Sensitive Personal Information
Sensitive personal information bears a special significance. Although it falls under the domain of personal information, it comes with more responsibilities and safeguard requirements than are needed to protect a person's ordinary personal information.
Personal information can be defined as any information through which a person can be identified. It can be details about the person's identity such as phone number, email address, IP address, geo-location data, etc. Sensitive personal information, however, can include information such as:
1. Account Password;
2. Financial information such as banking information;
3. Health-related information such as medical records and health certificates;
4. Any information relating to the above points.
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, known as the "SPDI rules" or "IT Rules 2011", define sensitive information and place stronger responsibilities on the processing of such information, with additional safeguards.
Any company that collects personal information, including sensitive personal information, must provide a detailed privacy policy on its website to inform visitors and users how the information is collected, used, shared and processed in compliance with the applicable laws in India. Negligence in adhering to the SPDI rules may invite penalties for companies, including imprisonment. The Digital Personal Data Protection Act, 2023 imposes even stricter penalties of up to INR 250 crore for non-compliance.
The privacy policy must also address the consent of the users and explain how users can withdraw that consent by writing to the company. It must state clearly that the information is collected for the purposes specified in the privacy policy and will be retained only for as long as retention is required under the provisions of the law. The company must also have a grievance redressal mechanism in place, showing that any issue relating to data may be raised with the Grievance Officer.
Apart from displaying a detailed privacy policy on the website, the company must develop a proper consent mechanism for obtaining the explicit consent of users when collecting sensitive personal information. Users must be clearly informed that the sensitive information has been collected as per their consent, only for the purpose specified, and will be retained only as long as is required for fulfilling the purpose of the act.
Data is a sensitive aspect that must be protected at all costs. The implementation of the DPDP Act in India will pave the way for stringent application. The rules will provide better clarity.