CHAPTER VII
TRANSPARENCY AND ACCOUNTABILITY MEASURES
29. Privacy by Design. —
Every data fiduciary shall implement policies and measures to ensure that—(a) managerial, organisational, business practices and technical systems are designed in a manner to anticipate, identify and avoid harm to the data principal;
(b) the obligations mentioned in Chapter II are embedded in organisational and business practices;
(c) technology used in the processing of personal data is in accordance with commercially accepted or certified standards;
(d) legitimate interests of businesses including any innovation is achieved without compromising privacy interests;
(e) privacy is protected throughout processing from the point of collection to deletion of personal data;
(f) processing of personal data is carried out in a transparent manner; and
(g) the interest of the data principal is accounted for at every stage of processing of personal data.
30. Transparency. —
(1) The data fiduciary shall take reasonable steps to maintain transparency regarding its general practices related to processing personal data and shall make the following information available in an easily accessible form as may be specified—(a) the categories of personal data generally collected and the manner of such collection;
(b) the purposes for which personal data is generally processed;
(c) any categories of personal data processed in exceptional situations or any exceptional purposes of processing that create a risk of significant harm;
(d) the existence of and procedure for the exercise of data principal rights mentioned in Chapter VI, and any related contact details for the same;
(e) the existence of a right to file complaints to the Authority;
(f) where applicable, any rating in the form of a data trust score that may be accorded to the data fiduciary under section 35;
(g) where applicable, information regarding cross-border transfers of personal data that the data fiduciary generally carries out; and
(h) any other information as may be specified by the Authority.
(2) The data fiduciary shall notify the data principal of important operations in the processing of personal data related to the data principal through periodic notifications in such manner as may be specified.
31. Security Safeguards.—
(1) Having regard to the nature, scope and purpose of processing personal data undertaken, the risks associated with such processing, and the likelihood and severity of the harm that may result from such processing, the data fiduciary and the data processor shall implement appropriate security safeguards including—(a) use of methods such as de-identification and encryption;
(b) steps necessary to protect the integrity of personal data; and
(c) steps necessary to prevent misuse, unauthorised access to, modification, disclosure or destruction of personal data.
(2) Every data fiduciary and data processor shall undertake a review of its security safeguards periodically as may be specified and may take appropriate measures accordingly.
32. Personal Data Breach.—
(1) The data fiduciary shall notify the Authority of any personal data breach relating to any personal data processed by the data fiduciary where such breach is likely to cause harm to any data principal.
(2) The notification referred to in sub-section (1) shall include the following particulars—
(a) nature of personal data which is the subject matter of the breach;
(b) number of data principals affected by the breach;
(c) possible consequences of the breach; and
(d) measures being taken by the data fiduciary to remedy the breach.
(3) The notification referred to in sub-section (1) shall be made by the data fiduciary to the Authority as soon as possible and not later than the time period specified by the Authority, following the breach after accounting for any time that may be required to adopt any urgent measures to remedy the breach or mitigate any immediate harm.(4) Where it is not possible to provide all the information as set out in sub-section (2) at the same time, the data fiduciary shall provide such information to the Authority in phases without undue delay.
(5) Upon receipt of notification, the Authority shall determine whether such breach should be reported by the data fiduciary to the data principal, taking into account the severity of the harm that may be caused to such data principal or whether some action is required on the part of the data principal to mitigate such harm.
(6) The Authority, may in addition to requiring the data fiduciary to report the personal data breach to the data principal under sub-section (5), direct the data fiduciary to take appropriate remedial action as soon as possible and to conspicuously post the details of the personal data breach on its website.
(7) The Authority may, in addition, also post the details of the personal data breach on its own website.
33. Data Protection Impact Assessment. —
(1) Where the data fiduciary intends to undertake any processing involving new technologies or large scale profiling or use of sensitive personal data such as genetic data or biometric data, or any other processing which carries a risk of significant harm to data principals, such processing shall not be commenced unless the data fiduciary has undertaken a data protection impact assessment in accordance with the provisions of this section.
(2) The Authority may, in addition, specify those circumstances, or classes of data fiduciaries, or processing operations where such data protection impact assessment shall be mandatory, and may also specify those instances where a data auditor under this Act shall be engaged by the data fiduciary to undertake a data protection impact assessment.
(3) A data protection impact assessment shall contain, at a minimum—
(a) detailed description of the proposed processing operation, the purpose of processing and the nature of personal data being processed;
(b) assessment of the potential harm that may be caused to the data principals whose personal data is proposed to be processed; and
(c) measures for managing, minimising, mitigating or removing such risk of harm.
(4)Upon completion of the data protection impact assessment, the data protection officer shall review the assessment prepared and shall submit the same to the Authority in such manner as may be specified.
(5) On receipt of the assessment, if the Authority has reason to believe that the processing is likely to cause harm to the data principals, the Authority may direct the data fiduciary to cease such processing or direct that such processing shall be subject to such conditions as may be issued by the Authority.
34.Record-Keeping. —
(1)The data fiduciary shall maintain accurate and up-to-date records of the following—(a) important operations in the data life-cycle including collection, transfers, and erasure of personal data to demonstrate compliance as required under section 11;
(b) periodic review of security safeguards under section 31;
(c) data protection impact assessments under section 33; and
(d) any other aspect of processing as may be specified by the Authority.(2) The records in sub-section (1) shall be maintained in such form as specified by the Authority.
(3) Notwithstanding anything contained in this Act, this section shall apply to the Central or State Government, departments of the Central and State Government, and any agency instrumentality or authority which is “the State” under Article 12 of the Constitution.
35. Data Audits. —
(1) The data fiduciary shall have its policies and the conduct of its processing of personal data audited annually by an independent data auditor under this Act.
