CAN THERE BE ANY SECRETS?: AN ANALYSIS OF SENSITIVE INFORMATION PROTECTION LAWS.

by S.Vaijayanthee

ABSTRACT

Right to Privacy is a fundamental right under the ambit of Right to life and personal liberty guaranteed by Article 21 of the Indian Constitution. The recognition of the particular right had a certain degree of urgency to it. This was due to the advancement of technology and the subsequent cyber crimes and illegal acts that followed it. Sensitive Information consists of data that is private in nature and is personal to an individual or an organisation. With the technological advancements, infringing and intervening into others’ digital spaces and gaining access to sensitive information has become easier. Therefore, data is always at risk of misuse by both the organisation collecting the data and a third party with the intention to misuse such data. This calls for laws to protect the citizens from such acts that grossly violate their right to privacy. This Article discusses sensitive information in detail and the laws that govern the protection of such information.

INTRODUCTION

Privacy, in the present day, is an oft-quoted concept that has been recognised as one of the basic human rights. After much deliberation and debate on the status of right to privacy in Part III of the Indian Constitution, it was finally declared to be a fundamental right under Article 21 that provides for the right of life and personal liberty. The infringement of this right has been a subject matter of various petitions. The apex court has time and again re-emphasized the significance of this non-absolute but inalienable right. It was held that “a citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child-bearing, education among other matters.”[1] The recognition of the particular right had a certain degree of urgency to it. This was due to the advancement of technology and the subsequent cyber crimes and illegal acts that followed it.

The world has witnessed a paradigm shift to a digital era where human transactions from all domains (private to commercial) were digitized. Students started to apply to educational institutions online, online financial transactions became prevalent through online shopping, payment of bills, fees etc., doctor appointments were made online, and so on. This led the people utilising such online facilities to disclose their personal information regarding their educational background, financial details and medical history to the institutions. The organisations, to make their job easier and more efficient, have gone digital and store information and data in electronic form.

With the technological advancements, infringing and intervening into others’ digital spaces has become easier. Therefore, data is always at risk of misuse by both the organisation collecting the data and a third party with the intention to misuse such data. This calls for laws to protect the citizens from such acts that grossly violate their right to privacy.

SENSITIVE INFORMATION

Sensitive Information consists of data that is private in nature and is personal to an individual or an organisation. It may include information regarding financial details, family details, browsing details, locations, history, behaviour, photos etc. It must be guarded and well-protected from unauthorised access and unwarranted disclosure by anyone to maintain the security of individuals and organisations. Therefore, it is necessary that the prior permission of the individual or organisation is obtained before accessing such data.

Sensitive information may be classified three-fold: Personal Information, Business Information and Classified Information.

Personal Information is identifiable data and can be traced or linked to a specific person. Usually, personally identifiable data is distributed to various educational, health and financial institutions. This type of data is at risk of identity theft.

Business Information, as the name suggests, refers to any data that concerns business activities and institutions. Exposing or unauthorised usage of such information would put the organisation in jeopardy. Business information may include personal information of stakeholders, trade secrets, intellectual property etc.

Classified Information is one that is intentionally kept confidential at a Government level. A certain degree of sensitivity is attached to such information and unwarranted disclosure could potentially endanger the government’s objectives and its international standing.

Therefore, the protection of sensitive and private information is very important for the smooth functioning of the Government and organisations, and for upholding the rights guaranteed to the people.

PRINCIPLES REGARDING DATA PROTECTION

Data Protection is a set of privacy laws, policies and procedures that seek to minimise the intrusion into an individual’s privacy caused by collection, storage and dissemination of personal data.

The General Data Protection Regulation (GDPR) defines ‘personal data’ as “any information relating to an identified or identifiable natural person (data subject)”. An identifiable natural person can be directly or indirectly identified in particular by reference to any identifier such as name, location data, identification number, or those factors specific to physical, genetic, mental, cultural, economic or social identity of that person.[2]

The regulations have laid down certain principles relating to processing of data in Chapter 2. For the purposes of the GDPR, ‘processing’ is defined as any operation performed on personal data.

