Brief Note On SPDI

In India there is no such specific laws for protection of Data , the privacy and protection of Data are governed by the IT Act “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

The Data is broadly divided into 2 categories:

  • Personal Data
  • Sensitive Personal Data.

As per the It Act Data is defined as representation of information, knowledge, facts, concepts or instruction which are being prepared or have been prepared in a formularized manner or is intended to be processed or have been processed in a computer system or computer network and may be any form or stored internally in the memory of the computer.

Sensitive personal data includes information like Passwords, Bank Account details, Credit/debit card details, Present and past health records, Sexual orientation & Biometric data

Apart from the IT Act 2000 the Indian Constitution also protects individual’s right to life and personal liberty under Article 21 and under Article 19(1)(a)  it provides freedom of speech and expression which means that the person has to express himself. The interpretation for Article 19(1)(a) and Article 21 is that the both Articles says that right to privacy is the fundamental right.

In the Supreme court judgment of  Kharak Singh vs The State Of U. P. & Others[1] it as stated by majority that right to privacy is a fundamental right but there are certain restrictions on the basis of compelling public interest.

Another Supreme Court case “R. Rajagopal alias R.R. Gopal and Another Vs.State of Tamil Nadu and Others[2]” It was held  that the petitioners have a right to publish what they allege to be the life story/autobiography of Auto Shankar insofar as it appears from the public records, even without his consent or authorization. But if they go beyond that and publish his life story, they may be invading his right to privacy. The Constitution exhaustively enumerates the permissible grounds of restriction on the freedom of expression in Article 19(2); it would be quite difficult for courts to add privacy as one more ground for imposing reasonable restriction.

And the most recent judgment of by the Supreme Court on Privacy is Justice K. S. Puttaswamy v Union of India[3] this case was decided by the majority judges. The constitutional bench held that right to privacy is a fundamental right but having some restrictions.

In this case it was asked whether the Indian Constitution even has a fundamental right to privacy, since it is not explicitly stated.  The nine-judge bench said that Indians do have this fundamental right, and that Aadhaar would have to be tested against it.

The data protection is important because there are various data of individual which are online and should not be automatically available to individual. The protection of Data is important to prevent the misuse of information.

The privacy and data protection are connected, if the personal information of any individual is shared without his/her consent will lead to violation of privacy.

The Law which covers the principle of privacy and data protection is the Information Technology Act

The IT Rules 2011 governs the personal data and the Sensitive personal Data or information. That under Section 43-A of the IT Act it is stated that  the compensation for negligence in implementing and maintaining ‘reasonable security practices and procedures’ in relation to ‘sensitive personal data or information’ (“SPDI”),  and Section 72-A of the IT Act mandates punishment for disclosure of ‘personal information’ in breach of lawful contract or without the information provider’s consent.

As per the definition given by the IT Rules 2011,

 “Personal information has been defined under the Rules as “any information that relates to a natural person, which either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person”

Sensitive personal data exists as the concept of sensitive personal data or information under the Rules. Rule 3 specifies that the following types of data or information shall be considered as personal and sensitive:

  • Passwords
  • Bank Account details
  • Credit/debit card details
  • Present and past health records
  • Sexual orientation
  • Biometric data

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

These rules are applicable to body corporate or any person located in India and rules lay out specific provisions related to SPDI. In India currently this is the most detailed provisions for protection of SPDI.

As there is Privacy Bill is still pending to become law and that bill covers all the concepts of personal data, Sensitive Personal Data and includes new category of Data known as critical Personal Data. But for now the IT Rules governs the protection of the same.

Information Provider 

Any person who provides information to the body corporate is known as the provider of information. The information provider has certain rights, that the information which is collected by the body corporate will only be collected after the consent of the information provider, the provider will have right to withdrew the consent and can abstain for  giving consent and such withdrawal should be in writing to the body corporate.

Collection & Disclosure 

The data is collected by the body corporate only after the consent of the individual and such SPDI should be used for lawful purpose only, and there can be instances where the information provider should be given an opportunity to provide alternative information instead of SPDI

It is mandatory for the body corporate to take reasonable steps to protect the information. Further the body corporate is not allowed publishing any sensitive personal data or information. But there are certain exceptions to this. Two exceptions are:

  • When there is contract between the body corporate and the information provider to disclose such information.
  • for any legal obligation

Information provider should be allowed to amend or review the SPDI at any point of time for the information which is provided.

Transfer of SPDI

 The SDPI can be transferred by the body corporate, but before transferring the information the t body corporate should check that the other side is having same or equal quality of data protection which is with the body corporate according to the rules stated. Further the information can be shared with the government agencies under the law to obtain information.

Disclosure to Third Party

For transferring the information of the information provider to the third party apart from the government agencies the body corporate should ask for the permission of the same. The body corporate can only provide information by them if it is prior mentioned in the contract.

Privacy Policy

It is mandatory for the corporate body to provide privacy policy in which it should be written  very clear that what type of information is collected ,the purpose for collection such information should be clear, details should be given for disclosure of sensitive personal information to third party, required precaution must be taken by the organization to protect data.

