Sensitive personal data

This article is written by Vansh Ved

Introduction 

All regulations discussed relate to and apply to the country of India but are not necessarily limited to only citizens of India. The following article includes mentions of the sections of the Personal Data Protection Bill, 2019 (hereunder also referred to as the PDPA) which has not yet been passed by the Parliament and is currently holding the status of a Bill in a discussion. 

What constitutes ‘Sensitive’ Personal Data and what is ‘Critical’?

Personal Data, or simply data capable of identifying a natural person, directly or indirectly, apart from its general definition, is broadly categorised under two types under the proposed Indian Personal Data Protection Act (2019) – Sensitive personal data and Critical personal data. The owner of such personal data to whom such data relates is known as a Data Principal and the individual or entity responsible for determining the use of, collecting, storing, and processing such personal data is known as the Data Fiduciary. 

Download Now

The parts of Personal Data that are categorically starred or marked as ‘CRITICAL’ by the Central Government of India refer to Critical personal data. This type of data is strictly prohibited from being transferred outside the territory of the country and is supposed to be processed within the boundaries of the nation. This rule holds exemption in two circumstances and these two only. One of them being a transfer in lieu of prompt action, to an individual providing health or medical services. And the other one is to a country, entity, or organization that has gained the approval by word of the Central Government, that it possesses adequate protection according to the standards stated under the ‘applicable laws’ (certainly referring to the PDPA, 2019 as well as presumably the respective data privacy law of the country) and abide by the terms set by the International Agreements concluded by the countries.

Sensitive Personal Data is the part of Personal Data that is categorised as ‘sensitive’ to a person’s privacy and can affect the same if not sensitively, carefully, and specially collected, stored, processed, transferred, or erased. One of the reasons behind the watchful handling of such data, the Act mentions, is the extent of harm that may be caused to a data principal if the safety or privacy of such data is compromised due to any sort of misappropriation or mishap during the entire course of the fulfillment of the purpose it was collected for. Other reasons include the ‘expectation’ on the part of the data principle from the authority processing such information, to keep it confidential and the impact, processing of certain data in a certain undefined manner may have on a group or class of data principles.

The Act definitively interprets a bunch of data related to an individual as ‘sensitive’. The list includes – Financial data, official identifier, and biometric data, genetic, health, or biological data, data related to sexual orientation or gender status (mainly intersex or transgender status), data on caste/class/tribe, sex life, and lastly political or religious beliefs and affiliations. 

Laws currently protecting Sensitive Personal Data in the country

The Law, currently responsible for governing all data in the country and regulating procedures related to the processing of personal data is the Information Technology Act, 2000 and the amendments that followed with it. The provisions provided by the IT Act clearly fall short of the adequate amount of protection personal data demands and deserves. 

An additional amendment under this act named the Information Technology (Reasonable Security practices and procedures and sensitive personal data or information) Rules (hereinafter referred to as the IT Rules, 2011) was added in the year 2011 by the Department of Information technology under MeitY. 

The proposed Personal Data Protection Act has a nearly identical definition of ‘Sensitive Personal data’ to that of the IT Rules, 2011. The Rules include almost all the categories of data falling under the purview of Sensitive personal data under the PDPA and additionally include passwords as a separate item on the list as well as information provided to body corporates for the purpose of processing by way of lawful contract or the provision of services by such body. 

The IT Rules, 2011 also define standards of collection and processing of personal data by body corporates. They define consent, duties of data fiduciaries towards data principals, conditions for collection of such data, review, and correction, limitations to retention, restrictions, and reliefs of the body corporates regarding the transfer of such data further to third parties or another body, within or outside the country. The current Rules governing your sensitive personal data, provide this leeway to body corporates to transfer sensitive personal data to a fellow body corporate or an individual, inside or outside the country, with the data principal’s consent, if substantiated that it provides an adequate and equivalent amount of protection as the original data fiduciary ensures.

