SlideShare ist ein Scribd-Unternehmen logo

Compliance audit under the Information Technology Act, 2000

Als PPT, PDF herunterladen
Sagar Rahurkar
Sagar Rahurkar
Technologie
1 von 27
DATA PRIVACY UNDER THE INFORMATION TECHNOLOGY ACT, 2000
CASES  Nadeem Kashmiri and HSBC  Karan Bahree and Mphasis  My case - Hyundai
ISSUES  Liability of Company  Protection of data – Concern for outsourcing industry  Privacy of data – Individual’s concern
SEC. 43A – COMPENSATION FOR FAILURE TO PROTECT DATA If body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person  Liability– Damages by the way of compensation
ADJUDICATION  For claims upto Rs. 5 Crores – Adjudicating officer  For claims above Rs. 5 Crores - Civil courts (Unlimited liability)
WHO IS LIABLE?  Sec.85: Offences by companies • The company itself, being a legal person; • The top management including directors; and • The managers (persons directly responsible for the data) If it is proved that - • they had knowledge of a contravention; or • they have not used due diligence • that it was caused due to their negligence
ISSUES  Whatis Sensitive Personal data or Information?  Whatare Reasonable Security Practices and Procedures?
THE SOLUTION  The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011  Enforceable from 11th April, 11  To be read with Sec. 43A
SENSITIVE PERSONAL DATA OR INFORMATION Rule 3 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
REASONABLE SECURITY PRACTICES  Implementing comprehensive documented information security programme and information security policies  Containing –  Managerial, technical, operational and physical security control measures commensurate with the information assets held by the person. Rule 8 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
REASONABLE SECURITY PRACTICES  The International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements” is one such standard OR  If following other than IS/ISO/IEC codes of best practices for data protection, shall get it duly approved and notified by the Central Government OR  An agreement between the parties regarding protection of “Sensitive Personal Information”
AUDITING  Necessary to get the codes or procedure certified or audited on regular basis  Needs to be done by the Government Certified Auditor  Will be known as “Govt. Certified IT Auditor”  Not appointed yet  CERT-IN has empanelled IT Auditors
POLICIES/CLAUSES
COLLECTION OF INFORMATION  About obtaining consent of the information provider  Consent in writing through letter/fax/email from the provider of the SPDI regarding purpose of usage before collection of such information  Need to specify –  Fact that SPDI is being collected  What type of SPDI it is  How long SPDI will be held Rule 5 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
COLLECTION OF INFORMATION  Provider should know –  Purpose of collection  Intended recipients  Details of the agency collecting the information and agency retaining the information  Body Corporate not to retain information longer than required  Option should be given to withdraw the information provided  SPDI shall be used only for the purpose for which it has been collected  Shall appoint “Grievance Officer” to address any discrepancies and grievances about information in a timely manner – Max. time – One month
PRIVACY AND DISCLOSURE OF INFORMATION POLICY  Policy about handling of SPDI  Shall be published on website or should be available to view/inspect @ any time  Shall provide for –  Type of SPDI collected  Purpose of collection and usage  Clear and easily accessible statements of IT Sec. practices and policies  Statement that the reasonable security practices and procedures as provided under rule 8 have been complied Rule 4 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
DISCLOSURE  Disclosure –  Prior permission of provider necessary before disclosure to third party OR  Disclosure clause needs to be specified in the original contract OR  Must be necessary by law  Third party receiving SPDI shall not disclose it further Rule 6 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
TRANSFER OF INFORMATION  Transfer to be made only if it is necessary for performance of lawful contract  Disclosure clause should be a part of Privacy and Disclosure Policy  Transferee to ensure same level of data protection is adhered while and after transfer  Details of transferee should be given to provider Rule 7 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
SEC 72(A) (CRIMINAL OFFENCE)  Punishment for Disclosure of information in breach of lawful contract -  Knowingly or intentionally disclosing “Personal Information" in breach of lawful contract  IMP – Follow contract  Punishment - Imprisonment upto 3 years or fine up to 5 lakh or with both (Cognizable but Bailable)
GRAMM–LEACH–BLILEY ACT (GLBA, USA)  Focuses on finance  Safeguards Rule - Disclosure of Nonpublic Personal Information  It requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect clients’ nonpublic personal information.  This plan must include –  Denoting at least one employee to manage the safeguards,  Constructing a thorough risk analysis on each department handling the nonpublic information,  Develop, monitor, and test a program to secure the information, and  Change the safeguards as needed with the changes in how information is collected, stored, and used.
THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002 (FISMA, USA)  Focus on economic and national security interests of the United States  Emphasized on "risk-based policy for cost-effective security“  Responsibility attached to federal agencies, NIST and the Office of Management and Budget (OMB) to strengthen information system security  Not mandatory  No penalty for non-compliance
DATA PROTECTION DIRECTIVE (EU)  European Union directive regulating the processing of personal data within the EU  Protection of individual’s personal data and its free movement  Coming soon - European Data Protection Regulation  Not mandatory  No penalty for non-compliance
PREAMBLE OF THE IT ACT  Purpose behind enacting IT Act –  To provide legal recognition to e-commerce  To facilitate e-governance  To provide remedy to cyber crimes  To provide legal recognition to digital evidence o Preamble doesn’t specify that the Act aims @ establishing IT Security framework in India
BENEFITS  Compliance with legislation  No liability on organisation  Increased reliability and security of systems  Systems rationalization  Improved management controls  Improved risk management and contingency planning
GET IN TOUCH HONE +9 19 6 2 3 4 4 4 4 4 8 M A IL O N TA C T@ A G A R R A H U R K A R .C O M S

