Web users have the right to know that the personal details that many business websites, blogs and online shopping sites ask them to fill out are in safe hands. It is not just to fulfill legal demands, but also an effective tool of transparency towards customers. It is a global norm that such a legal document be exhibited online wherever collection or sharing of personal information is involved.
The India context
India is the biggest platform of data outsourcing and has, in the recent past, faced a lot of cyber crime, data theft, etc. Therefore, there is a need for a regulating mechanism to deal with these crimes effectively and ensure highest security of internet databases.
The Information Technology Act of 2000 is the consolidated document that lays down guidelines for the development and maintenance of websites, electronic records and digital signatures. The Act defines cyber crimes such as hacking, infusion of virus, unauthorized copying of, tampering with information and also prescribes penalties for them.
An amendment to the Act, in 2008, brought such activities as circulation of offensive or obscene content, identity theft, impersonation, cyber terrorism, voyeurism and child pornography into the criminal domain.
A further amendment in 2009 states that any negligence while handling sensitive personal information is likely to pay penalty and is liable for punishment. This includes disclosure of sensitive personal information without consent of the person.
– The Information: The users need to be clearly told what information is being collected, e.g. forms to purchase, subscribe and sign up. Other information such as hostnames and IP addresses should be mentioned here.
How the data is collected: Here, the method of collection of information is to be described. Is it automated? Is the user asked to fill forms or refer other names, addresses, etc.
– Storage of data: The location of the database and any country or region specific laws that apply are to be mentioned.
– Third party sharing: Almost all websites share the information in their databases with others, such as courier services, or banks. The user needs to be informed that their information maybe shared within the legal domain.
– Website contact details: Email addresses, postal addresses, phone numbers, etc. have to be mentioned so as to allow users to get in touch in case of queries or grievances.
Sensitive Personal Information According to The Information technology Rules, 2011 sensitive information includes the following.
• Financial information such as bank account, credit card or debit card details.
• Information describing physical, physiological or mental health condition of a person
• Sexual relationship and orientation
• Medical records
• Biometric data.
Creating, updating, monitoring or managing privacy policies also involves certain best practices. For those who are responsible, whether it’s part of your job because you’re an entrepreneur and everything is your responsibility, or you’re hoping to add this area to your book of knowledge, there are certain best practices to keep in mind. Some of the points are given below:
1) The policy must be written in plain English. If a lawyer is drafting the policy then you must ask it to be written in simple language which will be understood by the consumer or visitor.
2) Something found free on the Internet should not be just cut and pasted as your own. The risk of penalties is very real and therefore your policy should be your own and reflect the unique circumstances of your site.
4) Follow the policy! Do not deceive the consumers by not following the policy. What is written should be followed.
5) Consumers, readers, forum visitors, or others should have the right to opt out of having their personal information retained.
7) The information that you take from consumers should be secure too. The potential disclosure or sale of private information can be devastating.
8) Try and get a well-respected privacy certification program for credibility.
Consumers are becoming increasingly intuitive and will refuse to provide information that they feel is not required. If you do ask for extremely personal information, be clear on why you need it and how secure it will be.
What we post on Facebook, Twitter or other online social media all constitute personal information and we cannot imagine how this kind of data can be used or misused. Privacy policies are often not given the attention they deserve. A company may dish out a policy without even realizing its actual merit.
Nikita Bhatia is the co-founder of VenturEasy, an online platform for Company registration, book-keeping, accounting, tax consultancy and legal compliances in India. A Chartered Accountant and company secretary by profession, she has wide experience in the fields of audit, accountancy, taxation and corporate governance.
For any queries/ discussions, email at [email protected]