The Department of Information Technology had notified Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 under section 43A of the Information Technology Act, 2000 on 11.4.2011 vide notification no. G.S.R. 313(E). These rules are regarding sensitive personal data or information and are applicable to the body corporate or any person located within India. Any such body corporate providing services relating to collection, storage, dealing or handling of sensitive personal data or information under contractual obligation with any legal entity located within or outside India is not subject to the requirement of Rules 5 & 6. Body corporate, providing services to the provider of information under a contractual obligation directly with them, as the case may be, however, is subject to Rules 5 & 6. Providers of information, as referred to in these Rules, are those natural persons who provide sensitive personal data or information to a body corporate. It is also clarified that privacy policy, as prescribed in Rule 4, relates to the body corporate and is not with respect to any particular obligation under any contract. Further, in Rule 5(1) consent includes consent given by any mode of electronic communication.
