关于知识产权 知识产权培训 树立尊重知识产权的风尚 知识产权外联 部门知识产权 知识产权和热点议题 特定领域知识产权 专利和技术信息 商标信息 工业品外观设计信息 地理标志信息 植物品种信息(UPOV) 知识产权法律、条约和判决 知识产权资源 知识产权报告 专利保护 商标保护 工业品外观设计保护 地理标志保护 植物品种保护(UPOV) 知识产权争议解决 知识产权局业务解决方案 知识产权服务缴费 谈判与决策 发展合作 创新支持 公私伙伴关系 人工智能工具和服务 组织简介 与产权组织合作 问责制 专利 商标 工业品外观设计 地理标志 版权 商业秘密 WIPO学院 讲习班和研讨会 知识产权执法 WIPO ALERT 宣传 世界知识产权日 WIPO杂志 案例研究和成功故事 知识产权新闻 产权组织奖 企业 高校 土著人民 司法机构 遗传资源、传统知识和传统文化表现形式 经济学 金融 无形资产 性别平等 全球卫生 气候变化 竞争政策 可持续发展目标 前沿技术 移动应用 体育 旅游 PATENTSCOPE 专利分析 国际专利分类 ARDI - 研究促进创新 ASPI - 专业化专利信息 全球品牌数据库 马德里监视器 Article 6ter Express数据库 尼斯分类 维也纳分类 全球外观设计数据库 国际外观设计公报 Hague Express数据库 洛迦诺分类 Lisbon Express数据库 全球品牌数据库地理标志信息 PLUTO植物品种数据库 GENIE数据库 产权组织管理的条约 WIPO Lex - 知识产权法律、条约和判决 产权组织标准 知识产权统计 WIPO Pearl(术语) 产权组织出版物 国家知识产权概况 产权组织知识中心 产权组织技术趋势 全球创新指数 世界知识产权报告 PCT - 国际专利体系 ePCT 布达佩斯 - 国际微生物保藏体系 马德里 - 国际商标体系 eMadrid 第六条之三(徽章、旗帜、国徽) 海牙 - 国际外观设计体系 eHague 里斯本 - 国际地理标志体系 eLisbon UPOV PRISMA UPOV e-PVP Administration UPOV e-PVP DUS Exchange 调解 仲裁 专家裁决 域名争议 检索和审查集中式接入(CASE) 数字查询服务(DAS) WIPO Pay 产权组织往来账户 产权组织各大会 常设委员会 会议日历 WIPO Webcast 产权组织正式文件 发展议程 技术援助 知识产权培训机构 COVID-19支持 国家知识产权战略 政策和立法咨询 合作枢纽 技术与创新支持中心(TISC) 技术转移 发明人援助计划(IAP) WIPO GREEN 产权组织的PAT-INFORMED 无障碍图书联合会 产权组织服务创作者 WIPO Translate 语音转文字 分类助手 成员国 观察员 总干事 部门活动 驻外办事处 职位空缺 采购 成果和预算 财务报告 监督
Arabic English Spanish French Russian Chinese
法律 条约 判决 按管辖区浏览

The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, 印度

返回
WIPO Lex中的最新版本
详情 详情 版本年份 2011 日期 生效: 2011年4月11日 议定: 2011年4月11日 文本类型 其他文本 主题 版权与相关权利(邻接权), 知识产权及相关法律的执行

可用资料

主要文本 相关文本
主要文本 主要文本 英语 The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011        
 
下载PDF open_in_new
 The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

[ II- खÖड 3(i)] ğ :

MINISTRY OF COMMUNICATIONS AND INFORMATION TECHNOLOGY (Department of Information Technology)

NOTIFICATION New Delhi, the 11th April, 2011

G.S.R. 313(E).—In exercise of the powers conferred by clause (ob) of sub- section (2) of section 87 read with section 43A of the Information Technology Act, 2000 (21 of 2000), the Central Government hereby makes the following rules, namely.-- 1. Short title and commencement — (1) These rules may be called the

Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

(2) They shall come into force on the date of their publication in the Official Gazette.

