Data Privacy Law - Slides - Association of Corporate Counsel

India Data Privacy Law –
Its impact on Business Ecosystem
Shivaji Rao,
Regional General Counsel,
Asia PAC and Sub-Saharan Africa,
John Deere.
Data Privacy & Data Security Law in India
Information Technology Act (2000) & (2008)
Information Technology (Reasonable Security Practices and Procedures and
Sensitive Personal Data or Information) Rules, 2011
Press Note Technology (Clarification on Privacy Rules) August 2011
Credit Information Companies (Regulation) Act, 2005
Credit Information Companies Regulations, 2006
Credit Information Companies Rules, 2006
Information Technology Act (2000), (2008) & 2011 Rules
Important Definitions
Personal information: any information that relates to a natural person, which either directly or indirectly, in combination with other information available or likely to be available with a corporate entity, is capable of identifying such person.
Sensitive personal data:
(i) password;
(ii) financial information e.g. bank account/credit or debit card or other payment instrument details;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) biometric information;
(vii) any detail relating to the above clauses as provided to a corporate entity for providing services; and
(viii) any of the information received under the above clauses for storing or processing under lawful contract or otherwise.
(A business entity cannot collect SPD unless it obtains the prior consent of the provider of the information. Consent must be provided by letter, fax or email.)
Information Technology Act (2000), (2008) & 2011 Rules
Important Provisions
Consent: Rule 5 provides that a body corporate or any person on its behalf must obtain consent in writing through letter or fax or email from the provider of sensitive personal data or information regarding the purpose of usage before collection.
Lawful Purpose: May not collect sensitive personal data or information unless collected for a lawful purpose connected with a function/activity of the body corporate or a person on its behalf, and the collection is considered necessary for that purpose.
Retention and Opt Out: Not to retain sensitive information for longer than is required for the purposes for which the information may lawfully be used. Providers of information have a right of review to ensure accuracy.
Disclosure to 3rd Parties: Disclosure of sensitive personal data or information by a body corporate to any third party requires prior permission from the provider who has provided such information under lawful contract or otherwise, unless such disclosure has been agreed in the contract between the body corporate and the provider of information (Rule 6).
Information Technology Act (2000), (2008) & 2011 Rules
Important Provisions
Privacy Policy Required: Any entity, or person on behalf of an entity, that collects, receives, possesses, stores, deals or handles information of a provider of information must provide a privacy policy for handling of or dealing in personal information (including sensitive personal data or information) and ensure that it is available for view by the providers of information who have provided such information under lawful contract. Such policy must be published on the website of the body corporate or any person on its behalf.
Contents of Privacy Policy: The Privacy Policy must contain:
(a) clear and easily accessible statements of its practices and policies;
(b) type of personal/sensitive personal data or information collected under Rule 3;
(c) purpose of collection and usage of such information;
(d) disclosure of information, including sensitive personal data or information as provided in Rule 6;
(e) reasonable security practices and procedures as provided under Rule 8.
Data Protection: Information collected must be protected pursuant to Rule 8.
Information Technology Act (2000), (2008) & 2011 Rules
Important Provisions
Data Transfer: Rule 7 clearly indicates that a body corporate ‘…may transfer sensitive personal data or information including any information …’ if any of the following conditions are satisfied:
(a) the recipient entity maintains the same level of security as mentioned under these Rules;
(b) transfer may be allowed to perform the obligations of a lawful contract; or
(c) such person has consented to the data transfer.
Security Practices & Procedures:
(i) A body corporate or a person shall be considered to have complied with reasonable security practices and procedures if they have implemented such security practices and procedures and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security controls that are adequate to protect the nature of the business;
(ii) Implementation of International Standard IEC 27001 may also fall under the compliance of this rule;
(iii) A body corporate or a person who has implemented either the IEC 27001 Standard or the codes of best practices for data protection as approved and notified shall be deemed to have complied with reasonable security practices and procedures, provided that the same have been certified or audited on a regular basis by an independent auditor duly approved by the Central Government.
Information Technology Act (2000), (2008) & 2011 Rules
Important Provisions
Breach Notification: The Information Technology (the Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 denote that the following Cyber Security incidents need to be notified to CERT-In:
o Targeted scanning / probing of critical systems networks / systems
o Compromise of critical systems / information
o Unauthorized access of IT systems / data
o Defacement of website or intrusion into a website and unauthorized changes such as inserting malicious code, link to external website etc.
o Malicious code attacks such as spreading of virus / worm / Trojan / Botnets / Spyware
o Attacks on servers such as Database, Mail and DNS and network devices such as Routers
o Identity theft, spoofing and phishing attacks
o Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
o Attacks on critical infrastructure, SCADA systems and wireless networks
o Attacks on applications such as E-Governance and E-Commerce etc.
Govt Audit Rights:
• The appropriate government may cause an audit to be conducted of the affairs of the service providers and authorized agents in the State at such intervals as deemed necessary by nominating such audit agencies. The audit may include security, confidentiality, and privacy of information, as well as many other things.
Information Technology Act (2000), (2008) & 2011 Rules
Important Provisions
Enforcement Mechanism
Sec 72 of the IT Act, 2000: Penalty for breach of confidentiality and privacy - Save as otherwise provided in this Act or any other law for the time being in force, any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees (US$ 1600 approx.), or with both.
