Sensitive Information as per Information Technology Rules
According to the Information Technology Rules, the following types of data are considered sensitive personal data to which the rules of Information Technology Act apply:
- Financial information such as Bank account or credit card or debit card or other payment instrument details
- Physical, physiological and mental health condition
- Sexual orientation
- Medical records and history
- Biometric information
However, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force cannot be considered sensitive personal data.
- Clear and easily accessible statements of its practices and policies
- Type of personal or sensitive personal data or information collected
- Purpose of collection and usage of such information
- Disclosure of information including sensitive personal data or information
- Reasonable security practices and procedures adopted
The Information Technology Rules require for all body corporates to address any discrepancies and grievances of the provider of information with respect to processing of information in a time bound manner. For this purpose, the body corporate is required to designate a Grievance Officer and publish his name and contact details on its website. The Grievance Officer would then be responsible for addressing the grievances of information providers in an expeditiously manner within one month from the date of receipt of grievance.