Processing of personal data must be done lawfully, fairly and in a transparent manner. The purpose specified must be explicit and legitimate. The processing should be limited to the purpose so specified and no further processing is to be undertaken for reasons not in consonance with those stated. Data minimisation is prescribed and any inaccurate data must be erased. The process should strictly adhere to and ensure the security of personal data and the Controller is to be held accountable for the whole process.[3]

Prior consent plays a pivotal role in determining the lawfulness of processing. Processing of personal data is necessary in certain circumstances. These circumstances include:

  1. For the performance of a contract,
  2. For the compliance with the legal obligations that the Controller is subject to,
  3. To protect vital interests of the data subject or any other natural person,
  4. For the performance of a task carried out in public interest or in exercise of official authority vested in the Controller,
  5. For the legitimate interests pursued by the Controller or by a third party subject to fundamental rights and freedoms of data subject which require protection of personal data, especially when the data subject is a child.[4]

INDIAN LEGAL SYSTEM AND SENSITIVE INFORMATION PROTECTION

The Indian legal system does not have any specific legislation with regard to data protection, nor is it a signatory to any International Conventions regarding the same. However, there exist various interpretations of the fundamental rights by the judiciary, and provisions in various other laws, that provide for data protection and penalise those who misuse and misappropriate such data or pose a threat of doing so.

RIGHT TO PRIVACY UNDER ARTICLE 21

Article 21 of the Constitution provides for the right to life and personal liberty. It was held that the term ‘personal liberty’ is to be interpreted in the widest amplitude possible.[5] Thus through various judgments, many rights were brought under the umbrella of right to life and personal liberty. Right to privacy was one such right that was declared to be a fundamental right under Article 21. Various judgments have discussed various aspects of right to privacy and those with respect to interruption, disclosure and publishing of personal information that may be sensitive in nature.

In the landmark Auto Shankar Case[6], it was held that any matter regarding an individual’s personal life cannot be published without his consent irrespective of the truth behind it and whether it is laudatory or critical.

Justice K.S. Puttaswamy v. Union of India[7] marked a major milestone in the Indian Legal system and brought into notice the significance of data protection laws and an authority to govern it. The Supreme Court observed that the rapid growth in technology has given rise to certain concerns and has emphasised that the Constitution must be flexible to accommodate the future generations so that they can adapt its content bearing in mind the basic and essential features.

Informational privacy was recognised as a facet under right to privacy and it was also stated that the Union Government should prioritize the matter of data protection as the threat is posed not only by State actors but also by non-State actors, calling for specific laws to regulate and govern the same.

However, it is pertinent to note that the right to privacy is not absolute; rather, it is subject to certain limitations such as prevention of crime, protection of others’ rights and freedoms, health and morals.[8] Surveillance of people of bad character and habitual offenders does not amount to invasion of privacy as it is for the prevention of crime and as long as it is intra vires the legislative framework.[9] Telephone tapping by the State was considered a gross violation of right to privacy under right to life and personal liberty unless it is for a public emergency or in the interest of public safety.[10]

INDIAN PENAL CODE, 1860

Data being an intangible property and thus not a movable property, data theft cannot amount to an offence under Section 378 of the IPC. However, misappropriation and misuse of data entrusted to a person is an offence of ‘criminal breach of trust’ under Section 405. The language used in the provision is ‘property’ that is inclusive of all types. Section 405 provides for the offence of misappropriating, converting, dishonestly using and disposing of property or dominion over property entrusted to anyone. Section 409 of IPC punishes a person in the capacity of a public servant, or a banker, merchant, factor, attorney or agent committing ‘criminal breach of trust’. Therefore, any organisation that is entrusted with personal data and sensitive information by its stakeholders is penalised under IPC if it commits ‘criminal breach of trust’.

