Data Privacy in India and data theft

IIA – Bombay Chapter, August 23, 2012. Amber Gupta, Head - Compliance, Legal & Secretarial, Aditya Birla Money. Data Privacy


New data privacy rules and overview of data protection and data theft protection

Transcript of Data Privacy in India and data theft

Page 1: Data Privacy in India and data theft

IIA – Bombay Chapter

August 23, 2012

Amber Gupta, Head - Compliance, Legal & Secretarial

Aditya Birla Money

Data Privacy

Page 2: Data Privacy in India and data theft

Disclaimer:

“Views expressed here are the views of the individual and do not necessarily reflect the views or policies of the Organization.”


Page 3: Data Privacy in India and data theft

Overview

No specific legislation governing data protection or privacy

The Information Technology Act, 2000 main enactment

The Information Technology (Amendment Act) 2008 [Sec 43A and 72A]

Protection of Sensitive personal data or information

Maintenance of reasonable security practices and procedures

Civil and Criminal liabilities


Page 4: Data Privacy in India and data theft

International privacy laws – some examples

•Federal Data Protection Act, Germany
•Data Protection Act, UK
•Personal Information Protection Act, Japan
•Privacy Act, Australia

•National Privacy Principles for Private Organizations
•Information Privacy Principles for Government Agencies


Page 5: Data Privacy in India and data theft

IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

Government notified the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“SPDI Rules”) on April 11, 2011.

Clarification dated August 24, 2011, that these Rules would apply only to bodies corporate or persons located within India – i.e. they will only apply to Indian companies to the extent they obtain personal data directly and not as part of an outsourced service provision arrangement.


Page 6: Data Privacy in India and data theft

SPDI Rules

Applicability: Any body corporate, or any person who on behalf of a body corporate collects, receives, possesses, stores, deals in or handles sensitive data or information, should adhere to these Rules.

Personal information is defined and shall “mean any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.”


Page 7: Data Privacy in India and data theft

SPDI Rules

Sensitive Personal Data or Information (SPDI) is defined as any information, not freely available, relating to a person’s:

•password
•financial information
•physical, physiological and mental health condition
•sexual orientation
•medical records and history
•biometric information
•any detail relating to the above clauses as provided to a body corporate for providing service or for processing
•any information received under the above clauses by a body corporate for processing, storage or processed under lawful contract or otherwise


Page 8: Data Privacy in India and data theft


POLICY FOR PRIVACY AND DISCLOSURE OF INFORMATION

Provide a privacy policy for handling of or dealing in personal information, including sensitive personal data or information. The policy shall provide for:

•clear and easily accessible statements of its practices and policies;
•type of personal or sensitive personal data or information collected;
•purpose of collection and usage of such information;
•disclosure of information, including sensitive personal data or information;
•reasonable security practices and procedures.

The policy shall be published on the website.

Page 9: Data Privacy in India and data theft


COLLECTION OF INFORMATION

Consent in writing to be obtained.

Information to be collected for a lawful purpose, considered necessary and connected with a function or activity of the body corporate or any person on its behalf. The provider of information is to have:

•knowledge of the fact that the information is being collected,
•the purpose for which the information is being collected,
•the intended recipients of the information,
•the name and address of the agency that is collecting the information, and
•the agency that will retain the information.

Page 10: Data Privacy in India and data theft


COLLECTION OF INFORMATION

The provider of information is permitted to review the information so provided and to correct / amend it if found inaccurate or deficient.

The provider of information has the option:

•not to provide the data or information sought to be collected;
•to withdraw consent given earlier. Such withdrawal of consent shall be sent in writing to the body corporate.

Information is not to be retained for longer than is required for the purposes for which the information may lawfully be used, or as is otherwise required under any other law for the time being in force.

Page 11: Data Privacy in India and data theft


DISCLOSURE OF INFORMATION

•Prior permission to be obtained in case of disclosure to any third party
•Consent not necessary in case of sharing with Government agencies or as mandated under the law
•Not to publish the sensitive personal data or information
•Third party receiving information shall not disclose it further

Page 12: Data Privacy in India and data theft


TRANSFER OF INFORMATION

Conditions:

•The same level of data protection that is adhered to by the body corporate is adhered to by the transferee;
•it is necessary for the performance of the lawful contract between the body corporate (or any person on its behalf) and the provider of information;
•such person has consented to the data transfer.

