Earlier today we posted on Quora to answer a question about “privacy policies for a startup website in India”. Since we haven’t written about this topic on this blog before, I thought we could cross-post the answer and expand on privacy policies in India here.
Where do I find rules regarding privacy policies in India?
- Information Technology Act, 2000
- Information Technology Rules, 2011 adopted by India’s IT Ministry
- India’s Ministry of Communications and Information Technology ‘Press Note’, with clarifications
These Rules give you the main structure of what a privacy policy must contain.
Specifically, the body corporate must ensure that the person to whom the information relates is notified of the following at the time sensitive personal information or other personal information is collected (see Rule 4 for the details):
- clear and easily accessible statements of its practices and policies
- type of personal or sensitive personal data or information collected under rule 3
- purpose of collection and usage of such information
- disclosure of information including sensitive personal data or information as provided in rule 6
- reasonable security practices and procedures as provided under rule 8.
Also, make sure the people concerned (the people whose data is collected) know about:
- the fact that the information is being collected;
- the purpose for which the information is being collected;
- the intended recipients of the information, and
- the name and address of the agency that is collecting the information and the agency that will retain the information.
What to watch out for?
Watch out for sensitive personal data as defined in Rule 3 (Sensitive personal data or information), since special rules apply to its disclosure and collection: Rule 6 (Disclosure of information) and Rule 5 (Collection of information).
When researching this topic, make sure to take another look at the definition of sensitive data:
- financial information, e.g. bank account, credit or debit card, or other payment instrument details;
- physical, physiological and mental health condition;
- sexual orientation;
- medical records and history;
- biometric information;
- any detail relating to the above clauses as provided to a corporate entity for providing service; and
- any of the information received under the above clauses for storing or processing under lawful contract or otherwise.
If you have further experience with privacy policies in India, feel free to let us know.