white_paper_on_data_protection_in_india_171127_final_v2
There is a need to put in place a notification timeline that keeps in mind all the abovementioned factors.
(iv) Notification Requirements
Once a personal data breach is established, the organisation must notify the competent authority. In the US, HIPAA demands notification of the breach to the affected individuals and, in certain circumstances, to the media. A media notification is required only if a breach affects more than 500 residents of a state or jurisdiction. Reporting to the media might put significant burdens on small companies, so this option should be carefully weighed. Depending upon the nature of the breach, the magnitude of the breach and to whom the notification is addressed, the format of the notification has to be adapted.
(v) Individual Notification
As a best practice, a personal data breach notification should mention: the type of personal data breach, the estimated date of the breach (which could be in the form of a range), and a general description of the security incident in language that is comprehensible to an individual with average technical and legal knowledge. The notification must also inform the individual of his or her rights with respect to the breach and the contact information of the person or office in charge of addressing related grievances. The notification could be done by way of postal mail or electronic mail, as long as the notification is communicated to the affected individual within the stipulated time.
A standard format for notification could be drafted for administrative ease. But the content should reflect the type of personal data breach, the estimated date of the breach (which could be in the form of a range), a general description of the security incident, the estimated number of individuals affected by the breach, the steps being taken to minimise the impact of the breach and future resolution.
2.12 Provisional Views
1. The law may require that individuals be notified of data breaches where there is a likelihood that they will suffer privacy harms as a result of such breaches.
2. The law may also require that the data protection authority or any other authority be notified immediately on detection of data breaches.
3. Fixing too short a time period for individual notifications may be too onerous on smaller organisations and entities. This may prove to be counterproductive as well, as an organisation may not have the necessary information about the breach and its likely consequences.