CIS Para-wise Comments on Draft Reasonable Security Practices Rules, 2011
On February 7th 2011, the Department of Information Technology, MCIT published draft rules on its website (The Information Technology (Reasonable security practices and procedures and sensitive personal information) Rules, 2011) in exercise of the powers conferred by Section 87(2)(ob), read with Section 43A of the Information Technology Act, 2000. Comments were invited from the public before February 25th 2011. Accordingly, Privacy India and Centre for Internet and Society, Bangalore have prepared the following para-wise comments for the Ministry’s consideration.
A. Specific Objections
Sensitive personal data or information.— Sensitive personal data or information of a person shall include information collected, received, stored, transmitted or processed by body corporate or intermediary or any person, consisting of :
Call data records;
We suggest that this list be expanded to include information such as sexual orientation, religion and caste. In addition, “electronic communication records” including emails, chat logs and other communications using a computer should be designated sensitive personal information.
Type of personal or sensitive information collected under sub-rule (ii) of rule 3;
Purpose, means and modes of usage of such information;
Disclosure of information as provided in rule 6
Collection of information.—
(1) Body corporate or any person on its behalf shall obtain consent of the provider of the information regarding purpose, means and modes of uses before collection of such information.
We recommend the substitution of the term “individual to whom the data pertains” instead of the phrase “provider of the information”.
(2) Body corporate or any person on its behalf shall not collect sensitive personal information unless—
the information is collected for a lawful purpose connected with a function or activity of the agency; and
the collection of the information is necessary for that purpose.
We recommend a blanket prohibition of collection of biometric data unless a heightened security interest is demonstrated.
(3) While collecting information directly from the individual concerned, the body corporate or any person on its behalf shall take such steps as are, in the circumstances, reasonable to ensure that the individual concerned is aware of.
We recommend a simpler phrase like “The body corporate.. shall take reasonable steps to inform the individual concerned” instead of the current complex phrasing. Reasonableness has generally been interpreted by courts contextually. For instance, the Supreme Court has remarked, “`Reasonable’ means prima facie in law reasonable in regard to those circumstances of which the actor, called upon to act reasonably, knows or ought to know. See Gujarat Water Supply and Sewage Board v. Unique Erectors (Guj) AIR 1989 SC 973.
(4) Body corporate or any person on its behalf holding sensitive personal information shall not keep that information for longer than is required for the purposes for which the information may lawfully be used.
We recommend that this be converted into a mandatory obligation to delete or anonymise the information collected within a stipulated period (say 6 months) after the expiry of use for which it was collected.
(6) Body corporate or any person on its behalf shall permit the users to review the information they had provided and modify the same, wherever necessary.
Individuals should have the right to review and modify information pertaining to them whether or not they themselves had provided the information to the body corporate. This right should be provided to them wherever the information that pertains to them is incorrect.
(7) Body corporate or any person on its behalf shall provide an option to the provider of the information to opt-in or opt-out.
We recommend that the wording be changed to “individual to whom the data pertains” instead of “provider of information”.