Information Technology (Reasonable Security Practices and
Procedures and Sensitive Personal Data and Information) Rules,
2011
Issued under section 87 read with section 43A of the Information Technology Act, 2000.
Came into effect on 11th April 2011.
3. Sensitive personal data or information (SPDI): It consists of passwords; financial
information such as debit card and credit card details; physical, physiological and
mental health conditions; sexual orientation; medical records; biometric information; etc.
Any information that is available in the public domain or furnished under the RTI Act is
not considered SPDI.
4. Body corporate to provide a policy for privacy and disclosure of
information: A body corporate (as defined in section 43A of the IT Act, 2000) or
company that collects, receives, possesses, stores, deals in or handles information of
a provider shall have a privacy policy. The policy should be published on its website
so that it is available to the public, and should clearly state the types of personal
data collected, the purpose of collection and its use, the disclosure of information
including SPDI, and the reasonable security practices and procedures (RSPP) followed.
5. Collection of information:
• Consent should be obtained in writing, by letter, fax or email, before
collection.
• SPDI is to be collected only for a lawful purpose connected with a function or
activity of the body corporate. The body corporate shall not retain that
information for longer than is required for the purposes for which the
information may lawfully be used.
• If a body corporate collects information directly from a person, that person
should be made aware of the following:
1. The fact that the information is being collected.
2. The purpose of the collection.
3. The intended recipients of the information.
4. The agency that is collecting and the agency that is retaining the information.
• Prior to the collection of information including SPDI, the provider must be given
the option to decline. The provider can also withdraw consent in writing at any
time, but in that case the body corporate may stop providing the service.
• For any discrepancies and grievances of the provider of the information, a
Grievance Officer should be designated (name and contact details should be
published on the website), and the grievance should be redressed within a month
from the date of its receipt.
6. Disclosure of information:
• Requires prior permission from the provider.
• Concerned government agencies can obtain information including SPDI
from the body corporate without prior permission, as permitted under law,
after clearly stating the purpose of seeking such information.
7. Transfer of information:
• A body corporate may transfer information including SPDI to any other body
corporate, in India or abroad, if necessary for the performance of a lawful
contract between the body corporate and the provider, provided the recipient
ensures the same level of data protection.
8. Reasonable Security Practices and Procedures (RSPP):
• Body corporates should have documented their RSPP and comply with them. The
documented RSPP consist of managerial, technical, operational and
physical security control measures.
• The RSPP should be certified or audited on a regular basis by an independent
auditor duly approved by the central government (annually, or as and when
the body corporate upgrades its processes and computer resources).