Protection of Personal Information & Sensitive personal data or information in India

Meaning of personal information

Personal information means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.

Meaning of “Sensitive personal data or information”

As per the law, “Sensitive personal data or information” of a person includes information relating to:

1. Passwords;
2. Financial information such as bank account or credit card or debit card or other payment instrument details;
3. Physical, physiological and mental health condition;
4. Sexual orientation;
5. Medical records and history;
6. Biometric information.

Right to privacy protection in India

The Supreme Court of India has also ruled that the right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution. Currently, there is no express legislation governing data protection or privacy. However, a White Paper released by the Government of India on Data Protection framework for India and the law is expected to be formulated soon. Further, the Data (Privacy and Protection) Bill, 2017 was also introduced in the Lok Sabha in July 2017.

Laws governing the issues relating to the misuse of personal data and information in cases of transactions carried out by means of electronic communication in India

The following two acts govern the said issues under the current regime:

1. the Information Technology Act, 2000.
2. Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

Laws related to protection has been awarded to “sensitive” personal data and information in India

Whether any specific protection has been awarded to “sensitive” personal data and information handled by companies?

Yes, the law prescribes penalty in case a body corporate which is handling any sensitive personal data or information in a computer resource owned/ operated by it, is negligent in implementing and maintaining reasonable security practices and procedures and thereby, causes wrongful loss or wrongful gain to any person.

Whether any protection is available in cases where a person has secured access to personal information of a person without the person’s consent?

Yes, the law prescribes penalty in such cases where such a person has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned

Whether the government can intercept the information stored in any computer resource?

Yes, the government can intercept any information generated, transmitted, received or stored in any computer resource where it is satisfied that the same is necessary in the interest of sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States, public order, for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence.

Whether the law prescribes any punishment for disclosure of information without consent?

Yes, the law prescribes penalty in cases where any person who has obtained access to any electronic record, book, register, correspondence, information, document or other material with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain, without the consent of the person concerned and discloses such information to any other person.

Whether the law prescribes any punishment for disclosure of information in breach of lawful contract?

Yes, the law prescribes penalty for any person, while providing services under the terms of lawful contract, which has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of the lawful contract.

To know more about Cyber laws in India

For more information on laws related to protection of personal information and “sensitive” personal data and information in India, please write to us at: info@ssrana.com.