Data Protection for Civil Society Organisations

Personal and sensitive data might be collected for various purposes. For instance:

Human Resource Management

• Personal and Sensitive Personal Data of permanent employees and contractual workers. 
• Personal Data of job applicants and interns

For Research Studies

• Sensitive and personal data of research subjects. This may include a wide array of personal and sensitive information based on the scope of the study, such as name, address, date of birth, caste, health history, annual income etc
• Sensitive and personal data collected for impact measurement projects. 
• Data Collected for journalistic purposes

Other Instances

• Personal and Sensitive data of customers 
• Personal data of visitors to the office building
• Mailing lists

Let us look at some existing as well shortly expected legal compliance obligations pertaining to data protection and privacy that non-profits will have to ensure in their activities.

The Law on Personal and Sensitive Data

If a non-profit collects personal and sensitive data, it is required to follow the rules made under the Information Technology Act, 2000. This includes legal obligations regarding collection of information, transfer/Disclosure of data, security practices and procedures for storage and so on.

Central Rules[1] mandates the provision of a privacy policy on the website of all body corporates which collect personal and sensitive data. Further, it requires all body corporates to designate a Grievance Redressal Officer devoted for timely redressal of grievances. It also mandates implementation of reasonable security practices, procedures and standards to ensure security of the collected data. 

As per the Section 43A of the Information Technology Act, 2000, all body corporates are responsible for implementing and maintaining reasonable security measures to ensure no wrongful loss/gain is done to any person due to processing, dealing, or handling of sensitive personal information. Failure of this can attract liabilities to pay damages. This applies to all non-profits – including trusts, societies, section 8 companies or any association of individuals engaged in professional activities.

Individuals who have access to personal information under a contract are also responsible for the protection of personal information under Section 72A of the same Act. Disclosure of any personal information without consent of the person or in breach of the contract can attract a punishment of fine and imprisonment. 

Central Rules 

Central Rules made under the Information Technology Act mandates the provision of a privacy policy on the website of the body corporate. Access to this policy by subjects who provide sensitive information must be ensured. The privacy policy must include: 

• Clear and easily accessible statements of its practices and policies;
• Type of personal or sensitive personal data or information collected; 
• Purpose of collection and usage of such information;
• Disclosure of information including sensitive personal data or information; and
• Reasonable security practices and procedures undertaken.

Good Practices to Implement Re: Data Collection, Processing & Storage: 

1. Having a legal basis for securing the information via consent form/ agreement
2. Obtaining written consent from the provider of sensitive information
3. Informing the provider of the purpose of usage of such collection
4. Collection of information only if: 

• There is a lawful purpose connected with a function of activity of the body corporate or any person on its behalf; and 
• Sensitive personal data or information is considered necessary for that purpose.

1. Encryption of data to ensure safekeeping
2. Data anonymization to ensure that any information cannot be traced back to the data principle (If possible)
3. Limiting access to personal and sensitive data through multiple levels of security measures
4. Caution while transferring personal or sensitive data (through informed and implicit consent)– via proper confidentiality obligations in contracts/MOUs                 
5. Timely disposal/erasure of data &robust data retention policies
6. Have the following policies tailored to your organization’s activities and risk levels:

• Data protection policy
• Privacy policy
• Cookies policy
• Data Processing Policy
• Data Retention policy
• Data protection clauses in agreements with third parties processing the data

Foreseeable Changes in Data Protection Laws

The landscape of data protection laws is expected to change upon the passing of Personal Data Protection Bill, 2019. The bill provides for several new requirements like data de-identification, encryption, and anonymization. Some of the new legal introductions that the bill envisages are:

• Restriction on the storage of personal data outside India.
• Restrictions on the transfer of critical personal data (as notified by the central government) for processing outside India.
• Specific obligations in obtaining/ processing of information pertaining to children

In addition there are proposed laws such as the Digital Information Security in Healthcare Act, 2018 (DISHA) and various regulatory frameworks being proposed on maintaining the confidentiality of personal, non-personal and medical data.

NGOs must start adopting healthy practices recognising the value of data to ensure that the privacy of its data subjects are protected and that data is not illegally mined.

[1] The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011