Page 313 - DMGT308_CUSTOMER_RELATIONSHIP_MANAGEMENT

Customer Relationship Management




                                   elements as appropriate for India be added. For instance, in addition to the reference to racial or
                                   ethnic origin, in the Indian context special reference must be made to caste as well. Also, in the
                                   context of the Aadhaar program, it will be relevant to include biometric data in the definition of
                                   personal sensitive data. The Group of officers would need to deliberate on this and finalise the
                                   definition of personal data and personal sensitive data, as this would be one of the key elements
                                   of the proposed privacy legislation.

                                   12.1.16 Data Collection

                                   All data protection legislations include provisions that deal with and regulate the collection of
                                   data. These provisions usually include the following elements:
                                   It is necessary to inform the data subject of the purpose of the collection of data.
                                   1.  The explicit or written consent of the data subject must be obtained for the collection of
                                       data. However, the balance of interests must always be considered and in certain cases, the
                                       requirement to obtain consent may be dispensed with for reasons such as national security,
                                       benefit of the data subject or investigation of a crime or other circumstances that may be
                                       prescribed in the statute.

                                   2.  The data subject is free to withdraw consent in certain cases.
                                   3.  The data that is collected must only be for specific, explicitly defined and legitimate
                                       purposes. For instance, the collection must be authorised under a law. The data subject
                                       must consent (such consent being subject to the test of “balance of interests”) to his personal
                                       data being used for the specified purposes.
                                   4.  Collection of data which is of a sensitive nature is generally subject to more control or
                                       may be prohibited. Explicit consent or even approval from a regulatory authority may be
                                       required to be obtained to collect sensitive personal data.
                                   5.  Data collected must be proportional to the purpose for which it was collected.
                                   6.  The information that is collected must be accurate and up to date.
                                   7.  Where the information is not received directly from the data subject, the source of the
                                       information must be disclosed to the data controller.

                                   12.1.17 Data Processing

                                   All the legislation we reviewed includes regulations with regard to data processing. Since most
                                   data leakage takes place during remote processing, it is important to ensure that adequate measures
                                   are in place so that data transferred to a processor receives the same level of protection.
                                   Most data protection legislation includes the following provisions with regard to data
                                   processing:

                                   1.  The data controller has to ensure that the data processor processes the information/personal
                                       data for the purpose for which it was collected.
                                   2.  Data processing must be done carefully and in a diligent manner.

                                   3.  Data processing must be for reasonable and legitimate purposes and must be in good faith
                                       and in consideration of the interests of the individual.
                                   4.  The data subject must know the purpose for which the data is being processed.

                                   5.  Some countries require that the data in a database be used only for the purposes for
                                       which the database was set up. They also require the database to be registered, subject to
                                       certain conditions.


          308                               LOVELY PROFESSIONAL UNIVERSITY