India issues extensive Privacy Rules with potentially significant impact on Outsourcing Services
On April 11, 2011, India’s Central Government issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “Privacy Rules”). Although positioned as an effort to provide clarification to terms left undefined in the Information Technology Act, 2000, the Privacy Rules put in place a significant new data privacy regime covering collection, use, disclosure or transfer of personal information in India. The Privacy Rules also impose new security standards and security obligations on a company’s data-related operations in India, and require the implementation of a privacy policy. Information qualifying as “sensitive personal data or information” (e.g., passwords, financial information, and medical records) is subject to tighter regulation, requiring, among other things, the written consent of the data subject before such information can be collected.
Alston & Bird has issued a client advisory with more guidance and thoughts on these rules and will be providing comments to NASSCOM, India’s leading outsourcing trade association, in connection with its interaction with the government to clarify the Privacy Rules.