Complying with the Data Privacy Law in India
Rohas Nagpal, Asian School of Cyber Laws
Published in 2012 by Asian School of Cyber Laws. Copyright © 2012 by Asian School of Cyber Laws. All rights reserved.

No part of this book may be reproduced or otherwise used without prior written permission from the author unless such use is expressly permitted by applicable law.

No investigation has been made of common-law trademark rights in any word. Words that are known to have current trademark registrations are shown with an initial capital and are also identified as trademarks. The inclusion or exclusion of any word, or its capitalization, in this book is not, however, an expression of the publisher's opinion as to whether or not it is subject to proprietary rights, nor is it to be regarded as affecting the validity of any trademark.

This book is provided "as is" and Asian School of Cyber Laws makes no representations or warranties, express or implied, either in respect of this book or the software, websites and other information referred to in this book. By way of example, but not limitation, Asian School of Cyber Laws makes no representations or warranties of merchantability or fitness for any particular purpose or that the use of licensed software, database or documentation will not infringe any third party patents, copyrights, trademarks or other right.
Rohas Nagpal

Rohas Nagpal is a lawyer by qualification, a cyber crime investigator by profession, a hacker at heart and a programmer by passion. He advises corporates, law firms, Governments and law enforcement agencies on issues relating to technology law, cyber crime investigation, information warfare and cyber terrorism. He has assisted the Government of India in drafting rules and regulations under the Information Technology Act. He is an active public speaker on technology issues and has addressed thousands of students, law enforcement personnel, lawyers and other professionals around the world.

Rohas conducts training programs in technology law and cyber crime investigation and has authored several books, papers and articles on these topics. He has authored several books in digital forensic investigation, technology law and financial law. One of his publications, the Cyber Crime Investigation Manual, has been referred to as a "bible for cyber crime investigators" by Times of India – the world's largest selling English newspaper. He is also the author of the first ever Commentary on the Information Technology Act.

Papers authored by him include Internet Time Theft & the Indian Law (Bangalore, 2001), Legislative Approach to Digital Signatures (Ecuador, 2001), Indian Legal position on Cyber Terrorism, Encryption and preventive measures (on behalf of the Karnataka Police for Otto Schily, Interior Minister, Federal Republic of Germany), Defining Cyber Terrorism (Nagpur, 2002), The mathematics of terror (Nagpur, 2002) and Cyber Terrorism – A Global Perspective (Spain, 2002).

He has also co-authored an Internet Draft titled Biometric based Digital Signature scheme, which proposes a method of using biometrics to generate keys for use in digital signature creation and verification.

He was part of the team that developed the world's smallest cyber crime investigation device, pCHIP, a Portable Mega Investigation & Forensic Solution. This device is capable of capturing volatile evidence from a live computer, has an easy to use interface, and provides detailed reports.

He is the founder of CyberAttack, an open community working for cyber security. He also maintains www.bugs.ms, a specialized search engine that tracks bugs and vulnerabilities in Microsoft® products. He is also the founder of the proudIndian.me project and the Woman 2.0 Foundation.

He is a member of Information Systems Audit and Control Association (ISACA), International Association for Cryptologic Research (IACR), and a Sustaining Member of the Internet Society (ISOC), which is the organizational home of the Internet Engineering Task Force (IETF), the Internet Architecture Board (IAB), the Internet Engineering Steering Group (IESG), and the Internet Research Task Force (IRTF) - the standards setting and research arms of the Internet community.

In 1999, Rohas Nagpal co-founded Cyber Tribe which today is comprised of 10 organizations - Asian School of Cyber Laws, TechJuris Law Consultants, ASCL Law School, Data64 Techno Solutions Pvt. Ltd., Republic of Cyberia, Association of Digital Forensic Investigators, Security Standards and Controls Development Organization, Corporate Crime Control Organization, Lexcode Regulatory Compliance Technologies Pvt. Ltd. and Data64 Technologies Pvt. Ltd.
Introduction to Data Privacy Law in India
The Data Privacy Law in India is contained primarily in:

1. Section 43A of the Information Technology Act
2. Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
3. Section 72A of the Information Technology Act

This eBook focuses on the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, which came into effect on 11 April, 2011. These are referred to as Data Privacy Rules in this book.

