Abhay Bhargav (India) - Indian Government Rules for Data Protection - A Law Waiting to be Embraced

The Information Technology Act of 2000 is India's principal law relating to information technology usage and information security in the country. Until recently the Information Technology Act was mostly vague and ineffective in its treatment of information security. Key ingredients missing from the law were the protection of sensitive personal information, a description of reasonable security measures for the protection of sensitive information, and penalties for companies neglecting to secure sensitive personal information.

On 11th April 2011, the government of India released a new set of rules as part of the Indian IT Act. These rules are specifically meant to address the reasonable security practices that are to be adopted by any body corporate or business entity.

The Act defines sensitive personal information, or SPI, as personally identifiable information such as a person's name in conjunction with other information such as a password, financial information (bank account and credit card information), medical information and history, and biometric information, among others.

One of the most important sections of these rules is the set of rules relating to the collection of sensitive information. The rules specify that whenever sensitive personal information is collected from a person by a corporate body, the person must be duly informed of the reason for collecting the information, the intended recipients of the information, and the names of the agencies collecting and retaining the said information. The rules also mandate that information must not be stored longer than necessary or lawfully required. The rules further require that the corporate body provide the person with the option of not providing the sensitive personal information.

One of the most controversial aspects of these rules relates to the disclosure of information. The last clause of this section was so strongly opposed that the government was forced to withdraw it. That clause stated that a third party receiving sensitive information from a corporate body shall not disclose it further.

The rules relating to the collection and disclosure of sensitive personal information attracted severe reactions from the BPO industry and other service providers, including hosting providers, because they constantly receive the sensitive personal information of individuals and businesses from their clients, who are the actual owners of the data and disclose it to their service providers. However, on the 24th of August, the government issued a clarification stating that companies providing services to other companies relating to the storage, processing and handling of sensitive personal information are not subject to the rules on collection and disclosure of information. These rules would instead continue to apply to the companies that directly collected the information from the individual.

The section of the act that has been least debated - but in my opinion the most significant - relates to the issue of data protection and 'reasonable security measures'. The rules state that the entity should take reasonable measures to ensure that the sensitive personal information it stores, processes and transmits is secure against internal and external threats. The rules specify adopting a documented information security program encompassing technical security (networks, applications, endpoints, servers, etc.), as well as managerial and physical security measures. The rules go on to specify that in the event of a breach, the entity must be able to demonstrate the effective working and documentation of these security controls. The rules also indicate that ISO-27001 is a standard that can be used to meet their requirements.

In my experience, this is the most critical rule and one that should have most companies shaking in their boots, quite simply because the security implementation present in most companies, large or small, is quite poor and wanting for a great deal of monitoring, management and, in some cases, a start. These rules apply to any corporate body (any entity) storing, processing or transmitting an individual's sensitive personal information. This could very well apply to any organization, because organizations have employees and/or customers whose sensitive personal information they store, process and transmit. In case of an information security breach, they would be liable under a court or government order to demonstrate the effectiveness of their security measures and documentation. ISO-27001 is not a panacea against these rules.

ISO-27001 is an information security framework: a framework of information security requirements against which the organization maps its controls. Compliance is self-directed by the organization and derived from the organization's own understanding of its risks. Most organizations don't perform an effective risk assessment, which means that in many cases the sensitive personal information of individuals doesn't appear as a critical information asset that has to be protected. By that margin, even an entity that is ISO-27001 certified may not be able to avail of a 'safe harbour' clause just by being ISO certified.

In my opinion these rules are a step in the right direction, albeit inadequate and, in sections, unclear. However, organizations have to wake up to the fact that, with the coming of these rules, the impetus being given to the protection of sensitive information is not only a matter of prudence and best practice, but also a legal requirement.

Abhay Bhargav is the CTO of the information security company we45 Solutions India Pvt. Ltd. He can be reached via his company website.

