Source: iiabombaychapter.com/resources/data privacy - by amber gupta.pdf
TRANSCRIPT
IIA – Bombay Chapter
August 23, 2012
Amber Gupta
Head - Compliance , Legal & Secretarial
Aditya Birla Money
Data Privacy
for private circulation only
Disclaimer:
“Views expressed here are the views of the individual and do not necessarily reflect the views or policies of the Organization.”
Overview
No specific legislation governing data protection or privacy
The Information Technology Act, 2000 main enactment
The Information Technology (Amendment) Act, 2008 [Sec 43A and 72A]
Protection of Sensitive personal data or information
Maintenance of reasonable security practices and procedures
Civil and Criminal liabilities
International privacy laws – some examples:
Federal Data Protection Act, Germany
Data Protection Act, UK
Personal Information Protection Act, Japan
Privacy Act, Australia (National Privacy Principles for private organizations; Information Privacy Principles for government agencies)
IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
The Government notified the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“SPDI Rules”) on April 11, 2011.
Clarification dated August 24, 2011: these Rules apply only to bodies corporate or persons located within India, i.e. they apply to Indian companies only to the extent they obtain personal data directly and not as part of an outsourced service provision arrangement.
SPDI Rules
Applicability:
Any body corporate, or any person who on behalf of a body corporate collects, receives, possesses, stores, deals with or handles sensitive personal data or information, should adhere to these Rules.
Personal information is defined to “mean any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.”
SPDI Rules
Sensitive Personal Data or Information (SPDI) defined as
any information, not freely available relating to a person’s
password,
financial information,
physical, physiological and mental health condition,
sexual orientation,
Medical records and history,
biometric information or any
any detail relating to the above clauses as provided to a body corporate for providing service or for processing,
any information received under the above clauses by a body corporate for processing, storage or processed under lawful contract or otherwise
POLICY FOR PRIVACY AND DISCLOSURE OF INFORMATION
Provide a privacy policy for handling of or dealing in personal information, including sensitive personal data or information
The policy shall provide for:
• clear and easily accessible statements of its practices and policies;
• type of personal or sensitive personal data or information collected;
• purpose of collection and usage of such information;
• disclosure of information, including sensitive personal data or information;
• reasonable security practices and procedures
Policy shall be published on website
SPDI Rules
COLLECTION OF INFORMATION
Consent in writing to be obtained
Information collected for a lawful purpose, considered necessary and connected with a function or activity of the body corporate or any person on its behalf.
The provider of information is to have knowledge of:
• the fact that the information is being collected,
• the purpose for which the information is being collected,
• the intended recipients of the information,
• the name and address of the agency that is collecting the information, and
• the agency that will retain the information.
SPDI Rules
COLLECTION OF INFORMATION
The provider of information is permitted to review the information so provided and to correct / amend it if found inaccurate or deficient.
The provider of information has the option:
• not to provide the data or information sought to be collected,
• to withdraw consent given earlier; such withdrawal of consent shall be sent in writing to the body corporate.
Information is not to be retained for longer than is required for the purposes for which the information may lawfully be used, or as is otherwise required under any other law for the time being in force.
SPDI Rules
DISCLOSURE OF INFORMATION
• Prior permission to be obtained in case of disclosure to any third party
• Consent not necessary in case of sharing with Government agencies or as mandated under the law
• Not to publish the sensitive personal data or information
• Third party receiving information shall not disclose it further
SPDI Rules
TRANSFER OF INFORMATION
Conditions:
• The same level of data protection that is adhered to by the body corporate is adhered to by the transferee,
• it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf and the provider of information, or
• such person has consented to the data transfer.
GRIEVANCE HANDLING
• Designate a Grievance Officer
• Publish his name and contact details on the website
• Grievances to be resolved within one month
SPDI Rules
REASONABLE SECURITY PRACTICES AND PROCEDURES
Implement security practices and standards:
• IS/ISO/IEC 27001
• Documentation of practices and standards in the form of an information security programme that contains managerial, technical, operational and physical security control measures
• The codes of best practices for data protection (by any industry association or an entity formed by such an association, whose members are self-regulating by following codes of best practices other than IS/ISO/IEC)
• Such standard or codes of best practices to be certified or audited at least once a year through an independent auditor duly approved by the Central Government, or as and when there is a significant upgradation of its process and computer resource.
SPDI Rules
Data Theft
Unauthorised copying or removal of confidential information
Could be in the form of theft of customer data or of the company’s proprietary information or intellectual property
Data theft involves issues of copyright violation and violation of privacy under the IT Act 2000, as well as criminal breach of trust and dishonest misappropriation under the Indian Penal Code, 1860
Section 43(b) of the IT Act, read with Section 66, and Sections 379, 405 & 420 of the IPC
Section 43(b)
“any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium”
Penal Provisions
Section: penal provision
43A (failure to protect data): damages by way of compensation to the person so affected; up to Rs. 5 crore (adjudicating officer), above Rs. 5 crore (civil court).
65 (tampering with computer source documents): imprisonment up to three years, or fine which may extend up to two lakh rupees, or both.
66C (identity theft): imprisonment for a term which may extend to three years, and shall also be liable to fine which may extend to one lakh rupees.
66E (punishment for violation of privacy): imprisonment which may extend to three years, or fine not exceeding two lakh rupees, or both.
67C (preservation and retention of information by intermediaries): imprisonment for a term which may extend to three years, and shall also be liable to fine.
70 (unauthorized access to protected systems): imprisonment for a term which may extend to 10 years, and shall also be liable to fine.
72 (breach of confidentiality and privacy): imprisonment for a term which may extend to 2 years, or fine which may extend to one lakh rupees, or both.
72A (disclosure of information in breach of lawful contract): imprisonment for a term which may extend to 3 years, or fine which may extend to five lakh rupees, or both.
85 (offences by companies): no express provision vis-à-vis penalties and compensation; onus is on the company / person responsible.
Case Study
Umashankar Sivasubramaniam case decided against ICICI Bank (phishing fraud) (2010)
The adjudicating officer held that the respondent bank had failed to put in place a foolproof Internet banking system with adequate levels of authentication and validation which would have prevented unauthorised access, and found it guilty of the offences made out under section 85 read with section 43 of the Act.
Award: Rs. 13 lakhs compensation
Case Study
Nasscom vs Ajay Sood & Others (March 2005)
The Delhi High Court declared phishing on the internet to be an illegal act, entailing injunction and recovery of damages.
Personal data was illegally collected by misrepresenting the identity of a legitimate party.
The DHC held that “misrepresentation made in the course of trade leading to confusion as to the source and origin of the e-mail causing immense harm not only to consumer but even to the person whose name, identity or password is misused” constitutes phishing.
Award: Rs. 1.6 million against the defendants
Case Study
M/S JUST DIAL PRIVATE LIMITED Vs. M/S INFOMEDIA 18 LIMITED & OTHERS (2010)
JUST DIAL alleged that their extensive and valuable database was copied by Infomedia 18 Limited on their website askme.in.
JUST DIAL moved the High Court against ‘ASKME.IN’ for breach of copyright with respect to the database.
JUST DIAL submitted that Infomedia 18 had substantially copied the database of JUST DIAL, which was evident from the reproduction of the same mistakes in the database of askme.in. They contended that a minimum of 14 years had been spent in producing the database and that a lot of resources had been put into it.
The Court granted an ex parte injunction against Infomedia 18, restraining them from infringing the said copyright and from running the website askme.in.