INDIAN COPYRIGHT ACT, 1957

Database protection is provided under “Literary Work” by the Indian Copyright Act, 1957[11], and databases are therefore protected under the Act. When the issue arose whether a database including a set of mailing addresses of customers can be the subject of copyright, the court affirmed the same and held that a compilation of addresses developed by persons contributing time, money, skill and labour amounts to a literary work and the author has a copyright.[12]

INFORMATION TECHNOLOGY ACT, 2000

The Information Technology Act, 2000 was enacted to regulate all transactions and activities that take place in the electronic platform. The Act provides for protection of data and sensitive information saved in electronic form.

Any person who accesses or secures access to a computer without the prior permission of the owner or any other person in charge, downloads, copies or extracts any data or information from the system or aids a person in gaining such access, is liable to pay compensation up to Rs. 1 Crore and in case such act is committed with a dishonest or fraudulent intention, such person is punishable with imprisonment or fine.[13] According to Section 43-A of the Act, negligence in adhering to reasonable security practices and procedures with respect to sensitive personal data will attract greater penal consequences. Section 72-A provides for punishment for the breach of lawful contract and disclosure of information without the provider’s consent.

However, Section 69 of the Act provides an exception where the Central or the State Government may issue directions to intercept, monitor or decrypt any information, if satisfied that it is expedient and necessary to do so in the interest of sovereignty or integrity of the nation, security of the State, defence of India, friendly relations with foreign states, public order or preventing incitement to commission of any cognizable offence relating to the above stated or for investigation of any offence. The Act through the Amendment Act, 2008 further penalises identity theft, violation of privacy, and cyber terrorism.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 were framed under the provisions of the Act and lay down additional requirements for commercial and business entities to follow with respect to the collection and disclosure of sensitive information. The rules define ‘sensitive personal data or information of a person’ as that which consists of passwords, financial information, sexual orientation, medical records and history, biometric information etc.

PERSONAL DATA PROTECTION BILL, 2019

Introduced in the Lok Sabha by the Minister of Electronics and Information Technology, the Personal Data Protection Bill, 2019 seeks to provide for the personal data protection of individuals and establish an Authority to govern the same.

Highlights of the Bill:

  1. Governs the processing of personal data by the Government, companies incorporated in India and foreign companies dealing with personal data of individuals in India.
  2. Personal data is categorised as sensitive personal data and includes financial data, biometric data, caste, religious or political beliefs etc.
  3. An individual or entity called a data fiduciary will decide the means and purpose of processing personal data and such processing will be subject to certain conditions and limitations.
  4. Individuals are entitled to certain rights such as to obtain confirmation from the fiduciary, to seek correction of data in case of errors etc.
  5. The grounds for processing of data are enumerated and the significance of consent is emphasized.
  6. Includes social media intermediaries that enable online interaction between users and allow sharing of information.
  7. Sets up a Data Protection Authority and lays down functions of the Authority such as to protect interests of individuals, prevent misuse of personal data, ensure compliance with the Bill etc. The composition of the Authority is also mentioned.
  8. In case an individual explicitly consents to the transfer of sensitive personal data outside India, subject to additional conditions, it will be allowed.
  9. The Central Government has the power to exempt any of its agencies from the provisions of the Act in certain circumstances.
  10. Processing or transferring of data in violation of the Bill and failure to conduct a data audit would amount to punishable offences.
  11. The Bill seeks to delete the provisions related to compensation payable by companies for failure to protect personal data in the Information Technology Act, 2000.[14]

On a bare reading of the Bill, the similarity to the GDPR can be observed. This Bill, if enacted, is a step in the right direction to ensure that the citizens and institutions in the country are protected and their interest safeguarded from any illegal acts or infringement by both State and non State actors.

PROTECTION OF MEDICAL DATA

Though certain aspects of sensitive information are already protected under existing laws, there exist several aspects that need to be given due attention.