This eBook also provides:

1. Checklists for compliance
2. Sample policy for Customers
3. Sample policy for Employees

Non-compliance with any of the provisions of the data privacy rules is penalized with a compensation / penalty of up to Rs. 25,000 under section 45 of the Information Technology Act.

Additionally, in some cases there may be liability under section 43A of the Information Technology Act. Under the original Information Technology Act, 2000, compensation claims were restricted to Rs. 1 crore. Now claims up to Rs 5 crore are under the jurisdiction of Adjudicating Officers. Claims above Rs 5 crore are under the jurisdiction of the relevant courts.

Additionally, in some cases there may be liability under section 72A of the Information Technology Act. This section provides for imprisonment up to 3 years and / or fine up to Rs 5 lakh.

The Data Privacy Rules relate to information of two primary types:

1. "Personal information" which means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.
2. "Sensitive personal data or information" of a person which means such personal information which consists of information relating to:
   a. password [1];
   b. financial information such as Bank account or credit card or debit card or other payment instrument details;
   c. physical, physiological and mental health condition;
   d. sexual orientation;
   e. medical records and history;
   f. Biometric information [2];
   g. any detail relating to the above clauses as provided to body corporate for providing service; and
   h. any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:
   Sensitive personal data or information does not include any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law.

[1] Password means a secret word or phrase or code or passphrase or secret key, or encryption or decryption keys that one uses to gain admittance or access to information.
[2] Biometrics means the technologies that measure and analyse human body characteristics, such as 'fingerprints', 'eye retinas and irises', 'voice patterns', 'facial patterns', 'hand measurements' and 'DNA' for authentication purposes.

The Data Privacy Rules apply to all those who collect, receive, possess, store, deal or handle information of individuals during the course of commercial or professional activities. These include companies, partnerships, associations, sole proprietorships etc. They also include professionals like doctors, lawyers, chartered accountants etc.

An indicative list of those covered by the Data Privacy Rules includes:

1. Insurance companies in respect of information relating to their customers and employees.
2. Banks in respect of information relating to their customers and employees.
3. Hospitals in respect of information relating to their customers and employees.
4. All business organizations (manufacturing, trading etc) in respect of information relating to their employees.
5. Doctors, stock brokers and chartered accountants in respect of information relating to their clients.
6. Retail stores, restaurants, ecommerce companies that collect payment through debit cards, credit cards etc.
7. Call centers, BPOs, LPOs etc.

All these entities are required by law to provide a data privacy policy on their website. This policy should provide details relating to:

1. clear and easily accessible statements of its practices and policies,
2. type of information collected,
3. purpose of collection and usage of such information,
4. disclosure of information,
5. reasonable security practices and procedures.

All these entities must obtain consent from the provider of the information regarding purpose of usage before collection of such information.

The next few pages contain a sample policy for customers and for employees. These are followed by checklists for compliance.
Privacy Policy (Customers)
To be published on the official website.

Privacy policy for handling of or dealing in personal information including sensitive personal data or information as mandated by Rule 4 of Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

Definitions
For the purposes of this and related documents, unless the context otherwise requires,

1. "Act" means the Information Technology Act, 2000 (21 of 2000);
2. "Biometrics" means the technologies that measure and analyse human body characteristics, such as 'fingerprints', 'eye retinas and irises', 'voice patterns', 'facial patterns', 'hand measurements' and 'DNA' for authentication purposes;
3. "Body corporate" means "______________________________________________";
4. "Cyber incidents" means any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorized access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorisation;
5. "Data" means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer;
6. "Information" includes data, message, text, images, sound, voice, codes, computer programmes, software and data bases or micro film or computer generated micro fiche;
7. "Intermediary" with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes;
8. "Password" means a secret word or phrase or code or passphrase or secret key, or encryption or decryption keys that one uses to gain admittance or access to information;
9. "Personal information" means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.
10. "Sensitive personal data or information of a person" means such personal information which consists of information relating to:
   (i) password;
   (ii) financial information such as Bank account or credit card or debit card or other payment instrument details;
   (iii) physical, physiological and mental health condition;
   (iv) sexual orientation;
   (v) medical records and history;
   (vi) Biometric information;
   (vii) any detail relating to the above clauses as provided to body corporate for providing service; and
   (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:
   provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information.
Declaration under Rule 5 of Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.
Body Corporate makes the following declaration under Rule 5 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011:

