By now most people understand that information they wish to keep private should not be posted on social media platforms such as LinkedIn, Facebook, Twitter, Instagram, WhatsApp and Telegram. Personal data can be put to many uses, good or bad. More significant still is the growing use of personal data in AI and Blockchain systems, and their application in financial services, insurance services and the securities markets. To protect the public from improper use of its data, the Government of India has therefore introduced the Personal Data Protection Bill, 2018 (the ‘Bill’).
The person to whom the data relates is the ‘Data Principal’. The person who determines the purpose and means of processing personal data (the ‘Data Fiduciary’) and the person who processes data on its behalf (the ‘Data Processor’) are placed under certain obligations. The Bill requires a registered Data Fiduciary and Data Processor to:
- take prompt and appropriate action in response to a data security breach;
- undertake a data protection impact assessment;
- conduct a data audit;
- appoint a data protection officer in accordance with the terms of the Bill;
- comply with the obligations relating to fair and reasonable processing, processing only for a clear, specific and lawful purpose, issuance of notice, data quality, storage limitation and accountability;
- process personal data only with consent that is fair, specific, precise and capable of being withdrawn;
- process sensitive personal data only with explicit consent;
- comply with the conditions for cross-border transfer of personal data;
- comply with the requirements concerning de-identification and encryption and the integrity of personal data, and prevent misuse, unauthorized access, modification, disclosure or destruction of personal data; and
- comply with the requests of the Data Principal.
The Bill has teeth: it makes the procurement of data in violation of its provisions an offence. It further makes it a penal offence to disclose data, transfer it to another person, or sell or offer to sell it where this results in ‘significant harm’ to the Data Principal. It also prohibits the re-identification of de-identified data.
In the case of a company, the person in charge of the conduct of the company's business becomes liable for offences under the Bill. Further, if the offence is committed with the consent or connivance of, or is attributable to the neglect of, a director, manager, secretary or other officer of the company, that officer is also liable to be punished accordingly.
Therefore, any person who is dealing with personal and sensitive data at this moment should take the following steps immediately:
- Ensure that it is ready to issue a consent notice to the Data Principal and the consent is free, informed, specific, clear and capable of being withdrawn;
- Ensure that the data is used for the specified purpose;
- Ensure that the data processed is complete, accurate, not misleading and updated;
- Ensure that the purpose to process the data is aligned with the provisions of the Bill;
- Ensure that the Data Principal can freely exercise rights such as the Right to Confirmation and Access, the Right to Correction, the Right to Data Portability and the Right to be Forgotten;
- Ensure that privacy is maintained by design, so as to anticipate, identify and avoid harm to the Data Principal;
- Ensure transparency regarding its general practices relating to the processing of personal data, and that this information is easily accessible;
- Ensure that it uses security safeguards such as de-identification and encryption, maintains the integrity of personal data, and prevents misuse, unauthorized access, modification, disclosure or destruction of personal data; and
- Review its Data Privacy and Confidentiality Policy.