Chapter 17: Data Protection & Electronic Crimes-Theory Flashcards
Chapter Introduction.
The law relating to the protection of individuals' personal data, i.e. the “Personal Data Protection Bill, 2020”, is in draft stage. Before this law, protection of individuals was dealt with in various other laws, e.g.:
- Payment System and Electronic Fund Transfers Act, 2007 (for secrecy of customer information held by financial institutions)
- Telecom Consumer Protection Regulations, 2009 (for illegal practices of telecom operators, i.e. illegal use of personal data of subscribers)
- Prevention of Electronic Crimes Act, 2016 (PECA)
What does the “Personal Data Protection Bill, 2020” describe? (4)
This law describes:
- Definitions
- Key Principles for Organizations for collection, processing, use and disclosure of personal data of individuals.
- Rights of Individuals regarding their personal data.
- Offences and punishments for violation of data privacy are also discussed in “Prevention of Electronic Crimes Act, 2016”.
Define “Data Subject”.
Natural Persons whose personal data is being collected/processed.
Define “Data Controller”.
A person who collects/processes data.
Define “Personal Data”.
Personal data means information of a Data Subject which is in possession of a Data Controller and from which he can be identified.
- It includes Sensitive Personal Data.
- It does not include encrypted (or anonymized or pseudonymized) data which is unable to identify an individual.
Define “Sensitive Personal Data”. (5)
It means data relating to Access Controls (i.e. usernames and passwords) which provides access to:
- Financial information (e.g. bank account, debit/credit card or other payment instruments).
- Passport, Biometric Data
- Medical Records (including physical, psychological or mental health records)
- Religious beliefs, ethnicity.
Define “Consent”.
Consent means clear and free agreement by the data subject allowing the collection and processing of data relating to him.
List down Key Principles for Personal Data Processing. (7 Points)
- Lawfulness, fairness and transparency
- Data minimization (i.e. only limited data must be obtained which is necessary for the purpose).
- Purpose limitation
- Accuracy
- Security (i.e. Integrity and confidentiality)
- Storage limitation
- Accountability
List down Rights of Individuals regarding Processing of Personal Data. (9 Points)
- Right to be informed
- Right of access to data (including right to get copies of data)
- Right to rectification of errors
- Right to be forgotten / Right of erasure
- Right to object to processing and marketing
- Right to restrict processing
- Right to data portability
- Right to withdraw consent
- Right to complain to the relevant data protection authority
Introduction to “Prevention of Electronic Crimes Act, 2016” / What does the “Prevention of Electronic Crimes Act, 2016” discuss? Elaborate.
- Electronic Crimes, and
- Procedures for investigation, and
- Punishments for Electronic Crimes.
Define term “Access to Information System”.
Access to information system means gaining ability to use information system, in part or whole.
Define term “Access to Data”.
Access to data means gaining the ability to use, copy, delete or modify data held in a device or information system.
Define term “Damage to Data”.
Data Damage means unauthorized addition, deletion, alteration, relocation or making data unavailable (temporarily or permanently).
Define term “Unauthorized Access”.
It means accessing an information system or data which is not available to the general public, without authorization or in violation of the terms and conditions of authorization.
Define term “Critical Infrastructure”.
It means those elements of infrastructure (i.e. assets, facilities, systems, networks, or processes) whose loss may result in:
- Adverse effect on availability or delivery of essential services (including services whose disturbance can cause loss of life or casualties), taking into account significant economic or social impact.
- Adverse effect on national security, national defence or functioning of the state.
Government can also designate any Govt. or Private infrastructure to be Critical Infrastructure.