Section 43A: Compensation for failure to protect Data


Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected.

Explanation: For the purposes of this section

(i) “body corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities

(ii) “reasonable security practices and procedures” means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

(iii) “sensitive personal data or information” means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.


Comments

  1. Rule 3: Sensitive personal data or information

    Sensitive personal data or information of a person means such personal information which consists of information relating to:

    (i) password;
    (ii) financial information such as Bank account or credit card or debit card or other payment instrument details;
    (iii) physical, physiological and mental health condition;
    (iv) sexual orientation;
    (v) medical records and history;
    (vi) bio-metric information;
    (vii) any detail relating to the above clauses as provided to body corporate for providing service; and
    (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:

    Provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.

  2. Ministry of Communications & Information Technology (Dated: 24-August-2011)

    Clarification on Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 under section 43A of the Information Technology Act, 2000 @ http://www.deity.gov.in/sites/upload_files/dit/files/PressNote_25811.pdf.

    The Department of Information Technology had notified Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 under section 43A of the Information Technology Act, 2000 on 11.4.2011 vide notification no. G.S.R. 313(E).

    These rules are regarding sensitive personal data or information and are applicable to the body corporate or any person located within India. Any such body corporate providing services relating to collection, storage, dealing or handling of sensitive personal data or information under contractual obligation with any legal entity located within or outside India is not subject to the requirement of Rules 5 & 6. Body corporate, providing services to the provider of information under a contractual obligation directly with them, as the case may be, however, is subject to Rules 5 & 6.

    Providers of information, as referred to in these Rules, are those natural persons who provide sensitive personal data or information to a body corporate. It is also clarified that privacy policy, as prescribed in Rule 4, relates to the body corporate and is not with respect to any particular obligation under any contract. Further, in Rule 5(1) consent includes consent given by any mode of electronic communication.

    Relevant Rules:

    Rule 4: http://www.itlaw.in/rule-4-body-corporate-to-provide-policy-for-privacy-and-disclosure-of-information/

    Rule 5: http://www.itlaw.in/rule-5-collection-of-information/

    Rule 6: http://www.itlaw.in/rule-6-disclosure-of-information/

Trackbacks

  1. […] is likely to bring about other changes in the laws applicable to Whatsapp as well. For example, Section 43A of the Information Technology Act, 2000, which awards compensation for failure to protec…, applies only to body corporates present in India. The new Draft Personal Data Protection Bill, […]
