{"id":151,"date":"2018-08-23T14:02:32","date_gmt":"2018-08-23T08:32:32","guid":{"rendered":"http:\/\/www.sws-international.com\/?p=151"},"modified":"2018-08-23T14:02:32","modified_gmt":"2018-08-23T08:32:32","slug":"overview-of-personal-data-protection-bill-india","status":"publish","type":"post","link":"https:\/\/swstech.sws-international.com\/?p=151","title":{"rendered":"Overview of Personal Data Protection Bill, India"},"content":{"rendered":"<h2>Personal Data Protection Bill, India<\/h2>\n<p style=\"font-weight: 400;\">The Justice <strong>B. N. Srikrishna committee<\/strong>, appointed by the Indian Government, submitted a draft <a href=\"http:\/\/meity.gov.in\/writereaddata\/files\/Personal_Data_Protection_Bill%2C2018_0.pdf\"><strong>Personal Data Protection Bill<\/strong><\/a> to Parliament on 27-July-2018.<\/p>\n<p style=\"font-weight: 400;\">This post summarises the major highlights of the bill, primarily from the viewpoint of users whose personal data is covered under the Act, and of providers who capture a user\u2019s personal data in order to provide a product or service.<\/p>\n<h2>Entities involved<\/h2>\n<p style=\"font-weight: 400;\">To keep the discussion simple, let\u2019s first look at the various entities the bill addresses.<\/p>\n<p style=\"font-weight: 400;\"><strong>Data Principal<\/strong> refers to the person (whom I simply call <em><strong>User<\/strong><\/em> in my blogs, for simplicity) whose personal data (referred to as <strong>Personal Information<\/strong> or <strong>PI<\/strong>) is the focus of the bill.<\/p>\n<p style=\"font-weight: 400;\"><strong>Data Fiduciary<\/strong> refers to the organization that captures a User\u2019s personal data in order to provide a service or product. For simplicity, I am going to refer to the Data Fiduciary as <strong><em>Provider<\/em><\/strong>, <strong><em>Service Provider<\/em><\/strong> or <strong><em>Organization<\/em><\/strong>. The PI is possibly also used for other purposes, such as offering the user other relevant services \/ products (read: marketing), or providing information to Government Authorities as required by law. The present bill covers both private and Government entities.<\/p>\n<p style=\"font-weight: 400;\">Service providers that deal with PI or sensitive PI at a significant level need to appoint a <strong>Data Protection Officer (DPO)<\/strong>, who plays the pivotal role of handling privacy-related matters and has the corresponding authority within the organization.<\/p>\n<p style=\"font-weight: 400;\">The <strong>Data Protection Authority<\/strong> is the regulating authority for users\u2019 PI: it deliberates on and regulates service providers and helps users stay in control of their PI, while ensuring that organizations have sufficient freedom to develop business use cases (and giving impetus to the Digital Economy). The <strong>Adjudicating Officer<\/strong> is the authority in charge and the interface to service providers and users.<\/p>\n<h2>Data ownership: Paradigm shift<\/h2>\n<p style=\"font-weight: 400;\">The proposed bill intends to bring a paradigm shift with respect to the user\u2019s data (<strong>PI<\/strong>). Organizations capturing user data no longer own that data; under the bill they are treated as custodians of it (hence the term <strong>Data Fiduciary<\/strong>, which reflects a relationship of trust between trustor and trustee).<\/p>\n<h2>User\u2019s rights<\/h2>\n<p style=\"font-weight: 400;\">Users have been given several rights to ensure that they stay in control of their data. A user can now:<\/p>\n<ol style=\"font-weight: 400;\">\n<li>Ask the service provider whether it has captured his data and what the contents of that data are<\/li>\n<li>Get their data corrected in case it is incorrect \/ incomplete. They can further get it marked as disputed in case the Data Fiduciary does not accept their request for correction \/ update<\/li>\n<li>In select cases, request the service provider to discard \/ delete their data<\/li>\n<li>Request the service provider to provide the data in a portable form (for cases like health data, financial data etc.). The service provider may charge an