Processing Obligations, Security Standards & Special Category Consent Framework
Rule 5: Processing of personal data for provision or issue of subsidy, benefit, service, certificate, license or permit by State and its instrumentalities
5(1).
Processing of personal data of a Data Principal must be carried out in accordance with this rule.
Such processing must strictly follow the standards laid down in the Second Schedule.
Compliance with the Second Schedule is mandatory while undertaking the processing.
5(2).
For Rule 5 and the Second Schedule, the expressions subsidy, benefit, service, certificate, licence or permit have the meanings set out below.
They cover any such subsidy, benefit, service, certificate, licence or permit that is provided or issued as described in clauses (a) to (c).
(a).
Under clause (a), a subsidy, benefit, service, certificate, licence or permit is one given under a law.
It includes anything provided or issued by the State or its instrumentalities.
The provision or issuance must be made in the exercise of their legal powers or the performance of their functions in accordance with the law.
That power or function must derive from a law currently in force.
(b).
Under clause (b), a subsidy, benefit, service, certificate, licence or permit is one given on the basis of a government policy.
It includes anything provided or issued under a policy or instruction.
Such policy or instruction must be issued by the Central Government or a State Government.
The policy or instruction must be issued in exercise of the government’s executive power.
(c).
“Using public funds” means providing or issuing a subsidy, benefit, service, certificate, licence, or permit through government money.
It covers cases where expenditure is made from public funds.
It also covers cases where any receipts from such provision or issuance are credited to public funds.
(i).
In the case of the Central Government or a State Government, this includes money drawn from or credited to any of the following:
The Consolidated Fund of India.
The Consolidated Fund of a State.
The Public Account of India.
The Public Account of a State.
(ii).
The above provision also applies to any local authority within the territory of India.
It also applies to any other authority within India.
It includes authorities that are under the control of the Government of India.
It also includes authorities under the control of any State Government.
It covers the fund or funds belonging to such authority.
Rule 6: Reasonable Security Safeguards
6(1).
A Data Fiduciary must protect all personal data that it holds or controls.
This includes data processed by the Data Fiduciary itself and data processed by a Data Processor on its behalf.
To prevent personal data breaches, the Data Fiduciary must implement reasonable security safeguards.
At a minimum, these safeguards must include the following:
(a).
Personal data must be protected using appropriate security measures.
Suitable data security techniques should be used.
These techniques may include:
Encryption
A method of converting data into a coded form.
The data becomes unreadable to anyone without the correct key.
It protects data from unauthorized access.
Only authorised persons can decrypt and read the data.
Obfuscation
A technique used to make data unclear or difficult to understand.
The original data is altered in a way that hides its meaning.
It does not necessarily require a key to reverse it (depending on the method used).
It is mainly used to reduce the risk of misuse of sensitive information.
Masking of Data
A method of hiding parts of sensitive data.
Only a portion of the data is visible, while the rest is concealed.
It is commonly used to protect personal or financial information.
The original data remains stored securely in the background.
Virtual Tokens
A system where sensitive data is replaced with a randomly generated value (token).
The token has no meaningful value on its own.
The original data is stored separately in a secure system.
The token can be mapped back to the original data when required through a secure process.
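As an added example, not part of the rules or of this commentary, the following Python code contrasts two of the techniques just defined: masking, which conceals part of a value for display and cannot be reversed, and virtual tokens, where a random token replaces the value and the only way back is the separately held mapping. The vault class, record layout and sample account number are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict


def mask(value: str, visible: int = 4, fill: str = "X") -> str:
    """Masking: conceal all but the last `visible` characters.
    The hidden characters cannot be recovered from the output."""
    if visible < 0:
        raise ValueError("visible must be non-negative")
    hidden = max(len(value) - visible, 0)
    return fill * hidden + value[hidden:]


@dataclass
class TokenVault:
    """Tokenization: the token is random and carries nothing about the original;
    the only link is this mapping, which is stored separately from the records."""
    _by_token: Dict[str, str] = field(default_factory=dict)
    _by_value: Dict[str, str] = field(default_factory=dict)

    def tokenize(self, value: str) -> str:
        # Reuse the token for a value already seen so tokenized records stay
        # joinable without exposing the value itself.
        if value in self._by_value:
            return self._by_value[value]
        token = "tok_" + secrets.token_hex(8)
        while token in self._by_token:
            token = "tok_" + secrets.token_hex(8)
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        # Reversal needs the vault; the token alone cannot be decoded because
        # it was never derived from the value.
        if token not in self._by_token:
            raise LookupError("unknown token")
        return self._by_token[token]


def protect_record(record: dict, vault: TokenVault) -> dict:
    """Store the account number only as a token, plus a masked copy for display."""
    account = record["account_number"]
    return {
        "customer_id": record["customer_id"],
        "account_token": vault.tokenize(account),
        "account_display": mask(account),
    }


if __name__ == "__main__":
    # Constructed sample record; the account number is made up.
    vault = TokenVault()
    stored = protect_record({"customer_id": "c-1001", "account_number": "123456789012"}, vault)
    print(stored)
    print(vault.detokenize(stored["account_token"]))
```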
(b).
Access to computer systems used by the Data Fiduciary must be properly controlled.
Access to computer systems used by its Data Processor must also be properly controlled.
This includes control over all related digital resources.
Such access controls should be applied wherever applicable.
(c).
There must be clear visibility over who accesses personal data.
Access should be tracked using logs.
Systems should be monitored regularly.
Periodic reviews of access activity should be conducted.
These measures help detect unauthorized access.
Unauthorized access should be properly investigated.
Corrective steps should be taken to fix the issue.
Preventive measures should be implemented to stop it from happening again.
(d).
Reasonable steps must be taken to ensure continuity of processing of personal data.
This applies if the confidentiality of personal data is affected.
It also applies if the integrity of personal data is affected.
It further applies if the availability of personal data is affected.
Such situations may arise when data is destroyed.
They may also arise when access to data is lost.
Measures should be put in place to address such risks.
This includes maintaining proper data backups.
(e).
Logs and relevant personal data must be retained for a period of one year.
The purpose of retention is to help detect unauthorized access.
It also helps in investigating incidents.
Retention supports fixing identified issues.
It ensures continuity of processing where required.
A different retention period may apply if required under any other law.
(f).
When a Data Fiduciary engages a Data Processor to process personal data, the relationship must be governed by a contract.
The contract should clearly set out the responsibilities of the Data Processor.
It must include appropriate clauses requiring the Data Processor to implement reasonable security safeguards.
These safeguards should protect personal data during processing.
In this way, the Data Fiduciary ensures that personal data remains secure even when processed by another entity.
(g).
The Data Fiduciary must put in place suitable technical and organizational measures.
The objective is to ensure that all these security safeguards are effectively followed.
6(2).
In this rule, the term “computer resource” is not being given a new meaning.
It has the same meaning as the one already defined in the Information Technology Act, 2000.
So, whenever “computer resource” is used here, it should be understood exactly as it is understood under the IT Act, 2000.
Rule 7: Intimation of personal data breach
7(1).
As soon as the Data Fiduciary becomes aware of a personal data breach, it must inform every affected Data Principal.
This intimation must be based on the best knowledge available to the Data Fiduciary and must be given without delay.
The information must be shared in a concise, clear and plain manner.
The Data Principal must be informed through her user account or through any communication method registered with the Data Fiduciary.
The intimation must include the following details:
(a). A description of the personal data breach, explaining its nature, how extensive it is, and when it occurred.
(b). The consequences that are relevant to the Data Principal and are likely to arise because of the breach.
(c). The measures that the Data Fiduciary has already taken or is taking to reduce or mitigate the risk caused by the breach.
(d). The safety measures that the Data Principal herself can take to protect her interests after the breach.
(e). The business contact details of a person who can respond on behalf of the Data Fiduciary to any questions raised by the Data Principal.
7(2).
When the Data Fiduciary becomes aware of a personal data breach, it must inform the Board about the breach.
(a).
The intimation must begin without delay and must include a description of the breach.
The description should explain the type of breach and state how widespread the breach is.
It should mention when and where the breach occurred.
It must describe the likely impact of the breach.
(b).
After this initial intimation, the Data Fiduciary must, within seventy-two hours of becoming aware of the breach, provide further details to the Board.
If more time is required, the Data Fiduciary may seek a longer period by making a written request to the Board.
The information to be shared within this time must include:
(i). Updated and more detailed information about the breach.
(ii). The broad facts explaining the events, circumstances, and reasons that led to the breach.
(iii). The measures that have been implemented or are proposed to reduce or mitigate the risk arising from the breach.
(iv). Any findings, if available, about the person responsible for causing the breach.
(v). The remedial steps taken to prevent a similar breach from happening again.
(vi). A report confirming that intimations have been given to the affected Data Principals.
Rule 8: Time period for specified purpose to be deemed as no longer being served
8(1).
When a Data Fiduciary belongs to a class specified in the Third Schedule and processes personal data for the purposes mentioned there, certain obligations arise.
If the Data Principal neither approaches the Data Fiduciary for the specified purpose nor exercises her rights regarding that processing, the Data Fiduciary must erase the personal data after the time period mentioned in the Third Schedule.
However, if any law currently in force requires the data to be retained, it may be kept for that legal purpose.
Thus, in the absence of legal necessity or continued engagement by the Data Principal, the personal data must ultimately be erased.
8(2).
Before personal data is erased under this rule, the Data Fiduciary must inform the Data Principal in advance.
This intimation must be given at least forty-eight hours before the time period for erasure is completed.
The Data Fiduciary must clearly inform her that the personal data will be erased once the time period ends.
Erasure will not take place if, before the completion of that period, the Data Principal does any of the following:
Logs into her user account.
Initiates contact with the Data Fiduciary for carrying out the specified purpose.
Exercises any of her rights in relation to the processing of her personal data.
8(3).
This requirement applies in addition to what is stated in 8(1) and 8(2).
For any processing of personal data done by the Data Fiduciary, whether directly or through a Data Processor, certain records must be retained.
The Data Fiduciary must keep the following for a minimum period of one year from the date the processing took place:
The personal data.
The related traffic data.
Other processing logs.
This retention is required only for the purposes specified in the Seventh Schedule.
After the one-year period is completed, the Data Fiduciary must ensure that the personal data and logs are erased.
However, erasure is not required if continued retention is necessary to comply with any other law currently in force.
Nor is erasure required if continued retention is specifically notified by the Government.
Illustrations:
Case 1:
Suppose X buys an e-book from platform Y; Y then processes X’s personal data to complete the purchase and delivery.
Once the e-book is delivered, the specified purpose of processing is fulfilled.
Even after this, Y is required to retain X’s order details, related personal data, and processing logs such as payment, confirmation, and delivery records.
This data must be kept for at least one year from the date of the transaction.
This obligation applies even if X deletes her account during that period.
Case 2:
Suppose X, a company, uses a cloud service provider C to host customer records.
In this arrangement, X is the Data Fiduciary and C acts as the Data Processor on behalf of X.
X remains responsible for compliance with data retention obligations under the law.
X must ensure that C also retains the customer data and the associated processing logs.
These data and logs must be kept for at least one year before being erased.
Retention may be longer only if another applicable law requires the data to be kept for a longer period.
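As an added example, not part of the rules or of this commentary, the following Python code applies the Rule 8 sequence to a constructed record: erasure once the Third Schedule period passes without engagement, the 48-hour intimation under 8(2), a fresh period when the Data Principal logs in or otherwise engages, and the separate one-year retention clock for data and logs under 8(3). The Third Schedule period, the record layout and the timeline are assumptions, since the page gives no figure for the period.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

INTIMATION_LEAD = timedelta(hours=48)    # Rule 8(2): notice before the period ends
MINIMUM_RETENTION = timedelta(days=365)  # Rule 8(3): data and logs kept one year


@dataclass
class PrincipalRecord:
    """Constructed record of one Data Principal held by a Data Fiduciary."""
    principal_id: str
    # Last login, contact for the specified purpose or exercise of a right (Rule 8(2)).
    last_engagement: datetime
    # Each processing event starts a one-year clock for data and logs (Rule 8(3)).
    processing_events: List[datetime] = field(default_factory=list)
    intimation_sent_at: Optional[datetime] = None
    # Another law in force requires the data to be kept (Rule 8(1) proviso).
    legal_retention_required: bool = False


@dataclass
class Decision:
    action: str                            # "keep", "intimate" or "erase"
    reason: str
    retain_logs_until: Optional[datetime]  # end of the Rule 8(3) minimum retention


def minimum_retention_until(record: PrincipalRecord) -> Optional[datetime]:
    if not record.processing_events:
        return None
    return max(record.processing_events) + MINIMUM_RETENTION


def decide(record: PrincipalRecord, now: datetime, schedule_period: timedelta) -> Decision:
    """Apply Rule 8(1)-(3) to one record. `schedule_period` is the Third Schedule
    period for the fiduciary's class; the rules fix it per class, so it is an input."""
    due = record.last_engagement + schedule_period
    hold = minimum_retention_until(record)
    if record.legal_retention_required:
        return Decision("keep", "retention required by another law in force", hold)
    if now >= due:
        # Purpose deemed no longer served; logs and related data still stay until
        # `hold` for Seventh Schedule purposes, whatever happens to the rest.
        return Decision("erase", "time period completed without engagement", hold)
    # A notice counts only if no engagement has happened since it was sent.
    notified = (record.intimation_sent_at is not None
                and record.intimation_sent_at >= record.last_engagement)
    if now >= due - INTIMATION_LEAD:
        if notified:
            return Decision("keep", "intimation given; awaiting end of period", hold)
        return Decision("intimate", "at least 48 hours remain before erasure", hold)
    return Decision("keep", "period still running", hold)


if __name__ == "__main__":
    # Constructed timeline for the page's Case 1: X buys an e-book at t0 and never
    # returns; a 90-day Third Schedule period is assumed purely for illustration.
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    rec = PrincipalRecord("X", last_engagement=t0, processing_events=[t0])
    for day in (10, 89, 90):
        d = decide(rec, t0 + timedelta(days=day), timedelta(days=90))
        print(day, d.action, d.reason, "logs until", d.retain_logs_until.date())
```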
Rule 9: Contact information of person to answer questions about processing
Every Data Fiduciary must make certain contact details easily visible.
These details must be prominently published on the Data Fiduciary’s website or mobile application.
A Data Fiduciary may receive a communication from a Data Principal seeking to exercise her rights under the Act.
When responding to such communication, the Data Fiduciary must include the relevant contact details in the reply.
Appointment of a Data Protection Officer
If a Data Protection Officer is required to be appointed, the contact details must be of that officer.
If no Data Protection Officer is required, the contact details must be of an authorised person.
The authorised person must be capable of answering questions on behalf of the Data Fiduciary.
The objective is to ensure that the Data Principal knows whom to contact regarding the processing of her personal data.
Rule 10: Verifiable consent for processing of personal data of child
10(1).
A Data Fiduciary must put in place appropriate technical and organisational measures.
These measures must ensure that verifiable consent of the parent is obtained before processing any personal data of a child.
The Data Fiduciary must also exercise due diligence.
Due diligence is required to confirm that the person identifying herself as the parent is an adult.
The parent must also be identifiable if required for compliance with any law in force in India.
Verification may be done by reference to:
(a). Reliable details of the individual’s identity and age that are already available with the Data Fiduciary; or
(b). Details of identity and age that are voluntarily provided:
(i) Directly by the individual.
(ii) Through a virtual token mapped to such details, issued by an authorised entity.
10(2).
In this rule, the expressions:
(a). Adult means an individual who has completed eighteen years of age.
(b). Authorised entity means:
(i).
An entity that is formally entrusted with a specific function.
The entrustment may be by law, or by the Central Government or a State Government.
The function entrusted is the issuance of details relating to identity and age.
It may also include issuing a virtual token mapped to such identity and age details.
(ii).
It includes a person appointed by the entity mentioned in clause (i).
It also includes a person permitted by that entity to carry out the issuance.
The appointment or permission must relate to issuing details of identity and age or a virtual token.
It further includes details of identity and age that are made available by a Digital Locker Service Provider.
It also includes a token that is made available and verified by a Digital Locker Service Provider.
(c).
A Digital Locker service provider is an intermediary.
It may be a body corporate or an agency of the appropriate Government.
It must be notified by the Central Government.
Such notification is made in accordance with the rules framed under the Information Technology Act, 2000.
Illustrations:
Suppose C is a child, P is the parent and DF is a Data Fiduciary.
A user account of C is proposed to be created on the online platform operated by DF.
For creating this user account, DF seeks to process the personal data of C.
Case 1:
C informs DF that she is a child and states that P is her parent.
DF enables P to identify herself through its website, app, or any other appropriate means.
P identifies herself as the parent of C.
P also informs DF that she is already a registered user on DF’s platform.
P further informs DF that she has previously provided her identity and age details to DF.
Before processing C’s personal data to create C’s user account, DF checks its records.
DF confirms that it holds reliable identity and age details of P.
DF also confirms that P is an identifiable adult.
Case 2:
C informs DF that she is a child and declares P as her parent.
DF enables P to identify herself through its website, app, or other appropriate means.
P identifies herself as the parent of C.
P informs DF that she is not a registered user on DF’s platform.
Before processing C’s personal data to create C’s user account, DF must verify P’s status.
DF does this by referring to identity and age details issued by an entity that is legally entrusted by law or the Government to maintain such details.
DF can also do this by using a virtual token mapped to P’s identity and age.
Through this verification, DF checks that P is an identifiable adult.
P may voluntarily provide her identity and age details using the services of a Digital Locker service provider.
Case 3:
P seeks to open a user account for C.
P identifies herself as the parent of C.
P informs DF that she is already a registered user on DF’s platform.
P also informs DF that she has previously provided her identity and age details to DF.
Before processing C’s personal data to create the user account, DF checks its records.
DF confirms that it holds reliable identity and age details of P.
DF also confirms that P is an identifiable adult.
Case 4:
P seeks to open a user account for C.
P identifies herself as the parent of C.
P informs DF that she is not a registered user on DF’s platform.
Before processing C’s personal data to create the user account, DF carries out verification.
DF refers to identity and age details issued by an entity entrusted by law or by the Government with maintaining such details.
DF can also do this by using a virtual token linked to identity and age.
Through this reference, DF checks that P is an identifiable adult.
P may voluntarily provide her identity and age details by using the services of a Digital Locker service provider.
Rule 11: Verifiable consent for processing of personal data of person with disability who has lawful guardian
11(1).
A Data Fiduciary may obtain verifiable consent from an individual identifying herself as the lawful guardian of a person with disability.
While doing so, the Data Fiduciary must exercise due diligence.
Due diligence is required to verify the status of such guardian.
The Data Fiduciary must confirm that the guardian has been formally appointed.
The appointment must be made by a court of law or by a designated authority or by a local level committee.
The appointment must be in accordance with the law applicable to guardianship.
11(2).
In this rule, the expressions:
(a). Designated Authority
Designated authority refers to an authority designated under section 15 of the Rights of Persons with Disabilities Act, 2016.
The authority must be designated in accordance with that Act.
Its role is to support persons with disabilities.
The support is provided to enable them to exercise their legal capacity.
(b). Law applicable to Guardianship
(i).
It relates to an individual who has a long-term physical, mental, intellectual, or sensory impairment.
The impairment, when interacting with various barriers, hinders her full and effective participation in society on an equal basis with others.
Even after being provided with adequate and appropriate support, the individual is unable to take legally binding decisions.
In such a case, the applicable provisions are those contained in the Rights of Persons with Disabilities Act, 2016.
The rules made under that Act also apply.
(ii).
It relates to a person suffering from any condition such as autism, cerebral palsy, or mental retardation.
It also covers a person suffering from a combination of these conditions.
It further includes a person with severe multiple disabilities.
In such cases, the applicable legal provisions are those contained in the:
National Trust for the Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999.
The rules made under that Act also apply.
(c). Local Level Committee
Local level committee refers to a committee constituted under:
Section 13 of the National Trust for the Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999.
The committee must be formed in accordance with that Act.
It derives its authority from the provisions of the 1999 Act.
(d). Person with Disability
(i).
It refers to an individual with a long-term physical, mental, intellectual, or sensory impairment.
The impairment, when interacting with various barriers, limits her full participation in society.
The participation affected is participation on an equal basis with others.
The individual may be provided with adequate and appropriate support.
Despite such support, she is unable to take legally binding decisions.
(ii).
It refers to an individual suffering from a condition relating to autism, cerebral palsy, or mental retardation.
It also includes an individual suffering from a combination of any two or more of these conditions.
It further includes an individual with severe multiple disabilities.
The individual may be provided with adequate and appropriate support.
Despite such support, the individual is unable to take legally binding decisions.
Rule 12: Exemptions from certain obligations applicable to processing of personal data of child
12(1).
Sections 9(1) and 9(3) of the Act generally apply to the processing of a child’s personal data.
However, these provisions will not apply to certain Data Fiduciaries.
The exemption applies to the class of Data Fiduciaries specified in Part A of the Fourth Schedule.
The exemption is not absolute.
It is subject to the conditions specified in Part A of the Fourth Schedule.
12(2).
Sections 9(1) and 9(3) of the Act generally apply to the processing of a child’s personal data.
These provisions will not apply where the processing is carried out for specific purposes.
The relevant purposes are those specified in Part B of the Fourth Schedule.
The exemption operates only for those listed purposes.
It is subject to the conditions specified in Part B of the Fourth Schedule.