The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (hereinafter called "SPDI Rules") provides for the regulation of the usage of sensitive personal data or information. The Rules also provide for reasonable security practices and procedures to be followed for data protection.

These Rules have been notified in the exercise of the power conferred on the Central Governments under section 87 read with section 43A of the Information Technology Act, 2000 (hereinafter called "IT Act").

Important definitions:

1. Rule 2 (e) of the SPDI Rules define data as defined in clause (o) of sub-section (1) of section 2 of the Act.
   
   Section 2 of the IT Act defines data as "means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer"
    
2. Rule 2 (d) of the SPDI Rules defines "cyber incidents" as "any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorized access, denial of service or disruption, unauthorized use of a computer resource for processing or storage of information or changes to data, information without authorization"
    
3. Rule 2 (g) of the SPDI Rules define intermediary as defined in clause (w) of sub-section (1) of section 2 of the Act.

The IT Act defines Intermediary as "with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places, and cyber cafes."

Rule 2 (i) of the SPDI Rules defines personal information as "any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person."

Sensitive Personal Data or Information: Rule 3 specifies that the following types of data or information shall be considered personal and sensitive data or information:

• Passwords
• Bank Account details
• Credit/debit card details
• Present and past health records
• Sexual orientation
• Biometric data
• Any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.

Privacy Policy: The Rules provide that the body corporate or any other person on its behalf who collects, receives, possesses, stores, deals or handles information shall provide a privacy policy to the information providers and provide such privacy policy to the information providers under a lawful contract.

It should be clear what type of information will be collected, the purpose for which it is collected, details should be provided regarding the disclosure of sensitive personal data to third parties, and required precautions must be taken by the organization to protect data (Rule 4).

Collection and Disclosure of the user information:
The data is to be collected by the body corporate only after taking the consent of the individual and the body corporate shall not collect sensitive personal data unless it is used for lawful purposes or if such collection of SPDI is necessary, and there can be instances where the information provider should be given an opportunity to provide alternative information instead of SPDI (Rule 5).

It is mandatory for the body corporate to take reasonable steps to protect the information. Further, the body corporate is not allowed to publish any sensitive personal data or information and cannot share the SPDI with a third party unless prior permission is provided by the information provider. But there are certain exceptions to this.

Two exceptions are:

• When there is a contract between the body corporate and the information provider to disclose such information for any legal obligation.
• Information providers should be allowed to amend or review the SPDI at any point in time for the information which is provided.

Further, such SPDI can be disclosed to Government agencies for investigation, prevention, verification of identities, etc., and can be disclosed under an order of law for the time being in force (Rule 6).

Transfer of SPDI
The SDPI can be transferred by the body corporate, but before transferring the information the body corporate should check that the other side is having the same or equal quality of data protection which is adhered by the body corporate according to the rules stated. Further, the Rules also state that such information can only be transferred in accordance with the contract and after obtaining the prior consent of the information provider for such transfer (Rule 7).

Grievance Officer
The Rules mandate that the body corporate to appoint a grievance officer who shall address the complaint and the contact details of the grievance officer must be available on the website of the body corporate.

Reasonable Security Practices and Procedures
The Rules require the body corporate or any person on its behalf to implement such reasonable security practices and to have a comprehensively documented information security program.

The corporate has to implement security control measures whenever there is an information security breach. The reasonable security practices can either be the International Standard IS/ISO/IEC 27001 on "Information Technology-Security Techniques - Information Security Management System - Requirements" or any other security practice code followed by a self-regulating entity provided such code has been duly approved and notified by the Central Government (Rule 8).