Grievance Officer

The Rules mandate that the body corporate should appoint a grievance officer to address the complaint and the contact details of the grievance officer must be available on the website of the body corporate.

Difference between the Draft bill and the SPDI Rules

  • SPDI rules apply to the body corporate and the individual located in India, whereas the bill apply to the government private entities incorporated in India and incorporated outside India.
  • The SPDI can be processed only after the consent of the information provider, whereas according to the bill along with consent, functions of the state, compliance under law or order of court, prescribed emergencies or any other purpose as specified by the Authority.
  • According to the Rules the data provider has right to withdrew consent and can abstain from giving consent. As per the bill the onus of the personal data will be on the data collector and not the data provider and that the data provider have right to access the data and right to forgotten data.
  • In the rules there are no such provisions as to where the data is to be kept or stored within the territory of India, whereas as per the bill the data needs to be stored within the territory of India.
  • That according to the Rules the data can be transferred to the third party provided the third party is having same level of data protection. And for the bill it allows the cross border transfer of Personal Data and Sensitive Personal Data where (i) transfer of data is according to standard contractual clauses or intra-group schemes that have been approved by the Authority; or (ii) the Central Government in consultation with the Authority has prescribed a country or section within a country or a particular international organization where such transfers are permissible based on the adequacy of the data protection framework in such country; or (iii) a particular transfer is approved by the Authority on grounds of necessity. Along with (i) and (ii) mentioned above, the data provider’s consent will be required to transfer the Personal Data and Sensitive Personal Data.
  • As per the bill there will be separate authority for taking the applications for data protection.

Data privacy is the basic human right and there is a need of stringent law to govern it. It is important to have data protection law so that there is proper process and regulation of data, protection of rights of individual, so that there is enforcement of rules against unauthorized access and penalties if someone goes against the policies.

Author: Aishani Singh, Litigation Associate at Khurana & Khurana, Advocates and IP Attorneys.  In case of any queries please contact/write back to us at


[1] 1963 AIR 1295, 1964 SCR (1) 332

[2] (1994) 6 SCC 632.

[3] WP (C) 494/2012

Leave a Reply



  • June 2024
  • May 2024
  • April 2024
  • March 2024
  • February 2024
  • January 2024
  • December 2023
  • November 2023
  • October 2023
  • September 2023
  • August 2023
  • July 2023
  • June 2023
  • May 2023
  • April 2023
  • March 2023
  • February 2023
  • January 2023
  • December 2022
  • November 2022
  • October 2022
  • September 2022
  • August 2022
  • July 2022
  • June 2022
  • May 2022
  • April 2022
  • March 2022
  • February 2022
  • January 2022
  • December 2021
  • November 2021
  • October 2021
  • September 2021
  • August 2021
  • July 2021
  • June 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • January 2021
  • December 2020
  • November 2020
  • October 2020
  • September 2020
  • August 2020
  • July 2020
  • June 2020
  • May 2020
  • April 2020
  • March 2020
  • February 2020
  • January 2020
  • December 2019
  • November 2019
  • October 2019
  • September 2019
  • August 2019
  • July 2019
  • June 2019
  • May 2019
  • April 2019
  • March 2019
  • February 2019
  • January 2019
  • December 2018
  • November 2018
  • October 2018
  • September 2018
  • August 2018
  • July 2018
  • June 2018
  • May 2018
  • April 2018
  • March 2018
  • February 2018
  • January 2018
  • December 2017
  • November 2017
  • September 2017
  • August 2017
  • July 2017
  • June 2017
  • May 2017
  • April 2017
  • March 2017
  • February 2017
  • January 2017
  • December 2016
  • November 2016
  • October 2016
  • September 2016
  • August 2016
  • July 2016
  • June 2016
  • May 2016
  • April 2016
  • March 2016
  • February 2016
  • January 2016
  • December 2015
  • November 2015
  • October 2015
  • September 2015
  • August 2015
  • July 2015
  • June 2015
  • May 2015
  • April 2015
  • March 2015
  • February 2015
  • January 2015
  • December 2014
  • November 2014
  • October 2014
  • September 2014
  • August 2014
  • July 2014
  • May 2014
  • April 2014
  • March 2014
  • February 2014
  • January 2014
  • December 2013
  • November 2013
  • October 2013
  • September 2013
  • August 2013
  • July 2013
  • June 2013
  • May 2013
  • April 2013
  • March 2013
  • February 2013
  • January 2013
  • December 2012
  • November 2012
  • September 2012
  • August 2012
  • July 2012
  • June 2012
  • May 2012
  • April 2012
  • March 2012
  • February 2012
  • January 2012
  • December 2011
  • November 2011
  • October 2011
  • September 2011
  • August 2011
  • July 2011
  • June 2011
  • May 2011
  • April 2011
  • February 2011
  • January 2011
  • December 2010
  • September 2010
  • July 2010
  • June 2010
  • May 2010
  • April 2010