India’s new data privacy rules could affect U.S. IT companies
India recently issued new data privacy rules that impose considerable restrictions on how businesses handle personal information. The Information Technology Rules, 2011 (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information), or "Privacy Rules", were issued in April.
The Privacy Rules, which implement an existing law (India’s Information Technology Act, 2008 and its recent amendment in 2008), can significantly affect businesses, including multinational companies with back offices in India, IT and outsourcing companies in India, and overseas companies that contract IT and outsourcing services from Indian companies.
As per the Privacy Rules, organizations must:
- Notify individuals when their personal information is collected, via letter, fax or email;
- Make a privacy policy available;
- Take steps to secure personal information;
- Offer a dispute resolution process related to the collection and use of personal information, etc.
Any personal data collected within India, or moved into or out of India from another country, comes under the purview of the Privacy Rules.
Details of the Privacy Rules:
- The Indian Government has now been empowered to obtain sensitive personal information about individuals from companies without a warrant or the concerned person's consent;
- Provisions for a body corporate or its agents to have a security program and information security policies in place, etc.
There are concerns about the nearly unchecked power of the government to obtain sensitive personal information. Under the current rules, an authority's request for such information must be made in writing, stating the reason for seeking it.
The Privacy Rules define sensitive personal data or information to include personal information relating to:
- Financial information (including bank account and credit card details, etc.)
- Passwords
- Medical records and history
- Physical, physiological and mental health condition
- Sexual orientation
- Biometric information, etc.
Privacy Policy
- Every corporate, person or agent who collects, possesses, stores, deals in or handles information should have in place a privacy policy for handling and/or dealing in personal or sensitive information.
- Such a policy must be consistent with the rules.
- The policy should be made available to providers of information.
- The policy must be published on the website of the corporate.
Prior consent of data providers and use of such data
A body corporate, or any person on its behalf, must not only obtain prior consent in writing (through letter, fax or email) from the provider of sensitive personal data or information, but must also ensure that the information is collected for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf.
Such a body corporate, or any person on its behalf, must also ensure that the person concerned is aware that the information is being collected, of the purpose for which it is being collected, etc.
It is pertinent to note that a holder of sensitive personal data or information must not retain that information for longer than is required for the purposes for which the information may lawfully be used. Also, any collected information may only be used for the purpose for which it was collected.
Data providers shall enjoy the right to review the information that they have provided. They shall also have the right to amend any personal information which they have found to be inaccurate or deficient.
This affects outsourcing providers, who may now need to notify callers to a call center about their data handling practices and obtain consent to handle personal data. Companies may also need to ensure that their clients’ data handling practices match the requirements laid down in the new rules.
Appointment of a Grievance Officer
Data collectors and processors must designate a Grievance Officer and publish his or her name and contact details on their website. The role of the Grievance Officer is to redress grievances of information providers within one month from the date of receipt of each grievance.
Disclosure of data to third parties
To safeguard the interests of data providers, the rules prescribe that disclosure of sensitive personal data or information to any third party requires prior permission from the provider of such information. However, such prior permission is not required if the disclosure has been agreed to in the contract between the body corporate and the provider of information, or where the disclosure is necessary for compliance with a legal obligation.
Transfer of Data
Transfer of sensitive personal data or information may be allowed only if it is necessary for the performance of a lawful contract or where the data provider has consented to such transfer.
A body corporate, or any person on its behalf, may transfer sensitive personal data or information abroad if the foreign country ensures the same level of data protection as is adhered to by the body corporate under the Privacy Rules.
Security program and information security policies
A body corporate, or a person on its behalf, shall be considered to have complied with reasonable security practices and procedures if they have implemented the security practices and standards prescribed under the Privacy Rules. Such security practices and standards include:
- Having in place a comprehensive documented information security program and information security policies;
- The aforesaid program and policies must contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected and the nature of the business.
In the event of an information security breach, the body corporate, or a person on its behalf, shall be required to demonstrate that they have implemented security control measures as per their documented information security program and information security policies.
A body corporate, or a person on its behalf, that has implemented either the IS/ISO/IEC 27001 standard or the codes of best practices for data protection shall be deemed to have complied with reasonable security practices and procedures, provided that such standard or codes of best practices have been certified or audited on a regular basis by an independent auditor duly approved by the federal Government.
Please call/email for more details
Disclaimer:
Published: July 25, 2011. The information provided on this page is intended merely to highlight issues for general information purposes only. It is not comprehensive, nor does it provide legal advice. Any information is subject to change without notice. No liability whatsoever is accepted by Nair & Co.