1. The sensitive personal data or information (see Annexure 1) is being collected for a lawful purpose (see Annexure 2) connected with a function or activity of Body Corporate or any person on its behalf.
2. The collection of the sensitive personal data or information is considered necessary for the purpose above.
3. Body Corporate shall not retain that information for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force.
4. The information collected shall be used for the purpose for which it has been collected.
5. Body Corporate or any person on its behalf shall permit the providers of information, as and when requested by them, to review the information they had provided and ensure that any personal information or sensitive personal data or information found to be inaccurate or deficient shall be corrected or amended as feasible: provided that Body Corporate shall not be responsible for the authenticity of the personal information or sensitive personal data or information supplied by the provider of information to Body Corporate or any other person acting on behalf of Body Corporate.
6. Body Corporate shall keep the information secure as per security practices and procedures provided in The International Standard IS/ISO/IEC 27001 on Information Technology - Security Techniques - Information Security Management System - Requirements. Any person on behalf of Body Corporate shall keep the information secure as per security practices and procedures provided either in Schedule II of the Information Technology (Certifying Authorities) Rules, 2000 or The International Standard IS/ISO/IEC 27001 on Information Technology - Security Techniques - Information Security Management System - Requirements.
7. Body Corporate shall address any discrepancies and grievances of their provider of the information with respect to processing of information in a time bound manner. For this purpose Body Corporate designates _______________________ as the Grievance Officer. His / her contact number is _________________________ and his / her email address is _____________________. The Grievance Officer shall redress the grievances of provider of information expeditiously but within one month from the date of receipt of grievance.
Declaration under Rule 6 of Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

Body Corporate makes the following declaration under Rule 6 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011:

1. This sensitive personal data or information may be disclosed to any person, if such disclosure is required for a lawful purpose connected with a function or activity of Body Corporate or any person on its behalf.
2. This sensitive personal data or information may be disclosed where the disclosure is necessary for compliance of a legal obligation.
3. This sensitive personal data or information shall be shared, without obtaining prior consent from provider of information, with Government agencies mandated under the law to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences.
4. Body Corporate or any person on its behalf shall not publish the sensitive personal data or information.
5. The third party receiving the sensitive personal data or information from Body Corporate or any person on its behalf under sub-rule (1) shall not disclose it further.
6. This sensitive personal data or information shall be disclosed to any third party by an order under the law for the time being in force.

Declaration under Rule 7 of Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

Body Corporate makes the following declaration under Rule 7 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011:

Body Corporate or any person on its behalf may transfer sensitive personal data or information, including any information, to any other body corporate or a person in India, or located in any other country, that follows the security practices and procedures provided either in Schedule II of the Information Technology (Certifying Authorities) Rules, 2000 or The International Standard IS/ISO/IEC 27001 on Information Technology - Security Techniques - Information Security Management System - Requirements.
Annexure 1

Type of personal or sensitive personal data or information collected under rule 3 of Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

Personal Information:

Sensitive personal data or information:

Annexure 2

Purpose of collection and usage of personal or sensitive personal data or information collected under rule 3 of Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

Consent, in writing through letter or Fax or email, from the provider of the sensitive personal data or information regarding purpose of usage before collection of such information.
1. I understand and I have the knowledge that my sensitive personal data or information is being collected by "________________".
2. I understand and I have the knowledge of the purpose for which my sensitive personal data or information is being collected.
3. I have the knowledge of the intended recipients of the information.
4. I have the knowledge of the name and address of the agency that is collecting the information, and the agency that will retain the information.
5. I understand that I have the option not to provide the data or information sought to be collected by "________________".
6. I permit "________________" or any person on its behalf to transfer sensitive personal data or information to any other body corporate or a person in India, or located in any other country, that follows the security practices and procedures provided either in Schedule II of the Information Technology (Certifying Authorities) Rules, 2000 or The International Standard IS/ISO/IEC 27001 on Information Technology - Security Techniques - Information Security Management System - Requirements.
7. I understand that I also have an option (while availing the services of "________________" or otherwise) to withdraw my consent given earlier to "________________". I understand and accept that such withdrawal of the consent shall be sent in writing to "________________" and in such case "________________" shall have the option not to provide goods or services for which the said information was sought.
Privacy Policy (Employees)

