India inks data privacy law

Over the years, the offshore outsourcing industry has grown used to dealing with issues raised under the UK, EU or US data protection laws, and CIOs and experienced outsourcing and privacy practitioners have developed effective solutions to most of the problems presented.

Those happy days are now gone. India has issued a new data protection law which will trap unwary offshore outsourcing projects. And two other key offshore outsourcing destinations — China and the Philippines — are both progressing their own sets of laws on data privacy.

Issued quietly on April 13, the snappily-titled Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 apply to all organisations that collect and use personal data and information in India. There are three main problem areas created by the new rules.

- The new rules apply in addition to any existing data protection rules in the source country of the data. The effect is a ‘double-dip’: a project has to comply with two sets of privacy rules that are similar, but slightly different.
- The new Indian rules are unclear in many respects. Lots of terms are undefined and it’s not clear exactly how they apply to particular typical scenarios.
- In some respects the Indian laws are more restrictive than typical Western rules – especially when it comes to the treatment of so-called ‘sensitive data’. The rules require prior written consent, without exception, to collect and use sensitive personal data, which is far more restrictive than the comparable EU or US laws.

The Indian IT Ministry takes the position that these new rules will boost offshore outsourcing by showing international companies that their data is safe in India.

But that wasn’t really the point.

Data controllers already have to protect their data in accordance with the rules in place where the data is collected,
