Thursday, April 18, 2024

Privacy Policy for Businesses in India

by Aishwarya Agrawal

In 1890, Warren and Brandeis were pioneers in conceptualising the notion of privacy. In today’s information age, marked by globalisation, concerns over surveillance and privacy have escalated. With technology making giant leaps, governments have harnessed it to keep a very close eye on what people do, both in the real world and on the internet. This practice raises some big worries about infringing on an individual’s right to keep their stuff private.

All the data that’s gathered on individuals can be used to pull their strings, which really underlines why we need to keep an eye on government surveillance. The main job of the state is to keep its citizens safe while not sticking its nose too far into their business. Getting this balance right means we need some solid policies and plans in place that protect people’s privacy rights while still making sure the country stays secure. In this blog, we look at what a privacy policy for businesses in India should contain.

Fundamental Factors of a Privacy Policy for Businesses in India

The basic essentials of a privacy policy for businesses in India, based on the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the SPDI Rules), are:

Consent, Notice, and Transparency

A privacy policy must be clear and unambiguous, and must contain comprehensible statements of the practices and policies adopted by the organisation. The organisation must obtain consent before collecting or using such information. Consent includes the notions of ‘notice’ and ‘choice’. ‘Notice’ denotes the manner in which the privacy policy is presented to users, whereas ‘choice’ is the express option to opt in to and/or opt out of the information-sharing requirements.

Definition Clause

A privacy policy should have comprehensive and explicit definitions of the general terms (such as data, users, SPDI etc.) used in the policy.

User Information

A privacy policy should illustrate the type of PI or SPDI being collected.

Purpose

A privacy policy must clearly identify, in unambiguous terms, the purpose of data collection. Further, it should have a data minimisation clause to limit collection and processing to that which is relevant and reasonably necessary to accomplish legitimate commercial purposes. A change in the purpose triggers the requirements of notifying the users of such change.

Sharing and storage of user data

An organisation must obtain permission from users prior to disclosure of the collected PI / SPDI to third parties and/or its affiliates, except where such disclosure is mandated under law. Further, it should have data retention clauses governing the period of retention and the manner of disposal once the purpose is served.

Data security

The privacy policy must set out the reasonable security practices and procedures adopted by the organisation, including electronic and physical safeguards to maintain the security and confidentiality of data through authorised access, browser encryption etc.

Notification of change

Additionally, an announcement via email or website popups is required to inform users of periodic reviews of and updates to the policy.

Contact information

The privacy policy should contain the email, postal and telephone contact details of the organisation, so that users can raise queries or exercise their data protection rights.

Dispute Resolution

The SPDI Rules require the appointment of a Grievance Officer to whom users can report complaints, or the organisation’s unsatisfactory redress of those complaints.

Components of the Privacy Policy for Businesses in India

Mentioned below are the major components of a privacy policy for businesses in India:

1. Types of Data Gathered

The privacy policy for businesses in India must transparently outline the types of information being collected. This includes Personally Identifiable Information and Sensitive Personal Data, which should be explicitly mentioned.

2. Method of Data Collection

The privacy policy should detail how data is collected and its sources. This encompasses various channels such as email communication, support emails, and third-party APIs for login, specifying the data collected through these methods.

3. Purpose of Data Collection

The policy should clearly state the purpose behind data collection. Only the minimum necessary personal information should be collected for these specific purposes, with notification and obtaining of individual consent. Any change in purpose must be communicated to the individual.

4. Use of Third-Party Plugins and Data Collection

When a company relies on third-party plugins, the policy needs to tell users about these plugins, why they’re used, and whether they gather any information. It must also make it clear that the company isn’t accountable for data gathered by other websites.

5. Security Safeguards and Procedures

The privacy policy for businesses in India should detail the organisation’s security measures, in accordance with SPDI rules. This should include a comprehensive, documented information security program covering technical, managerial, physical, and operational security measures.

6. Usage of Cookies and Web Beacons

The policy should address the usage of cookies and web beacons, explaining their purpose and function. It should also inform users about their ability to disable cookies and any data collected through these technologies, such as browser type and IP address.

7. Contact for Complaints

The organisation should designate a grievance officer whose name and contact information should be prominently displayed on the website. This officer is responsible for addressing user complaints and discrepancies, with a commitment to resolve issues within one month of receiving a grievance submission.

Final Thoughts

Privacy policies for businesses in India are the bedrock of data protection in the digital age. They encompass vital elements like consent, data types, and security measures. Such policies strike a balance between individual privacy and collective security, underpinning trust in a data-driven world. They acknowledge the need for user consent, transparency, and minimal data collection.

Privacy policies address the intricacies of third-party plugins, cookies, and dispute resolution. In essence, they are indispensable tools for businesses dealing with the complex terrain of privacy and data security in the country.