The Laws that will govern Sensitive data (PDPA)

The Personal Data protection bill, 2019, soon to be enacted as a law in the country, is a much more extensive and up-to-date version of the sections and rules of the Information Technology Act, 2000 governing and protecting personal data and its privacy in this country. 

Some important sections of the proposed bill that directly and crucially deal with Sensitive Personal Data are:

Section 3 (36)

Defines categories of personal data that recognize as sensitive personal data (listed above)

Section 15 

This section of the act describes the grounds and authority involved with tagging personal data as ‘Sensitive’.

Section 16

Section 16 deals with the processing of personal and sensitive personal data of children. It goes by defining the manner of processing, obtaining the guardian’s consent, risks involved with such processing, and so on. The section also provides the duties and responsibilities of a ‘guardian data fiduciary’, a data fiduciary handling websites or services dealing with the personal data of children, or an individual who processes large amounts of personal/sensitive personal data of minors. Profiling and target marketing practices that involve tracking and behavioural monitoring are strictly prohibited under the law. 

Section 27

Creates a mandate for data fiduciaries processing sensitive personal data among other categories, to conduct an impact assessment according to the provisions of the PDPA. 

The Data Protection Authority (DPA) may specify mandatory categories or circumstances where a data protection impact assessment to ensure the safety of the data and identification of the risks related to it. Such impact assessments, under the law, must contain reports on the purpose of such processing, nature of data processed, risks to the data principal, and lastly the measures adopted, if any, to avoid and minimize those potential risks to their sensitive personal data.

A Data Protection Officer must be appointed by the data fiduciary to review this impact assessment thoroughly and submit his/her report to the Data protection authority in order to get the data fiduciary approved for such processing of concerned data. The DPA has the authority to approve or disapprove a data fiduciary from processing certain data based on the report of the officer. 

Section 33

This section specifies that sensitive personal data is to be transferred outside India only under the conditions specified under subsection (1) of Section 34 of this Act but it is to be stored strictly within the country. 

Section 34

Sub-section (1) of Section 34 states that transfer of sensitive personal data outside the country can only be done when explicit and informed consent of the data principal is obtained for such transfer along with the following clauses: 

  1. Such transfer is pertaining to a lawful contract or an ‘intra-group scheme’ that has:
    1. Made effective provisions for adequate protection of the rights of the data principal under this Act.
    2. Made provisions establishing liability of the data fiduciary/ controller for the damages caused to the data principal in case such data fiduciary does not comply with the contractual provisions.
  2. Such transfer is allowed by the Central Government, in consultation with the DPA and their joint finding that the country or organization of such country in question has an adequate level of protection under the applicable laws. 

Section 50 (6)(r)

This sub-section includes the provision that the DPA may include the processing of sensitive personal data for research and purposes defined in section 38 of the Act and thereby define, the code of practice and instructions for the processing of such data collected for the defined purpose. 

Section 57

The deadliest Section of the Act, defining penalties for the violations of the provisions of any one or more sections or chapters under this Act.

A heavy fine of Rupees 5 crores or 2% of a data fiduciary’s worldwide turnover (whichever is higher) is charged for actions in contravention to or in violation of:

  • Section 25: Post Data breach protocols
  • Section 26 (2): Registration as a data fiduciary with the DPA
  • Section 27: Data protection impact assessments (circumstances for such assessment, steps, the  and technicalities involved, the appointment of a DPO) 
  • Section 29: Data audit and audit of policies and conduct
  • Section 30: Appointment of a significant DPO

An even heavier fine extending up to Rupees 15 crores or 4% of the worldwide turnover (whichever is higher) is charged for violations of the provisions of:

  • Chapter II – Obligations and Duties of the Data Fiduciary
  • Chapter III – Grounds for the processing of any type of personal data without consent 
  • Section 24 – Security safeguards strictly followed for processing and;
  • Chapter VII – provisions for transfer of Personal Data (sensitive or critical) outside India

Section 93 (2)(a)

Section 93 of the Act deals with the powers of the Central Government to make rules regarding the provisions of this Act. Clause (a) of the sub-section (2) of Section 93 mentions that the Central Government may make rules, additions, or amendments to the categories of Sensitive Personal Data defined under Section 15 of the Act. 

