DATA PROTECTION & INFORMATION SECURITY IN INDIA

Sushmita Ravi & Vivek Verma

Data Protection under the Information Technology Act, 2000 (the “Act”)

As per Section 43 of the Act, if any person without taking permission from the owner or any other person who may be incharge of a computer, computer system or computer network (collectively “Computer”) accesses or secures access to such Computer; downloads, copies or extracts any data or information from such Computer, or helps any person in gaining access to such Computer, such person can be held liable to pay compensation up to Rs. 1 Crore to the person so affected. Furthermore, if any of these acts, as prescribed under Section 43 of the Act, is done with the dishonest or fraudulent intention, such person may have to face imprisonment for a term which may extend to three years or pay fine up to Rs. 5 lakh or both.

Section 43-A of the Act provides even greater penal consequences for negligence in implementing and maintaining reasonable security practices and procedures in relation to sensitive personal data or information by a body corporate. Compensation for the violation of Section 43 A, can even extent to the tune of Rs. 5 Crores.

Similarly, Section 72-A of the Act deals with personal information and provides punishment for disclosure of information in breach of lawful contract or without the information provider’s consent. It is to be noted that even data which is outsourced to India gets protection under these section. However, when data is sent outside the territories of India, one cannot seek protection under this Section. India has no jurisdiction in such cases and there is no obligation cast on the countries to which India sends sensitive personal information for processing, to have an equally stringent data protection mechanism. The punishment provided for such disclosure of information in breach of lawful contract is imprisonment up to three years or fine to the tune of maximum Rs. 5 lakhs or both.

As regards an intermediary dealing with such data and information, it can escape liability for any third party information, data, or communication link hosted by it only in the following situations- (a) when its function is limited to merely providing access to a communication system over which information made available by third parties is transmitted or temporarily stored; (b) it does not initiate the transmission, select the receiver of the transmission and select or modify the information contained in the transmission; (c) it observes due diligence while discharging its duties under the Act. However, the Act does not spare an intermediary if it is proved that the intermediary had conspired, abetted or aided in the commission of any the unlawful act.

Extra Territorial Applicability of the Act

It is to be noted that as per Section 75 of the Act, the provisions of this Act can apply to an offence or contravention even committed outside India by any person irrespective of their nationality, if the act or conduct constituting the offence or contravention involves Computer located in India. Furthermore, any compensation or penalty provided under this Act will be in addition to any punishment or compensation which may be prescribed under other applicable laws.[1]

Data Theft

Although the term “data theft” is not defined in the Act, we can infer the meaning of this term by importing definition of ‘data’ from the Act and ‘theft’ from the Indian Penal Code. As per the definition of ‘data’ provided under the Act, data includes information, knowledge, facts, concepts or instructions in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer. On the other hand, the term ‘theft’ under Section 378 of IPC has been defined as- “Whoever, intending to take dishonestly any movable property out of the possession of any person without that person’s consent, moves that property in order to such taking, is said to commit theft.” In this regard, it is to be noted that the definition of “movable property” as prescribed under Section 22 of I.P.C. only includes corporeal property. The provision pertaining to theft in IPC does not cover ‘data’, owing to its intangibility, However, if ‘data’ is stored in a medium (CD, Floppy etc.) and such medium is stolen, it would be covered under the definition of ‘theft’, since the medium is a “movable property”.  On the other hand, if the data is transmitted electronically, i.e. in intangible form, it would not constitute ‘theft’ under the Indian Law.  Therefore, ‘data’, in its intangible form, cannot be stolen, under the Indian Criminal Law. However, any person who indulges in such crime, also called a data criminal, can be punished under section 409 of the Indian Penal Code, 1860 for ‘criminal breach of trust’. Section 409 states that- “Whoever, being in any manner entrusted with property, or with any dominion over property, dishonestly misappropriates or converts to his own use that property, or dishonestly uses or disposes of that property in violation of any direction of law prescribing the mode in which such trust is to be discharged, or of any legal contract, express or implied, which he has made touching the discharge of such trust, or wilfully suffers any other person so to do, commits ‘criminal breach of trust’.”

Similarly, section 405 of I.P.C. refers to “property” and not “movable property”, hence, the word “property” is not restrictive.  Therefore, ‘data’ would be covered within the ambit of “property” in Section 405 of I.P.C. and thus any such act would attract a penalty of imprisonment up to 3 years, or fine, or both, under this section. This section penalizes Data Criminals from amongst the independent contractors (Call Centers etc.) to whom Data may be entrusted in the course of business for carrying out specific tasks /assignments.

Data Protection Under Copyright Act

Indian Copyright Act, 1957 provides for database protection under Section 2(o) which defines “Literary Work”. Therefore, any data which comes under the scope of Section 2(o) is protected under the Copyright Act. Some of the leading cases related to data protection under copyright laws pertains to holding copyright in ‘client list’. Examples are- Burlington Home Shopping Pvt. Ltd. vs. Rajnish Chibber [1995 PTC (15) 278] and Diljeet Titus, Advocate vs. Alfred A. Adebare and Ors.[130 (2006) DLT 330].

