India Unit 3B IT Act 2000 Appln and scope II Flashcards

1
Q

Which are the sections in Indian IT Act 2000 relating to data protection?

A

43, 65, 66, 72
- Section 43. Penalty for damage to computer, computer system, etc.;
- Section 65. Tampering with computer source documents;
- Section 66. Hacking with Computer System;
- Section 72. Penalty for breach of confidentiality and privacy (consent of the concerned person is needed)
- Imprisonment of up to two years (Section 72) or three years (Sections 65, 66), or a fine which may extend up to two lakh rupees (1 lakh for Section 72), or both

2
Q

What is the IT Rules 2011 also known as? What does it cover?

A

Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules, 2011 (IT Rules).

The IT Rules cover security procedures and also contain basic rules on privacy.

3
Q

What is a body corporate?

A

Indian law does not contain the concepts of “data controller” and “data processor”. Instead, the IT Rules refer to the concept of a body corporate.

A body corporate is defined as “any company and includes firm, sole proprietorship or other association of individuals engaged in commercial or professional activities”.

4
Q

What are the rights of data subjects or provider of information?

A

1) Access to data - the body corporate or any person on its behalf must permit providers of information to review the information they may have provided.

2) Correction and deletion – providers of information must be allowed access to the data provided by them, and the body corporate must ensure that any information found to be inaccurate or deficient is corrected or amended as feasible.

3) Objection to processing – the provider of information has the option to later withdraw consent which may have been given earlier to the body corporate; such withdrawal of consent must be stated in writing to the body corporate. On withdrawal of consent, the body corporate is prohibited from processing the personal information in question.

4) Complaint to the relevant data protection authority - all discrepancies or grievances reported to data controllers must be addressed in a timely manner. Corporate entities must designate Grievance Officers for this purpose, and the names and details of said officers must be published on the website of the body corporate. The Grievance Officer must redress respective grievances within a month from the date of receipt of said grievances.

5) Disclosure of data - Disclosure of sensitive personal information requires the provider’s prior permission, unless either:
– disclosure has already been agreed to in the contract between the data subject and the data controller; or
– disclosure is necessary for compliance with a legal obligation.

Before the collection of sensitive personal data or information from the person concerned, the body corporate must take reasonable steps to inform that person of the:
- Fact that the information is being collected
- Purpose for which it is collected
- Intended recipients of the information
- Name and address of the agency collecting or retaining the information

Before the collection of sensitive personal data or information, the provider of the sensitive personal data or information has:
- The option to refuse to provide it
- The right to withdraw consent through notice in writing. On withdrawal of consent, the collecting party has the option not to provide the goods or services for which the information was sought.