To be published on the official website.
Privacy policy for handling of or dealing in personal information including sensitive personal data or information as mandated by Rule 4 of Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.
Definitions
For the purposes of this and related documents, unless the context otherwise requires,

1. "Act" means the Information Technology Act, 2000 (21 of 2000);
2. "Biometrics" means the technologies that measure and analyse human body characteristics, such as 'fingerprints', 'eye retinas and irises', 'voice patterns', 'facial patterns', 'hand measurements' and 'DNA' for authentication purposes;
3. "Body corporate" means "_____________________________________________";
4. "Cyber incidents" means any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorized access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorisation;
5. "Data" means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer;
6. "Information" includes data, message, text, images, sound, voice, codes, computer programmes, software and data bases or micro film or computer generated micro fiche;
7. "Intermediary" with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes;
8. "Password" means a secret word or phrase or code or passphrase or secret key, or encryption or decryption keys that one uses to gain admittance or access to information;
9. "Personal information" means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.
10. "Sensitive personal data or information of a person" means such personal information which consists of information relating to:
   (i) password;
   (ii) financial information such as Bank account or credit card or debit card or other payment instrument details;
   (iii) physical, physiological and mental health condition;
   (iv) sexual orientation;
   (v) medical records and history;
   (vi) Biometric information;
   (vii) any detail relating to the above clauses as provided to body corporate for providing service; and
   (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:
   provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information.
Declaration under Rule 5 of Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.
Body Corporate makes the following declaration under Rule 5 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011:

1. The sensitive personal data or information (see Annexure 1) is being collected for a lawful purpose (see Annexure 2) connected with a function or activity of Body Corporate or any person on its behalf.
2. The collection of the sensitive personal data or information is considered necessary for the purpose above.
3. Body Corporate shall not retain that information for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force.
4. The information collected shall be used for the purpose for which it has been collected.
5. Body Corporate or any person on its behalf shall permit the providers of information, as and when requested by them, to review the information they had provided and ensure that any personal information or sensitive personal data or information found to be inaccurate or deficient shall be corrected or amended as feasible: provided that Body Corporate shall not be responsible for the authenticity of the personal information or sensitive personal data or information supplied by the provider of information to Body Corporate or any other person acting on behalf of Body Corporate.
6. Body Corporate shall keep the information secure as per security practices and procedures provided in The International Standard IS/ISO/IEC 27001 on Information Technology - Security Techniques - Information Security Management System - Requirements. Any person on behalf of Body Corporate shall keep the information secure as per security practices and procedures provided either in Schedule II of the Information Technology (Certifying Authorities) Rules, 2000 or The International Standard IS/ISO/IEC 27001 on Information Technology - Security Techniques - Information Security Management System - Requirements.
7. Body Corporate shall address any discrepancies and grievances of their provider of the information with respect to processing of information in a time bound manner. For this purpose Body Corporate designates _______________________ as the Grievance Officer. His / her contact number is _________________________ and his / her email address is ____________________. The Grievance Officer shall redress the grievances of provider of information expeditiously but within one month from the date of receipt of grievance.
Declaration under Rule 6 of Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.
Body Corporate makes the following declaration under Rule 6 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011:

1. This sensitive personal data or information may be disclosed to any person, if such disclosure is required for a lawful purpose connected with a function or activity of Body Corporate or any person on its behalf.
2. This sensitive personal data or information may be disclosed where the disclosure is necessary for compliance of a legal obligation.
3. This sensitive personal data or information shall be shared, without obtaining prior consent from provider of information, with Government agencies mandated under the law to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences.
4. Body Corporate or any person on its behalf shall not publish the sensitive personal data or information.
5. The third party receiving the sensitive personal data or information from Body Corporate or any person on its behalf under sub-rule (1) shall not disclose it further.
6. This sensitive personal data or information shall be disclosed to any third party by an order under the law for the time being in force.

