Allens Arthur Robinson

Focus: Amendments to the Indian Information Technology Act

9 June 2009

In brief: The Indian Government is in the process of finalising regulations to clarify the operation of various new provisions under the recent Information Technology (Amendment) Act 2008. Partner Michael Pattison and Senior Associate Ken Shiu report on the legislation, and on its implications for Australian corporations.

How does it affect you?

  • The recent Information Technology (Amendment) Act 2008 will:
    • require Indian service providers who handle 'sensitive personal data' on their computer systems to maintain 'reasonable security practices and procedures'; and
    • provide some legislative backing for data protection obligations under Indian law.
  • Australian corporations who have (or are contemplating) commercial outsourcing arrangements with Indian service providers will still need to implement rigorous provisions in their agreements to protect personal data.

Introduction

The Information Technology (Amendment) Act 2008 (the Amendment Act) introduces new provisions into India's existing Information Technology Act 2000 (the IT Act) to deal with issues such as data protection, cybercrime, ISP liability and electronic signature authentication. The Indian Ministry of Communications and Information Technology (MIT) recently issued draft rules in relation to the Amendment Act for public comment, and has also sought the input of the Indian IT industry body, NASSCOM, and its related industry self-regulatory organisation, the Data Security Council of India (DSCI), on how the new statutory concepts of 'reasonable security practices and procedures', 'personal information' and 'sensitive information' should be defined and applied. Finalisation of these regulations is the last step of notification required for commencement of the Amendment Act.

Background

Last year we reported on the Amendment Act in its draft form. The Bill was passed by the Indian Parliament on 23 December 2008 and subsequently assented to by the President on 5 February 2009. Despite the relatively low-key passage of the Bill through the Parliament, much of the Indian media coverage focused primarily on the cybercrime (interception powers) aspects of the Amendment Act.

Relevance to Australian corporations

Australian corporations with commercial outsourcing arrangements with offshore Indian service providers will be most interested in the data protection aspects of the new legislation. Among other new requirements, under section 43A of the Amendment Act, a body corporate that possesses or handles 'sensitive personal data' on computer systems that it owns or controls is liable for negligence where its failure to implement and maintain 'reasonable security practices' causes 'wrongful loss or wrongful gain' to a person. The definitions both of 'sensitive personal data' and of 'reasonable security practices' make reference to practices and information that may be prescribed by the government in consultation with industry professional bodies.

NASSCOM and DSCI recommendations

The reference to prescribed government practices in the Amendment Act has required the MIT to seek industry consultation on the appropriate frames of reference for these definitions.

In April 2009, NASSCOM and the DSCI prepared their recommendations for the draft rules after consultation with their members. In relation to the s43A definitions, NASSCOM and the DSCI advise that:

  • 'reasonable security practices' be, in effect, a self-declared written and implemented policy by which an organisation will state the security standard it adopts (which may be a combination of ISO 27001 and OECD Security principles). An organisation will need to document procedures setting out its selected security controls and how they are implemented. In the event of any security breach, an organisation will need to demonstrate that it conforms with its own policy procedures and that the security controls were commensurate with the assets being protected;
  • 'personal information' be information relating to a person who can be identified directly or indirectly by reference to an identification number or by one or more specific factors in relation to that person's physical, economic, cultural, physiological or mental details. This is consistent with the definition of 'personal data' in Article 2a of the EU Privacy Directive 95/46; and
  • 'sensitive personal information' be defined to include data pertaining to health or sex information, but excluding data references to racial or ethnic origin, political or religious beliefs, which, by contrast, are included in the corresponding definition in the EU Privacy Directive.

Existing Australian privacy laws permit the transfer of personal information to a recipient outside Australia, provided that the transferring organisation reasonably believes that the overseas recipient is subject to a law, scheme or contract that is substantially similar to Australian privacy law. As a consequence, Australian corporations are generally advised to make sure their offshoring contracts stipulate data privacy compliance provisions that are consistent with, and not less than, those that apply under Australian law.

The new Indian regulations may simply require self-regulation by service providers, which may involve less onerous security standards. Accordingly, it is recommended that Australian corporations engaged in offshoring arrangements review and continue to ensure that their contracts expressly set out rigorous data privacy and data security practices and standards.

What next?

We will continue to monitor this discussion and the finalisation of the rules that will apply on the commencement of the Amendment Act.
