Centre for Internet & Society

On February 7th 2011, the Department of Information Technology, MCIT published draft rules on its website (The Information Technology (Reasonable security practices and procedures and sensitive personal information) Rules, 2011) in exercise of the powers conferred by Section 87(2)(ob), read with Section 43A of the Information Technology Act, 2000. Comments were invited from the public before February 25th 2011. Accordingly, Privacy India and Centre for Internet and Society, Bangalore have prepared the following para-wise comments for the Ministry’s consideration.

A. Specific Objections

Rule 3

Sensitive personal data or information.— Sensitive personal data or information of a person shall include information collected, received, stored, transmitted or processed by body corporate or intermediary or any person, consisting of :

Password;

...

Call data records;

Comment

We suggest that this list be expanded to include information such as sexual orientation, religion and caste. In addition, “electronic communication records” including emails, chat logs and other communications using a computer should be designated sensitive personal information.

Rule 4

Body Corporate to provide policy for privacy and disclosure of information.— (1) The body corporate or any person who on behalf of body corporate collects, receives, possess, stores, deals or handle shall provide a privacy policy for handling of or dealing in user information including sensitive personal information and ensure that the same are available for view by such providers of information who has provided such information under lawful contract. Such policy shall provide for:

  • Type of personal or sensitive information collected under sub-rule (ii) of rule 3;

  • Purpose, means and modes of usage of such information;

  • Disclosure of information as provided in rule 6

Comment

We recommend that the privacy policy be made available for view to all individuals to whom the information held by the body corporate pertains. Currently the privacy policy will only be disclosed to the “providers of information” who may not be the individual concerned directly.

Rule 5

Collection of information.—

(1) Body corporate or any person on its behalf shall obtain consent of the provider of the information regarding purpose, means and modes of uses before collection of such information.

Comment

We recommend the substitution of the term “individual to whom the data pertains” instead of the phrase “provider of the information”.

(2) Body corporate or any person on its behalf shall not collect sensitive personal information unless—

the information is collected for a lawful purpose connected with a function or activity of the agency; and

the collection of the information is necessary for that purpose.

Comment

We recommend a blanket prohibition of collection of biometric data unless a heightened security interest is demonstrated.

(3) While collecting information directly from the individual concerned, the body corporate or any person on its behalf shall take such steps as are, in the circumstances, reasonable to ensure that the individual concerned is aware of.

Comment

We recommend a simpler phrase like “The body corporate.. shall take reasonable steps to inform the individual concerned” instead of the current complex phrasing. Reasonableness has generally been interpreted by courts contextually. For instance, the Supreme Court has remarked, “`Reasonable’ means prima facie in law reasonable in regard to those circumstances of which the actor, called upon to act reasonably, knows or ought to know. See Gujarat Water Supply and Sewage Board v. Unique Erectors (Guj) AIR 1989 SC 973.

(4) Body corporate or any person on its behalf holding sensitive personal information shall not keep that information for longer than is required for the purposes for which the information may lawfully be used.

Comment

We recommend that this be converted into a mandatory obligation to delete or anonymise the information collected within a stipulated period (say 6 months) after the expiry of use for which it was collected.

(6) Body corporate or any person on its behalf shall permit the users to review the information they had provided and modify the same, wherever necessary.

Comment

Individuals should have the right to review and modify information pertaining to them whether or not they themselves had provided the information to the body corporate. This right should be provided to them wherever the information that pertains to them is incorrect.

(7) Body corporate or any person on its behalf shall provide an option to the provider of the information to opt-in or opt-out.

Comment

We recommend that the wording be changed to “individual to whom the data pertains” instead of “provider of information”.

The views and opinions expressed on this page are those of their individual authors. Unless the opposite is explicitly stated, or unless the opposite may be reasonably inferred, CIS does not subscribe to these views and opinions which belong to their individual authors. CIS does not accept any responsibility, legal or otherwise, for the views and opinions of these individual authors. For an official statement from CIS on a particular issue, please contact us directly.