Data Privacy




IIA – Bombay Chapter

August 23, 2012



                                  Amber Gupta
        Head - Compliance, Legal & Secretarial
                            Aditya Birla Money
Disclaimer:



“Views expressed here are the views of the
  individual and do not necessarily reflect the views
  or policies of the Organization.”
Overview
No specific legislation governing data protection or privacy


The Information Technology Act, 2000 is the main enactment


 The Information Technology (Amendment Act) 2008
  [Sec 43A and 72A]
      Protection of Sensitive personal data or information

      Maintenance of reasonable security practices and
       procedures
      Civil and Criminal liabilities
International Privacy Laws – some examples
 Federal Data Protection Act, Germany
 Data Protection Act, UK
 Personal Information Protection Act, Japan
 Privacy Act, Australia
    National Privacy Principle for Private Organizations
     Information Privacy Principles for Government Agencies




IT (Reasonable security practices and procedures and
sensitive personal data or information) Rules, 2011.

 Government notified the Information Technology (Reasonable
  security practices and procedures and sensitive personal
  data or information) Rules, 2011 (“SPDI Rules”) on April
  11, 2011.

 Clarification dated August 24, 2011, that these Rules would
  apply only to bodies corporate or persons located within
  India – i.e., they will apply to Indian companies only to the extent they
  obtain personal data directly and not as part of an outsourced service
  provision arrangement.




SPDI Rules
Applicability:
A body corporate, or any person who on behalf of a body
 corporate collects, receives, possesses, stores, deals in or handles
 sensitive data or information, should adhere to these Rules.

 Personal information is defined to “mean any information that
  relates to a natural person, which, either directly or indirectly, in
  combination with other information available or likely to be available with
  a body corporate, is capable of identifying such person.”
SPDI Rules
Sensitive Personal Data or Information (SPDI) defined as
any information, not freely available relating to a person’s
password,
financial information,
physical, physiological and mental health condition,
sexual orientation,
Medical records and history,
biometric information or any
detail relating to the above clauses as provided to body
  corporate for providing service or for processing,
any information received under above clauses by body
  corporate for processing, storage or processed under lawful
  contract or otherwise
SPDI Rules
POLICY FOR PRIVACY   Provide a privacy policy for handling of or
AND DISCLOSURE OF    dealing in personal information including
INFORMATION          sensitive personal data or information

                     The policy shall provide for:

                     •Clear and easily accessible statements of its
                     practices and policies;
                     •type of personal or sensitive personal data or
                     information collected;
                     •purpose of collection and usage of such
                     information;
                     •disclosure of information including sensitive
                     personal data or information;
                     •reasonable security practices and procedures

                     Policy shall be published on website
SPDI Rules
COLLECTION OF   Consent in writing to be obtained
INFORMATION
                 Information collected for a lawful purpose,
                considered necessary and connected with a
                function or activity of the body corporate or any
                person on its behalf.

                The provider of information to have
                •knowledge of the fact that the information is
                being collected,
                •the purpose for which the information is being
                collected,
                •the intended recipients of the information,
                •the name and address of the agency that is
                collecting the information, and
                •the agency that will retain the information.
SPDI Rules
COLLECTION OF   The provider of information permitted to review the
INFORMATION     information so provided and to correct / amend if
                found inaccurate or deficient

                Provider of information has an option
                •not to provide the data or information sought to be
                collected.
                •option to withdraw its consent given earlier
                •Such withdrawal of the consent shall be sent in writing
                to the body corporate.

                Information not to be retained for longer than is
                required for the purposes for which the information
                may lawfully be used or is otherwise required under any
                other law for the time being in force.
SPDI Rules
DISCLOSURE OF   •Prior permission to be obtained in case of disclosure
INFORMATION     to any third party

                • Consent not necessary in case of sharing with Govt
                agencies or as mandated under the law

                •Not to publish the sensitive personal data or
                information

                • third party receiving information shall not disclose
                further
SPDI Rules
TRANSFER OF          Conditions:
INFORMATION
                     •The same level of data protection that is adhered
                     to by the body corporate is adhered to by the
                     transferee,

                     •it is necessary for the performance of the lawful
                     contract between the body corporate or any
                     person on its behalf and provider of information

                     •such person has consented to data transfer.

