An Overview of the Protection of Sensitive Personal Data
In the digital age, where data has become the new oil, the protection of sensitive personal data is paramount. Indian IT law addresses it in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, enacted under Section 43A of the Information Technology Act, 2000.
What Constitutes Sensitive Personal Data?
As per Rule 3 of the IT Rules, 2011, sensitive personal data includes information relating to:
Passwords
Financial information such as bank account, credit or debit card details
Physical, physiological, and mental health conditions
Sexual orientation
Medical records and history
Biometric information
It's important to note that any information freely available or accessible in the public domain doesn't fall under the ambit of "sensitive personal data".
Regulations Imposed on the Collectors of Sensitive Personal Data
The collectors of sensitive personal data must comply with the IT Rules, 2011. The key obligations include:
Privacy Policy: As per Rule 4, the entity collecting the information must have a privacy policy available for view by providers of information.
Collection Limitation: Rule 5(1) states that data must be collected only for a lawful and necessary purpose related to a function or activity of the collector.
Consent: Rule 5(2) mandates obtaining consent from the provider of the information regarding the purpose of usage before collection.
Security Safeguards: Rule 8 requires the body corporate or any person acting on behalf of it to maintain reasonable security practices to protect the information from unauthorised access, damage, use, modification, disclosure or impairment.
Grievance Redressal Mechanism: Rule 5(9) requires an entity to address the grievances of the data provider within one month of receiving the complaint.
Violations and Penalties
Any negligence in implementing and maintaining reasonable security practices that results in wrongful loss or wrongful gain to any person will lead to compensation being payable to the affected person under Section 43A of the IT Act, 2000. However, the Act prescribes no upper limit for the compensation.
Landmark Cases Related to Data Protection
Aadhaar Case (Justice K.S. Puttaswamy (Retd.) vs Union Of India): This landmark judgement by the Supreme Court of India recognised the fundamental right to privacy and emphasised the need for a robust data protection regime.
Shreya Singhal vs Union Of India: The Supreme Court reiterated the importance of informational privacy and held that sharing of data without the individual's consent would infringe the individual's right to privacy.
Conclusion: Protection of Sensitive Personal Data
In conclusion, the protection of sensitive personal data is an integral part of the legal framework in India. Compliance with the provisions set out in the IT Rules, 2011, can help in fostering a safer and more secure digital environment. In this era of digitalisation, understanding these regulations, obligations, and penalties is essential for both individuals and entities dealing with sensitive personal data.