The Information Technology (Reasonable Security Practices and Procedures and
Sensitive Personal Data or Information) Rules, 2011 (hereinafter called "SPDI
Rules") provide for the regulation of the use of sensitive personal data or
information. The Rules also provide for reasonable security practices and
procedures to be followed for data protection.
These Rules have been notified in the exercise of the power conferred on the
Central Government under section 87 read with section 43A of the Information
Technology Act, 2000 (hereinafter called "IT Act").
- Rule 2 (e) of the SPDI Rules defines data as defined in clause (o) of
sub-section (1) of section 2 of the Act.
Section 2 of the IT Act defines data as "means a representation of information,
knowledge, facts, concepts or instructions which are being prepared or have been
prepared in a formalized manner, and is intended to be processed, is being
processed or has been processed in a computer system or computer network, and
may be in any form (including computer printouts, magnetic or optical storage
media, punched cards, punched tapes) or stored internally in the memory of the
- Rule 2 (d) of the SPDI Rules defines "cyber incidents" as "any real or
suspected adverse event in relation to cyber security that violates an
explicitly or implicitly applicable security policy resulting in unauthorized
access, denial of service or disruption, unauthorized use of a computer resource
for processing or storage of information or changes to data, information without
- Rule 2 (g) of the SPDI Rules defines intermediary as defined in clause (w) of
sub-section (1) of section 2 of the Act.
The IT Act defines Intermediary as "with respect to any particular electronic
records, means any person who on behalf of another person receives, stores or
transmits that record or provides any service with respect to that record and
includes telecom service providers, network service providers, internet service
providers, web-hosting service providers, search engines, online payment sites,
online-auction sites, online-market places, and cyber cafes."
Rule 2 (i) of the SPDI Rules defines personal information as "any information
that relates to a natural person, which, either directly or indirectly, in
combination with other information available or likely to be available with a
body corporate, is capable of identifying such person."
Sensitive Personal Data or Information:
Rule 3 specifies that the following types of data or information shall be
considered sensitive personal data or information:
- Bank Account details
- Credit/debit card details
- Present and past health records
- Sexual orientation
- Biometric data
- Any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.
The Rules provide that the body corporate or any other person on
its behalf who collects, receives, possesses, stores, deals or handles
It should be clear what type of information will be collected and the purpose
for which it is collected; details should be provided regarding the disclosure
of sensitive personal data to third parties; and the organization must take the
required precautions to protect the data (Rule 4).
Collection and Disclosure of User Information:
The body corporate may collect sensitive personal data only after obtaining the
consent of the individual, and only where the data is used for a lawful purpose
and such collection of SPDI is necessary. In some instances the information
provider should be given an opportunity to provide alternative information
instead of SPDI (Rule
It is mandatory for the body corporate to take reasonable steps to protect the
information. Further, the body corporate is not allowed to publish any sensitive
personal data or information and cannot share the SPDI with a third party unless
prior permission has been given by the information provider. There are, however,
certain exceptions to this.
Two exceptions are:
- When there is a contract between the body corporate and the information
provider to disclose such information for any legal obligation.
- Information providers should be allowed to amend or review the SPDI at
any point in time for the information which is provided.
Further, such SPDI can be disclosed to Government agencies for investigation,
prevention, verification of identities, etc., and can be disclosed under an
order of law for the time being in force (Rule 6).
Transfer of SPDI
The SPDI can be transferred by the body corporate, but before transferring the
information the body corporate should check that the recipient ensures the same
level of data protection as that adhered to by the body corporate under these
Rules. Further, the Rules also state that such information can only be
transferred in accordance with the contract and after obtaining the prior
consent of the information provider for such transfer (Rule
The Rules mandate that the body corporate appoint a grievance officer who
shall address complaints, and the contact details of the grievance officer
must be available on the website of the body corporate.
Reasonable Security Practices and Procedures
The Rules require the body corporate, or any person on its behalf, to implement
reasonable security practices and procedures and to have a comprehensively
documented information security program.
The body corporate has to implement security control measures whenever there is
an information security breach. The reasonable security practices can either be
the International Standard IS/ISO/IEC 27001 on "Information Technology - Security
Techniques - Information Security Management System - Requirements" or any other
code of security practice followed by a self-regulating entity, provided such
code has been duly approved and notified by the Central Government (Rule 8).