September 30, 2011

Indian Privacy Law: Sensitive Personal Information

Posted September 30, 2011 by Bierce & Kenerson, P.C. · Print This Post Print This Post

In May 2011, the Indian Ministry of Communications and Information Technology issued a press release clarifying the rules framed under Section 43A of the Information Technology Act, 2000. This clarification is important for companies that handle sensitive personal information in India. For more, click here.

Section 43A of the Information Technology Act, 2000, deals with disclosures by Indian governmental bodies (a “body corporate”) of sensitive personal information to other Indian governmental bodies. Under rules adopted under such law, each Indian “body corporate” must adopt and provide a policy for privacy and disclosure of information. The “clarification” notes that “Any such disclosure of sensitive personal data or information by body corporate to any third party shall require prior permission of the provider of the information.” Inter-agency disclosures must be for lawful purposes to pursue statutory mandates of the requesting agency (e.g., detection and prosecution of cybercrime) and the receiving agency must give an undertaking that the information obtained will not be published or shared with any other person.

This clarification sets forth a “best practice” in Indian governmental protection of sensitive personal information. The subject is relevant to outsourcing lawyers because such information that is transmitted from non-Indian sources to Indian ITO and BPO service providers becomes subject to the jurisdiction of the Indian government. In exercising such jurisdiction, the Indian government theoretically has access to information of foreign individuals.

Outsourcing agreements normally address issues of force majeure and cooperation in resolving governmental investigations. The “clarification” discussed above gives some comfort to those engaged in processing where sensitive personal data is accessible in India by Indian service providers. But the clarification also raises the visibility of the issue of cross-border data protection.

No comments: