
Reasonable security for sensitive personal information

by amarinder on July 28, 2011

Parag Deodhar is Chief Risk Officer and Vice President – Process Excellence & Program Management, Bharti AXA General Insurance Company Limited.

In the information security (info-sec) realm, we generally get to hear the prefixes ‘total’, ‘comprehensive’, ‘best in class’, etc. I had never heard the prefix ‘reasonable’ (in the context of security) before it was mentioned in the IT (Amendment) Act 2008. Even then, it has only come up for debate amongst info-sec professionals.

‘Privacy’ is another term, which was very rarely used in the Indian context. True to the Indian fondness for ‘imported’ stuff, we were well-versed with laws like HIPAA, EU data protection, PCI-DSS. But we continue to lack indigenous data privacy legislation.

On 11 April 2011, the Government of India brought about a sweeping change in one stroke – the IT (reasonable security practices and procedures and sensitive personal data or information) Rules 2011.

This, in my view, has changed the rules of the game.

But what does it mean for Indian organizations?

Sensitive personal information

To begin with, organizations will need to understand what constitutes sensitive personal information and analyze the information being collected at various points from their prospective/current customers, partners, and suppliers. It may be at the point of acquiring the customer, during a promotional event (outsourced to a marketing company), or in a contest on the website. As per the rules, a password also constitutes sensitive personal information. So, if you require a customer or partner to create an account on your website with a user id and password, you are required to comply with these rules, even though you may not be taking any other personal information like financial details, debit/credit card/bank account numbers or health information, etc.

Privacy policy

All organizations in India collecting, storing or transferring sensitive personal information will need to put in place a privacy policy and make it publicly available, i.e. on the company website.

Information collection and retention

Organizations will also need to take explicit permission from the information owner regarding the purpose of usage, in writing, through a letter, fax or email. This could turn out to be a very challenging process. While organizations that get forms filled for account opening, proposal forms, etc. could include the consent in the form itself, it would be difficult to implement where forms are filled or information is collected online, e.g. online insurance policy issuance, hotel booking, visa applications, etc. The rules do not make it clear whether ticking the ‘I Accept’ box on terms and conditions on the website will be good enough. If organizations choose to take this consent over email, will this electronic record be held valid only if digitally signed in accordance with the IT Act?

Organizations will be required to educate the information owner on the purpose, the intended recipients, and the agency that will retain the information. This means that if you have outsourced any of your data processing activities, you will need to disclose, at the time of collection, the names of the outsourced partners who will use this personal information.

Organizations are also required to allow the information owners to review the information stored and correct it if any discrepancies are found. This will probably require an addition to the customer service window. A grievance officer will need to be appointed and details published on the website.

The information owner can also withdraw this consent (in writing, of course) and the personal information will need to be removed from the records. In such cases, the organization reserves the right to stop providing the service to the information owner. I wonder if organizations will still need to keep the information in their records if required by law for a particular period. This seems to be a contradiction and will need some clarification.

Data transfer

If organizations want to transfer sensitive personal information to any other organization, e.g. an outsourced data processing unit, call center, or data center, then they need to ensure that such third parties also have the same levels of security as maintained by the organization. It will be imperative for organizations to mandate the level of security and also ensure that the standards are met by the partners through regular audits.

Data destruction

Organizations should not store data for a period longer than is required for providing the product/services unless required by law. Organizations will need to implement secure data deletion processes for all data, including backups stored on tapes, at offsite locations and DR sites, not to forget the Cloud. They will also need to ensure that data is securely deleted from outsourced partners and their DR sites.

Reasonable security

Organizations are required to document and implement reasonable security practices and processes covering managerial, technical, operational, and physical security measures, commensurate with the information to be protected. The rules also recommend ISO 27001 as a standard, which covers all these requirements. In case the organizations prefer to follow their own security measures, they need to get their measures approved by the Central Government.

Organizations will also be required to get security measures audited annually by an independent auditor approved by the Central Government. In the event of an information security breach, organizations must demonstrate that they had implemented reasonable security processes.



Looking at the history of information security breaches in India, both published and unpublished, data privacy rules are definitely required. However, in my opinion these rules should be practical and ‘reasonable’ to implement. In their current form, some of these rules pose multiple challenges in implementation in true spirit. Again, what constitutes ‘reasonable’ security will remain a matter of interpretation and I suspect would be an area of major debate in the coming days.