Sec 72 A: Punishment for disclosure of information in breach of lawful contract - Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees (US$ 8000 approx.), or with both.
Information Technology Act (2000), (2008) & 2011 Rules, Ctd.
Important Provisions
Enforcement Mechanism
Sec 43 A Compensation for failure to protect data - Where a
body corporate, possessing, dealing or handling any sensitive personal data
or information in a computer resource which it owns, controls or operates, is
negligent in implementing and maintaining reasonable security practices and
procedures and thereby causes wrongful loss or wrongful gain to any person,
such body corporate shall be liable to pay damages by way of compensation,
not exceeding five crore rupees (US$ 800000 approx.), to the person so
affected.
Sec 66C Punishment for identity theft - shall be punished with
imprisonment of either description for a term which may extend to three
years and shall also be liable to fine which may extend to rupees one lakh
(US$ 1600 approx.)
How it impacts on Business Ecosystem in India
Organization:
• Data collection
• Consent
• Data use, storage and Transfer
• Privacy Policy and Access
• Data security practices
• Breach Notification
Collection of Personal Data
Collection of ‘personal information’ and ‘sensitive personal data’ in the course of business:
• Procurement - Suppliers, OEMs
• Sales - Dealers, distributors, customers, consultants, etc.
• HR process – employees
• Commercial Contracts
• Entity Management – BODs, Shareholders etc.
Are we legally allowed to extract the publicly available data? How do we make sure that such data is legal?
When collecting personal data, do you clearly inform the individual of the purpose(s) for which it will be collected, used or disclosed and obtain his/her consent?
Recommendation: Have an enabling covenant in the contract w.r.t data collection.
Consent
• Consent in writing from the provider of sensitive personal data before collection;
• Collect sensitive personal data only for a lawful purpose for which the collection is considered necessary;
• Shall not retain sensitive information for longer than it is required for those purposes.
Recommendation: Have an enabling covenant in the contract w.r.t data collection and its purpose.
Data use, storage and Transfer
• Consent before collection and use;
• For data transfer –
o the recipient entity maintains the same level of security;
o transfer may be allowed to perform the obligations of a lawful contract; or
o such person has consented to the data transfer.
• Reasonable security measures for data storage.
Do you have full visibility & control on – (a) what personal data and SPD is collected and why? (b) who collects it? (c) how it is stored [in country or outside country]? and (d) sharing / disclosing (sales team, analytics, service providers)?
Recommendation: Have an enabling covenant in the contract w.r.t data use and transfer.
Data security practices
• Comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security controls;
• No retention of data longer than needed;
• IEC 27001 standards for data security;
• Certified or audited on a regular basis by an independent auditor, duly approved by the Central Government.
Have you (a) assessed the personal data protection risks, (b) classified and securely stored the data, defined the span of access and control within your organization, and put in place personal data security policies?
Privacy Policy and access
• Any entity or person that collects, receives, possesses, stores, deals or handles information of a provider of information must provide a privacy policy;
• The Privacy Policy must contain:
o clear and easily accessible statements of its practices and policies;
o type of personal/sensitive personal data or information collected;
o purpose of collection and usage of such information;
o disclosure of information, including sensitive personal data;
o reasonable security practices and procedures.
Practical example: when drafting and implementing a data privacy policy, training of internal stakeholders is a priority.
Breach Notification
Breach notification to the Computer Emergency Response Team on occurrence of –
• Targeted scanning of critical systems networks
• Unauthorized access of IT systems / data
• Defacement or intrusion into a website
• Malicious code attacks such as spreading of virus
• Attacks on servers
• Attacks on critical infrastructure
Checklist / FAQs
• How well does your organization protect personal data & sensitive personal data?
• What is the action plan you have?
• Do you have data inventory management in place?
• When collecting personal data, do you clearly inform the individual of the purpose(s) for which it will be collected, used or disclosed and obtain his/her consent?
• If you collect personal data from third parties, do you ensure that the third party has obtained consent from the individuals to disclose the personal data to you for your intended purposes?
• Do you limit the use of personal data collected to only purposes that you have obtained consent for?
Reference:
Checklist / FAQs
• Do you put in place the appropriate contractual arrangements or binding corporate
rules to govern the transfer of personal data overseas?
• Do you limit the disclosure of personal data collected to only purposes that you have
obtained consent for?
• Have you established a formal procedure to handle requests for access to personal
data?
• Do you have a list of third party organizations to whom personal data was disclosed and
for what purposes?
• Have you assessed the personal data protection risks within your organization and put
in place personal data security policies?
• Is the personal data kept in a secure manner?
• Do you conduct or schedule regular audits on the data protection processes within
your organization?
Reference:
Checklist / FAQs
• Have you developed and implemented data protection policies for your organization to
meet its obligations under the IT Rules? Are your organization's data protection policies
made available to the public?
• Have the individuals on your marketing list given their clear and unambiguous consent, evidenced in written or other accessible form, to being contacted by you by phone call, text messages (e.g. SMS/MMS) or fax for your intended telemarketing purposes?
• In relation to individuals who have not given their clear and unambiguous consent for
telemarketing, have you established an internal process for checking with the DNC
registry prior to your telemarketing campaigns?
• If you purchase databases of contact information from third parties for your
telemarketing activities, do you ensure that the third party has obtained the necessary
consents for the collection, use and disclosure of the personal data by you?
Reference:
Thank You