DATA PROTECTION LAWS

A summary of the key obligations under the SPDI Rules of an entity that, inter alia, collects, processes and transfers SPDI is set out below:

(i) Reasonable Security Practices and Procedures: Section 43-A of the IT Act mandates following "reasonable security practices and procedures" in relation to SPDI. An entity is considered compliant if it implements security practices, standards, and a documented information security program with managerial, technical, operational, and physical controls proportionate to the information assets it seeks to protect. The IS/ISO/IEC 27001 standard relating to ‘Information Technology-Security Techniques-Information Security Management System–Requirements’ is one of the specified standards under the SPDI Rules. Additionally, an audit must be conducted at least annually or after significant upgrades to processes and resources.

(ii) Privacy policy: Under the SPDI Rules, an entity that collects, receives, possesses, stores, deals in or handles SPDI of an information provider is required to publish a privacy policy on its website that addresses its handling of SPDI. Such privacy policy must contain clear and easily accessible statements of the entity’s practices and policies. Further, the entity is also required to state in its privacy policy the type of SPDI being collected, the purpose of collection and usage of such information, information in relation to disclosure of SPDI and the reasonable security practices and procedures it has adopted under the SPDI Rules.

(iii) Consent and collection: Under the SPDI Rules, for collection of SPDI, an entity is required to obtain consent in writing, through letter or any mode of electronic communication, from the provider of SPDI. Further, the entity is not permitted to collect SPDI unless the information is collected for a lawful purpose connected with a function or activity of the entity, and the collection of SPDI is considered necessary for that purpose. The entity is also mandated to take such steps as are reasonable in the circumstances to ensure that the information provider has knowledge of the collection of information, the purpose of collection of such information, the intended recipients, and the name and address of the agency collecting and retaining the information.

(iv) Rights of the information provider: The entity is required to allow the information provider the right to review or amend any SPDI and to ensure that it is corrected or amended, as feasible, if found to be inaccurate or deficient. The entity is also required to give the information provider the option to withdraw consent at any point in time, in writing, in relation to the information that has been so provided.

(v) Purpose limitation and retention: Under the SPDI Rules, an entity is not permitted to use SPDI for any reasons other than those for which it has been collected and is not allowed to retain SPDI for a period longer than is required for the purposes for which the SPDI may lawfully be used or is otherwise required under any other law for the time being in force.

(vi) Disclosure of SPDI: The SPDI Rules specify that apart from disclosure of SPDI sought by governmental agencies or where it is required for compliance with a legal obligation, the entity is required to obtain consent from the information provider, prior to disclosure of such information to a third party, unless such disclosure has been agreed to in an agreement between the parties.

(vii) Transfer of SPDI: As per the SPDI Rules, an entity may transfer SPDI to any other entity, in India or overseas, that ensures the same level of data protection that is adhered to by the transferring entity, as provided for under the SPDI Rules. The transfer may be allowed only if: (i) it is necessary for the performance of the lawful contract between the transferring entity and the information provider; or (ii) where such information provider has consented to the data transfer.

(viii) Grievance Officer: Under the SPDI Rules, the entity is required to designate a grievance officer for redressal of grievances in relation to SPDI and publish the name and contact details of such officer on its website.