Comments on Draft Sensitive Personal Information Rules
Comments on Reasonable Security Practices and Procedures and Sensitive Personal Information (Draft) Rules, 2011
1. DEFINITIONS
1.1. The Draft Reasonable Security Practices and Procedures and Sensitive Personal Information Rules, 2011 which are sought to be formed under Section 43A seek to further augment the prohibition against the negligent disclosure of sensitive personal data or information. In order for the rules to meet their purpose it is appropriate for the term, “sensitive personal data” to be defined in the definition clause itself. The rules at present do not contain such a definition, but only contain an illustrative list of what constitutes “sensitive personal data”, under Rule 3. A more prudent approach may be first to define, “personal data” and then to qualify what classes of personal data constitute, “sensitive personal data”. The definition of “personal data” under the EU Data Protection Directive №95/46/EC may be relied upon in this regard. Other recommended terms for definitions are, the data subjects from whom information is gathered and/or processed.
[caption id=”” align=”alignright” width=”300" caption=”Image via Wikipedia”]
[/caption]
1.2. The list which is contained under Rule 3, defines, “sensitive personal data or information”, to consist of, “(i) password; (ii) user details provided at the time of registration or therafter; (iii) information related to financial information such as Bank account / credit card / debit card/ other payment instrument details of the users; (iv) Physiological and mental health condition; (v) Medical records and history; (vi) Biometric information; (vii) Information received by body corporate for processing, stored or processed under lawful contract or otherwise; (viii) Call data records;”. This list may be expanded to include political affiliations, memberships of organizations as well as sexual orientation.
1.3. In regard to this list, sub-rule (vii) which reads as, “Information received by body corporate for processing, stored or processed under lawful contract or otherwise” stands out. When compared to the precision of the other sub-rules, sub-rule (vii) is overly broad and would include all information which is gathered. It would advisable to qualify the term by amending it to, “information which is capable of personally identifying a person, individually or when aggregated”. It is also pointed out that sub-rule (vii) is also a departure from the approach of the rules as well as Section 43A, which only seeks to protect, “sensitive personal data” as opposed to mere “personal data”. This also ties in with the necessity to define, “personal data” and “sensitive personal data” separately.
1.4. It is also suggested that, browsing data which is also gathered and aggregated by websites and search engines may be expressly included. This browsing data which includes, IP Addresses, geographical data, search logs etc. though such data may not individually constitute “sensitive personal data”, however, when it is aggregated it reveals a detailed profile of a person. This can be data which already falls within the existing classes, such as a “mental health condition” or may even fall outside, such as the person’s political affiliation or sexual orientation. The proviso to Rule 3 which has a carve-out in favor of releasing sensitive personal information under the Right to Information Act, 2005 is recommended to be maintained.
2. PRIVACY POLICY
2.1. Rule 4 contains the requirement of a privacy policy. The Rule states that the privacy policy, must be “available for view of such providers of information”. Here is it important for the rules to provide for the privacy policy to be prominently displayed and/or be easily accessible. In most cases websites require subscription and the viewer to go through a sign-up process. In such instances, websites usually do not display the terms of the access as well as their privacy policy as done in a routine sign-up process. Hence, here the viewer has not consented to the collection of personal data and should be notified of the privacy policy by a clear link on the homepage of the website. In the absence of such a clear notice to the viewer, the information gathering will be without consent.
2.2. It is also recommended that the rules to provide for the privacy policy to be drafted in clear and comprehensible language. This is important since, most viewers may not understand complicated legalese defeating the very purpose of a privacy policy.
2.3. Rule 4 also provides for the contents of the privacy policy. It states that the policy should provide for, “(i) type of personal or sensitive information collected under sub-rule (ii) of rule 3”. If one looks at sub-rule (ii) all it provides for is, “(ii) user details provided at the time of registration or therafter”. Hence by necessary implication, the privacy policy which is made available will not contain the notice and treatment of the information gathering of other classes of “sensitive personal information” as contained under Rule 3. Similarly requirements which are contained under Rule 5, such as, “(6) body corporate or any person on its behalf shall permit the users to review the information they had provided and modify the same, whenever necessary”, are presently not required to be reflected in the privacy policy. This certainly requires revision. In this respect it is suggested that the Rule may be redrafted to state that the privacy policy should contain and provide for information on all requirements imposed under the rules for the gathering, collection, processing etc. of sensitive personal data.
3. COLLECTION OF INFORMATION
3.1. Rule 5 makes consent to be the very basis of the collection of the information. The privacy policy is the notice of the terms, through which an information provider can grant this consent. This goes back to the point, as to how the privacy policy has to be, (a) prominently displayed; and (b) complete.