Declaration under Rule 7 of Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

Body Corporate makes the following declaration under Rule 7 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011:

Body Corporate or any person on its behalf may transfer sensitive personal data or information including any information, to any other body corporate or a person in India, or located in any other country, that follows the security practices and procedures provided either in Schedule II of the Information Technology (Certifying Authorities) Rules, 2000 or The International Standard IS/ISO/IEC 27001 on Information Technology - Security Techniques - Information Security Management System - Requirements.
Annexure 1

Type of personal or sensitive personal data or information collected under rule 3 of Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

Personal Information

Sensitive personal data or information

Annexure 2

Purpose of collection and usage of personal or sensitive personal data or information collected under rule 3 of Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

Consent, in writing through letter or Fax or email, from the provider of the sensitive personal data or information regarding purpose of usage before collection of such information.
1. I understand and I have the knowledge that my sensitive personal data or information is being collected by "________________".
2. I understand and I have the knowledge of the purpose for which my sensitive personal data or information is being collected.
3. I have the knowledge of the intended recipients of the information.
4. I have the knowledge of the name and address of the agency that is collecting the information, and the agency that will retain the information.
5. I understand that I have the option not to provide the data or information sought to be collected by "________________".
6. I permit "________________" or any person on its behalf to transfer sensitive personal data or information to any other body corporate or a person in India, or located in any other country, that follows the security practices and procedures provided either in Schedule II of the Information Technology (Certifying Authorities) Rules, 2000 or The International Standard IS/ISO/IEC 27001 on Information Technology - Security Techniques - Information Security Management System - Requirements.
7. I understand that I also have an option (while availing the services of "________________" or otherwise) to withdraw my consent given earlier to "________________". I understand and accept that such withdrawal of the consent shall be sent in writing to "________________" and in such case "________________" shall have the option not to provide goods or services for which the said information was sought.
Information Technology Audit & Compliance Checklists
Information Technology Audit & Compliance
Sensitive Personal Data or Information Rules
Checklist Code:
Applicable Law:
(c) 2012 Asian School of Cyber Laws. All rights reserved.
Checklist Number: ITAC-SPDIR-1 - Clear and easily accessible statements of its practices and policies
Primary Law:
Audit Question:
Answer:
Auditor's Comments:
Liability for non-compliance:
Notes:

Checklist Number: ITAC-SPDIR-2 - Type of personal or sensitive personal data or information collected
Primary Law:
Audit Question:
Answer:
Auditor's Comments:
Liability for non-compliance:
Notes:

Checklist Number: ITAC-SPDIR-3 - Purpose of collection and usage of personal information
Primary Law:
Audit Question:
Answer:
Auditor's Comments:
Liability for non-compliance:
Notes:

Checklist Number: ITAC-SPDIR-4 - Disclosure of Information
Primary Law:
Audit Question:
Answer:
Auditor's Comments:
Liability for non-compliance:
Notes:

Checklist Number: ITAC-SPDIR-5 - Reasonable security practices and procedures
Primary Law:
Audit Question:
Answer:
Auditor's Comments:
Liability for non-compliance:
Notes:

Checklist Number: ITAC-SPDIR-6 - Obtaining consent prior to collection of information
Primary Law:
Audit Question:
Answer:
Auditor's Comments:
Liability for non-compliance:
Notes:

Checklist Number: ITAC-SPDIR-7 - Purposes for collection of information
Primary Law:
Audit Question:
Answer:
Auditor's Comments:
Liability for non-compliance:
Notes:

Checklist Number: ITAC-SPDIR-8 - Person concerned has knowledge of information being collected
Primary Law:
Audit Question:
Answer:
Auditor's Comments:
Liability for non-compliance:
Notes:

Checklist Number: ITAC-SPDIR-9 - Retention of information
Primary Law:
Audit Question:
Answer:
Auditor's Comments:
Liability for non-compliance:
Notes:

Checklist Number: ITAC-SPDIR-10 - Usage of information solely for the purpose for which it has been collected
Primary Law:
Audit Question:
Answer:
Auditor's Comments:
Liability for non-compliance:
Notes:

Checklist Number: ITAC-SPDIR-11 - Review and amendment of information
Primary Law:
Audit Question:
Answer:
Auditor's Comments:
Liability for non-compliance:
Notes:

Checklist Number: ITAC-SPDIR-12 - Option to not provide information
Primary Law:
Audit Question:
Answer:
Auditor's Comments:
Liability for non-compliance:
Notes:

Checklist Number: ITAC-SPDIR-13 - Option to provider to withdraw consent
Primary Law:
Audit Question:
Answer:
Auditor's Comments:
Liability for non-compliance:
Notes:

Checklist Number: ITAC-SPDIR-14 - Security of information
Primary Law:
Audit Question:
Answer:
Auditor's Comments:
Liability for non-compliance:
Notes:

