Privacy in The Digital Age – Legal Scenario (With specific reference to India) презентация

to India)

the global laws
Mom’s gyan

by which we’re being tracked…!

in a computer system can be shared with third parties
Private data is known as –
Personally Identifiable Information (PII)
Personal data
Sensitive Personal Data/Information

its own or with other information to identify, contact, or locate a person, or to identify an individual in context

data - Data relating to a living individual which helps in his identification and includes any expression of opinion him
Sensitive personal data - Personal data consisting of information as to –
the racial or ethnic origin of the data subject,
his political opinions,
his religious/spiritual beliefs
His professional associations,
his physical or mental health or condition,
his sexual life,
the commission or alleged commission by him of any offence, or
any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

India

SPDI
Password

Health
condition

Sexual orientation

Health records

Bio-metrics

Financial info

Rule 3 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

Expression
Art. 21 – Right to Life and Personal Liberty
IT Act, 2000 (Amd. 2008)
Data privacy
Personal privacy
Powers of Government
Liability of Intermediary

industry
Privacy – Individual’s concern
Increasing Government control/interference

legal recognition to e-commerce
To facilitate e-governance
To provide remedy to cyber crimes
To provide legal recognition to digital evidence
Preamble doesn’t specify that the Act aims @ establishing IT Security framework in India

of compensation
Amount – Unlimited
What needs to be proved – Amount of damages suffered
Adjudication –
For claims upto Rs. 5 Crores – Adjudicating Officer (IT Secretary of State)
For claims above Rs. 5 Crores – Civil courts

a computer
Accesses or secures access to a computer

Downloads, copies or extracts data

Introduces computer contaminant or virus

Damages computer

Disrupts computer or network

Causes denial of access

Provides assistance to facilitate illegal access

Charges the services availed of by a person on the account of another person

Destroys, deletes, alters , diminishes value or utility or affects injuriously

Steals, conceals, destroys or alters computer source code

Bank
Saurabh Jain vs. Idea Cellular

Fraudulent transfer of money from petitioners account
Duplicate SIM cards made without document verification
Court is of opinion that bank/cellular company has failed to establish a due diligence and in providing adequate checks and safeguards to prevent unauthorised access
Bank has not adhered to the RBI circular of July 2010 for 'guidelines on information security, electronic banking and cyber frauds
Idea has issued a SIM based on a fake license and police FIR

possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person
Liability – Damages by the way of Compensation – Unlimited damages

directors and
Managers

If it is proved that

they had knowledge of the contravention or they have not used due diligence or that it was caused due to their negligence

and Procedures?

data or information) Rules, 2011
Enforceable from 11th April, 11
To be read with Sec. 43A

(Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

and sensitive personal data or information) Rules, 2011

regular basis
Needs to be done by the Government Certified Auditor who will be known as “Govt. Certified IT Auditor”
Not appointed yet

through letter/fax/email from the provider of the SPDI regarding purpose of usage before collection of such information
Need to specify –
Fact that SPDI is being collected
What type of SPDI is collected?
How long SPDI will be held?

Rule 5 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

agency collecting the information and agency retaining the information
Body Corporate not to retain information longer than required
Option should be given to withdraw the information provided
SPDI shall be used only for the purpose for which it has been collected
Shall appoint “Grievance Officer” to address any discrepancies and grievances about information in a timely manner – Max. time – One month

should be available to view/inspect @ any time
Shall provide for –
Type of SPDI collected
Purpose of collection and usage
Clear and easily accessible statements of IT Sec. practices and policies
Statement that the reasonable security practices and procedures as provided under rule 8 have been complied

Rule 4 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

to third party OR
Disclosure clause needs to be specified in the original contract OR
Must be necessary by law

Third party receiving SPDI shall not disclose it further

Rule 6 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

for performance of lawful contract
Disclosure clause should be a part of Privacy and Disclosure Policy
Transferee to ensure same level of data protection is adhered while and after transfer
Details of transferee should be given to provider

Rule 7 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

lawful contract -
Knowingly or intentionally disclosing “Personal Information" in breach of lawful contract
IMP – Follow contract
Punishment - Imprisonment upto 3 years or fine up to 5 lakh or with both (Cognizable but Bailable)

personal privacy
Popularly known as Voyeurism
Covers acts like hiding cameras in changing rooms, hotel rooms, etc.
Punishment –imprisonment upto 3 years or fine upto Rs. 2 lakh or both
Section 67C – Preservation and retention of information by intermediaries
Section 69 – Power to issue directions for interception or monitoring or decryption of any information through any computer resources.
Section 69A – Power to issue directions for blocking public access to any information through any computer resource
Section 69B – Power to authorize to monitor and collect traffic data or information through any computer resource for cyber security
Section 79 – Intermediary not liable in certain circumstances

Personal Information
It requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect clients’ nonpublic personal information.
This plan must include –
Denoting at least one employee to manage the safeguards,
Constructing a thorough risk analysis on each department handling the nonpublic information,
Develop, monitor and test a program to secure the information, and
Change the safeguards as needed with the changes in how information is collected, stored and used

economic and national security interests of the United States
Emphasized on “risk-based policy for cost-effective security”
Responsibility attached to federal agencies, NIST and the Office of Management and Budget (OMB) to strengthen information system security
Not mandatory
No penalty for non-compliance

data within the EU
Protection of individual’s personal data and its free movement
Coming soon - European Data Protection Regulation
Not mandatory
No penalty for non-compliance

Children's Online Privacy Protection Act of 1998 (COPPA)
Driver's Privacy Protection Act of 1994
Telephone Consumer Protection Act of 1991 (TCPA)
Video Privacy Protection Act of 1988
Electronic Communications Privacy Act of 1986 (ECPA)
Privacy Protection Act of 1980 (PPA)
Right to Financial Privacy Act of 1978 (RFPA)
Family Education Rights and Privacy Act of 1974
Privacy Act of 1974

disclose
Always ask –
WHY they want it ?
HOW will they use it ?
WHO will it will be shared with ?
Will YOU get access to it ?
Know your rights
Question if you are in doubt

(have, use, access, store, obtain, etc.) personal information ?
Am I collecting only the what is REALLY needed and not more ?
Have I differentiated between Sensitive Personal Information and other information?
Do I protect information even during Transit/Process ?
How are you making sure all employees know their responsibilities and rights ?
How will you extend the data privacy protection to your third-parties, vendors ?
What will you do if there is a privacy breach ?
Do you in-house competences to conduct basic investigations ?