Empfohlen

DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
Priyanka Aash
 
WB-2022-01-25-India Data Protection Bill
WB-2022-01-25-India Data Protection BillWB-2022-01-25-India Data Protection Bill
WB-2022-01-25-India Data Protection Bill
TrustArc
 
Data protection in_india
Data protection in_indiaData protection in_india
Data protection in_india
Altacit Global
 
Regulatory Compliance under the Information Technology Act, 2000
Regulatory Compliance under the Information Technology Act, 2000Regulatory Compliance under the Information Technology Act, 2000
Regulatory Compliance under the Information Technology Act, 2000
n|u - The Open Security Community
 
Digital personal data protection act, 2023.pptx
Digital personal data protection act, 2023.pptxDigital personal data protection act, 2023.pptx
Digital personal data protection act, 2023.pptx
DineshPrasad64
 
Types of electronic contracts
Types of electronic contractsTypes of electronic contracts
Types of electronic contracts
Vijay Dalmia
 
E contract
E contractE contract
E contract
Benita Ezeigbo
 
Cyber laws in india
Cyber laws in indiaCyber laws in india
Cyber laws in india
Nikhil Naren
 

Empfohlen

DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
Priyanka Aash
 
WB-2022-01-25-India Data Protection Bill
WB-2022-01-25-India Data Protection BillWB-2022-01-25-India Data Protection Bill
WB-2022-01-25-India Data Protection Bill
TrustArc
 
Data protection in_india
Data protection in_indiaData protection in_india
Data protection in_india
Altacit Global
 
Regulatory Compliance under the Information Technology Act, 2000
Regulatory Compliance under the Information Technology Act, 2000Regulatory Compliance under the Information Technology Act, 2000
Regulatory Compliance under the Information Technology Act, 2000
n|u - The Open Security Community
 
Digital personal data protection act, 2023.pptx
Digital personal data protection act, 2023.pptxDigital personal data protection act, 2023.pptx
Digital personal data protection act, 2023.pptx
DineshPrasad64
 
Types of electronic contracts
Types of electronic contractsTypes of electronic contracts
Types of electronic contracts
Vijay Dalmia
 
E contract
E contractE contract
E contract
Benita Ezeigbo
 
Cyber laws in india
Cyber laws in indiaCyber laws in india
Cyber laws in india
Nikhil Naren
 