Transfer of Sensitive Personal Data

Data is not the new oil. It is the new water. Data flows are consumed, used in a hundred different ways, and extremely crucial for the survival of information technology in this world. As internet companies and services started booming around the world, its service providers, IT teams, and other regulators started transferring the data the company collected, to locations outside the country, and these transfers (also called cross border transfers), in a country like India, until very recently, occurred freely without official regulations defined by the government or any other authority of India. 

The IT Rules, 2011 laid out foundations for the restrictions on the transfer of personal data to other countries as well as other entities, not initially specified in data processing agreements. It laid out that body corporates receiving personal data must transfer such data to another body corporate or another country only if such a country or entity ensures the same level of protection (in order to ensure adequate protection) as the body corporate itself. The Rules also specify that the only conditions for the execution of such transfer must be for the fulfillment of a lawful contract, for a lawful purpose, or where the data principle’s informed consent for such transfer has been taken.

Section 34 of the Personal Data Protection bill, 2019, widely covers the scope of the transfer of sensitive as well as critical data. It is a much more refined version of the ‘transfer’ of personal data defined under the IT Rules, 2011. This Act, through section 34 along with other sections, extensively covers and describes the meaning and scope of the transfer of personal data, the codes of practice to be followed during such transfer, rights of the data subject, exemptions of certain data processors, and lastly, the penalties related to it. 

Section 57 of the PDP bill came in as a serious threat to unauthorised and violative transfer under the provisions of this bill. The section defines the penalties of transferring data outside India in violation of the provisions of Sections 33 and 34 of the Act, which is extended up to a sum of 15 Crores or 4% of its worldwide turnover (gross), whichever is higher. If implemented well, meaning the reporting, assessment and rightful identification of illegal transfers, the heavy fines for these violations can prove to be extremely efficient deterrents to unauthorised transfers outside the country as well as can lead to mandatory appointments of in-house auditors and data protection officers that can look over such transfers and authorisations.  

Rights to protect your Sensitive Personal Data (as a Fundamental Right)

The absence of a definite law governing personal data in the country was the reason for the appointment of the Srikrishna Committee that has drafted the proposed Personal Data Protection Bill, 2019. This bill is currently going through review in the parliament and is yet to pass and become an Act.

Up to this point in time in the country, the act responsible for the protection of information and personal data of the country’s citizens was and remains in the hands of the well renowned Information Technology Act, 2000 and rules made by the Act. The sections and rules of the IT Act, 2000 are ones giving rights to the citizens to protect their personal data (sensitive and general) and privacy. 

The primary provision of the IT Act, 2000 that provides protection of personal and sensitive personal data in the country is Section 43A of the Act. The section created the rights of data principals in the country against body corporates and all that was possible to do with their data by these data controllers. A more elaborate and specific version of this section was released in the form of the IT Rules, 2011 that specifically targeted a limited number of scenarios of processing, transfer, privacy, and protection of the personal data of data principals collected by body corporates. The Rules created the Rights to the disclosure of information by the Data fiduciaries for the purpose of fact-checking, the Rights to be informed as to the purpose of such information, its recipients, and the addresses of the places where such information is about to be processed and; Right to providing informed and unambiguous consent to such processing, transfer, third-party processing or simply, collection. 

Section 72A of the IT Act, 2000, establishes the punishments for the breach of a lawful contract protecting such personal information. The section prescribes a fine of up to Rs. 5 Lakh or an imprisonment term of up to 3 years or both for a breach of a lawful contract by the disclosure of such information to an unauthorised third party or to the public at large. 

