The Indian Government has enacted a new law, the Digital Personal Data Protection Act, which draws the boundaries of data privacy in India. The law has attracted public attention because of its relevance today, when new-age Internet companies collect customers' personal data without proper government guidelines.
The law states how data should be collected, analysed and stored by companies that collect the data of Indians. It governs companies both in India and abroad that collect the data of Indian citizens.
What is personal data, according to the law?
The law does not list exact data types, but the following types of data are generally considered to be personal data.
– Name
– Address
– Phone Number, Email
– Location data
– Online identifiers (IP address, cookies)
– Biometric data (fingerprints, facial recognition data)
– Financial information (bank account details, credit card numbers)
– Health information
– Date of birth
– Photographs and video
Guidelines for Companies
Chapter 2 of the Act defines the following obligations to be met by companies collecting personal data.
>Purpose Limitation
Data Fiduciaries must process personal data only for specified, clear, and lawful purposes. Any additional purpose requires further consent.
>Data Minimization
Data Fiduciaries should ensure the collection of only necessary data for the intended purpose, avoiding excessive data accumulation.
>Accuracy and Storage Limitation
Fiduciaries must ensure the data’s accuracy and keep it updated. Personal data should not be retained beyond the purpose’s fulfillment unless required by law.
>Security Safeguards
Security measures must prevent unauthorized access and breaches, applying technical safeguards and notifying authorities and individuals of breaches. Erase data when consent is withdrawn or purposes are fulfilled.
>Record-Keeping
Companies are accountable for secure data processing, maintaining records of operations and breaches, ensuring data accuracy, and publishing contact information for data queries.
>Grievance Redressal
Establish prompt grievance mechanisms, address issues within a set timeframe, and require internal redressal before involving the Board. Nominate representatives for rights if incapacitated or deceased.
>Children’s Data Protection
Special measures are required for processing children’s data, including obtaining parental consent and avoiding tracking or behavioral monitoring of children.
>Significant Data Fiduciaries
Certain Fiduciaries may be classified as Significant Data Fiduciaries based on the volume and sensitivity of the data they process, which requires additional compliance measures such as appointing a Data Protection Officer and conducting periodic data protection impact assessments.
Rights and Duties of Individual Users
The rights and duties of users under the Act, as set out in Chapter 3, are as follows.
>Right to Access Information
Data Principals have the right to access a summary of their personal data being processed and information about the companies with which their data has been shared.
>Right to Correction and Erasure
Principals can request correction, completion, updating, and erasure of their personal data. Fiduciaries must comply unless retention is necessary for legal compliance.
>Grievance Redressal
Principals have the right to readily available grievance redressal procedures provided by Fiduciaries. Unresolved grievances can be taken to the Data Protection Board.
>Nomination of Representatives
Principals can nominate individuals to exercise their data protection rights in case of death or incapacity.
>Duties of Data Principal
Principals must comply with applicable laws, avoid impersonation, and ensure accurate information provision while exercising their rights.
>Responsibility for Misuse
Principals must not use their rights to harass or cause harm to others, and must ensure they do not suppress material information or impersonate others while providing personal data.