India
| OVERVIEW |
Until recently, India had limited development of privacy laws and regulations. In April 2011, the Government of India issued the Information Technology (Reasonable Securitiy Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 that were issued under the Information Technology Act 2000. The Privacy Rules are primarily focused on the protection of “sensitive personal data or information” which is defined to mean personal information that contains information relating to passwords; financial information; physical, physiological and mental health condition; sexual orientation; medical history and records; and biometric information. Sensitive information can be collected and processed only for a lawful purpos and only after obtaining consent. Because the Privacy Rules immediately drew significant criticism from around the globe, the Indian Goverrnment has stated that it will clarify the rules. |
| ENACTED | Privacy Rules were released April 2011. |
| GENERAL PRIVACY LAWS |
The Constitution of 1950 does not specifically recognize the right to privacy. In 1964, however, the Supreme Court of India noted that there is a right of privacy implicit in the Constitution, which provides: “No person shall be deprived of his life or personal liberty except according to procedure established by law.” Indian law recognizes a general right of privacy. This has been made more clear with the release of the Privacy Rules. In Kharak Singh v. State of Uttar Pradesh, the Supreme Court of India held that the right to privacy was an “essential ingredient of personal liberty” which is “a right to be free from restrictions or encroachments”. In Gobind v. State of Madhya Pradesh, the Indian Supreme Court recognized a right to privacy derived from the constitutional rights to free speech, to personal liberty, and to move freely within the country. |
| PERSONAL DATA PROTECTION LAWS AND REGULATIONS | In 2000, the Indian Information Technology Act went into effect. This law makes punishable cyber crimes like hacking, damage to computer source code, and breaches of confidentiality and privacy. This law is unlikely to be applied to workplace monitoring, as it has no direct application to such monitoring. Instead, the Act is intended to provide a comprehensive regulatory environment for electronic commerce. The Privacy Rules do not specifically address workplace monitoring. |
| TYPE OF DATA PROTECTED | Sensitive personal data. |
| WORKPLACE PRIVACY LAWS |
India has no legislation or regulations concerning monitoring in the workplace. Due to growing concerns about employee theft of data and/or misuse of information, there has been an effort to curb employee fraud. In the BPO sector, a central employee database has been created by the National Association of Software and Service Companies (NASSCOM). This registry endeavors to house updated information on employees working in the IT and BPO sector. The media has reported that this employees in the IT and BPO industries will be required to join this registry. |
| TRANSBORDER TRANSFERS | The Privacy Rules prescribe restrictions on the transfer of data. Any such transfer must be undertaken only with the consent of the data subject and only if necessary for the performance of a contract. At all times, sensitive personal data or information must be transferred only to another corporate entity that ensures the same level of data protection as that provided under the Privacy Rules. |
| FINES AND SANCTIONS | If a company has agreed to practices and procedures for the protection of data and then violates those, the violator is liable for damages to those affected by the violation. |
| OTHER PRIVACY LAWS AND REGULATIONS | N/A |
