
Tuesday 2 June 2020

Short Q and A: IT Act


Here are some short Q and A on IT Act and SPDI rules.

Image Credit: previewtech.net

Q. Which Act governs the rules and laws for data protection in India?
Ans. The general data protection rules under the Information Technology Act, 2000 (IT Act), as well as various sector-specific laws on data protection.

Q. Why is the right to privacy not an absolute right?
Ans. The right to privacy is a fundamental right of a citizen of India, but it is subject to some restrictions. As held by the Supreme Court in the Puttaswamy case, protecting national security, preventing and investigating crime, encouraging innovation and the spread of knowledge, and preventing the dissipation of social welfare benefits are expressly recognised as certain legitimate aims of the State.

Q. What is meant by SPDI Rules?
Ans. SPDI Rules means the Information Technology (Reasonable Security Practices and Sensitive Personal Data or Information) Rules, 2011.

Q. Under which section of which Act were the SPDI Rules issued?
Ans. The SPDI Rules were issued under Section 43A of the Information Technology Act, 2000 (IT Act for short).

Q. What is Section 43A of IT Act?
Ans. Section 43A relates to Compensation for Failure to Protect Data and enables the enactment of reasonable security practices and procedures for the protection of sensitive personal data.

Q. Which OECD guidelines were incorporated in the SPDI Rules?
Ans. The OECD guidelines incorporated in the SPDI Rules are collection limitation, purpose specification, use limitation and individual participation.

Q. To whom are the SPDI Rules applicable?
Ans. The SPDI Rules apply only to corporate entities and leave the government and government bodies outside their ambit.

Q. Which tribunal was to hear appeals under the IT Act?
Ans. The Cyber Appellate Tribunal (CyAT). But it gave its last order in 2011. There is an absence of effective machinery for enforcement of law related to the digital sector.


Thanks for reading. Please comment with the subject on which you want notes. Please follow and share this blog for more law notes.

Saturday 23 May 2020

SPDI rules

The Puttaswamy judgment is a landmark legal development in the discourse on privacy, especially informational privacy; prior legislative attempts have been made to secure informational privacy in various sectors in India. These include the general data protection rules under the Information Technology Act, 2000 (IT Act) as well as various sector-specific laws on data protection.


Image Credit: ccgdelhi.org

The SPDI Rules have been issued under Section 43A of the IT Act. Section 43A relates to Compensation for Failure to Protect Data and enables the enactment of reasonable security practices and procedures for the protection of sensitive personal data. The SPDI Rules incorporate the OECD Guidelines such as collection limitation, purpose specification, use limitation and individual participation.

The Information Technology (Reasonable Security Practices and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules):


Key features of the SPDI Rules are:
1) They mandate certain requirements for the collection of information.
2) They insist that data collection be done only for a lawful purpose connected with the function of the organisation.
3) Every organisation is required to have a detailed privacy policy.
4) They give instructions for the period of time for which information can be retained.
5) They give individuals the right to correct their information.
6) Disclosure is not permitted without consent of the provider of the individual, or unless such disclosure is contractually permitted or necessary for legal compliance.
7) The consent of the provider is not required for sharing the personal information collected by any organisation with the Government.
8) Personal information can be shared for purposes such as verification of identity, prevention, detection and investigation including of cyber incidents, prosecution, and punishment of offences.
9) The SPDI Rules apply only to corporate entities and leave the government and government bodies outside their ambit.
10) The rules are restricted to sensitive personal data, which includes attributes like sexual orientation, medical records and history, biometric information etc., and not to the larger category of personal data.

Thanks for reading till the end. Please follow and share this blog for more such law notes.