Checklist Number: ITAC-SPDIR-15 - Designation of Grievance Officer
Primary Law:
Audit Question:
Answer:
Auditor's Comments:
Liability for non-compliance:
Notes:

Checklist Number: ITAC-SPDIR-16 - Redressal of grievances
Primary Law:
Audit Question:
Answer:
Auditor's Comments:
Liability for non-compliance:
Notes:

Checklist Number: ITAC-SPDIR-17 - Disclosure of information to third parties
Primary Law:
Audit Question:
Answer:
Auditor's Comments:
Liability for non-compliance:
Notes:

Checklist Number: ITAC-SPDIR-18 - Prohibition on publication of information
Primary Law:
Audit Question:
Answer:
Auditor's Comments:
Liability for non-compliance:
Notes:

Checklist Number: ITAC-SPDIR-19 - Disclosure of information by third parties
Primary Law:
Audit Question:
Answer:
Auditor's Comments:
Liability for non-compliance:
Notes:

Checklist Number: ITAC-SPDIR-20 - Transfer of information
Primary Law:
Audit Question:
Answer:
Auditor's Comments:
Liability for non-compliance:
Notes:

Annexure
Section 43A of the Information Technology Act, 2000 (as amended)
Section 45 of the Information Technology Act, 2000 (as amended)
Section 72A of the Information Technology Act, 2000 (as amended)
MINISTRY OF COMMUNICATIONS AND INFORMATION TECHNOLOGY
(Department of Information Technology)
NOTIFICATION
New Delhi, the 11th April, 2011
G.S.R. 313(E).—In exercise of the powers conferred by clause (ob) of sub-section (2) of section 87 read with section 43A of the Information Technology Act, 2000 (21 of 2000), the Central Government hereby makes the following rules, namely:-

1. Short title and commencement — (1) These rules may be called the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.
(2) They shall come into force on the date of their publication in the Official Gazette.

2. Definitions — (1) In these rules, unless the context otherwise requires,-
(a) "Act" means the Information Technology Act, 2000 (21 of 2000);
(b) "Biometrics" means the technologies that measure and analyse human body characteristics, such as 'fingerprints', 'eye retinas and irises', 'voice patterns', 'facial patterns', 'hand measurements' and 'DNA' for authentication purposes;
(c) "Body corporate" means the body corporate as defined in clause (i) of explanation to section 43A of the Act;
(d) "Cyber incidents" means any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorisation;
(e) "Data" means data as defined in clause (o) of sub-section (1) of section 2 of the Act;
(f) "Information" means information as defined in clause (v) of sub-section (1) of section 2 of the Act;
(g) "Intermediary" means an intermediary as defined in clause (w) of sub-section (1) of section 2 of the Act;
(h) "Password" means a secret word or phrase or code or passphrase or secret key, or encryption or decryption keys that one uses to gain admittance or access to information;
(i) "Personal information" means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.
(2) All other words and expressions used and not defined in these rules but defined in the Act shall have the meanings respectively assigned to them in the Act.

3. Sensitive personal data or information.— Sensitive personal data or information of a person means such personal information which consists of information relating to;—
(i) password;
(ii) financial information such as Bank account or credit card or debit card or other payment instrument details;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) Biometric information;
(vii) any detail relating to the above clauses as provided to body corporate for providing service; and
(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:
provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.

