This document summarizes regulatory compliance under the Information Technology Act, 2000 regarding data protection in India. It discusses key cases related to data protection, the liability of companies under Section 85 of the act, and compensation for failure to protect data under Section 43A. It also examines what constitutes sensitive personal data, reasonable security practices and procedures, roles of adjudicating officers and courts, and guidelines around collection, use and transfer of personal information. Overall, the document provides an overview of the IT Act's provisions for data protection in India.

1. REGULATORY COMPLIANCE UNDER
THE INFORMATION TECHNOLOGY ACT, 2000
ADV. SAGAR RAHURKAR

2. CASES
 Nadeem Kashmiri and HSBC
 Karan Bahree and Mphasis
 My case - Hyundai

3. ISSUES
 Liability of Company (Sec. 85)
 Protection of data – Concern for outsourcing
industry
 Privacy of data – Individual’s concern

4. SEC. 43A – COMPENSATION FOR FAILURE TO
PROTECT DATA
If body corporate, possessing, dealing or
handling any sensitive personal data or
information in a computer resource which it
owns, controls or operates, is negligent in
implementing and maintaining reasonable
security practices and procedures and
thereby causes wrongful loss or wrongful
gain to any person
 Liability
– Damages by the way of
compensation

5. ADJUDICATION
 For claims upto Rs. 5 Crores –
Adjudicating officer
 For claims above Rs. 5 Crores - Civil
courts (Unlimited liability)

6. WHO IS LIABLE?
 Sec.85: Offences by companies
• The company itself, being a legal person;
• The top management including directors; and
• The managers (persons directly responsible for the data)
If it is proved that -
• they had knowledge of contravention; or
• they have not used due diligence
• that it was caused due to their negligence

7. ISSUES
 Whatis Sensitive Personal data or
Information?
 Whatare Reasonable Security
Practices and Procedures?

8. THE SOLUTION
 The Information Technology (Reasonable
security practices and procedures and sensitive
personal data or information) Rules, 2011
 Enforceable from 11th April, 11
 To be read with Sec. 43A

9. SENSITIVE PERSONAL DATA OR
INFORMATION
Passw
ord
Financ Health
ial info
condition
SP
DI
Bio-
metric Health
s Sexual records
orientati
on
Rule 3 - IT (Reasonable security practices and procedures and sensitive personal data or information)
Rules, 2011

10. REASONABLE SECURITY PRACTICES
 Implementing comprehensive documented
information security programme and information
security policies
 Containing –
 Managerial, technical, operational and physical
security control measures commensurate with the
information assets held by the person.
Rule 8 - IT (Reasonable security practices and procedures and sensitive personal data or
information) Rules, 2011

11. REASONABLE SECURITY PRACTICES
 The International Standard IS/ISO/IEC 27001 on
“Information Technology – Security Techniques –
Information Security Management System – Requirements”
is one such standard OR
 If following other than IS/ISO/IEC codes of best practices
for data protection, shall get it duly approved and notified
by the Central Government OR
 An agreement between the parties regarding protection of
“Sensitive Personal Information”

12. AUDITING
 Necessary to get the codes or procedure certified or
audited on regular basis
 Needs to be done by the Government Certified Auditor
 Will be known as “Govt. Certified IT Auditor”
 Not appointed yet
 CERT-IN has empanelled IT Auditors

13. POLICIES/CLAUSES

14. COLLECTION OF INFORMATION
 About obtaining consent of the information provider
 Consent in writing through letter/fax/email from the provider
of the SPDI regarding purpose of usage before collection of
such information
 Need to specify –
 Fact that SPDI is being collected
 What type of SPDI is collected?
 How long SPDI will be held?
Rule 5 - IT (Reasonable security practices and procedures and sensitive personal data or
information) Rules, 2011

15. COLLECTION OF INFORMATION
 Provider should know –
 Purpose of collection
 Intended recipients
 Details of the agency collecting the information and agency
retaining the information
 Body Corporate not to retain information longer than required
 Option should be given to withdraw the information provided
 SPDI shall be used only for the purpose for which it has been
collected
 Shall appoint “Grievance Officer” to address any discrepancies
and grievances about information in a timely manner – Max. time
– One month

16. PRIVACY AND DISCLOSURE OF
INFORMATION POLICY
 Policy about handling of SPDI
 Shall be published on website or should be available to view/inspect @
any time
 Shall provide for –
 Type of SPDI collected
 Purpose of collection and usage
 Clear and easily accessible statements of IT Sec. practices and policies
 Statement that the reasonable security practices and procedures as provided
under rule 8 have been complied
Rule 4 - IT (Reasonable security practices and procedures and sensitive personal data or information)
Rules, 2011

17. DISCLOSURE
 Disclosure –
 Prior permission of provider necessary before disclosure
to third party OR
 Disclosure clause needs to be specified in the original
contract OR
 Must be necessary by law
 Third party receiving SPDI shall not disclose it
further
Rule 6 - IT (Reasonable security practices and procedures and sensitive personal data or information)
Rules, 2011

18. TRANSFER OF INFORMATION
 Transfer to be made only if it is necessary for
performance of lawful contract
 Disclosure clause should be a part of Privacy and
Disclosure Policy
 Transferee to ensure same level of data
protection is adhered while and after transfer
 Details of transferee should be given to provider
Rule 7 - IT (Reasonable security practices and procedures and sensitive personal data or information)
Rules, 2011

19. SEC 72(A) (CRIMINAL OFFENCE)
 Punishment for Disclosure of information in
breach of lawful contract -
 Knowingly or intentionally disclosing “Personal
Information" in breach of lawful contract
 IMP – Follow contract
 Punishment - Imprisonment upto 3 years or fine
up to 5 lakh or with both (Cognizable but Bailable)

20. GRAMM–LEACH–BLILEY ACT (GLBA,
USA)
 Focuses on finance
 Safeguards Rule - Disclosure of Nonpublic Personal
Information
 It requires financial institutions to develop a written information
security plan that describes how the company is prepared for, and
plans to continue to protect clients’ nonpublic personal
information.
 This plan must include –
 Denoting at least one employee to manage the safeguards,
 Constructing a thorough risk analysis on each department handling
the nonpublic information,
 Develop, monitor, and test a program to secure the information, and
 Change the safeguards as needed with the changes in how
information is collected, stored, and used.

21. THE FEDERAL INFORMATION SECURITY
MANAGEMENT ACT OF 2002 (FISMA, USA)
 Focus on economic and national security interests of
the United States
 Emphasized on “risk-based policy for cost-effective
security”
 Responsibility attached to federal agencies, NIST and
the Office of Management and Budget (OMB) to
strengthen information system security
 Not mandatory
 No penalty for non-compliance

22. DATA PROTECTION DIRECTIVE (EU)
 European Union directive regulating the processing of
personal data within the EU
 Protection of individual’s personal data and its free
movement
 Coming soon - European Data Protection Regulation
 Not mandatory
 No penalty for non-compliance

23. PREAMBLE OF THE IT ACT
 Purpose behind enacting IT Act –
 To provide legal recognition to e-commerce
 To facilitate e-governance
 To provide remedy to cyber crimes
 To provide legal recognition to digital evidence
o Preamble doesn’t specify that the Act aims @
establishing IT Security framework in India

24. BENEFITS
 Compliance with legislation
 No liability on organisation
 Increased reliability and security of systems
 Systems rationalization
 Improved management controls
 Improved risk management and contingency
planning

27. GET IN TOUCH
PHONE
+919623444448
EMAIL
CONTACT@SAGARRAHURKAR.COM