Page 307 - DMGT308_CUSTOMER_RELATIONSHIP_MANAGEMENT

Customer Relationship Management




Section 43-A prescribes compensation in the event that a body corporate that possesses, deals with or
handles any sensitive personal data or information in a computer resource which it owns,
controls or operates is negligent in implementing and maintaining reasonable security practices
and procedures and consequently causes wrongful loss or wrongful gain to any person. This
section makes no mention of non-digital data. Data protection legislation should cover within
its ambit data stored in any electronic medium or a relevant filing system (such as a salesperson's
diary).
This section does not provide any protection to data stored in a non-electronic medium. In
addition, though the section does make mention of sensitive personal information, it does not
do so in comparison with personal information, which is at a very different level. In essence,
under this provision there appears to be no difference between what is traditionally considered
to be personal information and sensitive personal information.
Section 72-A prescribes punishment for disclosure of information in breach of a lawful contract.
Any person who, in the course of providing services under a lawful contract, gains access to any
material containing personal information and discloses this material to anyone else, without consent
or in breach of the contract, will be punished. The problem with this provision is that there is no
definition of personal information, and in the context of the provisions of Section 43-A, which
speaks of sensitive personal information, this creates a degree of inherent confusion between different
sections of the IT Act. While the section does criminalise the act of breach of confidentiality, it
does not offer any form of compensation to the victims of such a breach. In the context of invasion
of privacy, that is probably the most important remedy. The section is narrowly drafted and
only deals with personal information obtained under the provisions of a contract for providing
services. As a matter of fact, personal information can be obtained through a number of different
methods and all such personal information must be protected.

While these amendments do provide some amount of protection against breaches of privacy,
they are in no way a complete solution. It is important that terms such as "personal information"
and "sensitive personal information" are defined clearly. A higher degree of care must be prescribed
for sensitive personal information in terms of its collection, utilization and disclosure. It is also
important to ensure that data stored in a non-electronic medium is also covered and
protected. More importantly, while the provisions newly introduced into the IT Act 2008 provide
a framework for data protection in the country, where none existed before, full-fledged data
protection legislation needs to include regulations on collection, control, utilization and proper
disposal of data. These important principles must be addressed to have an effective data protection
regime in India.

Potential Conflicts between Data Protection Legislation and other Laws

Various concerns have been voiced that the enactment of a data protection
regime will conflict with some already existing and necessary legislation. In this regard, questions
have been raised about data protection in the context of the right to information as well as in the
context of credit verification processes. Can a data protection law co-exist with these statutes?

12.1.8 Data Protection and the Right to Information

There are some concerns about whether the rights granted by privacy legislation would run
contrary to the rights available under the Right to Information Act, which provides citizens the
right to access public information.
In the first place, data protection legislation exists around the world, even in countries that have
enacted detailed public information access legislation. These two types of laws have been
proven to be capable of existing side by side. It could even be said that the right to protect



LOVELY PROFESSIONAL UNIVERSITY