(2) The data auditor will evaluate the compliance of the data fiduciary with the provisions of this Act, including—
(a) clarity and effectiveness of notices under section 8;
(b) effectiveness of measures adopted under section 29;
(c) transparency in relation to processing activities under section 30;
(d) security safeguards adopted pursuant to section 31;
(e) instances of personal data breach and response of the data fiduciary, including the promptness of notification to the Authority under section 32; and
(f) any other matter as may be specified.
(3) The Authority shall specify the form, manner and procedure for conducting audits under this section including any civil penalties on data auditors for negligence.
(4) The Authority shall register persons with expertise in the area of information technology, computer systems, data science, data protection or privacy, with such qualifications, experience and eligibility having regard to factors such as independence, integrity and ability, as it may specify, as data auditors under this Act.
(5) A data auditor may assign a rating in the form of a data trust score to the data fiduciary pursuant to a data audit conducted under this section.
(6) The Authority shall specify the criteria for assigning a rating in the form of a data trust score having regard to the factors mentioned in sub-section (2).
(7) Notwithstanding sub-section (1) where the Authority is of the view that the data fiduciary is processing personal data in a manner that is likely to cause harm to a data principal, the Authority may order the data fiduciary to conduct an audit and shall appoint a data auditor for that purpose.
36. Data Protection Officer. —
(1) The data fiduciary shall appoint a data protection officer for carrying out the following functions—
(a) providing information and advice to the data fiduciary on matters relating to fulfilling its obligations under this Act;
(b) monitoring personal data processing activities of the data fiduciary to ensure that such processing does not violate the provisions of this Act;
(c) providing advice to the data fiduciary where required on the manner in which data protection impact assessments must be carried out, and carry out the review of such assessment as under sub-section (4) of section 33;
(d) providing advice to the data fiduciary, where required on the manner in which internal mechanisms may be developed in order to satisfy the principles set out under section 29;
(e) providing assistance to and cooperating with the Authority on matters of compliance of the data fiduciary with provisions under this Act;
(f) act as the point of contact for the data principal for the purpose of raising grievances to the data fiduciary pursuant to section 39 of this Act; and
(g) maintaining an inventory of all records maintained by the data fiduciary pursuant to section 34.
(2) Nothing shall prevent the data fiduciary from assigning any other function to the data protection officer, which it may consider necessary, in addition to the functions provided in sub-section (1) above.(3) The data protection officer shall meet the eligibility and qualification requirements to carry out its functions under sub-section (1) as may be specified.
(4) Where any data fiduciary not present within the territory of India carries on processing to which the Act applies under section 2(2), and the data fiduciary is required to appoint a data protection officer under this Act, the data fiduciary shall appoint such officer who shall be based in India and shall represent the data fiduciary in compliance of obligations under this Act.
37. Processing by entities other than data fiduciaries. —
(1) The data fiduciary shall only engage, appoint, use or involve a data processor to process personal data on its behalf through a valid contract.
(2) The data processor referred to in sub-section (1) shall not further engage, appoint, use, or involve another data processor in the relevant processing on its behalf except with the authorisation of the data fiduciary, unless permitted through the contract referred to in sub-section (1).
(3) The data processor, and any employee of the data fiduciary or the data processor, shall only process personal data in accordance with the instructions of the data fiduciary unless they are required to do otherwise under law and shall treat any personal data that comes within their knowledge as confidential.
38. Classification of data fiduciaries as significant data fiduciaries. —
(1) The Authority shall, having regard to the following factors, notify certain data fiduciaries or classes of data fiduciaries as significant data fiduciaries—
(a) volume of personal data processed;
(b) sensitivity of personal data processed;
(c) turnover of the data fiduciary;
(d) risk of harm resulting from any processing or any kind of processing undertaken by the fiduciary;
(e) use of new technologies for processing; and
(f) any other factor relevant in causing harm to any data principal as a consequence of such processing.
(2) The notification of a data fiduciary or classes of data fiduciaries as significant data fiduciaries by the Authority under sub-section (1) shall require such data fiduciary or class of data fiduciaries to register with the Authority in such manner as may be specified.
(3) All or any of the following obligations in this Chapter, as determined by the Authority, shall apply only to significant data fiduciaries—
(a) data protection impact assessments under section 33;
(b) record-keeping under section 34;
(c) data audits under section 35; and
(d) data protection officer under section 36.
(4) Notwithstanding sub-section (3), the Authority may notify the application of all or any of the obligations in sub-section (3) to such data fiduciary or class of data fiduciaries, not being a significant data fiduciary, if it is of the view that any processing activity undertaken by such data fiduciary or class of data fiduciaries carries a risk of significant harm to data principals.
39. Grievance Redressal. —
(1) Every data fiduciary shall have in place proper procedures and effective mechanisms to address grievances of data principals efficiently and in a speedy manner.
(2) A data principal may raise a grievance in case of a violation of any of the provisions of this Act, or rules prescribed, or regulations specified thereunder, which has caused or is likely to cause harm to such data principal, to—
(a) the data protection officer, in case of a significant data fiduciary; or
(b) an officer designated for this purpose, in case of any other data fiduciary.
(3) A grievance raised under sub-section (2) shall be resolved by the data fiduciary in an expeditious manner and no later than thirty days from the date of receipt of grievance by such data fiduciary.
(4) Where, a grievance under sub-section (2) is not resolved within the time period mentioned under sub-section (3), or where the data principal is not satisfied with the manner in which the grievance is resolved, or the data fiduciary has rejected the grievance raised, the data principal shall have the right to file a complaint with the adjudication wing under section 68 of the Act in the manner prescribed.
(5) Any person aggrieved by an order made under this section by an Adjudicating Officer in accordance with the procedure prescribed in this regard, may prefer an appeal to the Appellate Tribunal.