Database Protection in India

Introduction

Data can commonly be categorized as public data or personal data. Public data, such as court records, birth records, death records and basic company information, is open to the public at large. Private details, on the other hand, are confidential to an individual and cannot be openly disseminated by others without the individual's prior authorization. They include financial information, family details, browsing details, interests, psychological attributes, travel history and places, behavior, talents, photos, skills, and so on.

Rules regarding Data Protection in India

  • India does not currently have a law enacted specifically for data security. The IT Act 2000 and its corresponding IT rules (Reasonable Security Policies and Procedures and Confidential Personal Data or Information, 2011) ('the IT Rules') form the Indian data protection and privacy regulatory framework.

  • In addition, personal data is protected under Article 21 of the Indian Constitution, which guarantees the right to privacy as a fundamental right to every individual. In a variety of cases, the Supreme Court has concluded that information about an individual and his right to access this information is also protected by the rule on privacy.

  • The Indian Constitution does not explicitly grant a fundamental right to privacy. However, the courts have read the right to privacy into the other fundamental rights, i.e. the freedom of speech and expression under Article 19(1)(a) and the right to personal freedom under Article 21 of the Indian Constitution. Under the Constitution of India, these constitutional rights are subject to appropriate restrictions imposed by the State pursuant to Article 19(2) of the Constitution. In the recent case of Justice S Puttaswamy (Retd.) & Anr, the Constitutional Bench of the Hon'ble Supreme Court held the right to privacy to be a fundamental right, subject to such restrictions.

  • India does not currently have any clear data security or privacy regulations. However, the Data Protection Act of 2000 and the (Indian) Contract Act 1872 are the applicable laws in India. A codified data security law is scheduled to be enforced in India soon.


 

  • The (Indian) Information Technology Act of 2000 deals with compensation (civil) and penalties (criminal) in cases of unauthorized disclosure and misuse of personal data, as well as breach of contractual terms in respect of personal data.

  • Under Section 43A of the (Indian) Information Technology Act 2000, a corporation that maintains or handles confidential personal data or information and fails to enforce and maintain fair security practices, leading to an unlawful loss or benefit to any person, may be held liable for damages to the person concerned. It should be pointed out that the compensation the party concerned can seek in these circumstances is not subject to any upper limit.

  • The Government has notified the Codes of Procedure for Information Technology and Confidential Personal Information (2011), Rules for Fair Security Practices, 2011. The Rules only concern the protection of "sensitive personal data or information of a person", which includes personal information consisting of:

  • Passwords

  • Financial details, including bank account, credit card, debit card, or other payment instrument information

  • State of emotional, physical, and physiological health

  • Sexual orientation

  • Medical records and history

  • Biometric data

The Rules set out the fair security standards and procedures to be followed when sensitive personal data or information is handled by companies, corporations, or individuals gathering, obtaining, possessing, storing, dealing with, or processing information on behalf of corporations. In the event of an infringement, the corporate body, or any other individual acting on behalf of the corporate body, can be held liable to pay damages to the individuals affected.

Various kinds of upcoming Data Protection sectors in the news

Health Data

Health information contains a set of information such as the age of the patient, contact information and illness records. It has tremendous importance in the medical and pharmaceutical industry.

Most of us use fitness apps/gadgets, such as Fitbits and the like. Some of us scan online, sign up for a free diagnostic check-up, or claim health insurance. Every time we do any of these, we share personal details about our health with a variety of organizations. The IT Rules only cover a small number of details, such as physical, physiological, and mental health, sexual orientation, and medical records and history. The IT Rules also limit compliance to obtaining consent before private data is obtained, distributed, and/or released, and to publishing a privacy policy.

Geo-location Information

Location information is not covered by the IT Rules' definition of sensitive personal data; a company is therefore allowed to transmit this information to others without any obligation under the IT Act or the IT Rules.

Several apps, such as Facebook, Google, Life360 - Family Locator, mSpy, FamiSafe and Spyzie, monitor where we are. Because no specific clause prohibits the disclosure of location information, these applications can easily share our location information with third parties.

Right to be forgotten

The right to be forgotten is the right of a person to have his/her private information deleted from public domains, such as Internet search engines. This right is currently implemented only in Argentina and the European Union. It aims to prevent people from being continually stigmatized as a result of past behavior that is no longer relevant.

Conclusion

India is not a party to any dedicated data protection convention similar to the GDPR or the Data Protection Directive. India has, however, accepted or is a party to international declarations and conventions, such as the UDHR and the International Covenant on Civil and Political Rights, that recognize the right to privacy.

In India, database rights are recognized by various pieces of legislation; they can only be strengthened through consolidated legislation that secures databases and keeps pace with the evolving digital environment.

BY-

Ankita Rathi