IT Act 2000 & IT Act 2008
IT Act 2000 & IT Act 2008IT Act 2000 & IT Act 2008
IT Act 2000 & IT Act 2008
Amity University | FMS - DU | IMT | Stratford University | KKMI International Institute | AIMA | DTU
 
Digital signatures
Digital signaturesDigital signatures
Digital signatures
atuljaybhaye
 
Personal data protection bill
Personal data protection bill Personal data protection bill
Personal data protection bill
Mathew Chacko
 
E contracting in india
E contracting in indiaE contracting in india
E contracting in india
atuljaybhaye
 
Privacy in India: Legal issues
Privacy in India: Legal issuesPrivacy in India: Legal issues
Privacy in India: Legal issues
Sagar Rahurkar
 
Right to privacy
Right to privacyRight to privacy
Right to privacy
Roopanshi Virang
 
IT act 2008
IT act 2008IT act 2008
IT act 2008
sujithsunil
 
An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill
Komal Gadia
 
Electronic evidence digital evidence in india
Electronic evidence digital evidence in indiaElectronic evidence digital evidence in india
Electronic evidence digital evidence in india
Adv Prashant Mali
 
Cybercrime Investigations and IT Act,2000
Cybercrime Investigations and IT Act,2000Cybercrime Investigations and IT Act,2000
Cybercrime Investigations and IT Act,2000
Karnika Seth
 
Information Technology Act 2000
Information Technology Act 2000Information Technology Act 2000
Information Technology Act 2000
Vijay Dalmia
 
IT Act 2000 Penalties, Offences with case studies
IT Act 2000 Penalties, Offences with case studies IT Act 2000 Penalties, Offences with case studies
IT Act 2000 Penalties, Offences with case studies
Network Intelligence India
 
It act 2000
It act 2000It act 2000
It act 2000
Rishav Mishra
 
Information technology act, 2000
Information technology act, 2000Information technology act, 2000
Information technology act, 2000
Prateek Sinha
 
Data protection
Data protectionData protection
Data protection
Lewis Silkin
 
Cyberspace jurisdiction meaning and concept
Cyberspace jurisdiction meaning and conceptCyberspace jurisdiction meaning and concept
Cyberspace jurisdiction meaning and concept
gagan deep
 
IT ACT, 2000 (Information Technology Act, 2000)
IT ACT, 2000 (Information Technology Act, 2000)IT ACT, 2000 (Information Technology Act, 2000)
IT ACT, 2000 (Information Technology Act, 2000)
Ms. Parasmani Jangid
 
The cyber law regime in India
The cyber law regime in IndiaThe cyber law regime in India
The cyber law regime in India
Shankey Gupta
 
Objectives of it act 2000
Objectives of it act 2000Objectives of it act 2000
Objectives of it act 2000
Amlin David
 
Cyber law-it-act-2000
Cyber law-it-act-2000Cyber law-it-act-2000
Cyber law-it-act-2000
Mayuresh Patil
 
IS Audit Checklist- by Software development company in india
IS Audit Checklist- by Software development company in indiaIS Audit Checklist- by Software development company in india
IS Audit Checklist- by Software development company in india
iFour Consultancy
 
cyber_security
cyber_securitycyber_security
cyber_security
Jana Baxter
 

Weitere ähnliche Inhalte

Was ist angesagt?

Privacy in India: Legal issues
Privacy in India: Legal issuesPrivacy in India: Legal issues
Privacy in India: Legal issues
Sagar Rahurkar
 

Was ist angesagt? (20)

IT Act 2000 & IT Act 2008
IT Act 2000 & IT Act 2008IT Act 2000 & IT Act 2008
IT Act 2000 & IT Act 2008
 
Digital signatures
Digital signaturesDigital signatures
Digital signatures
 
Personal data protection bill
Personal data protection bill Personal data protection bill
Personal data protection bill
 
E contracting in india
E contracting in indiaE contracting in india
E contracting in india
 
