CHAPTER VI
TRANSPARENCY AND ACCOUNTABILITY MEASURES
22. Privacy by design policy.
(1) Every data fiduciary shall prepare a privacy by design policy,
containing—
(a) the managerial, organisational, business practices and technical systems
designed to anticipate, identify and avoid harm to the data principal;
(b) the obligations of data fiduciaries;
(c) the technology used in the processing of personal data is in accordance
with commercially accepted or certified standards;
(d) the legitimate interests of businesses including any innovation is
achieved without compromising privacy interests;
(e) the protection of privacy throughout processing from the point of
collection to deletion of personal data;
(f) the processing of personal data in a transparent manner; and
(g) the interest of the data principal is accounted for at every stage of
processing of personal data.
(2) Subject to the regulations made by the Authority, the data fiduciary may
submit its privacy by design policy prepared under sub-section (1) to the
Authority for certification within such period and in such manner as may be
specified by regulations.
(3) The Authority, or an officer authorised by it, shall certify the privacy
by design policy on being satisfied that it complies with the requirements
of sub-section (1).
(4) The privacy by design policy certified under sub-section (3) shall be published on the website of the data fiduciary and the Authority.
23. Transparency in processing of personal data.
(1) Every data fiduciary shall take necessary steps to maintain transparency
in processing personal data and shall make the following information
available in such form and manner as may be specified by regulations—
(a) the categories of personal data generally collected and the manner of
such collection;
(b) the purposes for which personal data is generally processed;
(c) any categories of personal data processed in exceptional situations or
any exceptional purposes of processing that create a risk of significant
harm;
(d) the existence of and the procedure for exercise of rights of data
principal under Chapter V and any related contact details for the same;
(e) the right of data principal to file complaint against the data fiduciary
to the Authority;
(f) where applicable, any rating in the form of a data trust score that may
be accorded to the data fiduciary under sub-section (5) of section 29;
(g) where applicable, information regarding cross-border transfers of
personal data that the data fiduciary generally carries out; and
(h) any other information as may be specified by regulations.
(2) The data fiduciary shall notify, from time to time, the important
operations in the processing of personal data related to the data principal
in such manner as may be specified by regulations.
(3) The data principal may give or withdraw his consent to the data fiduciary
through a consent manager.
(4) Where the data principal gives or withdraws consent to the data
fiduciary through a consent manager, such consent or its withdrawal shall be
deemed to have been communicated directly by the data principal.
(5) The consent manager under sub-section (3), shall be registered with the
Authority in such manner and subject to such technical, operational, financial and
other conditions as may be specified by regulations.
Explanation.—For the purposes of this section, a "consent manager" is a data
fiduciary which enables a data principal to gain, withdraw, review and
manage his consent through an accessible, transparent and interoperable
platform.
24. Security safeguards.
(1) Every data fiduciary and the data processor shall, having regard to the
nature, scope and purpose of processing personal data, the risks associated
with such processing, and the likelihood and severity of the harm that may
result from such processing, implement necessary security safeguards,
including—
(a) use of methods such as de-identification and encryption;
(b) steps necessary to protect the integrity of personal data; and
(c) steps necessary to prevent misuse, unauthorised access to, modification,
disclosure or destruction of personal data.
(2) Every data fiduciary and data processor shall undertake a review of its security safeguards periodically in such manner as may be specified by regulations and take appropriate measures accordingly.
25. Reporting of personal data breach.
(1) Every data fiduciary shall by notice inform the Authority about the
breach of any personal data processed by the data fiduciary where such
breach is likely to cause harm to any data principal.
(2) The notice referred to in sub-section (1) shall include the following
particulars, namely:—
(a) nature of personal data which is the subject-matter of the breach;
(b) number of data principals affected by the breach;
(c) possible consequences of the breach; and
(d) action being taken by the data fiduciary to remedy the breach.
(3) The notice referred to in sub-section (1) shall be made by the data
fiduciary to the Authority as soon as possible and within such period as may
be specified by
regulations, following the breach after accounting for any period that may
be required to adopt any urgent measures to remedy the breach or mitigate
any immediate harm.
(4) Where it is not possible to provide all the information specified in
sub-section (2) at the same time, the data fiduciary shall provide such
information to the
Authority in phases without undue delay.