4. Body corporate to provide policy for privacy and disclosure of information.— (1) The body corporate or any person who on behalf of body corporate collects, receives, possess, stores, deals or handle information of provider of information, shall provide a privacy policy for handling of or dealing in personal information including sensitive personal data or information and ensure that the same are available for view by such providers of information who has provided such information under lawful contract. Such policy shall be published on website of body corporate or any person on its behalf and shall provide for—
(i) Clear and easily accessible statements of its practices and policies;
(ii) type of personal or sensitive personal data or information collected under rule 3;
(iii) purpose of collection and usage of such information;
(iv) disclosure of information including sensitive personal data or information as provided in rule 6;
(v) reasonable security practices and procedures as provided under rule 8.
5. Collection of information.— (1) Body corporate or any person on its behalf shall obtain consent in writing through letter or Fax or email from the provider of the sensitive personal data or information regarding purpose of usage before collection of such information.
(2) Body corporate or any person on its behalf shall not collect sensitive personal data or information unless —
(a) the information is collected for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf; and
(b) the collection of the sensitive personal data or information is considered necessary for that purpose.
(3) While collecting information directly from the person concerned, the body corporate or any person on its behalf shall take such steps as are, in the circumstances, reasonable to ensure that the person concerned is having the knowledge of —
(a) the fact that the information is being collected;
(b) the purpose for which the information is being collected;
(c) the intended recipients of the information; and
(d) the name and address of — (i) the agency that is collecting the information; and (ii) the agency that will retain the information.
(4) Body corporate or any person on its behalf holding sensitive personal data or information shall not retain that information for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force.
(5) The information collected shall be used for the purpose for which it has been collected.
(6) Body corporate or any person on its behalf permit the providers of information, as and when requested by them, to review the information they had provided and ensure that any personal information or sensitive personal data or information found to be inaccurate or deficient shall be corrected or amended as feasible: Provided that a body corporate shall not be responsible for the authenticity of the personal information or sensitive personal data or information supplied by
the provider of information to such body corporate or any other person acting on behalf of such body corporate.
(7) Body corporate or any person on its behalf shall, prior to the collection of information including sensitive personal data or information, provide an option to the provider of the information not to provide the data or information sought to be collected. The provider of information shall, at any time while availing the services or otherwise, also have an option to withdraw its consent given earlier to the body corporate. Such withdrawal of the consent shall be sent in writing to the body corporate. In the case of provider of information not providing or later on withdrawing his consent, the body corporate shall have the option not to provide goods or services for which the said information was sought.
(8) Body corporate or any person on its behalf shall keep the information secure as provided in rule 8.
(9) Body corporate shall address any discrepancies and grievances of their provider of the information with respect to processing of information in a time bound manner. For this purpose, the body corporate shall designate a Grievance Officer and publish his name and contact details on its website. The Grievance Officer shall redress the grievances of provider of information expeditiously but within one month from the date of receipt of grievance.

6. Disclosure of information.— (1) Disclosure of sensitive personal data or information by body corporate to any third party shall require prior permission from the provider of such information, who has provided such information under lawful contract or otherwise, unless such disclosure has been agreed to in the contract between the body corporate and provider of information, or where the disclosure is necessary for compliance of a legal obligation:
Provided that the information shall be shared, without obtaining prior consent from provider of information, with Government agencies mandated under the law to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences. The Government agency shall send a request in writing to the body corporate possessing the sensitive personal data or information stating clearly the purpose of seeking such information. The Government agency shall also state that the information so obtained shall not be published or shared with any other person.
(2) Notwithstanding anything contained in sub-rule (1), any sensitive personal data or information shall be disclosed to any third party by an order under the law for the time being in force.
(3) The body corporate or any person on its behalf shall not publish the sensitive personal data or information.

(4) The third party receiving the sensitive personal data or information from body corporate or any person on its behalf under sub-rule (1) shall not disclose it further.

7. Transfer of information.— A body corporate or any person on its behalf may transfer sensitive personal data or information including any information, to any other body corporate or a person in India, or located in any other country, that ensures the same level of data protection that is adhered to by the body corporate as provided for under these Rules. The transfer may be allowed only if it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf and provider of information or where such person has consented to data transfer.

8. Reasonable Security Practices and Procedures.— (1) A body corporate or a person on its behalf shall be considered to have complied with reasonable security practices and procedures, if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business. In the event of an information security breach, the body corporate or a person on its behalf shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies.

(2) The international Standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements" is one such standard referred to in sub-rule (1).

(3) Any industry association or an entity formed by such an association, whose members are self-regulating by following other than IS/ISO/IEC codes of best practices for data protection as per sub-rule (1), shall get its codes of best practices duly approved and notified by the Central Government for effective implementation.

(4) The body corporate or a person on its behalf who have implemented either IS/ISO/IEC 27001 standard or the codes of best practices for data protection as approved and notified under sub-rule (3) shall be deemed to have complied with reasonable security practices and procedures provided that such standard or the codes of best practices have been certified or audited on a regular basis by entities through independent auditor, duly approved by the Central Government. The audit of reasonable security practices and procedures shall be carried out by an auditor at least once a year or as and when the body corporate or a person on its behalf undertake significant upgradation of its process and computer resource.
