Elements of a Privacy Policy in India

By Rahul Dwarkadas (Partner) and Rohini Jaiswal (Senior Associate).

1. Legal background

• Data Privacy and Protection regime in India is presently regulated by the Information Technology Act, 2000 (“IT Act 2000”) in conjunction with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules“).

2. Privacy Policy

• In compliance with the IT Act 2000 and SPDI Rules, an organization is mandated to demonstrate its intent to receive, collect, stores process, transmit, protect and utilize personal data (“PI”) or sensitive personal data (“SPDI”) provided by its users during the course of its commercial activities via a privacy policy^[1]. The privacy policy must be easily accessible for such user via publication on the website.

3. Fundamental factors of a Privacy Policy

• A few fundamental factors and pre-conditions to be kept in mind while drafting a privacy policy are as follows:

1. Consent, Notice and Transparency

A privacy policy must be clear, unambiguous and must contain comprehensible statements of practices and policies adopted by the organization. The organization must obtain consent before collecting or using such information. Consent includes notions of ‘notice’ and ‘choice’. ‘Notice’ denotes the manner in which the privacy policy is presented to the users whereas a ‘Choice’ is expressly provided to opt-in and/or opt-out of the information sharing requirements.

1. Definition Clause

A privacy policy should have comprehensive and explicit definitions of the general terms (such as data, users, SPDI etc.) used in the policy.

• User Information

A privacy policy should illustrate the type of PI or SPDI being collected.

1. Purpose

A privacy policy must clearly identify, in unambiguous terms, the purpose of data collection. Further, it should have a data minimization clause to limit collection and processing to that which is relevant and reasonably necessary to accomplish legitimate commercial purposes. A change in the purpose triggers the requirements of notifying the users of such change.

1. Sharing and storage of user data

An organization must obtain permission from users prior to disclosure of the collected PI / SPDI to third parties and/or its affiliates, except where such disclosure is mandated under law. Further, it should have data retention clauses governing the period of retention and the manner of disposal once the purpose is served.

1. Data security

The privacy policy must inculcate reasonable security practices and procedures adopted by the organization, including electronic and physical safeguards to maintain security and confidentiality of data through authorized access, browser encryption etc.

• Notification of change

Additionally, an announcement via email or website popups is required to reflect periodic reviews and updates in the policy.

• Contact information

The privacy policy should contain email, postal and telephonic coordinates of organization to address queries or exercise of user’s data protection rights.

1. Dispute Resolution

The SPDI Rules require appointment of a Grievance Officer[2] for users to report complaints or unsatisfactory reparation of the same by organization.

4. Conclusion

With the growing digital transformations in the manner conducting businesses, organizations must be prudent while drafting, designing and reviewing their privacy policy and should have a policy tailored to its business requirements and is in compliance with the law.

[1] Section 43 A, IT Act 2000.

[2] Section 5(9), SPDI Rules.