SENSITIVE INFORMATION AS PER INFORMATION TECHNOLOGY RULES
The rules of the Information Technology Act apply to the following data, which is considered sensitive and personal:
- The financial information of a user, such as bank account, credit card, debit card or any other payment instrument details
- The physical, physiological and mental health condition of a user
- The sexual orientation of a user
- The medical records and history of a user
- The biometric information of a user
However, any information that is freely available or accessible in the public domain, or given under the Right to Information Act, 2005, or through any other law in force at the time, will not be considered sensitive personal data.
- It should clearly mention what type of personal/sensitive data or information is being collected
- The purpose of collection and usage of such information has to be clearly mentioned
- The disclosure of information including sensitive personal data or information has to be mentioned
- It has to mention how reasonable security practices and procedures have been adopted
The Information Technology Rules state that all companies have to address any discrepancies and grievances of the provider of information, with regard to the processing of that information, in a time-bound manner. The company has to designate a Grievance Officer and publish his or her name and contact details on its website. The Grievance Officer is responsible for addressing the grievances of information providers within one month from the date of receipt of the grievance.