New Indian Privacy Rules Could Force The Hand Of Many U.S. Retailers
The new rules, like many European and Asian data privacy laws, require any entity that “collects, receives, possesses, stores, deals or handles” personal information to create and provide to the data subjects a privacy policy that clearly sets out its practices and policies on the use of that information and how the subjects’ privacy will be protected. The policy must identify any “sensitive personal data” collected or processed, explain the purposes for which the data is collected and used, and provide “reasonable” security practices and procedures.
The new regulations also effectively recommend the rather stringent ISO 27001 information security standard, as long as compliance with that standard (or an approved industry code of practice) is certified or audited annually.
But several things set the Indian law apart from most European laws, which may impact a retailer’s decision about whether to outsource data processing to an Indian company. These include:
Although Indian law does not technically require companies that collect, store or process personal data to comply with the ISO 27001 security standard, it is the only standard expressly mentioned as being acceptable. It is perhaps the most comprehensive standard for data security in the general commercial world, and it provides detailed procedures for all aspects of data security. Most data privacy laws simply say things like “provide reasonable security considering the size and complexity of the organization and the sensitivity of the information collected.” The new Indian rules seem to go much further.
Indian law now requires both companies that collect and companies that store or process certain personal information to obtain express written consent from the data subject—the customer—for such collection and processing. It is not clear whether a simple warning banner or click-through agreement will meet this standard.
The statute provides that collectors and processors “shall obtain consent in writing through letter or fax or E-mail from the provider of the sensitive personal data or information regarding purpose of usage before collection of such information.” Sensitive personal information is defined as including things like passwords, bank account and credit-card numbers, medical records, records of sexual orientation and biometric data.
Customers have the right to withdraw consent for both the use and the processing of their sensitive personal information at any time. As a consequence, both the data collector and all of its processors must have mechanisms in place to purge sensitive personal information from their systems, to track requests for removal of information, and to validate that the information has been removed not only from all of their own systems but also from their business associates’ systems.
With some limits, consumers also have to consent to any third-party access to their sensitive personal information.
If information is shared by the retailer or its agents (including sharing with those agents), customers must be given contact information for every party who has access to their information.
This is a huge deal.
June 26th, 2011 at 6:14 pm
Really nice write-up; however, don’t you think that, keeping in mind the EU law on data protection, Indian law is meant to facilitate the outsourcing business? EU directives on data protection do not allow an EU country to transfer data to a country that does not follow adequate data protection measures. The new law, it seems, is bound to encourage clients from the EU to outsource their work to India. Moreover, even the US is introducing a new data protection law this year in July that is also supposed to enforce stringent data protection measures.