Transparency and accountability measures
Privacy by Design
The data fiduciary is obligated to implement policies and measures to ensure that:
- practices and systems are designed to anticipate, identify and avoid harm to the data principal;
- data protection obligations are embedded in organizational and business practices;
- technology used in the processing of personal data is in accordance with commercially accepted or certified standards;
- the legitimate interests of the business are achieved without compromising privacy interests;
- privacy is protected throughout the entire processing of the personal data;
- processing of personal data is carried out in a transparent manner; and
- the interests of the data principal are taken into account during processing (See Section 29).
The data fiduciary is obligated to maintain transparency regarding the processing of personal data and shall make the following information available:
- the categories of personal data generally collected and the manner of collection;
- the purposes for processing personal data;
- any exceptional purposes of processing specific categories of personal data that create a risk of significant harm;
- the process for exercising the rights of the data principal, mentioned above;
- the existence of a right to file complaints with the Authority;
- information regarding cross-border transfers of personal data carried out by the data fiduciary; and
- any other information as specified (See Section 30).
Based on factors such as the nature, scope and purpose of the processing undertaken, and the risks associated with such processing, the data fiduciary and the data processor shall implement appropriate security safeguards, including:
- methods such as de-identification and encryption;
- steps necessary to protect the integrity of personal data; and
- steps necessary to prevent misuse, unauthorised access to, modification, disclosure or destruction of personal data.
The data fiduciary and the data processor are obligated to review their security safeguards periodically, at the times specified (See Section 31).
Breach of Personal Data
In case of any breach of personal data that is likely to cause harm to any data principal, the data fiduciary is obligated to notify the Authority within the time specified by the Authority. The notification must include the information specified by the Bill.
After receiving the breach notification from the data fiduciary, the Authority may instruct the data fiduciary to report the personal data breach to the data principal. It may also direct the data fiduciary to take appropriate remedial action as soon as possible and to conspicuously post the details of the personal data breach on its website (See Section 32).
Data Protection Impact Assessment
When processing involves new technology, large-scale profiling, the use of sensitive personal data or any other processing that carries a risk of harm to data principals, the data fiduciary is obligated to undertake a data protection impact assessment in the specified manner.
The Bill lists the minimum contents of a data protection impact assessment. According to the Bill, the assessment shall contain a description and the purpose of the proposed processing operation, an assessment of the potential harms to data principals, and measures for mitigating the risk of such harms. Once the data protection impact assessment is complete, the data protection officer of the data fiduciary must submit the assessment report to the Authority, and based on the report, the Authority may issue directions to the data fiduciary accordingly (See Section 33).
According to the Bill, a data fiduciary is obligated to undertake an annual audit of all its data policies and processing conduct. Data auditors shall be registered by the Authority and must possess expertise in information technology, computer systems and data protection/privacy, along with any other qualifications the Authority may specify (See Section 35).
Data Protection Officer
The data fiduciary is obligated to appoint a data protection officer for specified functions, including advising the data fiduciary regarding its obligations, monitoring personal data processing, ensuring the data fiduciary's compliance with the instructions of the Authority, and assisting data principals with any grievance. Data fiduciaries not located within India but covered under the Bill are required to appoint a data protection officer based in India (See Section 36).
Processing by entities other than data fiduciaries
The data fiduciary may only engage, appoint, use or involve a data processor to process personal data on its behalf through a valid contract, and such a data processor cannot further engage or involve another data processor without the authorization of the data fiduciary. The data processor and the data fiduciary's employees are required to follow the data fiduciary's instructions and to treat all personal data as confidential (See Section 37).
Significant Data Fiduciaries
Based on factors including the volume and sensitivity of the data processed, the Authority is required to notify certain data fiduciaries, or classes thereof, as significant data fiduciaries. Such data fiduciaries are required to register themselves with the Authority (See Section 38).
The Bill requires every data fiduciary to establish proper procedures and effective mechanisms to address the grievances of data principals efficiently and expeditiously, within 30 days (See Section 39).
This post is authored by Arjun Kansal and Ashwini Arun, Associates, BananaIP Counsels.