question_answer

There are certain provisions in the IT Act, 2000 that provides for payment of compensation (Civil) and punishment (Criminal) in case of misuse or wrongful disclosure of personal data.

Section 43A imposes liability upon a body corporate by the way of compensation to the person so affected where the body corporate handling any sensitive personal data or information is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to that person.

Section 72 prescribes punishment for a person who, in pursuance of any of the powers conferred under the IT Act Rules or Regulations, has secured access to any electronic record, book, register, correspondence information, document or other material without the consent of the person concerned and discloses such material to any other person.

Section 72A prescribes punishment for a person including an intermediary who has secured access to any material containing personal information about another person under the terms of lawful contract and has intentionally and knowingly disclosed the same in breach of lawful contract without the consent of the person concerned.

The Government has notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 that deals with protection of "“Sensitive personal data or information of a person"”. These rules prescribe reasonable procedures and practices which are required to be followed by a body corporate handling personal information to ensure security of such data. The rules have stated the personal information consists of information relating to Passwords;

Financial information;

Physical, physiological and mental health condition;

Sexual orientation;

Medical records and history;

Biometric information.

Section 69 of the IT Act is an exception to the general rule of privacy since it prescribes the grounds on which any information including personal information in any computer resource can be intercepted, monitored or decrypted by the Government. It also empowers the Government to disclose such information m public interest.

Another exception where personal information of a person can be shared is by the order of the court or the consent of the person providing such information. In this case, the body corporate asking for such information should also disclose its privacy policy. However, owing to the huge percentage of the illiterate population in the nation, people are not aware that they have to give their '‘consent'’ for the corporate to use personal information and therefore, it has reduced to a mere formality. Moreover, not much importance is attached to the privacy policy which are put up on the websites of the body corporates without following any guidelines.

In order to rectify this situation, Rule 5 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 was made which requires that the consent of the person providing information should be obtained in writing through letter, fax or e-mail and an option should be given to the discloser of the information to withdraw his consent later.

Despite the existence of laws, rules and regulations dealing with data protection and privacy, there are many instances of data breach. A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. It is also called data spill, data leak or data theft. This might be caused due to physical breach, external hacking, insider threats or social engineering. An incident of data breach is a major concern since it breaks the element of trust that the provider of information has placed upon the body corporate.

According to IT Act, 2000 wrongful disclosure of personal data results in what kind of case?

A) Civil

B) Criminal

C) Both (a) and (b)

D) Neither (a) nor (b)