Information Security Policies

In the absence of a specific privacy related regulation in India, IT (Amendment) Act, 2008 – Section 43A is a step in the right direction to protect the privacy rights of the individual in the digital economy and bringing individual privacy into focus.

IT (Amendment) Act, 2008 in its present form does not explicitly define ‘sensitive personal information’, though government is expected to do the same through the issuance of rules pertaining to section 43A, IT (Amendment) Act, 2008.

When defining ‘sensitive personal information’, it becomes very important to take into consideration the evolving data privacy and security ecosystem within an organization. To categorize any particular data element as ‘sensitive personal information’, it could be analyzed from three primary overlapping perspectives:

Content - Personal information that ‘by content’ can be considered sensitive should be included in the purview of ‘sensitive personal information’.

• Biometric Data of employees
• Digital copies of personal photographs of employees
• Digital copies of ID Cards (License, Passport, etc.) of employees, etc

Purpose - Personal Information that is used for authorization and authentication of any individual in any transaction / process.

• Employee Registration Information
• Employee Movement Information
• Employee User ID and password, etc.

Impact - Personally identifiable information that could cause adverse impact in the form of embarrassment and / or harm to an individual.

• Sexual Preferences,
• Health Information, etc.

We are here to advise you on the approaches for defining ‘reasonable security practices’ within your office environment as per business standards and pros & cons associated with each approach.