India took a massive step with its own data protection act last year when the Srikrishna Committee shared its assessment and suggestions on data privacy and management. It is a great sign for the country as it solidifies the support that is envisioned for customers – especially keeping India's digital economy in mind. This act will keep a set of privacy laws, policies and procedures in place to ensure that there is minimum encroachment in to any person's privacy. This will include the storage, extraction or breakdown of data.
The first question that pops here is the line that is drawn on personal data – it is classified as any data that can be used to related or identify the person either from the government or from a private entity. Many people do raise questions on our fundamental rights to privacy – but take a check, that is not patently granted by the Constitution of India.
Looking at Section 43A of the Indian information technology act 2000, an organization that is in possession, dealing or handling sensitive information or personal data and is negligent in the implementation or maintenance with the pre-required security will be liable to pay for damages. Do note that there is no upper limit to the to the compensation that can be claimed in such an event – the damages can be put out to any extent.
What qualifies as personal information?
It is important to note that passwords, financial information that may contain the bank or credit card account details, health conditions, sexual orientation, history of medical records and biometric information all fall under personal information or sensitive data. If there is a breach of this data, action can be taken against the firm and they would be liable to pay damages to the person affected.
It is also vital to note that according to section 72A of the Indian information technology act, 2000, disclosure of this kind of sensitive information without consent or if is against a contractual agreement can lead to imprisonment of upto 3 years or a fine of 5 lakhs or both.
Of course, there are conditions at which these rules are relaxed. As per section 69 of the act, there is a general rule of maintenance of privacy and secrecy of the information and an exception on release of the data is necessary. These are,
- The Sovereignty or Integrity of India,
- The Defence of the country.
- Security of a state.
- Request from a foreign state
- Public order or
- Preventing incitement to the commission of any offence that may relate to the above or as an investigation.
In such an event, the government can deem to access or monitor the data or have it decrypted or stored in a computer resource. This data has to be divulged in interest of security and the government may require disclosure of such information. This can include national security, breach of law or fraud.
Can the Government interfere with data?
Now, under section 69 of the IT act, an authorized Government officer can be specially authorized by the Government – to intercept, monitor, decrypt, or cause to be intercepted or monitored, information that is transmitted or received or stored. The scope of section 69 of the IT act allows this for the purpose of investigation of cyber-crimes too. This allows the Government to block access to sites that it may deem dangerous too.
What is the penalty for damage to computer or computer systems under the IT Act?
As per IT Act Section 43, there would be a penalty without an upper limit for
- Accessing or securing access to a computer or computer network.
- Downloading or accessing data that may include information or data that is held in a removable storage medium.
- Damage or cause of damage to a computer or a network.
- Introduction of contaminant or virus into a computer or a network.
- Causing disruption to a computer or network.
- Denies or causes of denial to a person who is authorized access to a computer or a network.
- Tampering or manipulating a computer or system would mean liability to pay damages by compensation to the affected.
- Destroying or deleting information in a computer resource.
- Concealing or altering data or source code used for a computer resource with the intention of causing damage.
As per section 65 of the IT act, the above actions shall be punishable with imprisonment of up to 3 years or with fine of up to Rs 2 Lakh or both.
Also, section 66 of the IT act states that if a person by any means of fraud referred to in section 43, can be punishable with imprisonment for a term of up to 3 years or a fine of Rs 5 Lakh or both.
The data protection act is without doubt one of the most required points in our digitally enabled country today. With more access to computers and networks, it is a must to be implemented today.