What is GDPR? The summary guide to GDPR compliance in the UK, WIRED [Mar. 24, 2020], https://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018.


law governing data over online mediums and there is no need for every country
to have different data protection regulations.
Article 5 of the Regulation sets out seven core principles of this legislative
framework which serve as guidance on handling personal data. The GDPR's seven
principles are: lawfulness, fairness and transparency; purpose limitation;
data minimisation; accuracy; storage limitation; integrity and confidentiality
[security]; and accountability.13
Whether data is obtained or processed improperly, a required data protection
officer is absent from an organisation, or the security systems of an
organisation handling personal data are breached, each such failure can be
fined under the Regulation.
The new proposed legislation in India: PDP Bill, 2019
The Personal Data Protection Bill14 [PDP Bill] is India's first attempt to
regulate the data protection framework domestically and to set up a Data
Protection Authority in the country.15
Under the provisions of the Bill, personal data belonging to individuals cannot
be stored, processed or distributed online without their consent. Only data
whose purpose of use is defined in advance and which is necessary for that
purpose may be processed. Various obligations are imposed on corporates
depending on the volume of data they collect and store from consumers.16
These include security audits at regular intervals, appointment of a data
protection officer, and further obligations set out in the legislation.17

13 Id.
14 The Personal Data Protection Bill, 2019, No. 373, Bills of Parliament, 2019 [India].
15 Rudra Srinivas, All you need to know about India’s first Data Protection Bill, CISOMAG [Jan. 3, 2020],
https://www.cisomag.com/all-you-need-to-know-about-indias-first-data- protection-bill/.
16 Sharda Balaji, Personal Data Protection Bill, 2018 – An overview with brief analysis, NOVOJURIS LEGAL
BLOG [Aug. 21, 2018] https://www.novojuris.com/thought-leadership/personal-data-protection-bill-2018-
an-overview-with-brief-analysis.
17 Id.


The majority of the principles laid down in the two laws are similar in nature.
Even so, there are some differences between the two sets of rules that need to
be discussed. The Bill is clearer than the GDPR about the legal consequences of
withdrawal of consent. Under the GDPR, entities may retain data for longer
periods if it is stored for research purposes,18 but the same cannot be done
under the PDP Bill unless the Data Principal gives explicit consent or the
retention is required for compliance with a law in force at the time.19 While
the Bill allows the regulatory authority to prescribe the manner in which
auditors are to conduct audits, the GDPR is silent on this. On the other hand,
the scope of data to be provided to the authority is narrower under the Bill
than under the GDPR.20

The PDP Bill is one of the primary steps on the path of digital transformation
as well as data protection in India. However, various dimensions of data
protection [such as the segregation of personal data into sensitive personal
data and critical personal data, the treatment of anonymised data, the
conditions for exemption from certain provisions of the PDP Bill, the classes
of significant data fiduciaries [SDFs], the conditions for registration as a
consent manager, and the handling of personal data and sensitive personal data
of children], which will be of prime importance for a

18 James Hutchinson, Document Retention under the GDPR and the Data Protection Act 2018, BEALE AND CO. [Dec. 2018], https://beale-law.com/publications/799-document-retention-under-the-gdpr-and-the-data-protection-act-2018.php.
19 Hari Subramaniam & Aditi Subramaniam, India: Data Protection 2019, INTERNATIONAL COMPARATIVE LEGAL GUIDES [Jul. 3, 2019], https://iclg.com/practice-areas/data-protection-laws-and-regulations/india.
20 Aditi Chaturvedi, Comparison of General Data Protection Regulation and Data Protection Directive, CENTRE FOR INTERNET AND SOCIETY BLOG [Feb. 7, 2017], https://cis-india.org/internet-governance/blog/comparison-of-general-data-protection-regulation-and-data-protection-directive.


productive and flawless implementation of the new regulations, have been left
to the Central Government to prescribe.21
The hope remains that once the Bill takes its final form and is enacted as
full-fledged legislation, it will give organisations sufficient time to adapt
their business methodologies to comply with the new regulations.
A lot has been said, discussed and debated about the Information Technology
Act, 2000 ['the Act'] and how it is expected to give a quantum jump to
e-commerce in India. As originally enacted, however, the Act dealt mainly with
the narrow issue of recognising digital signatures and setting up certifying
authorities to co-ordinate and regulate the process. It was not [and, to be
fair, was not expected to be] a panacea for all the ills and new liability
issues which inevitably arise from the use of the net.

In recent years, governments across the world have made attempts to regulate
the Internet. The common belief that it is unregulated is a fallacy and is
best dispensed with as soon as possible. The three basic categories into which
regulation of the Internet can be classified are:

1. Intellectual property [for example, where copyright law governs the use,
styling, linking and copying of content on a website]

2. Contract law [for example, the scope and enforceability of limitation
and exclusion of liability clauses and unfair contract terms posted on a
website]

21 Radhika Iyer et al., India: The Personal Data Protection Bill, 2019, MONDAQ [Jan. 7, 2020], https://www.mondaq.com/india/data-protection/880766/the-personal-data-protection-bill-2019.


3. State/jurisdictional regulation [issues regarding conflict of laws of
various legal jurisdictions which become involved in any dispute relating
to a transaction over the internet].

6.3 AN EXAMINATION OF THE MAIN ISSUES

6.3.1 INTELLECTUAL PROPERTY ISSUES

Intellectual property rights disputes regarding domain names and cyber-
squatting have been the most visible and possibly the most dramatic part of
cyber-related disputes. But this is not the only area of intellectual property
getting attention in the post-internet era. Data, which is the sine qua non of
websites, is equally vulnerable to intellectual property infringement.

Firstly, content [data] on a website essentially consists of text, graphics,
audio and video files, all of which are protectable as literary, artistic and
cinematograph works and sound recordings under the Indian Copyright Act, 1957.
The first ownership of the copyright vests in the author of the work, unless
the work is made in the course of employment, in which case the employer is the
first owner. The creator or the copyright owner can prevent anyone from
reproducing, distributing, adapting, modifying or disseminating the
copyrighted content without his consent. Secondly, the computer program or
source code which forms the backbone of the website is also protectable as a
'literary work'. Thirdly, the layout and design of the website, if distinctive
in its style, can be protected as what is called 'trade dress'.


A website owner must first ensure that he owns the copyright in all these
elements on the site, so if the website is designed and developed by
employees or consultants, which is almost always the case, the website
owner has to make sure that terms of engagement of the
employee/consultant contain unequivocal and express clauses reserving the
exclusive copyright in the owner.

Once the website is up and running, three issues of copyright protection arise.
• First, the protection of the copyright in the content on your website,
which the website owner owns.
• Second, taking care not to infringe the copyright of other websites on
the net.
• Third, the copyright in content posted on the website by users of the
site.

The first issue concerns the ownership of copyright by the website owner and
has been briefly touched upon above. Under Indian law, copyright vests in the
owner without any mandatory pre-requisite of registration. It follows,
therefore, that to claim ownership of copyright there is no real need to put
the public on notice. Copyright law, in its earlier stages of development,
required the display of a copyright notice as proof of ownership of copyright,
but that requirement was done away with. However, even under the current
legislation, a person who is not aware, and has no reasonable grounds for
believing, that copyright subsists in a work is not liable in damages for
infringement of copyright. In all circumstances, therefore, and considering
that the website is accessible from anywhere in the world, it must, for
abundant caution, be


made clear in the user agreement posted on your website that all copyright
[in content, underlying programs and styling] vests in the website owner and
that any unauthorized download would infringe that copyright.

Downloading: The act of downloading from the internet involves the user making
permanent copies on his hard disk, which amounts to reproduction and,
therefore, infringement if not authorized by the copyright owner. A website
owner may, therefore, permit downloads for personal, non-commercial use and
prohibit further distribution or posting on the internet. Alternatively, the
user must be warned that all copyright notices attached to the files should be
retained at all times on the downloads and on any copies made from them.
Additionally, the user must also be warned that modifying, deleting, editing or
updating content on the website without permission would amount to an
unauthorized activity and be subject to penal consequences. All this has to be
specifically spelt out in the user agreement, which must be clearly brought to
the notice of the user, and the user must be required to 'accept' the terms and
conditions. This is usually done by allowing the user access to the further
pages of the website only after clicking on the 'I accept' button on the home
page of the website [the 'click-through' format].

The second issue is that of the copyright in another website's content. It is
clearly an infringement of another's copyright to copy-paste something from
another website into one's own website without prior consent, licence or
permission. This is rampant on the Internet, and most websites do not even
blink before 'copy-pasting' merrily from other sites, especially if the
website is information-intensive. Needless to say, this is potentially


dangerous. Most people labour under the wrong presumption that the availability
of material on the Internet means that the website is giving tacit permission
and licence to copy and use the content freely. The legal issue which arises
here is whether a website grants an implied licence by providing the
information for public access. This really depends on the terms and conditions
stated in the other website's user agreement; if there is no such express
licence, the presumption that the content is freely available for public use
cannot be drawn.

Linking and framing – Linking [or 'hyper-linking'] involves merely clicking on
one HTML [hypertext mark-up language] link and being taken to another target
web page, which may be on the same website or on a third-party website.
Linking is the raison d'être of the web and allows the user to navigate
seamlessly between documents regardless of their location. A hyperlink is
comparable to a reference or a footnote to the target document.

It is, therefore, imperative that, to avoid problems, the user agreement on a
website must be in a 'click-through' format, where acceptance is required to
access or link to content on your website and the necessary restrictions are
brought to the notice of the user. In the case of commercial links, however,
whether to your website or from it to other websites, an appropriate 'linking
agreement' may be entered into with the other party, which should take into
account the extent and nature of linking, control of trademarks and brands,
and the requirement to remove material on request. Therefore, to avoid
liability for infringement of copyright, consent may be obtained for the use
of third-party data and adequate disclaimers given if and when


linking to other websites. It is also important to give disclaimers for the
content which may be available on other websites, over which the host website
has no control.

Interestingly, the US has enacted legislation [the Digital Millennium Copyright
Act, 1998] which protects online service providers ['OSPs' – equivalent to
internet service providers or 'ISPs'] from liability for copyright
infringement where the OSP refers users to material on third-party websites
via a search engine, a hypertext link or a list of recommended sites. Framing,
however, which is potentially a more dangerous activity, is not protected
under this legislation.

The third issue is regarding content posted or supplied by the user. There
can be a clear term in the user agreement obliging the user to give a
non-exclusive, royalty-free, perpetual licence for information submitted in
the public areas of the website. The user may also be put on notice that the
website will have no liability whatsoever for material posted on the website
over which the website has no control and which cannot be screened before
being posted for public viewing. Such cases have arisen more in the case of
bulletin boards and chat rooms, where the website or an ISP acts as an
intermediary.

6.3.2 THE WEBSITE AS AN INTERMEDIARY

It is very common to have websites [or ISPs which provide access to the
internet], which provide the facility of online bulletin boards or chat rooms
for users to communicate and interact online. There are huge potential
liability issues lurking here.


India's Information Technology Act, 2000 also partially takes this into
account. Section 79 of the Act, as originally enacted, deals with the
exclusion of liability of 'network service providers' for third-party
information, as long as the provider can prove that it exercised due diligence
and had no knowledge of the offence or contravention. 'Network service
provider' is defined to mean an 'intermediary', which as per clause [w] of
Section 2[1] means any person who, on behalf of another person, receives,
stores or transmits an electronic message or provides any service with respect
to that message. This definition would probably include a website or an ISP
providing such services. The onus is, of course, fairly heavy on the
intermediary to prove that it exercised due diligence. It is also arguable
whether this exclusion of liability would extend to violations under ordinary
civil law which do not come within the ambit of 'offences and contraventions'
under the Act, e.g., copyright infringement and defamation. [The 2008
amendment substituted a new Section 79, discussed under 6.5 below.]

6.4 INFORMATION TECHNOLOGY – REGULATORY
COMPLIANCE IN INDIA

6.4.1 THE NEED FOR COMPLIANCE

Banks and other financial institutions collect a huge amount of personal
data, which in legal parlance is known as SPDI [Sensitive Personal Data or
Information]. Banks and other financial institutions are required to comply
with the Information Technology Act, 2000 [as amended in 2008] and its Rules,
which lay down certain procedures to be followed at the time of collection,
transfer and disposal of data, and require relevant security practices and
procedures to be maintained.


This legal compliance document provides you with all the legal provisions
under the Information Technology Act with which a bank or any other financial
institution needs to comply.

6.4.2 PERSONAL AND SENSITIVE PERSONAL DATA OR
INFORMATION DEFINED

As per the "Rules", sensitive personal data or information of a person means
such personal information which consists of information relating to:
• password;
• financial information such as bank account or credit card or debit card or
other payment instrument details;
• physical, physiological and mental health condition;
• sexual orientation;
• medical records and history;
• biometric information;
• any detail relating to the above clauses as provided to a body corporate
for providing service; and
• any of the information received under the above clauses by a body
corporate for processing, stored or processed under lawful contract or
otherwise.
Freely available or accessible information, or information furnished under the
Right to Information Act, 2005 or any other law for the time being in force, is
expressly excluded from the definition.

The “Rules” further defined “Personal information” as any information that
relates to a natural person, which, either directly or indirectly, in
combination with other information available or likely to be available with a
body corporate, is capable of identifying that person.


6.4.3 DATA PRIVACY AND INFORMATION SECURITY

The Information Technology Act places a duty on the organisation to “…
maintain reasonable security practices and procedures” [Section 43A]. The
Act under the Section - “Offences by Companies” [Section 85] – makes it
clear that “… every person who, at the time the contravention was
committed, was in charge of, and was responsible to, the company for the
conduct of business of the company as well as the company…”

The persons responsible may not just be Directors or members of the senior
management, it could be any employee entrusted with the related
responsibility under the Act. It is imperative that all facets of the use of
organisation’s IT resources should be governed by internal IT Use and
Security Policies.

Data protection has now been made more explicit through Section 43A. This
section provides for compensation to an aggrieved person whose personal data,
including sensitive personal data, is compromised while under processing with
a company as a result of the company's negligent failure to implement or
maintain reasonable security practices and procedures.

“Reasonable security practices and procedures” will constitute those
practices and procedures that protect such information from unauthorized
access, damage, use, modification, disclosure, or impairment as may be
specified in an agreement between the parties or as may be specified by any
law in force. In the absence of such an agreement or any law, the central


government will prescribe security practices and procedures in consultation
with professional bodies or associations.

The primary law for data privacy in India is the Information Technology
[Reasonable security practices and procedures and sensitive personal data or
information] Rules, 2011 issued by the Central Government in exercise of
the powers conferred by clause [ob] of subsection [2] of Section 87 read
with Section 43A of the Information Technology Act, 2000.

The data privacy rules define sensitive personal data or information to
include passwords, financial information, physical, physiological and mental
health condition, sexual orientation, medical records and history and
biometric information.

Non-compliance with any provision of the data privacy rules for which no
penalty is separately provided is punishable under Section 45 of the
Information Technology Act with compensation or a penalty of up to Rs. 25,000.

6.4.5 CONFIDENTIALITY AND PRIVACY

Section 72 of the Act of 2000 dealt with breach of confidentiality and privacy
but was restricted to persons who had secured access to an electronic record or
document in pursuance of powers conferred under the Act. The 2008 amendment
added a new Section 72A, which provides for punishment for disclosure of
information in breach of a lawful contract.

Any person including an intermediary who has access to any material
containing personal information about another person, as part of a lawful


contract, and who discloses it without the consent of the person concerned, or
in breach of a lawful contract, with intent to cause or knowing that he is
likely to cause wrongful loss or wrongful gain, will be in breach. Punishment
consists of imprisonment of up to three years, or a fine of up to Rs. 5,00,000,
or both. This may prove to be a strong deterrent to breaching data
confidentiality.

These additions and changes aimed at improving data protection and making
more stringent the punishment for breach of confidentiality might encourage
greater business flow across international borders. Enterprises may become
more confident about their global data traffic coming into or even passing
through India.

6.5 COMPLIANCE FOR THE BANKING INDUSTRY UNDER
“THE INFORMATION TECHNOLOGY ACT, 2000”

1. Retention of electronic records [Section 7]
2. Regular audit of electronic records [Section 7A]
3. Reasonable measures to ensure that its employees do not cause damage to
any computer, computer system, etc. Without the permission of the owner,
they also must not do the following acts [Section 43]:
• Securing access to a computer or computer system
• Downloading, copying or extracting data
• Introducing a computer virus or contaminant
• Damaging or disrupting the computer
• Denying access to any person authorised to access it
• Assisting someone in gaining access to the computer


• Tampering with or manipulating any computer
• Stealing, destroying, deleting or altering any information, or
assisting someone in doing so
4. Compensation for failure to protect data [Section 43A]
5. Furnishing information, records, documents or reports, including books
of accounts, to the concerned authorities [Section 44]
6. Reasonable steps to ensure that its employees do not tamper with
computer source documents [Section 65]
7. Computer related offences [Sections 66A-F]
• Sending offensive messages [Section 66A; struck down as unconstitutional
by the Supreme Court in Shreya Singhal v. Union of India, 2015]
• Dishonestly receiving a stolen computer resource or communication device
[Section 66B]
• Identity theft [Section 66C]
• Cheating by personation using a computer resource [Section 66D]
• Violation of privacy [Section 66E]
• Cyber terrorism [Section 66F]
8. Publishing obscene material [Section 67]
9. Preservation and retention of information by intermediaries [Section
67C]
10. Compliance with directions to monitor and collect traffic data or
information through any computer resource for cyber security
[Section 69B]
11. Compliance with directions of the Indian Computer Emergency Response
Team [CERT-In] in the area of cyber security [Section 70B]
12. Organisations must also take serious note of the following offences:
• Misrepresentation [Section 71]


• Breach of confidentiality and privacy [Section 72]
• Disclosure of information in breach of lawful contract [Section 72A]
• Publishing an Electronic Signature Certificate false in certain
particulars [Section 73]
• Publication of an Electronic Signature Certificate for fraudulent
purposes [Section 74]
13. Intermediary liability [Section 79]: 'Intermediary', with respect to any
particular electronic record, means any person who on behalf of another
person receives, stores or transmits that record or provides any service
with respect to that record, and includes telecom service providers,
network service providers, internet service providers, web-hosting service
providers, search engines, online payment sites, online auction sites,
online marketplaces and cyber cafes. Banks also come under the purview of
an intermediary. As per Section 79 of the IT Act, an intermediary shall not
be liable for any third-party information, data or communication link made
available or hosted by him if the intermediary does not
[i] initiate the transmission,
[ii] select the receiver of the transmission, and
[iii] select or modify the information contained in the transmission,
and the intermediary observes due diligence while discharging his duties
under the Act and also observes such other guidelines as the Central
Government may prescribe in this behalf. The exemption is lost if the
intermediary has conspired, abetted or induced the unlawful act, or fails to
expeditiously remove or disable access to the material after receiving
actual knowledge or notification from the appropriate Government or its
agency.
14. Offences by companies [Section 85]: Every person who, at the time the
contravention was committed, was in charge of, and was responsible to, the
company for the conduct of the business of the company, as well as the
company itself, shall be guilty of the contravention and shall be liable to
be proceeded against and punished accordingly.

He/she will not be punished if he/she proves that the contravention took
place without his/her knowledge or that he/she exercised all due diligence
to prevent it.

If it is proved that the contravention has taken place with the consent or
connivance of, or is attributable to any neglect on the part of, any
director, manager, secretary or other officer of the company, such
director, manager, secretary or other officer shall also be deemed guilty
of the contravention and shall be liable to be proceeded against and
punished accordingly.

6.6 PENALTIES FOR NON -COMPLIANCE OF IT ACT

Legal provision [Information Technology Act, 2000, as amended in 2008] and the
penalty in case of non-compliance:

Section 43A - Compensation for failure to protect data: the body corporate is
liable to pay damages by way of compensation to the person so affected.

Section 44 - Penalty for failure to furnish information, return, etc.:
• Failure to furnish information - not exceeding one lakh fifty thousand
rupees for each failure
• Failure to maintain books of accounts or records - not exceeding ten
thousand rupees for every day during which the failure continues

Section 45 - Residuary penalty: whoever contravenes any rules or regulations
made under this Act, for the contravention of which no penalty has been
separately provided, shall be liable to pay compensation not exceeding
twenty-five thousand rupees to the person affected by such contravention or a
penalty not exceeding twenty-five thousand rupees.

Section 67C - Preservation and retention of information by intermediaries:
imprisonment for a term which may extend to 3 years and also liable to fine.

Section 69 - "Powers to issue directions for interception or monitoring or
decryption of any information through any computer resource", read with the
Information Technology [Procedure and Safeguards for Interception, Monitoring
and Decryption of Information] Rules, 2009: failure to assist the agency
carrying out the direction is punishable with 7 years imprisonment and fine.

Section 69A - "Power to issue directions for blocking for public access of any
information through any computer resource", read with the Information
Technology [Procedure and Safeguards for Blocking for Access of Information by
Public] Rules, 2009: an intermediary failing to comply with the direction is
punishable with 7 years imprisonment and fine.

Section 69B - "Power to authorize to monitor and collect traffic data or
information through any computer resource for Cyber Security", read with the
Information Technology [Procedure and Safeguard for Monitoring and Collecting
Traffic Data or Information] Rules, 2009: an intermediary intentionally or
knowingly contravening the direction is punishable with 3 years imprisonment
and fine.

Section 70B - Indian Computer Emergency Response Team to serve as national
agency for incident response: failure to provide the information called for or
to comply with a direction is punishable with 1 year imprisonment and/or fine
up to Rs 1 lakh.

Section 72A - Punishment for disclosure of information in breach of lawful
contract: imprisonment for a term which may extend to 3 years, or fine which
may extend to five lakh rupees, or both.

Section 85 - Offences by companies: no express provision vis-à-vis penalties
and compensation. However, the onus is on the company and its directors,
secretary and officers to prove their innocence.

6.7 COMPLIANCE UNDER “THE INFORMATION TECHNOLOGY
[REASONABLE SECURITY PRACTICES AND PROCEDURES AND
SENSITIVE PERSONAL DATA OR INFORMATION] RULES, 2011”

1. Rule 4 - Mandatory ‘Privacy Policy’ for handling of or dealing in
personal information including sensitive personal data or information

2. Rule 5 – Collection of information
• Mandatory consent from provider of information while
collecting information
• Disclosure of purpose and intended recipients
• Review of Information by the provider
• Option for the provider of information to pull out
• Duty to keep the information secure
• Mandatory appointment of Grievance Officer to address
complaints

3. Rule 6 – Disclosure of Information
• Disclosure to third parties requires prior consent; third parties
should not disclose it further
• Disclosure to certain Government Agencies mandated under
law without prior permission
• Body corporate should not publish Sensitive Personal
Information / Data

4. Rule 7 – Transfer of Information
• Requires prior consent of provider of information
• Allowed only if it is an obligation under a contract
• Same level of data protection should be ensured

5. Rule 8 - Reasonable security practices and procedures while dealing
with Sensitive Personal Information
• Comprehensive documented information security programme
and information security policies
• International Standard IS/ISO/IEC 27001 on “Information
Technology / Security Techniques / Information Security
Management System” approved as compliant
• Other codes must be duly approved by the Central Government
• Audit ‘reasonable security practices and procedures’ by an
auditor at least once a year or after every significant
upgradation

6.8 COMPLIANCE UNDER “THE INFORMATION TECHNOLOGY
[INTERMEDIARY GUIDELINES] RULES, 2011”

Apart from the aforementioned compliance requirements, “Intermediaries”
must also adhere to the guidelines under Section 79 of the Information
Technology Act. An ‘Intermediary’ shall not knowingly host or publish any
information, and shall not initiate the transmission, select the receiver of
the transmission, or select or modify the information contained in the
transmission. Upon obtaining actual knowledge of a violation, it must act
expeditiously [within thirty-six hours] to remove access to such
information.

An ‘Intermediary’ is under a legal obligation to:

1. publish the terms and conditions of use of its website, user agreement
and privacy policy

2. inform its users that in case of non-compliance with terms, the
Intermediary has the right to immediately terminate the access rights
of the users

3. provide information to government agencies that are lawfully
authorized for investigative, protective, cyber security or intelligence
activity

4. report cyber security incidents and also share cyber security incidents
related information with the Indian Computer Emergency Response
Team.

5. not deploy or install or modify the technological measures which may
change the normal course of operation of the computer resource

6. publish the details of the Grievance Officer on its website and the
designated agent to receive notification of claimed infringements

An ‘Intermediary’ must also notify users of the computer resource not to
host, display, upload, modify, publish, transmit, update, share or store any
information that:

1. belongs to another person
2. is harmful, threatening, abusive, harassing, blasphemous,
objectionable, defamatory, vulgar, obscene, pornographic, pedophilic,
libelous, invasive of another's privacy, hateful, or racially, ethnically
or otherwise objectionable, disparaging, relating or encouraging
money laundering or gambling, or otherwise unlawful in any manner
whatever
3. infringes any patent, trademark, copyright or other proprietary rights
4. violates any law for the time being in force
5. impersonates another person
6. contains software viruses or any other computer code, files or
programs designed to interrupt, destroy or limit the functionality of
any computer resource

6.9 COMPLIANCE UNDER “THE INFORMATION TECHNOLOGY
[PROCEDURE AND SAFEGUARDS FOR INTERCEPTION, MONITORING
AND DECRYPTION OF INFORMATION] RULES, 2009”

1. Rule 13 – Intermediary to provide facilities
The intermediary should extend all facilities, co-operation and
assistance for interception or monitoring or decryption mentioned in
the directions / requisition

2. Rule 14 – Intermediary to designate officers
The intermediary should designate a separate officer to receive
requisitions and to handle requisitions for interception or monitoring or
decryption of information

3. Rule 15 – Acknowledgement of Instructions
The intermediary should acknowledge the instructions received by
way of letters / fax / electronically signed email to the concerned
agencies within two hours of receipt of intimation.

4. Rule 16 – Maintenance of Records by intermediary
The intermediary should maintain proper records mentioning therein,
the intercepted or monitored or decrypted information, the particulars
of persons, computer resource, email account[s], website address, etc.
whose information has been intercepted or monitored or decrypted,
the name and other particulars of the officer or the authority to whom
the intercepted or monitored or decrypted information has been
disclosed, the number of copies, including corresponding electronic
records of the intercepted or monitored or decrypted information
made and the mode or the method by which such copies, including
corresponding electronic record are made, the date of destruction of
the copies, including corresponding electronic record and the duration
within which the directions remain in force.

5. Rule 18 – Submission of list of requisitions / instructions
The intermediary should forward every fifteen days a list of
interception or monitoring or decryption authorizations received by
them during the preceding fortnight to the nodal officers of the
agencies authorized. The list should include details such as the
reference and date of orders of the concerned competent authority
such as Union Home Secretary or Secretary in-charge of the Home
Department in the State Government or Union Territory including
orders issued under emergency cases, date and time of receipt of such
orders and the date and time of implementation of such orders.

6. Rule 19 – Intermediary to ensure effective check on handling of
instructions
The intermediary should provide technical assistance and the
equipment wherever requested by the agency authorized.

7. Rule 20 – Intermediary to ensure effective check on handling of
instructions [Internal Checks]
The intermediary should put in place adequate and effective internal
checks to ensure that unauthorized interception of messages does not
take place, that extreme secrecy is maintained and utmost care and
precaution is taken in the matter of interception or monitoring or
decryption of information as it affects the privacy of citizens, and also that
no other person of the intermediary shall have access to such
intercepted or monitored or decrypted information.

8. Rule 21 – Responsibility of Intermediary
The intermediary is responsible for the actions of its employees as
well. In case of established violations, action should be taken.

6.10 COMPLIANCE UNDER “THE TELECOM COMMERCIAL
COMMUNICATIONS CUSTOMER PREFERENCE REGULATIONS, 2010”

1. Registration of telemarketer
2. Securing registration number
3. Due Payment of Deposit

• The Telemarketer is required to deposit with the Originating
Access Provider an amount of rupees one lakh only [Rs.
1,00,000/-] as refundable security deposit.

• Telemarketer also undertakes to deposit any additional security
deposit.

4. Telemarketer to be responsible for any misuse of telecom resources
allotted to it for the purposes of telemarketing.

5. Telemarketer shall ensure that telecom resources allocated to them for
voice calls are used only for making telemarketing calls.

6. Telemarketers shall also ensure use of correct header for sending
promotional or transactional message.

7. Telemarketer to make necessary arrangements and provisions for
downloading updated data from the National Customer Preference
Register
a. Updation of National Customer Preference Register [“NCPR”]
by Access Providers [Schedule 2 [A]]
• NCPR to be updated with the data received from the
Access Providers twice a week on every Tuesday and
Friday from 0000 Hrs to 0600 Hrs. During this period
NCPR shall not be available for use by the telemarketers
and Access Providers.
• The data shall be available for download by the
telemarketers from 0700 Hrs to 1300 Hrs on every
Tuesday and Friday respectively.
• The telemarketers shall update their national customer
preference data with this data every Tuesday and Friday.
• In order that there is synchronization between the
telemarketers and Access Providers, the data updated and
downloaded on Tuesday will be used from 0000 Hrs of
Wednesday to 2359 Hrs of Friday and the data updated
and downloaded on Friday will be used from 0000 Hrs of
Saturday to 2359 Hrs of Tuesday.

b. Downloading and use of the data from National Customer
Preference Register [Schedule 2 [B]]
• Every registered telemarketer shall be allowed to
download NCPR data from website www.nccptrai.gov.in
• The agency maintaining NCPR should provide unique
user name and password to each Access Provider and
registered telemarketer to download the data from NCPR.
• Every registered telemarketer shall be provided dump of
updated NCPR data by the respective Access Provider.
• The database updated on Tuesday shall be operational
from 0000 Hrs of Wednesday to 2359 Hrs of Friday.
Similarly, the database updated on Friday shall be
operational from 0000 Hrs of Saturday to 2359 Hrs of
Tuesday.

8. Telemarketer to be responsible for maintaining complete
confidentiality of the data downloaded from the National Customer
Preference Register for the purposes of telemarketing.

9. Scrub the telephone number of such subscriber against the database
received from the National Customer Preference Register.

10. Failure to follow the scrubbing process
• Telecom resources allotted shall be disconnected by the Access
Provider from whom the telemarketer has taken the telecom
resource.
• Name shall be entered into the black list maintained by the
agency maintaining the National Telemarketer Register for a
period of two years.

11. Blacklisting of Telemarketer, upon:
• failure to furnish the additional security amount as agreed to by
it in the agreement entered into with the Originating Access
Provider.
• service of the sixth notice in a calendar year by any
Access Provider on such telemarketer for sending unsolicited
commercial communication.

12. The Telemarketer shall obtain the Telecom Resources from a
Licensed Telecom Service Provider only.

13. Formalities pertaining to provision of telecom resources to the
telemarketers
• Telemarketer may apply for telecom resources from one or
more Access Providers.
• Telemarketer to comply with subscriber verification guidelines
issued by Department of Telecommunication.
• In case of promotional message or transactional message,
agreement as stipulated in the regulations must be entered into
by and between the telemarketer and access provider.
• Telecom resources provided to a telemarketer for making voice
calls should not have facility for receiving incoming call and
sending of SMS.
• Telecom resources provided to a telemarketer for sending
transactional message should not have facility for receiving
incoming call or SMS.

14. Use an alpha-numeric identifier for sending commercial communication
in the format having nine alpha-numeric characters and related.

15. Telemarketers to be allotted and should only use “140” number series
for commercial communication.

16. Calls to a subscriber whose telephone number does not appear in the
National Customer Preference Register shall be made only between
0900 Hrs and 2100 Hrs.

17. Not to send commercial communications to any subscriber whose
telephone number appears on the National Customer Preference
Register, except for sending SMS in respect of categories of
preference opted by the customer.

18. Restrictions on ‘Transfer of Registration’ - The Telemarketer shall
not, without the prior written consent of TRAI, either directly or
indirectly, assign or transfer this registration in any manner
whatsoever to a third party or enter into any agreement for sub-leasing
and/or partnership relating to any subject matter of the
registration to any third party either in whole or in part, i.e. no
subleasing/partnership/third party interest shall be created.

19. Requirement to furnish information - The Telemarketer shall furnish
to TRAI, on demand in the manner and as per the time frame such
documents, accounts, estimates, returns, reports or other information
in accordance with the rules/ orders as may be prescribed from time to
time.

20. Prohibition of certain Activities by the Telemarketer
• The Telemarketer shall not engage on the strength of this
registration in the provision of any service other than
telemarketing and/ or requiring separate License / permission.
• Telemarketer will not infringe on the jurisdiction of Licensed
Telecom Service Providers and they shall neither provide
switched telephony nor use telecom resources as Public Call
Office [“PCO”].

21. The Telemarketer shall make available on demand to the person
authorized by TRAI full access to their equipment for technical
scrutiny and for inspection, which can be visual inspection or an
operational inspection.

22. The Telemarketer will ensure that their equipment installations do
not become a safety hazard and are not in contravention of any statute,
rule or regulation and public policy.

23. The Telemarketer shall be required to provide the call data records of
all the specified calls handled by the system at specified periodicity,
as and when required by the security agencies.

24. Wherever considered appropriate, TRAI may conduct any inquiry
either suo motu or on complaint to determine whether there has been
any breach in compliance of the guidelines for registration by the
Telemarketer, and upon such inquiry the Telemarketer shall extend all
reasonable facilities without any hindrance.

25. Suspension or Termination of Registration:
• Telecom Regulatory Authority of India [“TRAI”] reserves the
right to suspend the operation of this registration at any time, if,
in the opinion of TRAI, it is necessary or expedient to do so in
public interest or in the interest of the security of the State or
for the proper conduct of the telegraph. If the situation so
warrants, it shall not be necessary for TRAI to issue a notice for
seeking comments of the Telemarketer for this purpose and the
decision of TRAI shall be final and binding.
• Registration may be terminated for any failure to comply with
the guidelines for Registration of Telemarketer.

26. Liability for making any unsolicited commercial communication,
through the telecom resources allotted to it, to any subscriber whose
telephone number appears in the National Customer Preference
Register
• on the issue of first notice, a sum of rupees twenty-five
thousand only [Rs. 25,000/-] shall be deducted from the security
deposit of the telemarketer.
• on the issue of second notice, a sum of rupees seventy-five
thousand only [Rs. 75,000/-] shall be deducted from the security
deposit.
• on the issue of third notice, a sum of rupees eighty thousand
only [Rs. 80,000/-] shall be deducted from the security deposit.
• on the issue of fourth notice, a sum of rupees one lakh twenty
thousand only [Rs. 120,000/-] shall be deducted from the
security deposit.
• on the issue of fifth notice, a sum of rupees one lakh fifty
thousand only [Rs. 150,000/-] shall be deducted from the
security deposit.
• on the issue of sixth notice, a sum of rupees two lakh fifty
thousand only [Rs. 250,000/-] shall be deducted from the
security deposit.

27. On issue of first notice by the Access Provider to the telemarketer for
sending unsolicited commercial communication to the subscriber
whose telephone number appears in the National Customer Preference
Register, the telemarketer shall deposit additional security amount of
rupees two lakh only [Rs. 2,00,000/-] and on issue of third notice by
the Access Provider to the telemarketer for sending similar unsolicited
commercial communication, the telemarketer shall deposit an
additional security amount of rupees four lakh only [Rs. 4,00,000/-].

28. On failure to deposit the additional security deposit, or where no amount
is available in the security deposit of the telemarketer due to deductions
made, the telecom resources allotted to the telemarketer for the
purposes of telemarketing shall be disconnected and the name of the
telemarketer shall be intimated by the Access Provider to the agency
maintaining the National Telemarketer Register for entering the name
of such telemarketer in the black list; the name of such
telemarketer shall not be removed from the black list before the
completion of the period of two years from the date of entering his
name in such black list, and the registration of the telemarketer shall be
cancelled by TRAI under the provisions of the regulations.

29. In case of issue of sixth notice by the Access Provider to the
telemarketer for sending unsolicited commercial communication as
provided under clause 10[f] of this Agreement, without prejudice to
the amount which shall be deducted from the security deposit of the
telemarketer under clause 10[f], the telecom resources allotted to the
telemarketer shall be disconnected without any further notice. The
Access Provider shall intimate the name of such telemarketer to the
agency maintaining the National Telemarketer Register for entering
the name of the telemarketer in the black list, and the name of such
telemarketer shall not be removed from the black list before the
completion of the period of two years from the date of entering his
name in such black list and the registration of the telemarketer shall be
cancelled by TRAI under the provisions of the regulations.
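
As an added illustration of the scrubbing duties in items 7, 9 and 14 to 17 above (constructed example code written for this module, not text from the Regulations or anything published by TRAI), the following Python routine checks that the downloaded NCPR dump is the operative one for the send time, refuses a send whose originator is outside the “140” series or whose SMS header is not nine alpha-numeric characters, drops registered subscribers unless the message is an SMS in a category they opted into, and holds non-registered numbers to the 0900 Hrs to 2100 Hrs window. The register contents, numbers, dates and the category label "banking" are invented; the regulation's own preference categories are not reproduced.

```python
"""Constructed example: scrubbing a telemarketing send list against downloaded
NCPR data under the timing, window, header and "140"-series rules summarised
in the module.  All numbers, categories and dates are invented."""
from datetime import date, datetime, time
import re

# Constructed NCPR dump: number -> SMS categories the subscriber opted into.
# An empty set is a fully blocked subscriber.
NCPR_DUMP = {
    "9100000001": frozenset(),
    "9100000002": frozenset({"banking"}),
}

HEADER_RE = re.compile(r"[A-Z0-9]{9}")       # nine alpha-numeric characters
CALL_WINDOW = (time(9, 0), time(21, 0))       # 0900 Hrs to 2100 Hrs


def dump_is_operative(downloaded_on: str, when: str) -> bool:
    """Schedule 2 timing: a Tuesday download is operative from Wednesday 0000
    to Friday 2359; a Friday download from Saturday 0000 to Tuesday 2359."""
    dl = date.fromisoformat(downloaded_on)
    age_days = (datetime.fromisoformat(when).date() - dl).days
    if dl.weekday() == 1:                     # Tuesday dump: Wed, Thu, Fri
        return 1 <= age_days <= 3
    if dl.weekday() == 4:                     # Friday dump: Sat, Sun, Mon, Tue
        return 1 <= age_days <= 4
    return False                              # dumps are only issued Tue/Fri


def scrub(recipients, *, kind, sent_at, downloaded_on,
          originator=None, header=None, category=None):
    """Split recipients into (allowed, rejected); rejected maps number -> reason.
    kind is "call" or "sms".  Raises ValueError when the dump is stale or the
    sender identifiers are malformed, so nothing goes out on bad inputs."""
    if kind not in ("call", "sms"):
        raise ValueError("kind must be 'call' or 'sms'")
    if not dump_is_operative(downloaded_on, sent_at):
        raise ValueError("NCPR dump is not operative at the send time")
    if kind == "call" and not (originator or "").startswith("140"):
        raise ValueError('calls must originate from the "140" number series')
    if kind == "sms" and not (header and HEADER_RE.fullmatch(header)):
        raise ValueError("SMS header must be nine alpha-numeric characters")

    send_time = datetime.fromisoformat(sent_at).time()
    allowed, rejected = [], {}
    for number in recipients:
        if number in NCPR_DUMP:
            # Registered subscriber: only an SMS in an opted-in category may pass.
            if kind == "sms" and category in NCPR_DUMP[number]:
                allowed.append(number)
            else:
                rejected[number] = "subscriber registered on NCPR"
        elif not CALL_WINDOW[0] <= send_time <= CALL_WINDOW[1]:
            rejected[number] = "outside 0900-2100 Hrs window"
        else:
            allowed.append(number)
    return allowed, rejected
```

Because the dump-validity and identifier checks raise instead of silently filtering, a job scheduled against a stale dump fails closed, which is the safer behaviour given the notice-and-deduction regime in items 26 to 29 above.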

6.11 ACHIEVING E-SECURITY THROUGH DOCUMENTED
POLICIES

The Policies required to e-secure an organization are listed below:

1. Information and Communication Technology Policy - A policy to
govern the ICT structure of a company by providing the acceptable
standards of IT usage or related services.

2. Privacy Policy - A policy to govern the collection, usage, handling,
processing and disclosure of personal information / data of a
customer. It is like reconciling privacy expectations with privacy
rights.

3. Cyber Law Policy - A policy to seek compliance with the cyber laws
for the time being in force in the Union of India such as the
Information Technology Act, various ‘Rules’ and clarifications.

4. E-Security Policy - A policy to ensure that the basic computer
security [e-security] perimeters, such as firewalls with secure passwords,
correct maintenance of routers, encryption, etc., are well in place.

5. Software Usage Policy - A policy to counter Soft-lifting,
Counterfeiting, Renting, Original equipment manufacturer [“OEM”]
unbundling, Uploading and downloading, Hard disk loading, etc., with
respect to software.

6. Internet Usage Policy - A policy to keep employees in line while
they are online by banning inappropriate sites, prohibiting the wasting of
computer resources, enforcing language guidelines, keeping web copy
clean and using various other measures to secure internet usage.

7. E-Mail Policy - A policy clarifying contentious points like E-Mail
retention and deletion and rules to work by.

8. Cyber Insurance Policy - A policy to govern cyber insurance to help
limit employment practices liability, limit E-mail risks, insure against
Copyright & Trademark Infringement, Patent Infringement, protect
your computer assets and guard against E-Theft, to name a few.

9. E-Writing Policy - A policy formulated for safe and secure electronic
writing, understanding the employees’ electronic writing concerns and
managerial writing, and assessing / addressing employees’ electronic
writing needs.

10. E-Crisis Communications Policy - An e-crisis management policy is a
document prepared on the lines of the long-established formula
‘hoping for the best, preparing for the worst’. The policy lays down
guidelines for assessing the potential for electronic crises and the
methodology to handle the crisis.

6.12 TECHNO-LEGAL COMPLIANCE FOR ORGANIZATIONS –
A DETAILED LOOK

The text enables an organization to conduct a complete Techno-Legal
Compliance assessment with reference to the Information Technology Act,
2000 [Amended in 2008]. With specific regard to the new responsibilities
which arise as a result of the Indian Rules recently issued under Sections 43A
and 79 of the IT [Amendment] Act, Chief Privacy / Security Officers, Data
Protection Managers, In-House Counsel or any other officer designated by
the organization for securing Information and Communications Technology
[ICT] infrastructure security and operations should take strict note of the
following:

1. Retention of Electronic Records [Sec. 7]:
• The documents, records or information must be retained for any
specific period in electronic form, as required by the law for the
time being in force in India.
• The information contained therein remains accessible so as to
be usable for subsequent reference.
• The electronic record is retained in the format in which it was
originally generated, sent or received or in a format which can
be demonstrated to represent accurately the information
originally generated, sent or received.
• The details which will facilitate the identification of the origin,
destination, date and time of dispatch or receipt of such
electronic record are available in the electronic record.

2. Audit of Documents [Sec. 7A]:
• The documents, records or information processed and
maintained in the electronic form have been subjected to an
audit.

• The said audit is performed in a manner required by the specific
law for the time being in force in India.

3. Penalty by way of compensation for Damage to computer,
computer system, etc without permission of the owner [Sec. 43]:
• Securing access to computer or computer system
• Downloading, copying and extracting data
• Introducing computer virus or contaminant
• Damaging or disrupting the computer
• Denying access to any person authorized to do so
• Assisting someone in gaining access to the computer
• Tampering and manipulating any computer
• Stealing, destroying, deleting or altering any information and
assisting someone in doing so

4. Penalty for Failure to protect data [Sec. 43A]:
• The body corporate must not be negligent in implementing and
maintaining reasonable security practices and procedures while
dealing with Sensitive Personal Information
• Please refer to Annexure “A” for a detailed compliance with
rules under this section

5. Penalty for Failure to furnish information, return, etc [Sec. 44]:
• Furnish document, record or report to an authority under legal
obligation as to any law for the time being in force, demanding
so

• File any return as demanded by law or otherwise
• Maintain books of account or records as demanded by law or
otherwise

6. Offences under the Act [Sec. 65 - 74]:
• Tampering with computer source documents; knowingly or
intentionally concealing, destroying or altering computer source
code [Sec. 65]
• Computer related offences – dishonest and fraudulent [Sec. 66]:
• Receiving stolen computer source and Data [Sec. 66B]
• Identity Theft [Sec. 66C]
• Cheating by personation using computer source [66D]
• Violation of privacy [66E]
• Cyber Terrorism [66F]
• Publishing obscene material [Sec. 67]:
• Material with sexually explicit act [Sec. 67A]
• Material with children in sexually explicit act [Sec. 67B]
• Preservation and retention of information by
Intermediaries [Sec. 67C]
• Breach of Confidentiality and Privacy; Confidentiality
regarding accessed electronic record, book, register,
correspondence, information or document without the
permission [Sec. 72]
• Disclosure of information in breach of contract; Information
disclosed in order to cause wrongful gain or wrongful loss [Sec.
72A]

• Publishing false particulars in Electronic Signature Certificate
[Sec. 73]

• Using Electronic Signature Certificate for fraudulent purposes
[Sec. 74]

7. Exemption from liability of intermediaries in certain cases [Sec.
79]:
• Intermediary, with respect to any particular electronic records,
means any person who on behalf of another person receives,
stores or transmits that record or provides any service with
respect to that record, and includes telecom service providers,
network service providers, internet service providers, web-
hosting service providers, search engines, online payment sites,
online-auction sites, online-market places and cyber cafes.
• Please refer to Annexure “B” for a detailed compliance with
rules under this section

8. Abetment of offences: Abetment in consequence of instigation,
conspiracy or aiding [Sec. 84B] AND Attempt to commit offences;
Attempt to commit an offence or attempt to cause an offence to be
committed [Sec. 84C]
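
The retention conditions in item 1 [Sec. 7] and the audit in item 2 [Sec. 7A] above can be made concrete in code. The following is an added example written for this module, not code from the Act, the Rules or any vendor: a small store that keeps each record in the format it was received in together with its origin, destination and dispatch/receipt date, records any format conversion as derived from the original (so the copy can be shown to represent it accurately), refuses to purge before a caller-supplied retention period has run, and an audit function that reports which conditions a record no longer satisfies. Record ids, payloads, addresses, dates and the retention period are invented.

```python
"""Constructed example: an electronic-record store applying the Section 7
retention conditions, with a Section 7A style audit over it.  Payloads,
parties, dates and retention periods are invented."""
import hashlib
from datetime import date, timedelta

# Section 7 (d): details that identify origin, destination and date/time.
REQUIRED_DETAILS = ("origin", "destination", "sent_or_received_at")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def retain(store, record_id, payload, fmt, **details):
    """Keep the record exactly as generated, sent or received (Section 7 (c)),
    with its identifying details (Section 7 (d)).  The digest of the original
    bytes is what lets a later reader show that a retained copy is unchanged."""
    missing = [d for d in REQUIRED_DETAILS if not details.get(d)]
    if missing:
        raise ValueError(f"record lacks required details: {missing}")
    entry = {"id": record_id, "format": fmt, "payload": bytes(payload),
             "digest": sha256_hex(payload), "derived_from": None, **details}
    store[record_id] = entry
    return entry


def add_converted_copy(store, record_id, new_id, new_fmt, convert):
    """A copy in another format is acceptable only if it can be demonstrated to
    represent the original accurately; the copy therefore carries the original's
    digest so the chain back to the retained original is explicit."""
    original = store[record_id]
    new_payload = convert(original["payload"])
    entry = dict(original, id=new_id, format=new_fmt, payload=new_payload,
                 digest=sha256_hex(new_payload), derived_from=original["digest"])
    store[new_id] = entry
    return entry


def purge(store, today, retention_days):
    """Section 7 (a): nothing leaves the store before the required period has
    run from the date of dispatch or receipt.  Returns the ids removed."""
    today = date.fromisoformat(today)
    removed = []
    for rid, entry in list(store.items()):
        kept_since = date.fromisoformat(entry["sent_or_received_at"])
        if kept_since + timedelta(days=retention_days) <= today:
            removed.append(rid)
            del store[rid]
    return removed


def audit(store):
    """Section 7A style check.  Returns (record_id, finding) pairs; an empty
    list means every retained record still satisfies the conditions."""
    findings = []
    digests = {entry["digest"] for entry in store.values()}
    for rid, entry in store.items():
        if sha256_hex(entry["payload"]) != entry["digest"]:
            findings.append((rid, "payload no longer matches its retained digest"))
        if entry["derived_from"] is not None and entry["derived_from"] not in digests:
            findings.append((rid, "converted copy whose original is no longer retained"))
        for d in REQUIRED_DETAILS:
            if not entry.get(d):
                findings.append((rid, f"missing {d}"))
    return findings
```

The store is an in-memory dict for clarity; the same field set and checks apply unchanged to a database or object store, and the audit's findings are what an auditor under Section 7A would expect to see listed per record.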

6.13 NEW [DRAFT] RULES UNDER SECTION 43A OF THE
INFORMATION TECHNOLOGY ACT

6.13.1 THE INFORMATION TECHNOLOGY [REASONABLE
SECURITY PRACTICES AND PROCEDURES AND
SENSITIVE PERSONAL INFORMATION] RULES, 2011

The Central Government has notified draft rules to provide further clarity to
the application of Section 43A of the Indian Information Technology Act,
2000 [Amended in 2008]. These rules may be called the Information
Technology [Reasonable security practices and procedures and sensitive
personal information] Rules, 2011.

6.13.1.1 SECTION 43A - COMPENSATION FOR FAILURE TO
PROTECT DATA

Where a body corporate, possessing, dealing or handling any sensitive
personal data or information in a computer resource which it owns, controls
or operates, is negligent in implementing and maintaining reasonable
security practices and procedures and thereby causes wrongful loss or
wrongful gain to any person, such body corporate shall be liable to pay
damages by way of compensation, to the person so affected.

Explanation: For the purposes of this Section-

[i] "body corporate" means any company and includes a firm, sole
proprietorship or other association of individuals engaged in
commercial or professional activities.

[ii] "reasonable security practices and procedures" means security
practices and procedures designed to protect such information from
unauthorized access, damage, use, modification, disclosure or
impairment, as may be specified in an agreement between the parties
or as may be specified in any law for the time being in force and in the
absence of such agreement or any law, such reasonable security
practices and procedures, as may be prescribed by the Central
Government in consultation with such professional bodies or
associations as it may deem fit.

[iii] "Sensitive personal data or information" means such personal
information as may be prescribed by the Central Government in
consultation with such professional bodies or associations as it may
deem fit.

6.13.1.2 SENSITIVE PERSONAL DATA AND INFORMATION
[RULE 3]

The ‘Rules’ define “Sensitive Personal Data or Information” [Rule 3] as
information collected, received, stored, transmitted or processed by a body
corporate or intermediary or any person, consisting of and relating to:

1. Password
Rule 2 [h] - "Password" means a secret word or phrase or code or
pass phrase or secret key, or encryption or decryption keys that one
uses to gain admittance or access to information;

2. Financial information such as bank account or credit card or debit
card or other payment instrument details

3. Physical, physiological and mental health condition
4. Sexual orientation
5. Medical records and history
6. Biometric information

Rule 2 [b] - "Biometrics" means the technologies that measure and
analyze human body characteristics, such as 'fingerprints', 'eye retinas
and irises', 'voice patterns', 'facial patterns', 'hand measurements' and
'DNA' for authentication purposes;

7. Any detail relating to the above clauses as provided to body corporate
for providing service

8. The information received under above clauses by body corporate for
processing, stored or processed under lawful contract or otherwise

Rule 3 further excludes any information that is freely available or accessible
in the public domain, or accessible under the Right to Information Act, 2005 or
any other law for the time being in force within the territory of the Union of
India, from being treated as sensitive personal data or information for the
purposes of these rules.

6.13.2 MANNER IN WHICH INFORMATION MUST BE
COLLECTED [RULE 5]

Rule 5 lists in detail the mode and manner in which the information
must be collected. The list is as follows:

1. Body corporate or any person on its behalf shall obtain consent in
writing through letter or Fax or email from the provider of the
sensitive personal data or information regarding purpose of usage
before collection of such information.
2. Body corporate or any person on its behalf shall not collect sensitive
personal data or information unless —
(a) the information is collected for a lawful purpose connected with
a function or activity of the body corporate or any person on its
behalf; and
(b) the collection of the sensitive personal data or information is
considered necessary for that purpose.
3. While collecting information directly from the person concerned, the
body corporate or any person on its behalf should take such steps as
are, in the circumstances, reasonable to ensure that the person
concerned is having the knowledge of —
(a) the fact that the information is being collected;
(b) the purpose for which the information is being collected;
(c) the intended recipients of the information; and
(d) the name and address of —
(i) the agency that is collecting the information; and
(ii) the agency that will retain the information.
4. Body corporate or any person on its behalf holding sensitive personal
data or information shall not retain that information for longer than is
required for the purposes for which the information may lawfully be
used or is otherwise required under any other law for the time being in
force.
5. The information collected shall be used for the purpose for which it
has been collected.

6. Body corporate or any person on its behalf shall permit the providers of
information, as and when requested by them, to review the
information they had provided and ensure that any personal
information or sensitive personal data or information found to be
inaccurate or deficient shall be corrected or amended as feasible:
Provided that a body corporate shall not be responsible for the
authenticity of the personal information or sensitive personal data or
information supplied by the provider of information to such body
corporate or any other person acting on behalf of such body corporate.

7. Body corporate or any person on its behalf shall, prior to the
collection of information including sensitive personal data or
information, provide an option to the provider of the information
not to provide the data or information sought to be collected. The
provider of information shall, at any time while availing the services
or otherwise, also have an option to withdraw its consent given earlier
to the body corporate. Such withdrawal of the consent shall be sent in
writing to the body corporate. In the case of the provider of information
not providing or later on withdrawing his consent, the body corporate
shall have the option not to provide goods or services for which the
said information was sought.

8. Body corporate or any person on its behalf shall keep the information
secure as provided in Rule 8.

9. Body corporate shall address any discrepancies and grievances of
their provider of the information with respect to processing of
information in a time bound manner. For this purpose, the body
corporate shall designate a Grievance Officer and publish his name
and contact details on its website. The Grievance Officer shall redress
the grievances of the provider of information expeditiously but within one
month from the date of receipt of grievance.
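The nine obligations above translate into checks that a system holding sensitive personal data can enforce at collection time rather than leave to policy documents. The consent ledger below is an added illustration written for this module; it is not code from the Rules or from any body corporate, and the class and method names, the constructed sample records, and the reading of "one month" as 30 days are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Rule 5(1): consent must be obtained "in writing through letter or Fax or email".
WRITTEN_CHANNELS = {"letter", "fax", "email"}
# Rule 5(9): "within one month" is read here as 30 days (assumption).
GRIEVANCE_SLA = timedelta(days=30)


@dataclass
class ConsentRecord:
    """What the provider of information was told and agreed to (Rule 5(1), 5(3))."""
    provider_id: str
    purpose: str                # lawful purpose connected with a function of the body corporate
    channel: str                # letter / fax / email
    collected_on: date
    recipients: List[str]       # intended recipients disclosed to the provider
    collecting_agency: str      # name of the agency collecting the information
    retaining_agency: str       # name of the agency that will retain it
    retention_days: int         # how long the stated purpose needs the data
    data: Dict[str, str] = field(default_factory=dict)
    withdrawn_on: Optional[date] = None


class ConsentLedger:
    """Minimal ledger that enforces the Rule 5 obligations (hypothetical design)."""

    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}
        self._grievances: Dict[str, date] = {}  # grievance id -> date received

    def collect(self, rec: ConsentRecord, opted_out: bool = False) -> bool:
        """Rule 5(1)-(3), 5(7): written consent for a stated purpose, provider told
        recipients and agencies, and no collection if the provider opted out."""
        if opted_out:
            return False
        if rec.channel not in WRITTEN_CHANNELS:
            raise ValueError(f"consent channel {rec.channel!r} is not in writing")
        if not rec.purpose:
            raise ValueError("a lawful purpose must be stated before collection")
        if not (rec.recipients and rec.collecting_agency and rec.retaining_agency):
            raise ValueError("provider must be told recipients and agency names")
        self._records[rec.provider_id] = rec
        return True

    def withdraw(self, provider_id: str, on: date, in_writing: bool = True) -> bool:
        """Rule 5(7): consent may be withdrawn at any time, but only in writing."""
        if not in_writing:
            return False
        self._records[provider_id].withdrawn_on = on
        return True

    def may_serve(self, provider_id: str) -> bool:
        """Rule 5(7): after opt-out or withdrawal the body corporate may decline service."""
        rec = self._records.get(provider_id)
        return rec is not None and rec.withdrawn_on is None

    def review(self, provider_id: str) -> Dict[str, str]:
        """Rule 5(6): the provider may review the information held about them."""
        return dict(self._records[provider_id].data)

    def correct(self, provider_id: str, field_name: str, value: str) -> None:
        """Rule 5(6): inaccurate or deficient information is corrected on request."""
        self._records[provider_id].data[field_name] = value

    def purge_expired(self, today: date, other_law_days: int = 0) -> List[str]:
        """Rule 5(4): keep data no longer than the purpose, or another law, requires.
        Returns the ids of the records that were purged."""
        purged = []
        for pid, rec in list(self._records.items()):
            if rec.withdrawn_on is None:
                keep_until = rec.collected_on + timedelta(days=max(rec.retention_days, other_law_days))
            else:  # consent withdrawn: only a statutory period justifies keeping it
                keep_until = rec.withdrawn_on + timedelta(days=other_law_days)
            if today > keep_until:
                purged.append(pid)
                del self._records[pid]
        return purged

    def log_grievance(self, grievance_id: str, received_on: date) -> None:
        """Rule 5(9): grievances are logged for the designated Grievance Officer."""
        self._grievances[grievance_id] = received_on

    def overdue_grievances(self, today: date) -> List[str]:
        """Rule 5(9): grievances not redressed within the one-month window."""
        return [g for g, d in self._grievances.items() if today > d + GRIEVANCE_SLA]


def demo() -> Dict[str, object]:
    """Walk-through on constructed sample data (not real records)."""
    ledger, out = ConsentLedger(), {}
    agency = "Example Bank Ltd"  # constructed name
    rec = ConsentRecord("prov-1", "KYC verification", "email", date(2021, 1, 1),
                        ["compliance-team"], agency, agency, 365, {"id_number": "XXXX0000X"})
    out["collected"] = ledger.collect(rec)
    out["opted_out_collected"] = ledger.collect(ConsentRecord(
        "prov-2", "KYC verification", "email", date(2021, 1, 1),
        ["compliance-team"], agency, agency, 365), opted_out=True)
    try:  # oral consent over the phone is not consent "in writing"
        ledger.collect(ConsentRecord("prov-3", "KYC verification", "phone",
                                     date(2021, 1, 1), ["compliance-team"], agency, agency, 365))
        out["oral_consent_rejected"] = False
    except ValueError:
        out["oral_consent_rejected"] = True
    ledger.correct("prov-1", "id_number", "YYYY1111Y")
    out["reviewed"] = ledger.review("prov-1")
    out["oral_withdrawal"] = ledger.withdraw("prov-1", date(2021, 3, 1), in_writing=False)
    out["written_withdrawal"] = ledger.withdraw("prov-1", date(2021, 3, 1))
    out["may_serve_after_withdrawal"] = ledger.may_serve("prov-1")
    ledger.log_grievance("g-1", date(2021, 3, 1))
    out["overdue_on_mar_15"] = ledger.overdue_grievances(date(2021, 3, 15))
    out["overdue_on_apr_15"] = ledger.overdue_grievances(date(2021, 4, 15))
    # a hypothetical 90-day statutory retention period survives withdrawal ...
    out["purged_day_60"] = ledger.purge_expired(date(2021, 4, 30), other_law_days=90)
    out["purged_day_91"] = ledger.purge_expired(date(2021, 5, 31), other_law_days=90)
    return out
```

The ledger treats withdrawal and retention as linked: once consent is withdrawn, only a retention period imposed by another law (Rule 5(4)'s "otherwise required under any other law") justifies holding the data, and a purge run after that period removes it. The opt-out and withdrawal paths return rather than raise, because the body corporate's remedy under Rule 5(7) is to decline the service, not to reject the request.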

6.13.3 REASONABLE SECURITY PRACTICES AND PROCEDURES [RULE 8]

The long-awaited question of what counts as "Reasonable Security Practices
and Procedures" is also addressed in considerable detail in the 'Rules'.

1. A body corporate or a person on its behalf shall be considered to have
complied with reasonable security practices and procedures, if they
have implemented such security practices and standards and have a
comprehensive documented information security programme and
information security policies that contain managerial, technical,
operational and physical security control measures that are
commensurate with the information assets being protected with the
nature of business.

2. The International Standard IS/ISO/IEC 27001 on "Information
Technology - Security Techniques - Information Security
Management System - Requirements" is one such standard referred to
in sub-rule [1].

3. The body corporate or a person on its behalf who have implemented
either IS/ISO/IEC 27001 standard or the codes of best practices for
data protection as approved and notified under sub-rule [3] shall be
deemed to have complied with reasonable security practices and
procedures provided that such standard or the codes of best practices
have been certified or audited on a regular basis by entities through an
independent auditor, duly approved by the Central Government. The
audit of reasonable security practices and procedures shall be carried
out by an auditor at least once a year or as and when the body
corporate or a person on its behalf undertakes significant upgradation
of its process and computer resource.
4. The International Standard IS/ISO/IEC 27001 on "Information
Technology / Security Techniques / Information Security
Management System" has been adopted by the country. Industry
associations or industry clusters that follow other codes [other than
IS/ISO/IEC 27001] of best practices for data protection and fulfil
the preliminary requirement must get their codes of best practices
approved by the government.
5. The rule further provides that in the event of an information security
breach, any such person, including the body corporate, shall be
required to demonstrate that they have implemented security control
measures as per their documented information security programmes
and information security policies.

6.13.4 PRIVACY POLICY AND EXTENT OF DISCLOSURE [RULE 4]

Rule 4 of the 'Rules' requires the body corporate to provide a privacy
policy and further describes the extent to which disclosure of information
can take place. The rule provides that the body corporate or any person who
on behalf of the body corporate collects, receives, possesses, stores, deals in or
handles information of a provider of information shall provide a privacy policy
for handling of or dealing in personal information including sensitive
personal data or information, and ensure that the same is available for view
by such providers of information who have provided such information under
lawful contract. Such policy shall be published on the website of the body corporate
or any person on its behalf and shall provide for:

1. Clear and easily accessible statements of its practices and policies
2. Type of personal or sensitive personal data or information collected
under Rule 3
3. Purpose of collection and usage of such information
4. Disclosure of information including sensitive personal data or
information as provided in Rule 6
5. Reasonable security practices and procedures as provided under Rule 8

6.13.5 DISCLOSURE TO THIRD PARTIES [RULE 6]

The 'Rules' lay down the methodology to be followed in order to lawfully
disclose information to third parties. Disclosure of information by the body
corporate to any third party shall require the prior permission of the
provider of such information. The information shall, however, be provided to
government agencies for the purpose of verification of identity, or for
prevention, detection, investigation, prosecution and punishment of
offences; the government agency shall send a written request stating clearly
the purpose of seeking such information.

Other sub-rules state that:

1. Information shall be disclosed to any third party by an order under the
law for the time being in force.

2. The body corporate or any person on its behalf shall not publish the
sensitive personal information.

3. The third party receiving the information from body corporate shall
not disclose it further.

6.13.6 TRANSFER OF INFORMATION [RULE 7]

A body corporate or any person on its behalf may transfer sensitive personal
data or information, including any information, to any other body corporate
or a person in India, or located in any other country, that ensures the same
level of data protection that is adhered to by the body corporate as provided
for under these Rules. The transfer may be allowed only if it is necessary for
the performance of the lawful contract between the body corporate or any
person on its behalf and the provider of information, or where such person has
consented to the data transfer.

6.14 NEW [DRAFT] RULES UNDER SECTION 79 OF THE
INFORMATION TECHNOLOGY ACT: THE INFORMATION
TECHNOLOGY [DUE DILIGENCE OBSERVED BY
INTERMEDIARIES GUIDELINES] RULES, 2011
