Discretion is essential in dealing with both confidential information and personal information, with the former belonging to the professional domain and the latter to the moral/social domain. Till recently, only breach of confidential information fell within the legal domain, attracting hefty penalties enforced by courts of law because such breaches diluted business advantages.
However, in recent years, breach of personal information too has extended beyond the moral or social domain and entered the law courts, with companies like Facebook and Google facing suits for large damages of €3.9 billion and €3.7 billion respectively in Europe. Max Schrems, the Austrian privacy campaigner, sued these companies in May 2018 for offering an “all or nothing” choice by asking their users to check a small box to allow them access to services. This, he alleged, was in clear violation of the European GDPR requirements that give users control over the storage or use of their personal information.
Data Protection in India
The advent of mobile connectivity in India, combined with the widespread prevalence of social media, Internet banking and e-commerce, has resulted in the availability of personal information that can be misused by people accessing it. In India too, instances of misuse of personal information resulted in an amendment to the Information Technology Act, 2000, in 2008 to include two sections, 43A and 72A, both drafted with the intent of protecting against misuse of personal information.
• Section 43A contains the provision for compensating the person whose data is misused. It requires those collecting the data to implement and maintain reasonable security practices and procedures to prevent misuse of sensitive personal data or information and provides compensation of a maximum of Rs. 5 crores to the person affected by its misuse, i.e. wrongful loss to the person or wrongful gain by the person misusing the data.
• Section 72A contains the provision for penalizing the person who has caused the misuse of data. It provides for imprisonment for a period up to three years and/or a fine up to Rs. 500,000/- for a person who causes wrongful loss or wrongful gain by disclosing personal information of another person without their consent, while providing services under the terms of a lawful contract.
Following the global trends, India too has proposed the Bill “The Personal Data Protection Bill, 2018”, which also protects personal data from being misused. In line with the European GDPR requirements, the Indian Bill also provides for limiting the purpose at the time of collection, lawful processing, processing personal data based on consent, the right to confirmation and access, the right to be forgotten, security safeguards in dealing with personal data and the designation of a Data Protection Officer who is responsible for ensuring data protection. The Bill also provides exemption from these regulations where data is used for research, archiving or statistical analysis, and for journalistic, personal and domestic purposes.
The penal provisions contained in the Bill are quite stiff and operate at two levels. At the lower level, the penalty may extend up to Rs. 5 crores or 2% of the worldwide turnover in the previous financial year of the entity violating the Bill, and at the higher end, Rs. 15 crores or 4% of the worldwide turnover.
GDPR for Company Secretaries
The Personal Data Protection Bill, 2018 defines ‘personal data’ as data about a natural person, and hence it does not cover data pertaining to legal entities like companies.
However, as a company stores data pertaining to natural persons, including data of a personal nature capable of identifying a natural person, Company Secretaries need to exercise caution in dealing with data pertaining to natural persons in the course of their work. Further, where they store personal data, they or their IT team should ensure that the personal data stored by them has its privacy protected by design. The highest level of protection for Personally Identifiable Information is ISO 27018 certification.
We at CimplyFive are glad to share with you that BLISS and its variants have ISO 27018 certification with the scope “Protection of Personally Identifiable Information (PII) in BLISS and its variants hosted in the cloud environment.” Company Secretaries using BLISS and its variants can rest assured that the personal information stored by your company is privacy protected by design.