It is commonly said that "data is the new oil." To trace the origin of this statement, we have to go back to the era when mineral oil was the most profitable product and almost every nation competed for it.
Data has replaced oil as the most valuable product of the 21st century, but as technology advances, data hacking cases increase as well, so it is very important to know how to protect our private data.
This is evident from the fact that five of the most valuable companies in the world, namely Amazon, Google, Apple, Microsoft and Facebook, belong to the data sector.
If we look closely at the two products, we see that data and oil are very similar. Just as the crude oil found in the world is unusable in its raw form and must be refined and filtered using various processes to produce oil, diesel, kerosene, gasoline and the like, raw information must also be processed and analysed to turn it into various types of useful data, e.g. health information, geographical location information, financial information, navigation information, professional and work-related information and the like.
Data can be broadly classified into public data and personal data. Public data is what is accessible to the general public, such as court records, birth records, mortality rates and basic company data.
On the other hand, private data is personal to an individual/organization and cannot be freely distributed by anyone without the prior consent of the subject.
It includes financial details, family details, browser details, preferences, psychological characteristics, places and travel history, behaviour, abilities, photos, attitudes, etc. It can also be a combination of these characteristics or even inferences drawn from refined data.
Today, India has no specific legislation that has been enacted primarily for data protection. India's regulatory mechanism for data protection and privacy is the Information Technology Act, 2000 ("the IT Act") and the corresponding Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("the IT rules").
In addition, personal information is also protected by Article 21 of the Indian Constitution, which guarantees every citizen the right to privacy as a fundamental right. The Supreme Court has ruled in several cases that information about a person and the right of access to information by the person are also covered by the right to privacy.
Relevant sections of the IT Act to protect our private data
Section 43A of the IT Act creates a liability for a legal person (including a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities) that possesses, processes or manages any personal data or sensitive information in a computer resource that it owns, controls or operates: it must pay damages to the affected person if an unfair loss or unfair gain has been caused to any person due to negligence in implementing and maintaining reasonable security practices and procedures for the information of the person concerned.
Section 72A of the IT Act states that any person (including an intermediary) who, while providing services under the terms of a lawful contract, has gained access to any material containing personal information about another person and who, intending to cause or knowing that he may cause unlawful loss or unlawful gain, discloses such material to any other person without the consent of the person concerned or in breach of a lawful contract, shall be punishable with imprisonment for a term of three years, or with a fine of five lakh rupees, or with both.
The IT rules grant individuals rights regarding their sensitive personal information and make it mandatory for any corporate body to publish an online privacy policy. They also give people the right to access and correct their information, make it mandatory for a corporate body to obtain permission before disclosing sensitive personal information, except in the case of law enforcement, and give individuals the ability to withdraw that permission.
Limitations of the present provisions to protect our private data
No IT legislation was enacted with the primary purpose of protecting our private data.
The scope and application of the IT law regarding data protection are very narrow.
The IT law does not designate a specific government agency for data protection in India.
The IT law does not provide sanctions for data breaches, except in Section 72A.
The IT rules apply only to a limited amount of sensitive personal data.
The IT rules apply only to electronically generated and transmitted data.
The IT rules do not apply to governments/states, and apply to businesses only if a contract has not been signed. In other words, they can easily be avoided by signing a contract.
Therefore, a committee led by Justice (Retd.) B.N. Srikrishna was established to propose a draft data protection law. The Government of India has released the Personal Data Protection Bill, 2019 ("the bill") based on the recommendations of the parliamentary committee. If both Houses pass this bill, it will be the first Indian law on the protection of personal data.
This article describes three types of personal information and analyzes the provisions of the law that currently protects them, including the changes brought about by the bill.
Health Information:
Health information includes a variety of information such as patient age, contact information, pathology reports, digital health information, and medical history. It has great value in the healthcare and pharmaceutical industries.
Many of us use fitness apps/devices such as Fitbits. Some of us may have searched for health information online, applied for a free diagnostic check, or sought health insurance. Whenever you do any of these, you share sensitive health information with a variety of stakeholders.
The IT rules protect only limited information such as physical, physiological and mental health, and sexual orientation; many of the patient's records and medical history, and thus health records, are disclosed.
Compliance with IT rules is also limited to collecting or transferring personal information or obtaining permission before publishing a confidentiality policy.
