Sunday, 31 October 2021

 The Information Technology (Amendment) Act, 2008 made significant changes to the Information Technology Act, 2000, introducing Section 43A. This section provides compensation in the case where a corporate body is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person. This applies when a corporate body possesses, deals or handles any sensitive personal data or information in a computer resource that it owns, controls or operates.

In 2011, the Government of India prescribed the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011[38] by publishing it in the Official Gazette.[39] These rules require a body corporate to provide a privacy policy for handling of or dealing in personal information including sensitive personal data or information.[40] Such a privacy policy should consist of the following information in accordance with the rules:

  1. Clear and easily accessible statements of its practices and policies;
  2. Type of personal or sensitive personal data or information collected;
  3. Purpose of collection and usage of such information;
  4. Disclosure of information including sensitive personal data or information;
  5. Reasonable security practices and procedures.

The privacy policy should be published on the website of the body corporate, and be made available for view by providers of information who have provided personal information under lawful contract.


Online privacy certification programs[edit]

Online certification or "seal" programs are an example of industry self-regulation of privacy policies. Seal programs usually require implementation of fair information practices as determined by the certification program and may require continued compliance monitoring. TRUSTArc (formerly TRUSTe),[41] the first online privacy seal program, included more than 1,800 members by 2007.[42] Other online seal programs include the Trust Guard Privacy Verified program,[43] eTrust,[44] and Webtrust.[45]

Technical implementation[edit]

Some websites also define their privacy policies using P3P or Internet Content Rating Association (ICRA), allowing browsers to automatically assess the level of privacy offered by the site, and allowing access only when the site's privacy practices are in line with the user's privacy settings. However, these technical solutions do not guarantee websites actually follows the claimed privacy policies. These implementations also require users to have a minimum level of technical knowledge to configure their own browser privacy settings.[46] These automated privacy policies have not been popular either with websites or their users.[47] To reduce the burden of interpreting individual privacy policies, re-usable, certified policies available from a policy server have been proposed by Jøsang, Fritsch and Mahler.[48]

No comments:

Post a Comment

  The Information Technology (Amendment) Act, 2008 made significant changes to the   Information Technology Act, 2000 , introducing Section ...