Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information)

September 4, 2017


Unlike the European Union, which adopted the Data Protection Directive in 1995 and has most recently passed the General Data Protection Regulation that is scheduled to become enforceable with effect from May 25, 2018, India does not currently have a separate data protection law. When the Information Technology Act, 2000 (hereinafter referred to as the “IT Act”) first came into force on October 17, 2000, it lacked provisions for the protection of an individual's sensitive personal information and for the procedure to be followed to ensure the safety and security of such information.

This led to the introduction of the Information Technology Bill, 2006 in the Indian Parliament, which later became the Information Technology (Amendment) Act, 2008, whose provisions came into force on October 27, 2009. The Information Technology (Amendment) Act, 2008 inserted Section 43A in the IT Act, and the Central Government, in exercise of the powers conferred by clause (ob) of sub-section (2) of Section 87 read with Section 43A of the IT Act, 2000, notified the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (hereinafter referred to as the “2011 Rules”).

Important Provisions of IT Act related to Data Protection

  • Section 43A of the IT Act explicitly provides that whenever a body corporate possesses or deals with any sensitive personal data or information, and is negligent in maintaining reasonable security to protect such data or information, thereby causing wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages to the person(s) so affected.
  • Further, Section 72A provides for the punishment for disclosure of information in breach of lawful contract: any person who discloses information in breach of a lawful contract may be punished with imprisonment for a term not exceeding three years, or with a fine not exceeding five lakh rupees, or with both.

Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

The Department of Information Technology notified the 2011 Rules on April 11, 2011 vide notification no. G.S.R. 313(E). The main highlights of the 2011 Rules are as follows:

  • The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 only apply to bodies corporate and persons located in India. This was clarified vide a press note dated August 24, 2011 issued by the Ministry of Communication and Information Technology, wherein it was stated that the 2011 Rules were applicable to a body corporate or any person located within India[1].
  • Rule 3 of the 2011 Rules provides a list of items that are to be treated as “sensitive personal data”, and includes inter alia information relating to passwords, credit/debit card information, biometric information (such as DNA, fingerprints, voice patterns, etc. that are used for authentication purposes), physical, physiological and mental health condition, etc. It is further clarified that any information that is freely available or accessible in the public domain is not considered to be sensitive personal data.
  • Rule 4 imposes a duty on Body Corporates seeking sensitive personal data to draft a privacy policy and make it easily accessible for people who are providing the information. The privacy policy should be clearly published on the website of the body corporate and should contain details on the type of information that is being collected, the purpose for which it has been collected and the reasonable security practices that have been undertaken to maintain the confidentiality of such information.
  • Rule 5 provides the guidelines that need to be followed by a Body Corporate while collecting information and imposes the following duties on the Body Corporate:
    • Obtain consent from the person(s) providing information in writing or by Fax or by e-mail before collecting such sensitive personal data. Vide the press note dated August 24, 2011 issued by the Ministry of Communication and Information Technology it was clarified that consent includes consent given by any mode of electronic communication;
    • Information shall not be collected unless it is for a lawful purpose and is considered necessary for that purpose. The information collected shall be used only for the purpose for which it is collected and shall not be retained for a period longer than is required;
    • Ensure that the person(s) providing information are aware of the fact that the information is being collected, its purposes and recipients, and the names and addresses of the agencies retaining and collecting the information;
    • Retain the information for no longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force;
    • Offer the person(s) providing information an opportunity to review the information provided and make corrections, if required;
    • Before collection of the information, provide an option to the person(s) providing information to not provide the information sought;
    • Maintain the security of the information provided; and
    • Designate a Grievance Officer, whose name and contact details should be published on the website and who shall be responsible for addressing grievances of information providers expeditiously. A maximum period of one month has been provided for resolution of such grievances.
  • Rule 6 provides that a Body Corporate must seek prior permission of the information provider before disclosing such information to a third party. However, no prior permission is required if the request for such information is made by government agencies mandated under law, or by any other third party under an order made under law.
  • Rule 8 provides the reasonable security practices and procedures that may be implemented by Body Corporates. The international standard IS/ISO/IEC 27001 is one such standard which can be implemented by a body corporate to maintain data security. It is pertinent to note that an audit of reasonable security practices and procedures shall be carried out by an auditor at least once a year, or as and when the body corporate or a person on its behalf undertakes a significant upgradation of its processes and computer resources.

Other Clarifications Issued by Ministry of Communications and Information Technology

It was clarified that any Body Corporate providing services relating to the collection, storage, dealing or handling of sensitive personal data or information under a contractual obligation with any legal entity located within or outside India is not subject to the requirements of Rules 5 and 6. However, body corporates providing services to the provider of information under a contractual obligation directly with that provider are subject to Rules 5 and 6.

Recent Comments by the Government in the Supreme Court

An important debate that has arisen before the Supreme Court of India is whether there is a fundamental right to privacy[2]. The matter was referred to a nine-judge constitutional bench and a decision is forthcoming in this regard. An important point that was raised before the Court in a hearing on August 1, 2017 is that the Central Government has constituted a committee of experts, led by former Supreme Court judge Justice B.N. Srikrishna, to identify “key data protection issues” and suggest a draft data protection Bill[3]. Reading from an office memorandum dated July 31, 2017, the Additional Solicitor General of India informed the Court that the Ministry of Electronics and Information Technology would work with the panel and hand over all necessary information to the Committee within the next eight weeks, after which the latter would start its deliberations.


[2] Justice K.S.Puttaswamy (Retd.) And Anr V. Union Of India, W.P. (C) 494 of 2012