Sensitive personal data or information
This is the soul of IT Rule, 2011. It is information that allows a living person to be identified, directly or indirectly, from the available data. According to Rule 3, this data includes:
- Financial information;
- Physical and mental health condition;
- Sexual orientation;
- Biometric data.
Any information which is freely available or accessible in the public domain, or furnished under the Right to Information Act, 2005, will not be considered sensitive personal data or information.
According to Rule 4 of the Information Technology Rule, 2011, privacy statements must provide the following–
- The statement of policy should be in an easy and clear format.
- The type of data collected by any organisation, such as personal or sensitive personal data or information, should be mentioned clearly.
- The statement should be clear about the purpose of the data and its usage.
- Disclosure of the collected information.
- The reasonable security practices and procedures adopted should be clear in the policy statement.
- Consent– According to Rule 6 of the IT Rule, 2011, prior permission from the provider is compulsory for the disclosure of any personal data, sensitive data or information. It is also important that the provider has provided such information or data under a lawful contract, entered into with free consent. It is also mandatory that such disclosure be in accordance with the privacy policies for the time being in force.
- Information transfer– As provided in Rule 7 of the IT Rule, 2011, transfer of data or information on behalf of any provider to a third party is allowed only if it is permitted by the provider and is necessary for the performance of a lawful contract. Once allowed, and depending upon the terms, the transfer can be made within India or to any other country.
- Reasonable Security– Rule 8 of the IT Rule, 2011 states that the collector of personal data or information shall comply with reasonable security practices and procedures. They shall have detailed documentation of their security program and policies, appropriate to the nature of the business. All information regarding the security policies should be mentioned in the policy statement at the time of the contract between the parties.
 Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011