(5) Upon receipt of a notice, the Authority shall determine whether such
breach should be reported by the data fiduciary to the data principal,
taking into account the severity of the harm that may be caused to such data
principal or whether some action is required on the part of the data
principal to mitigate such harm.
(6) The Authority may, in addition to requiring the data fiduciary to report
the personal data breach to the data principal under sub-section (5), direct
the data fiduciary to take appropriate remedial action as soon as possible
and to conspicuously post the details of the personal data breach on its
website.
(7) The Authority may, in addition, also post the details of the personal
data breach on its website.
26. Classification of data fiduciaries as significant data fiduciaries.
(1) The Authority shall, having regard to the following factors, notify
any data fiduciary or class of data fiduciary as significant data
fiduciary, namely:—
(2) The data fiduciary or class of data fiduciary referred to in
sub-section (1) shall register itself with the Authority in such manner
as may be specified by regulations.
(3) Notwithstanding anything in this Act, if the Authority is of the
opinion that any processing by any data fiduciary or class of data
fiduciary carries a risk of significant harm to any data principal, it
may, by notification, apply all or any of the obligations specified in
sections 27 to 30 to such data fiduciary or class of data fiduciary as
if it is a significant data fiduciary.
(4) Notwithstanding anything contained in this section, any social media
intermediary,—
(i) with users above such threshold as may be notified by the Central
Government, in consultation with the Authority; and
(ii) whose actions have, or are likely to have a significant impact on
electoral democracy, security of the State, public order or the
sovereignty and integrity of India,
shall be notified by the Central Government, in consultation with the
Authority, as a significant data fiduciary:
Provided that different thresholds may be notified for different classes
of social media intermediaries.
Explanation.—For the purposes of this sub-section, a "social media
intermediary" is an intermediary who primarily or solely enables online
interaction between two or more users and allows them to create, upload,
share, disseminate, modify or access information using its services, but
shall not include intermediaries which primarily,—
(a) enable commercial or business oriented transactions;
(b) provide access to the Internet;
(c) in the nature of search-engines, on-line encyclopedias, e-mail services or on-line storage services.
27. Data protection impact assessment.
(1) Where the significant data fiduciary intends to undertake any processing
involving new technologies or large scale profiling or use of sensitive
personal data such as genetic data or biometric data, or any other
processing which carries a risk of significant harm to data principals,
such processing shall not be commenced unless the data fiduciary has
undertaken a data protection impact assessment in accordance with the
provisions of this section.
(2) The Authority may, by regulations specify, such circumstances, or
class of data fiduciary, or processing operation where such data
protection impact assessment shall be mandatory, and also specify the
instances where a data auditor under this Act shall be engaged by the
data fiduciary to undertake a data protection impact assessment.
(3) A data protection impact assessment shall, inter alia, contain—
(a) detailed description of the proposed processing operation, the
purpose of processing and the nature of personal data being processed;
(b) assessment of the potential harm that may be caused to the data
principals whose personal data is proposed to be processed; and
(c) measures for managing, minimising, mitigating or removing such risk
of harm.
(4) Upon completion of the data protection impact assessment, the data
protection officer appointed under sub-section (1) of section 30, shall
review the assessment and submit the assessment with his finding to the
Authority in such manner as may be specified by regulations.
(5) On receipt of the assessment and its review, if the Authority has
reason to believe
that the processing is likely to cause harm to the data principals, the
Authority may direct the data fiduciary to cease such processing or
direct that such processing shall be subject to such conditions as the
Authority may deem fit.
28. Maintenance of records.
(1) The significant data fiduciary shall maintain accurate and up-to-date
records of
the following, in such form and manner as may be specified by
regulations, namely:—
(a) important operations in the data life-cycle including collection,
transfers, and erasure of personal data to demonstrate compliance as
required under section 10;
(b) periodic review of security safeguards under section 24;
(c) data protection impact assessments under section 27; and
(d) any other aspect of processing as may be specified by regulations.
(2) Notwithstanding anything contained in this Act, this section shall
also apply to the State.
(3) Every social media intermediary which is notified as a significant
data fiduciary under sub-section (4) of section 26 shall enable the
users who register their service from India, or use their services in
India, to voluntarily verify their accounts in such manner as may be
prescribed.
(4) Any user who voluntarily verifies his account shall be provided with
such demonstrable and visible mark of verification, which shall be
visible to all users of the service, in such manner as may be
prescribed.