3.2. A comment is made in respect of Rule 4.4 on the point of data retention. Sub-rule 4.4 in its present form states that, “body corporate or any person on its behalf holding sensitive personal information shall not keep that information for longer than is required for the purposes for which the information may lawfully be used”. In this regard it is suggested that a specific retention period may be inserted which may be between 30 to 60 days. Often websites and online service providers hold archival data which contains such personal data to improve their service as well as to analyze their services. Here it may be reasonable to allow a body corporate to hold sensitive personal data for a period not exceeding 30/60 days from the date of the complete performance of the purpose for which the data was gathered, collected etc.. Such a change may also aid national security requirements which may require the retrieval of such archived data. The rule should also provide that at the end of such a period, the body corporate should destroy the data or delete it in a manner making its retrieval impossible.
3.3. With regard to Sub-Rule (6) it will also be useful for the body corporate which gathers, collects the sensitive personal information to provide the contact details of a person alongwith an email address with whom a user can constant to review the information. This person may be the designated privacy officer to comply with the provisions of the rules.
4. DISCLOSURE OF INFORMATION
4.1. The main focus of the regulations is preventing the unauthorized release of sensitive personal data as provided under Rule 6. Rule 6(1) provides that the disclosure of the information will require the prior permission of the user which has provided such information. However, with regard to the disclosure of such information from one private party to another, privacy policies generally reserve such rights in favor of the body corporate which gathers such information. The rules with regard to the disclosure of such information are broadly worded and since most users do not pay much attention to the contents of such rules, they ostensibly grant consent without knowing the full extent of such consent. Here is it advisable even when the disclosure of sensitive personal data is made by the body corporate to a private third party, as it is authorized to do so under its privacy policy a notification may be sent to the user whose information is so disclosed.
4.2. Rule 6(1) also contains a proviso which states that, “provided that the information shall be provided to government agencies for the purpose of verification of identity, or for prevention, detection, investigation, prosecution, and punishment of offences. The government agency shall send a written request to the body corporate processing the sensitive information stating clearly the purpose of seeking such information. The government agency shall also state that the information thus obtained will not be published or shared with any other person.”. Further Rule 6(2) provides that, “without prejudice to sub-rule (1) of Rule 6, any information shall be disclosed to any third party by an order under law for the time being in force.”.
4.3. It is pertinent to point out that regulations already exist with regard to the interception and monitoring of Information under the Information Technology Act, 2000. The Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 (hereinafter “Interception Rules, 2009”) provide for a comprehensive and constitutionally sound framework for the disclosure of information. Provisions of the Interception Rules, 2009 are formed under the constitutional safeguards as enunciated under Peoples Union for Civil Liberties v. Union of India, [(1997) 1 S.C.C. 301 hereinafter PUCL case], popularly referred to as the telephone tapping case. In the PUCL case the Hon’ble Supreme Court made clear procedural guidelines for telephone tapping following which Rule 419A of the Telegraph Rules were made. The Interception Rules, 2009 borrow heavily from Rule 419A of the Telegraph Rules and it is suggested that the proviso be suitably amended to incorporate the safeguards as contained under the Interception Rules, 2009.
4.4. In the absence of such an amendment, the proviso to Rule 6(1) and Rule 6(2) are liable to be held ultra vires the PUCL holding in case of constitutional challenge. Rule 6(1) at present is overbroad in as much it provides information to be disclosed for, “the purpose of verification of identity, or for prevention, detection, investigation, prosecution, and punishment of offences”. This categorization is broader than the categories which are found in PUCL, the Telegraph Rules and more pertinently the Interception Rules, 2009. The Interception Rules, 2009 making reference to Section 69 provide for the interception or monitoring or decryption of information only in cases of, “necessary or expedient to do in the interest of the sovereignty and integrity of India, defense of India, security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence”.
4.5. Secondly the Interception Regulations, 2009 contemplate disclosure of information only on the basis of an order from a high level functionary (Rule 3 of the Interception Regulations, 2009) which is quite different from the general wording of, Rule 6(1) which presently reads as, “be provided to government agencies”. There also a whole set of safeguards such as, a review committee, a written order etc. which are found under the Interception Regulations, 2009 and are missing under the proposed rules. These differences are material since flowing from Supreme Court dicta even though privacy is not an absolute right, the circumstances of its disclosure should be narrowly defined as per an established procedure to prevent unauthorized disclosure. The absence of procedural safeguards when interfering with privacy rights may cause body corporates to overenthusiastically share data with government agencies to ward of prosecution. There are real dangers of such orders being unauthorized, as demonstrated by the ongoing Ratan Tata privacy litigation in the Hon’ble Supreme Court of India. Hence it is essential for procedural safeguards to be present to maintain constitutional levels of privacy and prevent unauthorized disclosure.
4.6. A point of differentiation/objection which may be made to above proposals, that the Interception Regulations, 2009 applies in cases of real time interception which is based on monitoring from the date of the order whereas the present disclosure will apply in case of archived information. This difference only increases the need for safeguards as, (a) the archive will reveal more amount of information which has been collected over a period of time; (b) the nature of the information is not real time chatter which needs to be sifted through but catalogued “sensitive personal data”.
Reasonable Security Practices and Procedures and Sensitive Personal Information (Draft) Rules, 2011
[ipaper id=49453757]
Comments in PDF
[ipaper id=49727763]
Related articles