Due to the broad nature of the provisions, there are some gaps in the current legal framework. In addition, its application is limited to sensitive personal data that is electronically generated and transmitted. Its terms may also be overridden by contract.
Organizations that store or process health information do not need to report data breaches to users. Individuals therefore do not know whether their health information is at risk, or even whether it is being used without their consent.
The bill proposes to close this loophole by making notification of security breaches mandatory. In addition, all security breaches are subject to fines and can even lead to imprisonment for up to 5 years.
DISHA-
The first act which deals with the “how to protect our private data”
In addition, the Government of India will implement the Digital Security Information Security Act (DISHA). This will be the first specific health information law in India. It has three purposes:
1. Introduce digital healthcare systems at the central and state levels.
2. Provide privacy and security measures for digital health information.
3. Regulate the storage and exchange of electronic health information.
DISHA Highlights:
Manage all types of clinical facilities, including diagnostic centres and individual clinics.
Establish a National e-Health Authority (NeHA) at the central level and a State e-Health Authority (SeHA) at the state level. These two ensure compliance with DISHA rules at all levels.
Establish judicial authorities at the centre and in the states to investigate security breach complaints.
Clarify that effective digital health information is always available to individuals.
Define the purpose for which an individual or group can collect, store, transmit, or use digital health information.
Impose stricter rules on privacy and confidentiality: data owners should be immediately notified of privacy or confidentiality breaches of digital health information.
Geographic location data:
Location data is not included in the definition of sensitive personal data in the IT rules. Therefore, any business unit may disclose such information to other parties without liability under the IT law or rules.
Various apps like Facebook, Google, Life360-Family Locator, MPS, Famicef, Spyzy keep track of our location along the way. In the absence of specific conditions that prevent the distribution of location information, these apps can easily share our location information with third parties.
To address this, the bill proposes a broad definition of personal information that covers geolocation. The bill also proposes to extend its application to the processing of personal data by Indian state/government companies and foreign companies that handle the personal data of Indian individuals.
Right to be forgotten
The right to be forgotten is the right to have personal information removed from the public domain, such as from Internet search engines. This concept currently applies only in the European Union and Argentina. Its purpose is to prevent individuals from being constantly stigmatized as a result of certain actions taken in the past that are no longer relevant.
This concept dates back to 2014, when Spanish citizen Mario Costa Gonzalez sued Google in the European Court of Justice (ECJ). Mario wanted a 1998 newspaper article that said something negative about him removed from search engines and asked Google to remove it because it was no longer relevant. The ECJ agreed with this and asked Google to remove "insufficient, irrelevant, or no longer relevant" newspaper articles from search results.
The right to be forgotten is set out in Article 17 and in Articles 65 and 66 of the General Data Protection Regulation ("GDPR"). "Stakeholders have the right to delete their personal data from administrators without delay, and administrators are obliged to delete personal data without delay."
Under the GDPR, therefore, individuals have the right to have their personal data deleted only in the following special circumstances:
The personal data are no longer needed for the purpose for which the organization originally collected or processed them.
The processing organization relied on the person's consent as the legal basis for processing the data, and the person withdrew his consent.
The organization relies on its legitimate interests as the basis for processing someone's data, that person objects to the processing, and the organization has no overriding legitimate interest in continuing the processing.
The organization processes personal data for direct marketing purposes and the individual objects to this processing.
The organization has illegally processed someone's personal data.
The organization must delete personal data to comply with a legal decision or obligation.
The organization has processed a child's personal data to offer information society services.
However, in exceptional cases, the right to be forgotten is overridden by the right of the organization to process someone's data, such as when the data are used to exercise the right to freedom of expression and information, to comply with a legal decision or obligation, or when the data are needed for public health purposes and the processing is in the public interest.
The situation in India, how to protect our private data?
Currently, there is no right to be forgotten under Indian law. However, in the Puttaswamy case (above), the Supreme Court held that the right to be forgotten is part of the right to privacy, which is an integral part of Article 21 of the Constitution.
The bill proposes to include the right to be forgotten in the law. Individuals can then limit or delete misleading, embarrassing, and irrelevant information.
Under the bill, stakeholders have the right to block the data trustee from continuing to disclose such data or information if it is no longer necessary to disclose the data, if the permission to use the data has been revoked, or if the data are used in a way that is inconsistent with the provisions of the law.