GRIEVANCE HANDLING

•Designate a Grievance Officer
•Publish his name and contact details on the website
•Grievances to be resolved within one month


Page 14: Data Privacy in India and data theft


REASONABLE SECURITY PRACTICES AND PROCEDURES

Implement security practices and standards:

•IS/ISO/IEC 27001
•Documentation of practices and standards in the form of an information security programme that contains managerial, technical, operational and physical security control measures
•The codes of best practices for data protection (by any industry association or an entity formed by such an association, whose members are self-regulating by following codes of best practices other than IS/ISO/IEC)
•Such standard or codes of best practices to be certified or audited at least once a year through an independent auditor duly approved by the Central Government, or as and when there is a significant upgradation of its process and computer resource.

Page 15: Data Privacy in India and data theft

Data Theft

Unauthorised copying or removal of confidential information; this could be in the form of theft of a customer’s or the company’s proprietary or intellectual property.

Data theft involves issues of copyright violation and violation of privacy under the IT Act 2000, as well as criminal breach of trust and dishonest misappropriation under the Indian Penal Code, 1860.

Section 43(b), read with Section 66 and Sec 379, 405 & 420 of IPC

Section 43(b)

“any person without permission of the owner or any other person who is in-charge of a computer, computer system or computer network downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium”


Page 16: Data Privacy in India and data theft


Penal Provisions

Section: Penal provision

Section 43A (failure to protect data): Damages by way of compensation to the person so affected. •Up to Rs. 5 crore (adjudicating officer) •Above Rs. 5 crore (civil court)

Section 65 (hacking / tampering): Imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Section 66C (identity theft): Imprisonment for a term which may extend to three years, and shall also be liable to fine which may extend to one lakh rupees.

Section 66E (punishment for violation of privacy): Imprisonment which may extend to three years, or with fine not exceeding two lakh rupees, or with both.

Section 67C (preservation and retention of information by intermediaries): Imprisonment for a term which may extend to three years, and shall also be liable to fine.

Page 17: Data Privacy in India and data theft


Penal Provisions

Section: Penal provision

Section 70 (unauthorized access to protected systems): Imprisonment for a term which may extend to 10 years, and shall also be liable to fine.

Section 72 (breach of confidentiality and privacy): Imprisonment for a term which may extend to 2 years, or with fine which may extend to one lakh rupees, or with both.

Section 72A (disclosure of information in breach of lawful contract): Imprisonment for a term which may extend to 3 years, or with fine which may extend to five lakh rupees, or with both.

Section 85 (offences by companies): No express provision vis-à-vis penalties and compensation. Onus is on the company / person responsible.

Page 18: Data Privacy in India and data theft

Case Study

Umashankar Sivasubramaniam case decided against ICICI bank (phishing fraud) (2010)

The Adjudicating Officer held that the Respondent bank had failed to put in place a foolproof Internet Banking system with adequate levels of authentication and validation which would have prevented unauthorised access…. found guilty of the offences made out under section 85 r/w section 43 of the Act.

Award: Rs. 13 lakhs compensation


Page 19: Data Privacy in India and data theft

Case Study

Nasscom vs Ajay Sood & Others (March 2005): the Delhi High Court declared phishing on the internet to be an illegal act, entailing injunction and recovery of damages.

Personal data was illegally collected by misrepresenting the identity of a legitimate party.

DHC held that “misrepresentation made in the course of trade leading to confusion as to the source and origin of the e-mail causing immense harm not only to consumer but even to the person whose name, identity or password is misused”.

Award: Rs. 1.6 million against the defendants


Page 20: Data Privacy in India and data theft

Case Study: M/S JUST DIAL PRIVATE LIMITED vs. M/S INFOMEDIA 18 LIMITED & OTHERS (2010)

Just Dial alleged that their extensive and valuable database was copied by Infomedia 18 Limited on their website askme.in.

Just Dial moved the High Court against ‘ASKME.IN’ for breach of copyright with respect to the database.

Just Dial submitted that Infomedia 18 had substantially copied the database of Just Dial, which was evident from the reproduction of the same mistakes in the database of askme.in. They contended that a minimum of 14 years was spent producing the database and a lot of resources were put in for the same.

The Court granted an ex parte injunction against Infomedia 18, restraining them from infringing the said copyright and from running the website askme.


Page 21: Data Privacy in India and data theft

Thank You