Rights created by the provisions of the IT Act, do not hold a strong ground without a constitutional certification of those rights. If the Right to privacy in a country is not promised, none of the above-mentioned provisions could ensure the fundamental protections of a citizen’s privacy and data. 

The case that established the Right to Privacy as a Fundamental Right under the Constitution of India was that of Justice K.S. Puttaswamy (Retd.) v. The Union of India. The case involved a challenge against the constitutional validity of the provisions of the Aadhar Scheme introduced in the country. This case thus included the Right to Informational Privacy within its claim for the Right to privacy as a fundamental right. 

The Judgement on the 24th of August, 2017, concluded the Right to Privacy as a Fundamental Right under the Right to Life and Personal Liberty under Article 21 of the Constitution. Not only that, it created a mandate for the Parliament to formulate information and data privacy laws in the country and acknowledging the dire requirements for such laws.

Sensitive Personal data, including biometrics (as put into question in the above-mentioned case), financial data, data related to sexual orientation, political affiliation, and several other types of personal data, are pieces of information sacred to an individual’s privacy. Any leak, breach, or unauthorised access to such data can seriously harm the privacy and further, possibly pose a risk to such person’s safety and right to life and personal liberty as well. The inclusion and conclusion of the Right to informational privacy within the purview of a fundamental right put Sensitive Personal Data in a protected position as a law is to specially protect it. In July 2017 the Srikrishna Committee was formed that submitted its first report in 2018 and later, its 2019 report, currently in discussion in the Parliament.

Rights created under the new Act that can better protect SPD

Rights created by the proposed PDP Bill that can be instrumental in protecting one’s personal data include the following: 

Right to confirmation and access under Section 17 gives the data principal the right to confirm with a data fiduciary that his/her personal data is currently being processed or is already processed. It also gives a data principal the right to obtain information about what personal data of the principal is being processed and what procedures and activities are involved with such processing. The data principal has the right to be informed clearly and in an understandable manner, about such processing as well as the data fiduciaries involved with processing such data. 

Right to correction and erasure under Section 18 gives data principals the right to get corrected, completed, updated, or erased, data that is either inaccurate, incomplete,  or old. Data that is no longer necessary for the specified purposes of collection, can be asked to be erased by the data principal. In cases of rejection of requests of a data principal to carry out any of the above-mentioned changes to their personal data, a data fiduciary owes the data principal a justification for such rejection in writing. 

Right to Data portability under Section 19 which gives a data principal, the right to have his/her personal data transferred from the current data fiduciary to another. This personal data involves the data provided as well as independently obtained by the original data fiduciary during the process of providing services to the data principal. This right to port data to another fiduciary, cannot however be enforced when such processing involves performing functions of a state or when such transfer could disclose trade secrets of the original data fiduciary. 

And lastly, the Right to be Forgotten under Section 20 of the Act gives the data principal, the right to restrict or prevent any further use of his/her information by a data fiduciary. Such a right can be enforced in situations where the personal data collected for a particular purpose, fulfill such purpose and is no longer necessary or where the consent given to the data fiduciary to process such data has been withdrawn by the data principal or where the disclosure of the concerned data had been made contrary to the provisions of this Act or any other law in the country in force at the time. 

A data principal can enforce this right only on through an order by the Adjudicating Officer made in reference to an application that is to be made by the data principal mentioning the grounds for such enforcement. The Adjudicating Officer then, on the basis of the sensitivity of the data, its importance, and the nature of the activities of the data fiduciary passes an order that, if necessary, may restrict or entirely cease such activities of the data fiduciary disclosing such information. 

These Rights however are subject to some restrictions and fees (for portability and application to be forgotten). A data fiduciary is also entitled to not go ahead with such requests if they harm the rights of any other data principal under the provisions of this Act. 


Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.

LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:

Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.

LEAVE A REPLY

Please enter your comment!
Please enter your name here