Sensitive Personal Data
In today's world, where every corner of the globe is accessible through the internet, the corporate world has also managed to keep pace with the changing times. The internet has multiplied the chances for business entities to extend their reach to more and more people, within and beyond the territory in which they operate. No one wants to miss the chance to expand beyond boundaries and to excel in business by reaching an uncountable number of people. That is why every business entity has a website today, irrespective of its size and the nature of its business. Undoubtedly, this benefits the business of the entity up to some extent, but only selling products on the website is not enough these days.
Websites also collect information about the client, either through a ‘Login’ option or by having the client fill in a ‘Form’, with the intention of analysing and understanding their clients: their choices, tastes, interests, preferences, etc. The business entity may also use such information and analysis to advertise or promote new or existing products or services to existing clients, as well as to prospective clients whom it reaches by accessing the information shared, knowingly or unknowingly, by its clients or by persons accessing its website.
Collecting such personal information from people and using it for business advantage is a good and effective way of promoting and growing a business, but only as long as the people sharing the information are aware of it. If the personal information provided by people is used or shared by the business entity, for its benefit or otherwise, without their knowledge, it would be a punishable offence.
- Date of Birth
- Marital Status
- Contact Information
- ID’s issue and expiry date
- Financial Records
- Credit information
- Medical history
- Location of Vacation/Travel
- Liking/Preference/Intention to buy/sell goods and/or services, etc.
Personal information could mean anything that can be used to identify an individual, not being limited to the abovementioned titles.
- Description of the information collected as well as cookies set;
- Description of how information collected from users or clients is used;
- Explanation as to how the information is protected;
- How third party ads may be delivered and what information may be collected;
- Information as to how to access the web account file;
- Procedure as to how to opt out of emails;
- If and how site may be used by minors and what information may be collected;
- Specific explanation that transmission of data over the internet may not be secure;
- Address, email address (or online form) as well as a real world address, where a user can write their query or grievances to.
- Clear and easily understandable statements of its practices and policies;
- Type of personal or sensitive personal data or information that is collected;
- Purpose of collection and usage of such information;
- Disclosure of information, if any, including sensitive personal data or information;
- Reasonable security practices and procedures adopted;
- The people whose data is collected shall be informed about:
  - the fact that the information is being collected,
  - the purpose for which the information is being collected,
  - the intended recipients of the information,
  - the name and address of the agency that is collecting the information,
  - the agency that will retain the information.
A constitutional bench of the Supreme Court declared 'Privacy' as a fundamental right in 2017.
Privacy Law in India:
The Constitution of India gives the Right to Privacy, a fundamental right under Article 21, which also secures the Right to Life and Personal Liberty of its citizens.
In 2011, the legislature passed new rules that apply to companies and consumers, which require that any organisation that collects and/or processes personal information must obtain written consent from the data subjects before undertaking certain activities.
The Information Technology Act, 2000 was amended, and some additions were made to make the ‘Privacy’ of citizens more secure and to penalize any person taking undue advantage of such information. The said additions deal with:
- implementation of reasonable security practices for sensitive personal data or information, and compensation of the person affected by wrongful loss or wrongful gain. (Sec 43A)
- imprisonment for a period up to three years and/or a fine up to Rs. 500,000 for a person who causes wrongful loss or wrongful gain by disclosing personal information of another person while providing services under the terms of a lawful contract. (Sec 72A)
Sensitive Information as per Information Technology Rules:
Any information that is freely available or accessible in the public domain, or furnished under the Right to Information Act, 2005 or any other law for the time being in force, cannot be considered sensitive personal data.
The data, other than as stated above, that is considered sensitive personal data as per the Information Technology Rules, and to which the rules of the Information Technology Act apply, is as follows:
- Bank account or credit card or debit card or other payment instrument details i.e. Financial information;
- Physical, physiological and mental health condition;
- Sexual orientation;
- Medical records and history;
- Biometric information.