Privacy in India: Legal issues
Privacy in India: Legal issuesPrivacy in India: Legal issues
Privacy in India: Legal issues
 
Right to privacy
Right to privacyRight to privacy
Right to privacy
 
IT act 2008
IT act 2008IT act 2008
IT act 2008
 
An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill
 
Electronic evidence digital evidence in india
Electronic evidence digital evidence in indiaElectronic evidence digital evidence in india
Electronic evidence digital evidence in india
 
Cybercrime Investigations and IT Act,2000
Cybercrime Investigations and IT Act,2000Cybercrime Investigations and IT Act,2000
Cybercrime Investigations and IT Act,2000
 
Information Technology Act 2000
Information Technology Act 2000Information Technology Act 2000
Information Technology Act 2000
 
IT Act 2000 Penalties, Offences with case studies
IT Act 2000 Penalties, Offences with case studies IT Act 2000 Penalties, Offences with case studies
IT Act 2000 Penalties, Offences with case studies
 
It act 2000
It act 2000It act 2000
It act 2000
 
Information technology act, 2000
Information technology act, 2000Information technology act, 2000
Information technology act, 2000
 
Data protection
Data protectionData protection
Data protection
 
Cyberspace jurisdiction meaning and concept
Cyberspace jurisdiction meaning and conceptCyberspace jurisdiction meaning and concept
Cyberspace jurisdiction meaning and concept
 
IT ACT, 2000 (Information Technology Act, 2000)
IT ACT, 2000 (Information Technology Act, 2000)IT ACT, 2000 (Information Technology Act, 2000)
IT ACT, 2000 (Information Technology Act, 2000)
 
The cyber law regime in India
The cyber law regime in IndiaThe cyber law regime in India
The cyber law regime in India
 
Objectives of it act 2000
Objectives of it act 2000Objectives of it act 2000
Objectives of it act 2000
 
Cyber law-it-act-2000
Cyber law-it-act-2000Cyber law-it-act-2000
Cyber law-it-act-2000
 

Andere mochten auch

Information technology act 2000
Information technology act 2000Information technology act 2000
Information technology act 2000
Akash Varaiya
 
Computer Security and Risks
Computer Security and RisksComputer Security and Risks
Computer Security and Risks
Miguel Rebollo
 
IT Audit methodologies
IT Audit methodologiesIT Audit methodologies
IT Audit methodologies
genetics
 

Andere mochten auch (20)

IS Audit Checklist- by Software development company in india
IS Audit Checklist- by Software development company in indiaIS Audit Checklist- by Software development company in india
IS Audit Checklist- by Software development company in india
 
cyber_security
cyber_securitycyber_security
cyber_security
 
Chapter 4 Computer Ethics and Security
Chapter 4 Computer Ethics and Security Chapter 4 Computer Ethics and Security
Chapter 4 Computer Ethics and Security
 
An Introduction to Cyber Law - I.T. Act 2000 (India)
An Introduction to Cyber Law - I.T. Act 2000 (India)An Introduction to Cyber Law - I.T. Act 2000 (India)
An Introduction to Cyber Law - I.T. Act 2000 (India)
 
Information technology act 2000
Information technology act 2000Information technology act 2000
Information technology act 2000
 
Chapter 11
Chapter 11Chapter 11
Chapter 11
 
Computer Security and Risks
Computer Security and RisksComputer Security and Risks
Computer Security and Risks
 
Audit rizkie hafizzah
Audit rizkie hafizzahAudit rizkie hafizzah
Audit rizkie hafizzah
 
IDB Compliance Technology
IDB Compliance TechnologyIDB Compliance Technology
IDB Compliance Technology
 
Entity Level Controls And
Entity Level Controls AndEntity Level Controls And
Entity Level Controls And
 
Information System Architecture and Audit Control Lecture 2
Information System Architecture and Audit Control Lecture 2Information System Architecture and Audit Control Lecture 2
Information System Architecture and Audit Control Lecture 2
 
Raising the Bar for Email Security: Confidentiality and Privacy Standards tha...
Raising the Bar for Email Security: Confidentiality and Privacy Standards tha...Raising the Bar for Email Security: Confidentiality and Privacy Standards tha...
Raising the Bar for Email Security: Confidentiality and Privacy Standards tha...
 
