Centre for Internet & Society

Preliminary

  1. This Privacy Policy ("Policy") states the internal policy of the Centre for Internet & Society ("CIS") with regard to the collection, storage, security, processing and disclosure of personal data.
  2. This Policy constitutes compliance with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 that were notified by the Central Government in the Gazette of India vide Notification GSR 313(E) on 11 April 2011.

Collection of Personal Data

  1. CIS will not collect any personal data that is not necessary for the achievement of a purpose that is connected to a stated CIS function.
  2. CIS will not collect any personal data without obtaining the prior consent of the person to whom it pertains. CIS may obtain such consent in any manner, and through any medium, but will not employ threats, duress or coercion to obtain such consent.
  3. Personal data collected in respect of a grant of consent by the person to whom it pertains will, if that consent is subsequently withdrawn for any reason, be destroyed or anonymised.

Storage of Personal Data

  1. CIS will not store any personal data for a period longer than is necessary to achieve the purpose for which it was collected, or, if that purpose is achieved or ceases to exist for any reason, for any period following such achievement or cessation.
  2. Any personal data collected in relation to the achievement of a purpose will, if that purpose is achieved or ceases to exist for any reason, be destroyed or anonymised.
  3. CIS may store personal data for a period longer than is necessary to achieve the purpose for which it was collected, or, if that purpose has been achieved or ceases to exist for any reason, for any period following such achievement or cessation, if –
    • the person to whom it pertains grants consent to such storage;
    • it is required to be stored under the provisions of applicable law; or
    • it is the subject of a pending legal proceeding.

Processing of Personal Data

  1. CIS will not process any personal data that is not necessary for the achievement of the purpose for which it was collected unless the person to whom it pertains grants consent to such processing.

Security of Personal Data

  1. CIS will not collect, store or process any personal data in the absence of measures, including, but not restricted to, technological, physical and administrative measures, adequate to secure the confidentiality, secrecy, sanctity and safety of the personal data, including from theft, loss, damage or destruction.

  2. Any person who collects, stores or processes any personal data on behalf of CIS will be subject to a duty of confidentiality and secrecy in respect of it.

  3. CIS will, if the confidentiality, secrecy, sanctity or safety of any personal data collected, stored or processed by CIS is violated by theft, loss, damage or destruction, or as a result of any disclosure contrary to the provisions of this Policy, notify, to the extent possible, the person to whom the personal data pertains.

Disclosure of Personal Data

  1. CIS will not disclose to any person to whom any personal data does not pertain, or otherwise cause any such a person to receive, the content or nature of that personal data, including any other details in respect thereof, unless the person to whom it pertains grants consent to such disclosure. CIS may obtain such consent in any manner, and through any medium, but will not employ threats, duress or coercion to obtain such consent.

  2. CIS may disclose personal data with a person to whom it does not pertain, whether located in India or otherwise, for the purpose only of processing it to achieve the purpose for which it was collected, if such a disclosure is pursuant to an agreement that binds the person receiving it to same or stronger measures in respect of its storage, processing and disclosure as are contained in this Policy.

  3. If the disclosure of any personal data is necessary to –

    • prevent a reasonable threat to national security, defence or public order; or
    • prevent, investigate or prosecute a cognisable offence;
    CIS may, upon receiving an order in writing from a judicial authority or law enforcement officer, disclose the personal data that is the subject of the order without seeking the consent of the person to whom it pertains.
  4. CIS may, to the extent possible, notify the person to whom any personal data pertains of its disclosure and the identity of the person it was disclosed to, and any other details in respect thereof.

Accuracy of Personal Data

  1. CIS will reasonably afford any person whose personal data is collected, stored or processed by CIS the opportunity to review it and, where necessary, rectify anything that is inaccurate or not up to date.