Directions : Study the following information carefully and answer the questions given below.
The outbreak of COVID-19 and its development into a pandemic has led governments across the world to take extraordinary measures to protect their residents. The Central Government and various State Governments in India, along with public-health authorities, not-for-profit organizations and corporates, are collecting, tracking, and using information about individuals to slow down the spread of COVID-19; however, since a large proportion of such information could be categorized as 'personal data' or 'sensitive personal data' its use is subject to the data protection laws in India. It is, therefore, essential that a balance is struck between an individual's right to privacy and public interest at large. Separately, as a result of the COVID-19 pandemic, corporates are also required to implement aberrant measures to safeguard their employees and extended workforce. In this regard, the collection of personal data by corporates will need to be undertaken in compliance with the requirements of data protection laws in India.
The Information Technology Act, 2000 (the "IT Act") read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the "SPDI Rules", together with the IT Act "Data Protection Laws") contain specific provisions governing protection of personal data in India. The SPDI Rules classify information related to physical, psychological and mental health condition of a person as sensitive personal data or information ("SPDI") and any other information that relates to a natural personal which is capable of identifying such person as personal information ("PI").
The public-health authorities and corporates are able to collect personal information of an individual, such as medical records, data related to physical and mental health condition, body temperature, etc., however, such information is classified as SPDI under the Data Protection Laws and may only be collected subject to compliance with certain conditions specified under law. Further, information such as personal and official travel history of an individual or such individual's family members may not constitute SPDI but will be considered as PI.
SPDI is subject to greater protection under the Data Protection Laws. For example, such information may only be collected for a lawful purpose connected with a function or activity of the body corporate when such collection is necessary for that purpose; a person concerned must be aware of the fact that such information is being collected, intended recipients of the information, and the purpose for which the information is being collected; the provider of the information shall be given an option to not provide the information sought; and any organization or person holding such SPDI shall not retain that information for longer than is required for the purpose for which such information may lawfully be used. An organization collecting SPDI is required to obtain informed consent of the information provider prior to disclosing such information to any third party, except when such information is shared to government agencies in accordance with the Data Protection Laws (example in case of pandemic). The SPDI Rules also specify that a corporate collecting personal data is required to comply with reasonable security practices and procedures such as the International Standard IS/ISO/IEC 27001 on "Information Technology – Security Techniques – Information Security Management System – Requirements".
Pursuant to the landmark decision of the Supreme Court of India in KS Puttaswamy v. Union of India (2017), the court held that right to privacy is a part of the right to life and personal liberty and is a fundamental right under the Constitution of India. The Supreme Court of India also observed that the right to privacy is not absolute; however, any restriction is required to be within the framework of law.
6 videos|292 docs
|
|
Explore Courses for CLAT exam
|