ELECTRONIC VOTING MACHINE(EVM) HACKABLE OR NOT
ELECTRONIC VOTING MACHINE(EVM) HACKABLE OR NOTELECTRONIC VOTING MACHINE(EVM) HACKABLE OR NOT
ELECTRONIC VOTING MACHINE(EVM) HACKABLE OR NOT
 
Security and Audit Report Sign-Off—Made Easy
Security and Audit Report Sign-Off—Made EasySecurity and Audit Report Sign-Off—Made Easy
Security and Audit Report Sign-Off—Made Easy
 
Tech Audit overview
Tech Audit overviewTech Audit overview
Tech Audit overview
 
Newbytes NullHyd
Newbytes NullHydNewbytes NullHyd
Newbytes NullHyd
 
IT Audit methodologies
IT Audit methodologiesIT Audit methodologies
IT Audit methodologies
 
International Auditing Standards (ISA)
International Auditing Standards (ISA)International Auditing Standards (ISA)
International Auditing Standards (ISA)
 
Information Technology and Compliance at KMCO Gaming
Information Technology and Compliance at KMCO GamingInformation Technology and Compliance at KMCO Gaming
Information Technology and Compliance at KMCO Gaming
 
5.4 it security audit (mauritius)
5.4 it security audit (mauritius)5.4 it security audit (mauritius)
5.4 it security audit (mauritius)
 

Ähnlich wie Compliance audit under the Information Technology Act, 2000

New opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulationsNew opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulations
Ulf Mattsson
 
Data Privacy Protection Competrency Guide by a Data Subject
Data Privacy Protection Competrency Guide by a Data SubjectData Privacy Protection Competrency Guide by a Data Subject
Data Privacy Protection Competrency Guide by a Data Subject
John Macasio
 
Data protection act new 13 12-11
Data protection act new 13 12-11Data protection act new 13 12-11
Data protection act new 13 12-11
mrmwood
 

Ähnlich wie Compliance audit under the Information Technology Act, 2000 (20)

New opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulationsNew opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulations
 
Security Industry Association Privacy Framework
Security Industry Association Privacy FrameworkSecurity Industry Association Privacy Framework
Security Industry Association Privacy Framework
 
Reasonable security practices and procedures and sensitive personal data or i...
Reasonable security practices and procedures and sensitive personal data or i...Reasonable security practices and procedures and sensitive personal data or i...
Reasonable security practices and procedures and sensitive personal data or i...
 
GDPR Benefits and a Technical Overview
GDPR Benefits and a Technical OverviewGDPR Benefits and a Technical Overview
GDPR Benefits and a Technical Overview
 
Examples of international privacy legislation
Examples of international privacy legislationExamples of international privacy legislation
Examples of international privacy legislation
 
Reasonable security practices and procedures and sensitive personal data or i...
Reasonable security practices and procedures and sensitive personal data or i...Reasonable security practices and procedures and sensitive personal data or i...
Reasonable security practices and procedures and sensitive personal data or i...
 
DATA-PRIVACY-ACT.pptx
DATA-PRIVACY-ACT.pptxDATA-PRIVACY-ACT.pptx
DATA-PRIVACY-ACT.pptx
 
Implementing an Information Security Program
Implementing an Information Security ProgramImplementing an Information Security Program
Implementing an Information Security Program
 
GDPR for Dummies
GDPR for DummiesGDPR for Dummies
GDPR for Dummies
 
Reasonable Security Practices And Procedures And Sensitive Personala 24 06 2...
Reasonable Security Practices And Procedures And Sensitive Personala 24 06 2...Reasonable Security Practices And Procedures And Sensitive Personala 24 06 2...
Reasonable Security Practices And Procedures And Sensitive Personala 24 06 2...
 
