white_paper_on_data_protection_in_india_171127_final_v2
specific purposes and under special conditions. 513 Such types of data are termed “sensitive”,
and may include religious beliefs, physical or mental health, sexual orientation, biometric and
genetic data, racial or ethnic origin and health information.
6.2 Issues<br />
(i) Definition of “sensitive data” as per the Sensitive Personal Data Rules
The SPDI Rules, framed under Section 43A of the IT Act, place certain obligations on
individuals holding data in electronic form. The SPDI Rules seek to introduce internationally
accepted privacy principles, such as collection limitation, purpose specification, use limitation
and consent in the handling of “sensitive personal information”. 514 However, it may not be
possible to rely entirely on this definition from the perspective of the possibility of abuse and
misuse. 515 Information relating to caste and religious beliefs of an individual would also need
to be examined, as they are especially relevant to the Indian context. There are other issues
relating to the scope of the SPDI Rules, as they only applied to “body corporates” and not to
other private and government entities, which may process sensitive personal data.
(ii) Need to further examine the rationale behind certain categories of personal data
As discussed, certain types of information have been identified as sensitive because there is a
greater likelihood of harm being caused to the individual if there is unauthorised collection, use and
disclosure of this information. In order to understand the rationale behind identifying certain
categories of information as sensitive, there may be a need to assess the harms which are
likely to arise. In understanding harms, two categories are evident. Some harms are intrinsic: for
instance, the harms caused by the disclosure of health information may be intrinsic, as a user
may not want her health information to be widely shared. Other harms are instrumental: e.g.
sharing medical records could lead to discrimination, or to utilisation of this information by
pharmaceutical companies to send unwanted marketing information to these individuals, etc.
On the other hand, payment instrument details are sensitive not necessarily because any
intrinsic harm is caused by disclosure of, say, a credit card number, but rather because damage
513 Article 29 Data Protection Working Party, ‘Advice paper on special categories of data (“sensitive data”)’,
European Commission (4 April 2011), available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/otherdocument/files/2011/2011_04_20_letter_artwp_mme_le_bail_directive_9546ec_annex1_en.pdf
(last accessed 29 October 2017).
514 Rule 3, SPDI Rules defines ‘sensitive personal data or information’ to include: password; financial
information such as bank account or credit card or debit card or other payment instrument details; physical,
physiological and mental health condition; sexual orientation; medical records and history; biometric
information; any detail relating to the above provided to the organisation for providing service; and any of the
information received under the above by the organisation for processing, stored or processed under lawful
contract or otherwise.
515 Bhairav Acharya, ‘Comments on the Information Technology (Reasonable Security Practices and Procedures
and Sensitive Personal Data or Information) Rules, 2011’, The Center for Internet & Society (CIS) (31 March
2013), available at: https://cis-india.org/internet-governance/blog/comments-on-the-it-reasonable-securitypractices-and-procedures-and-sensitive-personal-data-or-information-rules-2011
(last accessed 29 October 2017).