Earlier today we posted an answer on Quora to a question about "privacy policies for a startup website in India". Since we haven't covered this topic on this blog before, I thought we could also cross-post it here and revisit privacy policies under Indian law.
Where do I find rules regarding privacy policies in India?
- Information Technology Act, 2000
- Information Technology Rules, 2011 adopted by India’s IT Ministry
- India’s Ministry of Communications and Information Technology ‘Press Note’ with clarifications on the Rules
The required contents for that privacy policy
From the aforementioned Rules you can derive the main structure of what is required:
Corporate bodies (or any person acting on behalf of such a body) that collect, receive, possess, store, deal with or handle information shall provide a privacy policy that discloses their practices regarding the handling and disclosure of personal information, including sensitive personal information, and shall ensure that the policy is available for viewing, including on the website of the corporate body (or of the person acting on its behalf).
Specifically, the corporate body must ensure that the person to whom the information relates is notified of the following at the time of collection of sensitive personal information or other personal information (read the details in Rule 4 here):
Privacy policy contents under the Information Technology Rules, 2011:
- clear and easily accessible statements of its practices and policies;
- the type of personal or sensitive personal data or information collected (as provided in Rule 3);
- the purpose of collection and usage of such information;
- disclosure of information, including sensitive personal data or information (as provided in Rule 6);
- reasonable security practices and procedures (as provided under Rule 8).
Also, make sure the data subjects (the people whose data is collected) are informed of:
- the fact that the information is being collected;
- the purpose for which the information is being collected;
- the intended recipients of the information; and
- the name and address of the agency that is collecting the information and of the agency that will retain the information.
What to watch out for?
Watch out for sensitive personal data or information as defined in Rule 3 (Sensitive personal data or information), since there are special rules governing its collection (Rule 5: Collection of information) and its disclosure (Rule 6: Disclosure of information) under the Information Technology Act.
Additional caveats:
When researching this topic, make sure to take another look at the definitions of sensitive data:
- password;
- financial information, e.g. bank account, credit or debit card, or other payment instrument details;
- physical, physiological and mental health condition;
- sexual orientation;
- medical records and history;
- biometric information;
- any detail relating to the above clauses as provided to a corporate entity for providing service; and
- any of the information received under the above clauses for storing or processing under lawful contract or otherwise.
If you have any further experiences with privacy policies in India, feel free to let us know.