were notified by the Government of India under the Information Technology Act, 2000 and came into force on 11 April 2011. These rules regulate how organizations handle Sensitive Personal Data or Information (SPDI) in electronic form and impose legal accountability for negligence in data protection.
Applicability
The rules apply to every body corporate, including companies, firms, sole proprietorships, and professional entities that:
- collect, receive, store, process, or handle personal data
- operate in India or process data in connection with business carried out in India
Foreign entities are also covered if the data processing has a nexus with India.
Sensitive Personal Data or Information (SPDI)
SPDI under the rules includes:
- passwords
- financial information (bank account, credit/debit card details)
- physical, physiological, and mental health records
- medical records and history
- sexual orientation
- biometric information
Information that is freely available in the public domain or furnished under the RTI Act (Right to Information Act, 2005) is excluded.
Obligations of Body Corporates
Organizations handling SPDI must:
- publish a clear privacy policy on their website
- collect data only for lawful and necessary purposes
- obtain prior consent before collecting SPDI
- use the data strictly for the stated purpose
- retain data only as long as required by law or business need
- allow individuals to review and correct their information
Disclosure and Data Transfer
- SPDI cannot be disclosed to third parties without consent, except for legal obligations
- Cross-border or third-party transfers are allowed only if:
  - the recipient ensures the same level of data protection, and
  - the transfer is necessary for lawful contract performance
Reasonable Security Practices
Compliance requires implementation of reasonable security practices and procedures, which may include:
- adoption of ISO/IEC 27001, or
- a government-approved documented information security programme
Security controls must address managerial, technical, operational, and physical safeguards.
Liability for Data Breach
If a body corporate is negligent in implementing security practices and causes wrongful loss or gain:
- it is liable to pay compensation under Section 43A of the IT Act
- liability is civil, not criminal, and does not require intent
Grievance Redressal
- appointment of a Grievance Officer is mandatory
- contact details must be published
- complaints must be resolved within one month
Legal Significance
These rules form India’s first enforceable data protection framework for private entities and continue to apply where not expressly overridden by newer data protection laws. Non-compliance exposes organizations to financial liability and regulatory scrutiny.