appropriate fee in this case<\/li>\n<li>File complaints about the service provider with the Data Protection Authority (DPA)<\/li>\n<\/ol>\n<h2>Provider\u2019s obligations<\/h2>\n<h3>Notice<\/h3>\n<p style=\"font-weight: 400;\">The service provider needs to provide all relevant information in the form of a <strong>Notice<\/strong>, written in simple and unambiguous language, before collecting the user\u2019s PI. This includes:<\/p>\n<ol style=\"font-weight: 400;\">\n<li>What type of data is being collected<\/li>\n<li>The purpose of collecting the data<\/li>\n<li>The procedure for withdrawing consent (for continued usage of the data)<\/li>\n<li>The period for which the data will be retained; where this cannot be specified, the criteria for determining that period<\/li>\n<li>Whether the data is going to be shared outside India<\/li>\n<li>Complete contact details of the organization and of the DPO (if applicable)<\/li>\n<li>The procedure for grievance redressal<\/li>\n<li>Where applicable, the rating given by the DPA<\/li>\n<li>The service provider needs to ensure that personal data is complete, accurate, not misleading and updated<\/li>\n<\/ol>\n<h3>Data Quality<\/h3>\n<p style=\"font-weight: 400;\">The service provider is responsible for ensuring that the personal data captured is correct, complete and updated. In case a gap is detected and updates are captured, they need to be communicated to third parties with whom the data was shared earlier.<\/p>\n<h3>Data Retention<\/h3>\n<p style=\"font-weight: 400;\">The service provider can retain the PI only as long as it serves the purpose that was conveyed to the user when it was captured. It has to be discarded appropriately once the purpose is served.<\/p>\n<h3>Accountability<\/h3>\n<p style=\"font-weight: 400;\">Service providers are accountable for the PI they hold. They need an institutionalized mechanism covering the full life cycle of the data, and an organizational structure, framework, policies and processes to handle data as laid out by the Act.<\/p>\n<h3>Audits \/ Impact Assessments<\/h3>\n<p style=\"font-weight: 400;\">The service provider needs to get regular audits done to demonstrate compliance with the requirements of the Act. For any major change in a system, a formal PIA (Privacy Impact Assessment) needs to be carried out to ensure that all possible measures are considered and taken up in any new implementation or major modification of an existing system. PIAs for major projects have become the norm across several nations to address privacy concerns.<\/p>\n<h3>DPO<\/h3>\n<p style=\"font-weight: 400;\">Service providers need to appoint a DPO who helps the service provider on matters related to fulfilling its obligations under the Act. Organizations that deal with a significant level of PI or sensitive PI must appoint a DPO.<\/p>\n<h2>Breach, Offences and Penalties<\/h2>\n<p style=\"font-weight: 400;\">In case of any data breach or privacy incident, the service provider must notify the authority with the relevant information specified in the Act. In case of failure to do so, the DPA can penalize the provider up to Rs 5 Crore or 2% of its total worldwide turnover (whichever is higher).<\/p>\n<p style=\"font-weight: 400;\">In case of violation of the norms, the DPA can penalize the provider up to Rs 15 Crore or 4% of its worldwide turnover (whichever is higher).<\/p>\n<p style=\"font-weight: 400;\">In case of a deliberate act of obtaining, transferring or selling personal data contrary to the Regulation Act that impacts users, the DPA can punish the person \/ group of persons with imprisonment of up to 5 years and\/or a fine of up to Rs 3 Lakhs.<\/p>\n<p style=\"font-weight: 400;\">Offences under the Act will be cognizable and non-bailable.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Personal Data Protection Bill, India The Justice B. N. Srikrishna committee, appointed by the Indian Government, submitted a draft Personal Data Protection [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[5],"tags":[],"class_list":["post-151","post","type-post","status-publish","format-standard","hentry","category-data-protection-regulations"]}