Health Data is one such aspect of sensitive information that has to be protected. Medical Data is usually disclosed by individuals to medical institutions, insurance companies etc. It is very important for the data to be kept confidential and these need to be governed by specific laws. The draft of the Digital Information Security in Healthcare Act (DISHA) has been prepared by the Ministry of Health and Family Welfare to secure the healthcare sector data in India.

RIGHT TO INFORMATION AND THE SENSITIVE INFORMATION PROTECTION

Right to Information is derived from the right of freedom of expression to “seek and receive information”.[15] The right is covered under the ambit of the right to freedom of speech and expression guaranteed under Art. 19(1)(a) of the Indian Constitution.[16] Though some are of the view that both the rights are different sides of the same coin, Right to Information with respect to right to privacy has been a topic of debate.

It is well established that right to information was established for a more transparent and accountable Government. But the conflict arises when the Right is exercised in cases of third party information and elected officials, and these aspects call for the balancing of both rights.

The European Court of Human Rights held that in cases where lack of information might endanger an individual’s health, they may demand information from the government.

The Supreme Court, in a landmark case, held that where another individual’s life and the enjoyment of fundamental rights are at stake, right to privacy can be compromised.[17]

However, the Right to Information Act, 2005 exempts certain sensitive information from being disclosed. Section 8 of the Act enumerates the exemptions from disclosure of such information. Information that concerns the sovereignty, integrity and security of India[18], involves infringement of copyright vested with a person other than State[19] or is furnished by the intelligence and security organisation need not be disclosed by the Government.[20]

CONCLUSION

Though there exist various laws that govern and provide for the protection of sensitive information, the country needs specific legislation, fast track courts and governing bodies to keep everything in check. The lack of laws in the subject area is detrimental and poses a threat of irrecoverable damage to the society as a whole. Especially in the present scenario, with the world experiencing a major crisis due to the spread of COVID-19, certain measures have been introduced by the Government. Aarogya Setu is one such initiative by the Indian Government to keep track of the patients by tracking their locations and whereabouts. Due to the absence of a definitive framework within which this initiative should function, there is a potential for the application to infringe the right to privacy of the people.

Therefore, there is a certain degree of urgency attached to the issue, which calls for laws that are flexible enough to keep up with the pace of the rapid technological advancements. This will ensure that the rights guaranteed to the citizens are safeguarded and the Constitutional principles upheld.


[1] R. Rajagopal v. State of T.N., (1994) 6 SCC 632.

[2] General Data Protection Regulation, 2016 art. 4(1).

[3] General Data Protection Regulation, 2016 art. 5.

[4] General Data Protection Regulation, 2016 art. 6.

[5] Maneka Gandhi v. Union of India, AIR 1978 SC 597.

[6] R. Rajagopal v. State of T.N., (1994) 6 SCC 632.

[7] AIR 2017 SC 4161.

[8] Mr. ‘X’ v. Hospital ‘Z’, AIR 1995 SC 495.

[9] Malak Singh v. State of Punjab, AIR 1981 SC 760.

[10] People’s Union for Civil Liberties v. Union of India, AIR 1997 SC 568.

[11] Indian Copyright Act, 1957 sec. 2(o).

[12] Burlington Home Shopping Pvt. Ltd. v. Ranjish Chibber, 1995 PTC (15) 278.

[13] Information Technology Act, 2000 sec. 43.

[14] Ministry of Law and Justice, The Personal Data Protection Bill, 2019, PRS Legislative Research, https://www.prsindia.org/billtrack/personal-data-protection-bill-2019.

[15] Universal Declaration of Human Rights, art. 19.

[16] Bennett Coleman and Co. v. Union of India, AIR 1973 SC 106.

[17] Mr. ‘X’ v. Hospital ‘Z’, AIR 1995 SC 495.

[18] Right to Information Act, 2005 sec. 8.

[19] Right to Information Act, 2005 sec. 9.

[20] Right to Information Act, 2005 sec. 24.