2. Definitions — (1) In these rules, unless the context otherwise requires,-- (a) "Act" means the Information Technology Act, 2000 (21 of 2000); (b) "Biometrics" means the technologies that measure and analyse human body

characteristics, such as 'fingerprints', 'eye retinas and irises', 'voice patterns', "facial patterns', 'hand measurements' and 'DNA' for authentication purposes;

(c) "Body corporate" means the body corporate as defined in clause (i) of explanation to section 43A of the Act;

(d) "Cyber incidents" means any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorisation;

(e) "Data" means data as defined in clause (o) of sub-section (1) of section 2 of the Act;

(f) "Information" means information as defined in clause (v) of sub-section (1) of section 2 of the Act;

(g) "Intermediary" means an intermediary as defined in clause (w) of sub-section (1) of section 2 of the Act;

THE GAZETTE OF INDIA : EXTRAORDINARY [ PART II-SEC. 3(i)] (h) "Password" means a secret word or phrase or code or passphrase or secret key,

or encryption or decryption keys that one uses to gain admittance or access to information;

(i) "Personal information" means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.

(2) All other words and expressions used and not defined in these rules but defined in the Act shall have the meanings respectively assigned to them in the Act.

3. Sensitive personal data or information.— Sensitive personal data or information of a person means such personal information which consists of information relating to;—

(i) password; (ii) financial information such as Bank account or credit card or debit card or

other payment instrument details ; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) Biometric information; (vii) any detail relating to the above clauses as provided to body corporate for

providing service; and (viii) any of the information received under above clauses by body corporate for

processing, stored or processed under lawful contract or otherwise:

provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules. 4. Body corporate to provide policy for privacy and disclosure of information.— (1) The body corporate or any person who on behalf of body corporate collects, receives, possess, stores, deals or handle information of provider of information, shall provide a privacy policy for handling of or dealing in personal information including sensitive personal data or information and ensure that the same are available for view by such providers of information who has provided such information under lawful contract. Such policy shall be published on website of body corporate or any person on its behalf and shall provide for—

(i) Clear and easily accessible statements of its practices and policies; (ii) type of personal or sensitive personal data or information collected under rule 3;

[ II- खÖड 3(i)] ğ :

(iii) purpose of collection and usage of such information; (iv) disclosure of information including sensitive personal data or information as

provided in rule 6; (v) reasonable security practices and procedures as provided under rule 8.

5. Collection of information.— (1) Body corporate or any person on its behalf shall obtain consent in writing through letter or Fax or email from the provider of the sensitive personal data or information regarding purpose of usage before collection of such information.

(2) Body corporate or any person on its behalf shall not collect sensitive personal data or information unless —

(a) the information is collected for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf; and

(b) the collection of the sensitive personal data or information is considered necessary for that purpose.

(3) While collecting information directly from the person concerned, the body corporate or any person on its behalf snail take such steps as are, in the circumstances, reasonable to ensure that the person concerned is having the knowledge of —

(a) the fact that the information is being collected; (b) the purpose for which the information is being collected; (c) the intended recipients of the information; and (d) the name and address of —

(i) the agency that is collecting the information; and (ii) the agency that will retain the information.

(4) Body corporate or any person on its behalf holding sensitive personal data or information shall not retain that information for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force..

(5) The information collected shall be used for the purpose for which it has been collected.

(6) Body corporate or any person on its behalf permit the providers of information, as and when requested by them, to review the information they had provided and ensure that any personal information or sensitive personal data or information found to be inaccurate or deficient shall be corrected or amended as feasible: Provided that a body corporate shall not be responsible for the authenticity of the personal information or sensitive personal data or information supplied by

1330 GI/11-2A

THE GAZETTE OF INDIA : EXTRAORDINARY [ PART II-SEC. 3(i)]

the provider of information to such boy corporate or any other person acting on behalf of such body corporate.