29. Audit of policies and conduct of processing, etc.
(1) The significant data fiduciary shall have its policies and the
conduct of its processing of personal data audited annually by an
independent data auditor under this Act.
(2) The data auditor shall evaluate the compliance of the data fiduciary
with the provisions of this Act, including—
(a) clarity and effectiveness of notices under section 7;
(b) effectiveness of measures adopted under section 22;
(c) transparency in relation to processing activities under section 23;
(d) security safeguards adopted pursuant to section 24;
(e) instances of personal data breach and response of the data
fiduciary, including the promptness of notice to the Authority under
section 25;
(f) timely implementation of processes and effective adherence to
obligations under sub-section (3) of section 28; and
(g) any other matter as may be specified by regulations.
(3) The Authority shall specify, by regulations, the form and procedure
for conducting audits under this section.
(4) The Authority shall register in such manner, the persons with
expertise in the area of information technology, computer systems, data
science, data protection or privacy, possessing such qualifications,
experience and eligibility having regard to factors such as
independence, integrity and ability, as it may be specified by
regulations, as data auditors under this Act.
(5) A data auditor may assign a rating in the form of a data trust score
to the data fiduciary pursuant to a data audit conducted under this
section.
(6) The Authority shall, by regulations, specify the criteria for
assigning a rating in the form of a data trust score having regard to
the factors mentioned in sub-section (2).
(7) Notwithstanding anything contained in sub-section (1), where the
Authority is of the view that the data fiduciary is processing personal
data in such manner that is likely to cause harm to a data principal,
the Authority may direct the data fiduciary to conduct an audit and
shall appoint a data auditor for that purpose.
30. Data protection officer.
(1) Every significant data fiduciary shall appoint a data protection
officer possessing such qualification and experience as may be specified
by regulations for carrying out the following functions—
(a) providing information and advice to the data fiduciary on matters
relating to fulfilling its obligations under this Act;
(b) monitoring personal data processing activities of the data fiduciary
to ensure that such processing does not violate the provisions of this Act;
(c) providing advice to the data fiduciary on carrying out the data
protection impact assessments, and carry out its review under
sub-section (4) of section 27;
(d) providing advice to the data fiduciary on the development of
internal mechanisms to satisfy the principles specified under section
22;
(e) providing assistance to and co-operating with the Authority on
matters of compliance of the data fiduciary with the provisions under
this Act;
(f) act as the point of contact for the data principal for the purpose
of grievances redressal under section 32; and
(g) maintaining an inventory of records to be maintained by the data
fiduciary under section 28.
(2) Nothing contained in sub-section (1) shall prevent the data
fiduciary from assigning any other function to the data protection
officer, which it may consider necessary.
(3) The data protection officer appointed under sub-section (1) shall be
based in India and shall represent the data fiduciary under this Act.
31. Processing by entities other than data fiduciaries.
(1) The data fiduciary shall not engage, appoint, use or involve a data
processor to process personal data on its behalf without a contract
entered into by the data fiduciary and such data processor.
(2) The data processor referred to in sub-section (1) shall not engage,
appoint, use, or involve another data processor in the processing on its
behalf, except with the authorisation of the data fiduciary and unless
permitted in the contract referred to in sub-section (1).
(3) The data processor, and any employee of the data fiduciary or the
data processor, shall only process personal data in accordance with the
instructions of the data fiduciary and treat it confidential.
32. Grievance redressal by data fiduciary.
(1) Every data fiduciary shall have in place the procedure and effective
mechanisms to redress the grievances of data principals efficiently and
in a speedy manner.
(2) A data principal may make a complaint of contravention of any of the
provisions of this Act or the rules or regulations made thereunder,
which has caused or is likely to cause harm to such data principal, to—
(a) the data protection officer, in case of a significant data
fiduciary; or
(b) an officer designated for this purpose, in case of any other data
fiduciary.
(3) A complaint made under sub-section (2) shall be resolved by the data
fiduciary in an expeditious manner and not later than thirty days from
the date of receipt of the complaint by such data fiduciary.
(4) Where a complaint is not resolved within the period specified under
sub-section (3),
or where the data principal is not satisfied with the manner in which
the complaint is resolved, or the data fiduciary has rejected the
complaint, the data principal may file a complaint to the Authority in
such manner as may be prescribed.