[To be published in THE GAZETTE OF INDIA, EXTRAORDINARY, Part II, Section 3, Sub-section (i) of dated the , 2011]
Government of India
MINISTRY OF COMMUNICATIONS AND INFORMATION TECHNOLOGY
(Department of Information Technology)

NOTIFICATION

New Delhi, the ------------, 2011

G.S.R. ...... (E). In exercise of the powers conferred by clause (ob) of sub-section (2) of section 87, read with section 43A of the Information Technology Act, 2000 (21 of 2000), the Central Government hereby makes the following rules, namely:

1. Short title and commencement.
(1) These rules may be called the Information Technology (Reasonable security practices and procedures and sensitive personal information) Rules, 2011.
(2) They shall come into force on the date of their publication in the Official Gazette.

2. Definitions.
In these rules, unless the context otherwise requires,--
(a) "Act" means the Information Technology Act, 2000 (21 of 2000);
(b) "Biometrics" means the technologies that measure and analyse human body characteristics, such as fingerprints, eye retinas and irises, voice patterns, facial patterns, hand measurements and DNA, for authentication purposes;
(c) "Body corporate" means body corporate as defined in clause (i) of the Explanation to section 43A of the Act;
(d) "Call data record" means a data record that contains information related to a telephone call, such as the origination and destination addresses of the call, the time the call started and ended, the duration of the call, the time of day the call was made, and any toll charges that were added through the network or charges for operator services, among other details of the call;
(e) "Data" means data as defined in clause (o) of sub-section (1) of section 2 of the Act;

File: revised rule 43a - 5jan2011[1].doc, last printed 2/7/2011 6:04:00 PM, Page 1 of 5

(f) "Information" means information as defined in clause (v) of sub-section (1) of section 2 of the Act;
(g) "Intermediary" means an intermediary as defined in clause (w) of sub-section (1) of section 2 of the Act;
(h) "Password" means a secret word or phrase or code that one uses to gain admittance or access to information.

3. Sensitive personal data or information.
Sensitive personal data or information of a person shall include information collected, received, stored, transmitted or processed by a body corporate or intermediary or any person, consisting of:
(i) password;
(ii) user details as provided at the time of registration or thereafter;
(iii) financial information, such as bank account, credit card, debit card or other payment instrument details of the users;
(iv) physiological and mental health condition;
(v) medical records and history;
(vi) biometric information;
(vii) information received by the body corporate for processing, stored or processed under lawful contract or otherwise;
(viii) call data records;
Provided that any information that is freely available or accessible in the public domain, or accessible under the Right to Information Act, 2005 or any other law for the time being in force, shall not be regarded as sensitive personal data or information for the purposes of these rules.

4. Body corporate to provide policy for privacy and disclosure of information.
(1) The body corporate, or any person who on behalf of the body corporate collects, receives, possesses, stores, deals in or handles information, shall provide a privacy policy for handling of or dealing in user information, including sensitive personal information, and ensure that the same is available for view by such providers of information who have provided such information under lawful contract. Such policy shall provide for:
(i) the type of personal or sensitive information collected under sub-rule (ii) of rule 3;
(ii) the purpose, means and modes of usage of such information;
(iii) disclosure of information as provided in rule 6.

5. Collection of information.
(1) The body corporate or any person on its behalf shall obtain the consent of the provider of the information regarding the purpose, means and modes of use before collection of such information.
(2) The body corporate or any person on its behalf shall not collect sensitive personal information unless --
(a) the information is collected for a lawful purpose connected with a function or activity of the agency; and
(b) the collection of the information is necessary for that purpose.
(3) While collecting information directly from the individual concerned, the body corporate or any person on its behalf shall take such steps as are, in the circumstances, reasonable to ensure that the individual concerned is aware of:
(a) the fact that the information is being collected; and
(b) the purpose for which the information is being collected; and
(c) the intended recipients of the information; and
(d) the name and address of:
(i) the agency that is collecting the information; and
(ii) the agency that will hold the information.
(4) The body corporate or any person on its behalf holding sensitive personal information shall not keep that information for longer than is required for the purposes for which the information may lawfully be used.
(5) The information collected shall be used for the purpose for which it has been collected.
(6) The body corporate or any person on its behalf shall permit the users to review the information they had provided and modify the same, wherever necessary.
(7) The body corporate or any person on its behalf shall provide an option to the provider of the information to opt in or opt out.
(8) The body corporate or any person on its behalf shall keep the information secure.
(9) The body corporate shall address any discrepancies and grievances of its users with respect to processing of information in a time-bound manner.

6. Disclosure of information.
(1) Disclosure of information by the body corporate to any third party shall require prior permission from the provider of such information, who has provided such information under lawful contract or otherwise:
Provided that the information shall be provided to government agencies for the purpose of verification of identity, or for prevention, detection, investigation, prosecution and punishment of offences. The government agency shall send a written request to the body corporate possessing the sensitive information, stating clearly the purpose of seeking such information. The government agency shall also state that the information thus obtained will not be published or shared with any other person.
(2) Without prejudice to sub-rule (1) of rule 6, any information shall be disclosed to any third party by an order under the law for the time being in force.
(3) The body corporate or any person on its behalf shall not publish the.
(4) The third party receiving the information from the body corporate as per sub-rule (1) shall not disclose it further.

7. Reasonable security practices and procedures.
(1) Any person, including a body corporate, shall be considered to have complied with reasonable security practices and procedures if they have implemented such security practices and standards as require a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures commensurate with the information assets being protected. In the event of an information security breach, any such person, including the body corporate, shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies.
(2) The International Standard IS/ISO/IEC 27001 (Information technology - Security techniques - Information security management systems - Requirements) has been adopted by the country. The security practices prescribed by this standard are enshrined in the principle outlined in sub-rule (1).
(3) Industry associations or industry clusters that follow codes of best practices for data protection other than IS/ISO/IEC 27001, and that fulfil the requirement of sub-rule (1), shall get their codes of best practices approved by the Government, which shall be duly notified.
(4) A body corporate that has implemented either the IS/ISO/IEC 27001 standard or the codes of best practices for data protection approved under sub-rule (3) shall be deemed to have complied with reasonable security practices and procedures.