GRIEVANCE HANDLING   •Designate a Grievance Officer
                     •Publish his name and contact details on its
                     website,
                     •Grievances to be resolved within one month
SPDI Rules

REASONABLE           Implement security practices and standards
SECURITY PRACTICES   •IS/ISO/IEC 27001
AND PROCEDURES.      •Documentation of Practices and standards in form of
                      information security programme that contain
                          •managerial,
                          •technical,
                          •operational and physical security control
                          measures

                     •the codes of best practices (by any industry
                     association or an entity formed by such an
                     association, whose members are self-regulating by
                     following other than IS/ISO/IEC codes of best
                     practices) for data protection.

                     •Such standard or the codes of best practices to be
                     certified or audited at least once a year, through
                     independent auditor, duly approved by the Central
                     Government, or as and when there is a significant
                     upgradation of its process and computer resource.
Data Theft
 Unauthorised copying or removal of confidential information
 Could be in the form of theft of customer or company’s proprietary or
  intellectual property
 Data theft involves issues of copyright violation, violation of privacy under
  IT Act 2000, as well as criminal breach of trust and dishonest
  misappropriation under Indian Penal Code, 1860
 Section 43(b), read with Section 66 and Sec 379, 405 & 420 of IPC
 Section 43(b)
     “any person without permission of the owner or any other person
     who is in-charge of a computer, computer system or computer
     network downloads, copies or extracts any data, computer data
     base or information from such computer, computer system or
     computer network including information or data held or stored in
     any removable storage medium”



Penal Provisions
 Sections                        Penal Provisions

 43A (failure to protect data)   Damages by way of compensation to the person so
                                 affected.
                                 •Up to Rs. 5 crore (adjudicating officer)
                                 •Above Rs. 5 crore (civil court)
 65 (hacking / tampering)        Imprisonment up to three years, or with fine which may
                                 extend up to two lakh rupees, or with both.
 66C (identity theft)            Imprisonment for a term which may extend to three years and
                                 shall also be liable to fine which may extend to rupees one
                                 lakh.
 66E (Punishment for violation   Imprisonment which may extend to three years or with
 of privacy)                     fine not exceeding two lakh rupees, or with both.

 67C (Preservation and           Imprisonment for a term which may extend to three
 Retention of information by     years and shall also be liable to fine.
 intermediaries)


Penal Provisions

 Sections                         Penal Provisions

 70 (unauthorized access of       Imprisonment for a term, which may extend to 10 years
 protected systems)               and shall also be liable to fine.


 72 (Breach of confidentiality    imprisonment for a term which may extend to 2 years, or
 and privacy)                     with fine which may extend to one lakh rupees, or with
                                  both.
 72A (Disclosure of information   Imprisonment for a term, which may extend to 3 years or
 in breach of lawful contract)    with fine, which may extend to five lakh rupees, or with
                                  both.

 85 (Offences by Companies)       No express provision vis-à-vis penalties and
                                  compensation.
                                  Onus is on the Company / Person Responsible




Case Study
Umashankar Sivasubramaniam case decided against
 ICICI Bank (phishing fraud) (2010)
The Adjudicating Officer held that:
       The Respondent bank has failed to put in place a foolproof
        Internet Banking system with adequate levels of
        authentication and validation which would have prevented
        unauthorised access….found guilty of the offences made out
        under section 85 r/w section 43 of the Act
Award Rs. 13 lakhs compensation




Case Study
Nasscom vs Ajay Sood & Others (March 2005)
 Delhi High Court declared phishing on the internet
 to be an illegal act, entailing injunction and recovery
 of damages
     Personal data was illegally collected by misrepresenting the
      identity of a legitimate party
     DHC held that “misrepresentation made in the course of trade
      leading to confusion as to the source and origin of the e-mail
      causing immense harm not only to consumer but even to the
      person whose name, identity or password is misused”
Award Rs.1.6 million against the defendants




Case Study
 M/S JUST DIAL PRIVATE LIMITED Vs. M/S INFOMEDIA 18 LIMITED &
  OTHERS (2010)

 JUST DIAL alleged that their extensive and valuable database was copied by Infomedia
  18 Limited, on their website askme.in.
 JUST DIAL moved the High Court against ‘ASKME.IN’ for breach of copyright with
  respect to the database.
 JUST DIAL submitted that Infomedia 18 had substantially copied the database of JUST
  DIAL, which was evident from the reproduction of the same mistakes in the database of
  askme.in. They contended that a minimum of 14 years were spent in producing the
  database and a lot of resources were put in for the same.

 The Court granted an ex parte injunction against Infomedia 18, restraining them from
  infringing the said copyright and from running the website askme.




Thank You



