Nasscom and Data Security Council of India (DSCI) today welcomed the clarification issued by the Ministry of Communications & Information Technology (MCIT), on the notified Rules u/s 43A of the IT (Amendment) Act, 2008. These rules related to implementation of reasonable security practices by body corporate for sensitive personal information.
Som Mittal, president, Nasscom, said, “Data security and privacy is a key enabler for the growth of the global sourcing sector and Government of India under Cert-in has been proactive in creating the necessary legislative framework, rules and guidelines. However, the rules issued recently had created possible interpretation issues for outsourcing companies and we thank the government for their support in issuing the necessary clarifications”.
As per the clarificatory note, the following issues have been explained:
- Rules u/s 43A is applicable to ‘body corporate’ within India. Body corporate (Customers for IT-BPO industry) located outside India will continue to be governed by the data protection legislations in their respective countries and the service providers in India, in turn, are governed by the contracts signed between them and the outsourcing organizations. However, the service providers in India must follow ‘reasonable security practices’ for protecting sensitive personal information processed by them.
- Service providers are exempted from Rules 5 & 6, i.e., requirements on consent, choice, access and correction, retention, discrepancies and grievances, and disclosure as these are the legal obligations of the body corporate which have direct relationship with the end consumer, unlike service providers who are acting on behalf of such organizations
- ‘Providers of information’ are natural persons (individuals) who provide their sensitive personal information to body corporate (customer) and not the outsourcing organizations in the context of outsourcing as was being interpreted by some of the law firms and attorneys.
- Consent under Rule 5(1) includes consent given by any mode of electronic communication and is not restricted to consent provided through letter or fax or email.
- Summarizing the changes, Som Mittal said, “The IT-BPO industry in India has been rapidly transforming itself and is working closely with its customers and regulators to evolve robust security practices. DSCI has built a framework for data security and privacy practices for the industry. We look forward to working closely with the government in building India’s leadership in the global sourcing sector enabled by a robust data security and privacy regime.”