In Burlington case, the issue was whether a database consisting of compilation of mailing address of customers can be subject matter of a copyright so as to hold the defendant liable for infringement of the Plaintiff’s Copyright. The Court answered the question in affirmative and held that compilation of addresses developed by anyone by devoting time, money, labour and skill amounts to a literary work wherein the author has a Copyright. Accordingly, the Defendant was restricted from using the list of clients/customers included in the database exclusively owned by the Plaintiff.

Contractual Protection of Data and Confidential Information

Although most of the executive employment agreements necessarily provide for a customary confidentiality clause and non-disclosure clause, the enforceability of the such clauses depends upon the enforceability of the agreement as a whole. A standard confidentiality clause in an agreement creates an obligation on both the parties to maintain confidentiality of the information received in relation to the services. It also imposes an obligation on the receiving party to protect such proprietary and confidential information at least with the standard of care, with which the receiving party would have protected its own proprietary/confidential information. As regards use of such confidential information, a typical confidentiality clause would usually limit it by using the phrase “need-to-know basis”. For an easy reference, a standard confidentiality clause in an agreement may look like this-

“The receiving Party agrees and undertakes that, during the Term of this Agreement and for a period of twelve (12) months thereafter, it shall protect the Confidential Information of the disclosing Party, using the standard of care with which it treats its own Confidential Information but in no event less than reasonable standard of care. The receiving Party shall ensure that the Confidential Information of the disclosing Party is stored and handled in such a way as to prevent unauthorised access and disclosure.

The receiving Party shall only make use of the disclosing Party’s Confidential Information to the extent required to fulfill its obligations under this Agreement and shall only disclose such Confidential Information in furtherance of its obligations and on a strictly need-to-know basis.” 

Furthermore, such confidentiality clause may further provide that any confidential information or documents received in relation to the services contemplated under the agreement will be duly returned by the receiving party to the disclosing party or permanently disposed off by the receiving party to the satisfaction of the disclosing party followed by a formal notice of such destruction or disposal. It is to be noted that most of the time the agreement will explicitly exclude certain categories of information from the purview of “confidential information”. For instance, information which is already in the public domain or becomes so through no fault of the receiving party, information which may be independently developed by the receiving party or be approved for release by prior written authorization by the disclosing party, or information which may be  required to be disclosed under any applicable law or Court’s order, etc.

The Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) is widely acknowledged as the norm for healthcare services and Indian companies are well versed with the Act and other regulatory bodies. The Act covers Health Plans, Health Care Providers and Health Care Clearing houses.

Outsourcing healthcare services to India is extremely popular today. However, there are several concerns being voiced about data security and adhering to standard quality norms, especially regarding Protected Health Information (PHI). As of today, India has no specific privacy laws governing transfer and protection of such data and information.

For organizations that deal with the electronic management of healthcare information it is not only vital to protect the electronic maintenance and transmission of this data, but also protect any paper versions or oral discussions pertaining to this information.

Outsourcing healthcare services like medical billing, medical transcription services and coding to O2I involves the transfer and maintenance of important information. It is an obvious concern for companies outsourcing healthcare work to be ensured that vendors are complying with international standards. For this purpose, most of the body corporates formulates policies and procedures to ensure compliances with Health Insurance Portability and Accounting Act (HIPAA) of 1996 and Physical & Environmental Security Manual. The key element which a body corporate must safeguard is patient’s Protected Health Information (PHI) and their medical records (name, DOB, SSN, MRN, voice files, transcribed reports, phone number, email address, address). Some of the safeguards generally implemented in this regard may be-

• Continuous information system review and login monitoring;
• Appointment of a Compliance Officer;
• Protection and safeguard of the facility and equipment from unauthorized physical access, tampering and theft;
• Monitoring the receipt and removal of hardware and electronic media containing protected information into and out of a facility and the movement of these items within the facility;
• Encrypting and decrypting of electronic information while transmission;
• Reporting and investigating security breaches;

Hence HIPAA for India encourages organizations to simultaneously go for enterprise level Privacy and Security up gradation that could meet not only HIPAA but also Data Protection Act and Information Technology Act, 2000.

Safe Harbour Principles

US-EU Safe Harbour is a streamlined process for US companies to comply with the EU Directive 95/46/EC on the protection of personal data. Intended for organizations within the EU or US that store customer data, the Safe Harbour Principles are designed to prevent accidental information disclosure or loss. The principles relates to-

• Notice- Individuals must be informed that their data is being collected and about how it will be used.
• Choice- Individuals must have the ability to opt out of the collection and forward transfer of data to third parties.
• Onward Transfer- Transfers of to third parties may only occur to other organizations that follow adequate data protection principles
• Security- Reasonable efforts must be made to prevent loss of collected information.
• Data Integrity- Data must be relevant and reliable for the purpose it was collected.
• Access- Individuals must be access the information held about them, and correct or delete it if it is inaccurate.
• Enforcement- There must be effective means of enforcing these rules.

There is no exclusive treaty between Europe and India in this regard. However US based BPOs in India have entered into contracts to ensure compliance with the safe Harbour Principles.

Author: Sushmita Ravi & Vivek Verma

[1] Section 77 of the Information Technology Act, 2000.