Saturday 23 May 2020

SPDI rules

The Puttaswamy judgment is a landmark legal development in the discourse on privacy, especially informational privacy. Prior legislative attempts have been made to secure informational privacy in various sectors in India. These include the general data protection rules under the Information Technology Act, 2000 (IT Act) as well as various sector-specific laws on data protection.



The SPDI Rules have been issued under Section 43A of the IT Act. Section 43A relates to Compensation for Failure to Protect Data and enables the enactment of reasonable security practices and procedures for the protection of sensitive personal data. The SPDI Rules incorporate the OECD Guidelines, such as collection limitation, purpose specification, use limitation and individual participation.

The Information Technology (Reasonable Security Practices and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules):


Key features of the SPDI Rules are:
1) They mandate certain requirements for the collection of information.
2) They insist that data be collected only for a lawful purpose connected with the function of the organisation.
3) Every organisation is required to have a detailed privacy policy.
4) They give instructions on the period of time for which information can be retained.
5) They give individuals the right to correct their information.
6) Disclosure is not permitted without the consent of the provider of the information, unless such disclosure is contractually permitted or necessary for legal compliance.
7) The consent of the provider is not required for sharing the personal information collected by any organisation with the Government.
8) Personal information can be shared for purposes such as verification of identity, and prevention, detection and investigation, including of cyber incidents, prosecution, and punishment of offences.
9) The SPDI Rules apply only to corporate entities and leave the government and government bodies outside their ambit.
10) The rules are restricted to sensitive personal data, which includes attributes like sexual orientation, medical records and history, biometric information, etc., and do not extend to the larger category of personal data.