OVERVIEW OF NIGERIA DATA PROTECTION ACT 2014
OVERVIEW OF NIGERIA DATA PROTECTION ACT 2014OVERVIEW OF NIGERIA DATA PROTECTION ACT 2014
OVERVIEW OF NIGERIA DATA PROTECTION ACT 2014
 
EU Data Protection Legislation, Peter Ridley (HPE)
EU Data Protection Legislation, Peter Ridley (HPE)EU Data Protection Legislation, Peter Ridley (HPE)
EU Data Protection Legislation, Peter Ridley (HPE)
 
Startups - data protection
Startups - data protectionStartups - data protection
Startups - data protection
 
The Summary Guide to Compliance with the Kenya Data Protection Law
The Summary Guide to Compliance with the Kenya Data Protection Law The Summary Guide to Compliance with the Kenya Data Protection Law
The Summary Guide to Compliance with the Kenya Data Protection Law
 
Data privacy Legislation in India
Data privacy Legislation in IndiaData privacy Legislation in India
Data privacy Legislation in India
 
Protecting Donor Privacy
Protecting Donor PrivacyProtecting Donor Privacy
Protecting Donor Privacy
 
Data Privacy Protection Competrency Guide by a Data Subject
Data Privacy Protection Competrency Guide by a Data SubjectData Privacy Protection Competrency Guide by a Data Subject
Data Privacy Protection Competrency Guide by a Data Subject
 
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdfAll_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
 
My presentation- Ala about privacy and GDPR
My presentation- Ala about privacy and GDPRMy presentation- Ala about privacy and GDPR
My presentation- Ala about privacy and GDPR
 
Data protection act new 13 12-11
Data protection act new 13 12-11Data protection act new 13 12-11
Data protection act new 13 12-11
 

