Data Privacy in India

selective randomness solitude in India info is a set of values, it end be facts, numbers, text or images. The password selective info originated from a Latin word Datum in mid 18th century, which means something given. Data that is accurately timely organized processed for a purpose and presented inwardly a context that makes it meaningful relevant forms an information. breeding is very of import asset as it can impact the behavior, decision or issue of things.In todays technology world, with the tremendous use of Internet rise in transfer of info, encompassing multiple technologies geographies, preserving the info assumes a greater importance. Moreover, retirement concerns excessively exist wherever individualisedly identifiable information is collected, stored transferred in digital form or otherwise.Article 21 of constitution of India speaks of justly to life ad hominem liberty.Thus, failure of disclosure sways can become the pretend for privacy issues. Data privacy issues can arise as a result of information that atomic number 18 collected from different sources, such asMedical healthrecordsCourt proceedings or criminal recordsBank lucubrate transactionBiometrics Genetic informationsResidenceand geographic recordsRace EthnicityThe main take exception in selective information privacy is to process, stored share info while defend it.Protecting the information comes in light due the susceptibility of data increase rate of cyber crime. Cyber crime means some(prenominal) criminal activities make employ the medium of computers, the Internet, cyber space and the worldwide web. To name a a couple of(prenominal) cyber crime are Hacking, Email spooling, Data theft, Identity theft, Spreading viruses worms, and so onData theft is a potential crime resulting in data privacy breach which can happen due to the following hapless Networking / Internet connection ChoicesImproper Shredding/ Deleting/ Document Management Practice sIdentity stealing Resulting From Public DatabasesTax Records TheftInadequate Protection or observe processPoor E-mailing StandardsFailing to Choose a Secure watchwordNot Securing New Computers, Hard Drives dongles, etcThus to address the above data privacy breach issues, the concepts of data protection were introduced in Information applied science correspond 2000 (Amended 2008), through branch 43A, which deals with implementation ofreasonable security practicesfor afflictive personal data or informationand provides for the compensation of the person affected bysuch data breach .Section 72A, states that in case of breach of data privacy , there would be imprisonment for a period extending to 3 years and/or a fine which can be upto Rs. 5,00,000 for a person who causeswrongful loss or gainby disclosing personal information of a nonher person while providing services for the designated straight purpose as per contract.The Ministry of communication Information Technology, rele ased rules- IT (reasonable security practices procedures sensitive personal data or Information) Rules,2011, which throws light on1. Applicability2. Collection of sensitive data3. Processing of sensitive data4. price of admission to sensitive data5. Disclosure of sensitive data6. topic of sensitive data7. warranter measures Penalties1. ApplicabilityThe rule says that the Body inembodied have to implement such security practices standards that commensurable with the information assets protection policy.Rules also set show up that ISO 27001/IEC 27001 or any international standard in par with these standards could also be implemented by a frame embodied.The Body corporate needs to get certified/audited by an independent auditor approve by Central Government annually2. Collection of sensitive personal dataData must(prenominal)iness be collected for a logical purpose for a function of the physical structure corporate for which such data is required necessary. Prior wri tten consent of the data provider must be obtained for the data collection.3. Processing and Retention of DataThe timeframes for retention of elegant Data is not specifically defined in the Data silence rules. However , it says that the rules do not override any provisions of any other laws, wherein it is specified that the maximum period of retention of sensitive data is for say 5 years or so.Sensitive Data should be used only for the purpose for which it is collected not otherwise. Section 67C of the IT Act requires the intermediaries to retains such information, and for such period of time, as mandated by the Central Government.4. Access RestrictionsSensitive Personal Data/ Information (SPDI) can be reviewed/ revise by the information provider. They can withdraw the consent at any point of time as well. The rules provide that they could be transfer of SPDI in case of necessity for performance of lawful contract.The detail procedure the timeline deep down which the data provi der has the right to access the information make changes is not clearly defined in the Data privacy rules.5. Disclosure of InformationSPDI can not be disclosed unless prior consent of the data provider is obtained. However, in the following instances such disclosures can be makeUnder a provision of a contract between the body corporate and Provider orMade to Government agencies as stipulated by law to obtain Sensitive Data for the purposes of verification of identity, or for the prevention, detection, investigation, prosecution and punishment of offences, including cyber incidents orIn pursuant to an order under the law.6. Publication of sensitive dataNeither the body corporate nor the Data processor are permitted to publish Sensitive Data in any manner. A third party that receives Sensitive Data from any body corporate or Data Processor is prohibited from disclosing it further.A body corporate and a Data Processor are required to publish on their respective websites a privacy po licy in regard to the touch on of Sensitive Data7. Security measures PenaltiesThe Data Privacy Rules require that they must contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected and with the nature of business.The International Standard IS/ISO/IEC 27001 is recognize as an approved security practices that the body corporate or the information provider should implement to comply with security measures under the Data Privacy Rules.If there is an information security breach, then the body corporate information provider needs to prove that they have implemented the security control measures as per information security program and policies.Body corporate has to plant a Grievance Officer to resolve the grievances of the Data Provider. The communication exposit of the Grievance Officer must be available on the website of the body corporate. It is the duty of the grievance officer to resolve/a ddress the grievances within 1 month.ConclusionHuman resources, software , hardware, information security design can be utilized for addressing the data privacy issues. Ignorance of the implication of the Acts regulation is a major hindrance. The laws regulations relating to data protection are constantly changing frankincense its important to keep up-to-date of any changes implement such procedures practices to competitiveness the Data privacy breaches. As the regulations acts prescribes that such data privacy breaches are liable for criminal prosecution penalties, it is the responsibility of SPDI Provider the organization using the data to ensure proper adequate controls are in perspective as a counter measure for such data privacy breaches.