The sensitive personal data or information of a person covers passwords, financial information such as bank account or credit card details, physiological and mental health condition, medical records and history, sexual orientation, and biometric information, says the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, which came into force in April this year.
Though the rules provide for keeping this information confidential from third parties except with the individual's prior consent, they explicitly state that all sensitive personal details “shall be shared, without obtaining prior consent from the provider of information, with government agencies mandated under the law to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences.”
Criticising the government for giving itself the “master key” to access the sensitive personal information of individuals, including their medical records, Delhi-based PRS Legislative Research, which works with MPs to provide research support on legislative and policy issues, has noted that “there are no checks on this power [with the government] except that the request for information be made in writing, and stating clearly the reason for seeking the information.”
Pointing out that “information requests [made by government agencies] usually have certain inbuilt checks,” PRS Legislative Research said that for example, search warrants in criminal cases were issued by a court. Similarly, tapping of telephones or interception of electronic communication can only be authorised by the Union or State Home Secretary after following a prescribed process.
The new bill for the Unique Identification Number (UID) also permits such use only by the order of a court or for national security (by an order of an authorised officer of at least Joint Secretary rank in the Central Government).
However, the new rules under the amended IT Act have no such checks and balances — a government agency just needs to send a request in writing to the company possessing the sensitive personal data or information stating clearly the purpose of seeking such information.
The rules also state that a company can transfer sensitive personal data or information to any company or individual in India or abroad that “ensures the same level of data protection” that is adhered to by that company as per the new rules.