Kürzlich hochgeladen

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 

Kürzlich hochgeladen (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 

Compliance audit under the Information Technology Act, 2000

  • 1. DATA PRIVACY UNDER THE INFORMATION TECHNOLOGY ACT, 2000
  • 2. CASES  Nadeem Kashmiri and HSBC  Karan Bahree and Mphasis  My case - Hyundai
  • 3. ISSUES  Liability of Company  Protection of data – Concern for outsourcing industry  Privacy of data – Individual’s concern
  • 4. SEC. 43A – COMPENSATION FOR FAILURE TO PROTECT DATA If body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person  Liability– Damages by the way of compensation
  • 5. ADJUDICATION  For claims upto Rs. 5 Crores – Adjudicating officer  For claims above Rs. 5 Crores - Civil courts (Unlimited liability)
  • 6. WHO IS LIABLE?  Sec.85: Offences by companies • The company itself, being a legal person; • The top management including directors; and • The managers (persons directly responsible for the data) If it is proved that - • they had knowledge of a contravention; or • they have not used due diligence • that it was caused due to their negligence
  • 7. ISSUES  Whatis Sensitive Personal data or Information?  Whatare Reasonable Security Practices and Procedures?
  • 8. THE SOLUTION  The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011  Enforceable from 11th April, 11  To be read with Sec. 43A
  • 9. SENSITIVE PERSONAL DATA OR INFORMATION Rule 3 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
  • 10. REASONABLE SECURITY PRACTICES  Implementing comprehensive documented information security programme and information security policies  Containing –  Managerial, technical, operational and physical security control measures commensurate with the information assets held by the person. Rule 8 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
  • 11. REASONABLE SECURITY PRACTICES  The International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements” is one such standard OR  If following other than IS/ISO/IEC codes of best practices for data protection, shall get it duly approved and notified by the Central Government OR  An agreement between the parties regarding protection of “Sensitive Personal Information”
  • 12. AUDITING  Necessary to get the codes or procedure certified or audited on regular basis  Needs to be done by the Government Certified Auditor  Will be known as “Govt. Certified IT Auditor”  Not appointed yet  CERT-IN has empanelled IT Auditors
  • 14. COLLECTION OF INFORMATION  About obtaining consent of the information provider  Consent in writing through letter/fax/email from the provider of the SPDI regarding purpose of usage before collection of such information  Need to specify –  Fact that SPDI is being collected  What type of SPDI it is  How long SPDI will be held Rule 5 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
  • 15. COLLECTION OF INFORMATION  Provider should know –  Purpose of collection  Intended recipients  Details of the agency collecting the information and agency retaining the information  Body Corporate not to retain information longer than required  Option should be given to withdraw the information provided  SPDI shall be used only for the purpose for which it has been collected  Shall appoint “Grievance Officer” to address any discrepancies and grievances about information in a timely manner – Max. time – One month
  • 16. PRIVACY AND DISCLOSURE OF INFORMATION POLICY  Policy about handling of SPDI  Shall be published on website or should be available to view/inspect @ any time  Shall provide for –  Type of SPDI collected  Purpose of collection and usage  Clear and easily accessible statements of IT Sec. practices and policies  Statement that the reasonable security practices and procedures as provided under rule 8 have been complied Rule 4 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
  • 17. DISCLOSURE  Disclosure –  Prior permission of provider necessary before disclosure to third party OR  Disclosure clause needs to be specified in the original contract OR  Must be necessary by law  Third party receiving SPDI shall not disclose it further Rule 6 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
  • 18. TRANSFER OF INFORMATION  Transfer to be made only if it is necessary for performance of lawful contract  Disclosure clause should be a part of Privacy and Disclosure Policy  Transferee to ensure same level of data protection is adhered while and after transfer  Details of transferee should be given to provider Rule 7 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
  • 19. SEC 72(A) (CRIMINAL OFFENCE)  Punishment for Disclosure of information in breach of lawful contract -  Knowingly or intentionally disclosing “Personal Information" in breach of lawful contract  IMP – Follow contract  Punishment - Imprisonment upto 3 years or fine up to 5 lakh or with both (Cognizable but Bailable)
  • 20. GRAMM–LEACH–BLILEY ACT (GLBA, USA)  Focuses on finance  Safeguards Rule - Disclosure of Nonpublic Personal Information  It requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect clients’ nonpublic personal information.  This plan must include –  Denoting at least one employee to manage the safeguards,  Constructing a thorough risk analysis on each department handling the nonpublic information,  Develop, monitor, and test a program to secure the information, and  Change the safeguards as needed with the changes in how information is collected, stored, and used.
  • 21. THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002 (FISMA, USA)  Focus on economic and national security interests of the United States  Emphasized on "risk-based policy for cost-effective security“  Responsibility attached to federal agencies, NIST and the Office of Management and Budget (OMB) to strengthen information system security  Not mandatory  No penalty for non-compliance
  • 22. DATA PROTECTION DIRECTIVE (EU)  European Union directive regulating the processing of personal data within the EU  Protection of individual’s personal data and its free movement  Coming soon - European Data Protection Regulation  Not mandatory  No penalty for non-compliance
  • 23. PREAMBLE OF THE IT ACT  Purpose behind enacting IT Act –  To provide legal recognition to e-commerce  To facilitate e-governance  To provide remedy to cyber crimes  To provide legal recognition to digital evidence o Preamble doesn’t specify that the Act aims @ establishing IT Security framework in India
  • 24. BENEFITS  Compliance with legislation  No liability on organisation  Increased reliability and security of systems  Systems rationalization  Improved management controls  Improved risk management and contingency planning
  • 25.
  • 26.
  • 27. GET IN TOUCH HONE +9 19 6 2 3 4 4 4 4 4 8 M A IL O N TA C T@ A G A R R A H U R K A R .C O M S

Hinweis der Redaktion

  1. Rule 3. Sensitive personal data or information.— Sensitive personal data or information of a person means such personal information which consists of information relating to;― (i) password; (ii) financial information such as Bank account or credit card or debit card or other payment instrument details ; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) Biometric information; (vii) any detail relating to the above clauses as provided to body corporate for providing service; and (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise: provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.