What laws apply to the collection and use of individuals’ personal information?
Data privacy laws have become more prominent in recent years. As the amount of personal information available online has grown substantially, there has been an enhanced focus on the processing of personal data, as well as the enforcement of such laws.
India does not have an overarching data protection or privacy law. While that may be changing soon, privacy requirements are currently contained in India’s Information Technology Act, 2000 (IT Act). The IT Act includes specific privacy provisions and requirements for personal information (PI) and sensitive personal data or information (SPDI). PI is defined as information relating to a natural person which, in combination with other information, can identify that person. SPDI includes information relating to passwords, financials (i.e. payment information, including credit cards, bank accounts, etc.), medical records, biometric data (such as fingerprints), etc. There are no rules specific to employers in the Information Technology Act.
There is no statute requiring specific security practices. That said, the Information Technology Rules, 2011 on Reasonable Security Practices and Procedures and Sensitive Personal Data or Information (“Privacy Rules”) include some very basic privacy rules relating to SPDI, such as notice, consent, collection, data transfers, etc.
Note that these rules only apply in the event that the employer, employee, and other concerned parties have not entered into a mutual agreement on the reasonable security practices and procedures that will apply to SPDI, or that will be excluded from applying to SPDI.
There may be revisions to India’s privacy laws in the near future. In July 2018, the Ministry of Electronic Information Technology released a draft Personal Data Protection Bill. The Bill, in its current form, has adopted many of the principles of the European Union’s General Data Protection Regulation. It is not clear when the final draft of the Bill will be made available to the public or when it will be introduced to Parliament.
India has no central authority responsible for enforcement of data privacy law and regulations. The Indian Computer Emergency Response Team (CERT-In) handles cyber security incidents: