India's Data Protection Rules And Their Impact On The Banking And Financial Services Industry

Author: Mr Kartik Maheshwari, Gowree Gokhale and Huzefa Tavawalla
Profession: Nishith Desai Associates

Reproduced with permission from World Data Protection Report, 09/23/2011. Copyright © 2011 by The Bureau of National Affairs, Inc. (800-372-1033)

According to a report by global management consultancy McKinsey & Co., as many as 7 percent of bank account holders in India conduct banking transactions online, which represents a sevenfold jump since 2007, whereas branch banking has fallen by 15 percent. Furthermore, it is envisaged that non-traditional forms of banking are going to rise, with an increasing number of banks introducing novel platforms such as telebanking, mobile banking, etc., to provide ease and convenience to their customers.

Usage of the internet and electronic media for conducting business, especially financial transactions, prompted the Government of India to enact the Information Technology Act, 2000 ("Act"). The Act provides for recognition of electronic signatures, e-documents and e-transactions, and seeks to control offences conducted over the internet. Also, post-2001, the Reserve Bank of India introduced guidelines governing internet banking, confidentiality, anti-money laundering and know-your-customer norms, which may have prompted customers to move towards the e-platform, albeit with some concerns with respect to the privacy and security of their banking transactions.

In view of the growing outsourcing industry and e-commerce environment, the Government attempted to introduce a separate bill called the "Personal Data Protection Bill 2006" to protect the privacy of individuals, but the bill was not passed into law. In the meantime, the Act was amended in 2008 to include Section 43A and Section 72A to protect personal data ("PI") and sensitive personal data and information ("SPDI").

Recently, effective April 11, 2011, the Government also brought into effect certain rules to support the said provisions ("Rules") (see analysis at WDPR, May 2011, page 11).

Sensitive Personal Data or Information (SPDI): any information that is not freely available and relates to a person's password, financial information, health condition, sexual orientation, medical records and history, or biometric information, or any detail relating to the above clauses, as provided to a body corporate for providing a service or for processing, and stored or processed under a lawful contract or otherwise, is defined as SPDI.

These Rules apply to bodies corporate or persons located within India and relate to information of natural persons.

Since banks collect SPDI, they need to comply with the Rules, which lay down certain procedures...