The recent changes raise a couple of questions for UK businesses:
• How do they affect transfers of personal data to group companies or suppliers based in India?
• Will they impact the way in which Indian suppliers provide services?
This note provides a brief overview of the changes and a summary of their impact on UK businesses, by addressing the questions above.
Overview of the changes
Until 2008, there were no data privacy rules in India, and even after the first set of rules was introduced in the IT (Amendment) Act 2008, the measures were limited in scope to civil penalties for failure to protect personal data, and civil and criminal penalties for disclosure of information without consent in certain circumstances or in breach of contractual obligations.
To bolster these protections, the Indian Government introduced (with effect from 13 April 2011) the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (under powers conferred under Section 87(2) read with Section 43A of the Information Technology Act 2000). The new rules regulate the collection, disclosure, transfer and storage of sensitive personal data, and widen the scope of the regulation in Section 43A of the 2000 Act.
As under European laws, the rules are based around a set of principles for protecting personal data. The most significant of these is the absolute requirement to obtain consent from individuals (by letter, fax, email or online) before collecting their information.
Other key requirements include: informing individuals that personal information about them has been collected and the purpose of that collection; not retaining personal data for longer than is necessary; only using personal data for the purpose for which it was collected; giving individuals access