(7) Body corporate or any person on its behalf shall, prior to the collection of information including sensitive personal data or information, provide an option to the provider of the information to not to provide the data or information sought to be collected. The provider of information shall, at any time while availing the services or otherwise, also have an option to withdraw its consent given earlier to the body corporate. Such withdrawal of the consent shall be sent in writing to the body corporate. In the case of provider of information not providing or later on withdrawing his consent, the body corporate shall have the option not to provide goods or services for which the said information was sought.

(8) Body corporate or any person on its behalf shall keep the information secure as provided in rule 8.

(9) Body corporate shall address any discrepancies and grievances of their provider of the information with respect to processing of information in a time bound manner. For this purpose, the body corporate shall designate a Grievance Officer and publish his name and contact details on its website. The Grievance Officer shall redress the grievances or provider of information expeditiously but within one month ' from the date of receipt of grievance.

6. Disclosure of information.— (1) Disclosure of sensitive personal data or information by body corporate to any third party shall require prior permission from the provider of such information, who has provided such information under lawful contract or otherwise, unless such disclosure has been agreed to in the contract between the body corporate and provider of information, or where the disclosure is necessary for compliance of a legal obligation:

Provided that the information shall be shared, without obtaining prior consent from provider of information, with Government agencies mandated under the law to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences. The Government agency shall send a request in writing to the body corporate possessing the sensitive personal data or information stating clearly the purpose of seeking such information. The Government agency shall also state that the information so obtained shall not be published or shared with any other person.

(2) Notwithstanding anything contain in sub-rule (1), any sensitive personal data on Information shall be disclosed to any third party by an order under the law for the time being in force.

1330 GI/11-2B

THE GAZETTE OF INDIA : EXTRAORDINARY [ PART II-SEC. 3(i)]

Printed by the Manager, Government of India Press, Ring Road. Mayapuri. New Delhi-110064 and Published by the Controller of Publications, Delhi-1 I0054

(3) The body corporate or any person on its behalf shall not publish the sensitive personal data or information.

(4) The third party receiving the sensitive personal data or information from body corporate or any person on its behalf under sub-rule (1) shall not disclose it further.

7. Transfer of information.-A body corporate or any person on its behalf may transfer sensitive personal data or information including any information, to any other body corporate or a person in India, or located in any other country, that ensures the same level of data protection that is adhered to by the body corporate as provided for under these Rules. The transfer may be allowed only if it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf and provider of information or where such person has consented to data transfer.

8. Reasonable Security Practices and Procedures.— (1) A body corporate or a person on its behalf shall be considered to have complied with reasonable security practices and procedures, if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business. In the event of an information security breach, the body corporate or a person on its behalf shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies. (2) The international Standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements" is one such standard referred to in sub-rule (1). (3) Any industry association or an entity formed by such an association, whose members are self- regulating by following other than IS/ISO/IEC codes of best practices for data protection as per sub-rule(1), shall get its codes of best practices duly approved and notified by the Central Government for effective implementation. (4) The body corporate or a person on its behalf who have implemented either IS/ISO/IEC 27001 standard or the codes of best practices for data protection as approved and notified under sub-rule (3) shall be deemed to have complied with reasonable security practices and procedures provided that such standard or the codes of best practices have been certified or audited on a regular basis by entities through independent auditor, duly approved by the Central Government. The audit of reasonable security practices and procedures shall be carried cut by an auditor at least once a year or as and when the body corporate or a person on its behalf undertake significant upgradation of its process and computer resource.

[F. No. 11(3)/2011-CLFE] N. RAVI SHANKER, Jt. Secy.


立法 关联 (2 文本) 关联 (2 文本)
无可用数据。

WIPO Lex编号 IN098