The Ministry of Communications & Information Technology has provided some clarification about the new Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, with the result to exempt outsourcing processes.
The press note of Department of Information Technology clarifies that any body corporate located in India which provides services of processing sensitive personal data or information under contractual obligation with any legal entity (located within or outside India) is not subject to the requirement of Rules 5 & 6.
These two rules are the cornerstone of Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, as they concern how data are collected and what information must be provided to data subjects, the consent of data subject and other key issues (data retention, data security, disclosure of information to third parties and Government agencies).
On the contrary, any body corporate, which provides services to the provider of information under a contractual obligation directly with them, is subject to Rules 5 & 6.
The notification defines the notion (still vague) of “providers of information” as “those natural persons who provide sensitive personal data or information to a body corporate”.
About the consent it is also clarified that Rule (1) – which considers only written consent given by letter, fax or email – also includes “any mode of electronic communication”.