Data is generally classified into two categories: public data and private data. Public data is accessible to the public at large, such as birth and death records, whereas private data is personal to individuals or organizations and cannot be freely disseminated by anyone without prior permission. Personal data usually refers to information or data relating to an individual who can be identified from that information or data, whether collected by any Govt. or private organization or agency.

It is quite natural that such private information might be at risk while in the hands of those organizations. Although India does not have any express legislation governing privacy or data protection, the Information Technology Act contains some provisions concerning privacy policies. The Indian Govt. has also notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

Provisions under Indian Constitution:

The right to privacy is a fundamental right under Article 21 of the Constitution of India. This was affirmed by the Hon’ble Supreme Court in its landmark judgement ‘Justice K.S Puttaswamy versus Union of India’ dated 24th August, 2017, wherein the right to privacy was declared an integral part of Part III of the Constitution of India.

Important Sections relating to personal data under IT Act:

Section 43 A: – This section creates liability for loss of any personal data on body corporates that possess and control personal information belonging to individuals in a negligent manner. The term body corporate covers all kinds of organizations, whether a company or a sole proprietorship. Body corporates are required to maintain reasonable security practices and procedures.

Section 72 A: – This section applies to individuals and intermediaries who provide their services while having access to any material containing personal information of any person under a legal contract. If such an individual or intermediary deliberately discloses such content without the person's consent, it amounts to an offence under this provision. Such an offence may attract imprisonment for a term which may extend to 3 years, or a fine extendable up to 5 lacs, or both.

It is worth noting here that the IT rules established by the Govt. mandate every online service provider to publish its privacy policy on its website. Body corporates are also required to obtain the consent of individuals before disclosing their personal data unless disclosure is required under any law.

Do the provisions of the IT Act apply to the entities outside India?

As per Section 75 of the IT Act, the provisions of the IT Act shall apply to an offence or contravention committed outside India by any person if the act or conduct constituting the offence or contravention involves a computer, computer system or company network located in India.

What kind of data can be treated as sensitive personal data or information?

The IT rules prescribe the personal information that can be considered sensitive personal data or information, which includes the following data:-

  • Password
  • Financial information
  • Health parameters, which may include physical and mental health conditions and medical records or history
  • Sexual orientation
  • Biometric information

Are body corporates required to plan their privacy policy?

Yes, it is necessary for body corporates to maintain their privacy policies if they collect, receive, possess, store, deal with or handle information of a provider of information. The body corporate must publish the privacy policy for dealing with or handling personal information, including sensitive personal data or information. Moreover, it has to be ensured that the policy is available for view by the providers of information who have provided such information under lawful contract. Such policies are required to be published on the website of the body corporate or any person on its behalf and shall provide clear and easily accessible statements of its practices and policies.

What must be included in the privacy policy?

The following points are required to be part of the privacy policy of any corporate:-

  • Type of personal or sensitive personal data or information collected.
  • Purpose of collection and usage of such information.
  • Disclosure of information including sensitive personal data or information.
  • Reasonable security practices and procedures.

What are the provisions related to disclosure of information under the IT Act?

Sensitive personal data or information can be disclosed only with prior permission from the provider of such information. The consent of the information provider may be skipped in the following cases:-

  • Where disclosure of such information has been agreed to in the contract between the body corporate and provider of information.
  • Where the disclosure is mandatory for compliance with a legal obligation.

Can an information provider withdraw his/her consent for any collected information?

Yes, an information provider has the option to withdraw his/her consent which has been given earlier. Such withdrawal of consent can be intimated to the concerned body corporate in writing. However, the body corporate can refuse to provide goods or services to an information provider who later withdraws his/her consent for the information.


Privacy is an emerging issue in any nation. As organizations collect greater amounts of information online as well as about online users, and as the government continues to seek greater access and surveillance capabilities, India prioritizes privacy and puts in place strong safeguards to protect the privacy of both Indians and foreigners whose data resides temporarily or permanently in India.

-Kiranpreet Kaur

Associate at Aggarwals & Associates, S.A.S. Nagar, Mohali