Data is of two types:
a. personal and
b. non-personal data.
Personal means those characteristics, traits or attributes of identity that can be used to identify an individual. Non-personal data includes aggregated data through which an individual cannot be identified. Data protection means to protect or to minimise intrusion into the privacy of an individual through different policies and procedures. Concerns related to data collection
• The nature of data that is protected: The enactment that deals with protection of data is the IT Act and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal information) Rules, 2011. Rule 3 deals with what is primarily required to be protected is ‘personal information’ and ‘sensitive personal data or information’, means the information related to:
(i) password;
(ii) financial information like checking account or mastercard or open-end credit or other payment instrument details;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) biometric information;
(vii) any information relating to the above clauses given to the body corporate for providing service; and
(viii) any information relating to the above clauses given to the body corporate for processing, stored or processed under lawful contract or otherwise.The information that is freely available or accessible in public domain is not regarded as sensitive personal data.
Who can collect the personal data?
Rules 5 of the IT Rules prescribes that the body corporate or any person on its behalf has to obtain a consent in writing through a letter or fax or email from the provider of sensitive data, regarding the purpose of usage of that sensitive data,before collection of that sensitive data. It further provides that, no corporate or any person on its behalf shall collect sensitive personal data or information unless a) the information is collected for a lawful purpose connected with a function or activity of the body corporate; and
b) the gathering of the private data or information is taken into account necessary for that purpose. Further, it also provides that, while collecting the information, the person sharing the information is required to be made aware of
(i) the very fact that the knowledge is being collected;
(ii) the aim that the knowledge is being collected;
(iii) the intended recipients of the information; and
(iv) the name and address of: (a) the agency that is collecting the information; and (b) the agency that will retain the information.
Duration for which the personal data can be stored: Rule 5 provides that, any sensitive data or information cannot be retained longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any law for the nonce effective . These information can be used only for the purpose it is collected. Further prior to the collection of information it is required to provide an option to the provider of the information to not to provide the data or information that are to be collected. The provider of information has the option to withdraw its consent given earlier, at any time.
What is extent to which the personal data can be shared with third parties?
: Rule 6 provides that, the sensitive data can be shared by the third party only after obtaining permission from the information provider or the information provider and the body corporate had agreed to a disclosure contract, where such disclosure is required for the compliance of legal obligation. However, no such consent from the information provider is required where that information is shared with Government agencies, which is mandated under the law to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences.
The obligations of the employers in relation to the personal data collected of its employees: The employers collects sensitive personal information of its employees such as health records, financial information etc. Rule 8 provides that, if such personal information is stored on a computer resource, then he is required to have in place a comprehensive documented information security programme and information security policies that contain managerial, operational, technical and physical security control measures that are commensurate with the information assets being protected. Further, Rule 4 provides that a body corporate, which collects, receives, possess, stores, information of its employees, is required to have in place a privacy policy for handling of or dealing with such personal information. The body corporate is further required to make the privacy policy available for the employees for their review and publish the same on its website of body corporate and shall provide for:
i. clear and simply accessible statements of its practices and policies;
ii. sort of personal or sensitive personal data or information collected under rule 3;
iii. purpose of collection and usage of such information;
iv. disclosure of data including sensitive personal data or information
v. reasonable security practices and procedures.
Aishwarya Says:
I have always been against Glorifying Over Work and therefore, in the year 2021, I have decided to launch this campaign “Balancing Life”and talk about this wrong practice, that we have been following since last few years. I will be talking to and interviewing around 1 lakh people in the coming 2021 and publish their interview regarding their opinion on glamourising Over Work.
If you are interested in participating in the same, do let me know.
Do follow me on Facebook, Twitter Youtube and Instagram.
The copyright of this Article belongs exclusively to Ms. Aishwarya Sandeep. Reproduction of the same, without permission will amount to Copyright Infringement. Appropriate Legal Action under the Indian Laws will be taken.
If you would also like to contribute to my website, then do share your articles or poems at adv.aishwaryasandeep@gmail.com
We also have a Facebook Group Restarter Moms for Mothers or Women who would like to rejoin their careers post a career break or women who are enterpreneurs.
You may also like to read: