(a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?
Yes. Critical infrastructure is classified as a ‘protected system’ under the IT Act and its operation is subject to the Protected System Rules. Sectors that are typically classified as protected systems include telecoms, banking, insurance, transport, finance, power, energy and governance.
Protected system entities must:
- obtain approval for all information security policies from an information steering committee;
- appoint a chief information security officer;
- conduct vulnerability, threat or risk analysis on an annual basis; and
- ensure the timely reporting of cybersecurity incidents.
Any significant changes in network configuration are subject to approval by the information steering committee.
The cybersecurity provisions applicable to specific sectors are described in questions 1.2 and 4.1.
(b) Certain types of information (personal data, health information, financial information, classified information)?
India has no dedicated data protection law. However, specific provisions of the IT Act, along with the SPDI Rules, protect both personal information and SPDI, as applicable.
‘Personal information’ has been defined to mean information which relates to a natural person and which, either directly or indirectly in combination with any other available information, is capable of identifying such person. SPDI is a sub-category of personal information and includes specified datasets such as:
- passwords;
- financial information such as bank account, credit card, debit card or other payment instrument details;
- physical, physiological and mental health conditions;
- sexual orientation;
- medical records and history; and
- biometric information.
Section 72A and Section 43A of the IT Act and rules framed thereunder deal with the protection of personal data and SPDI respectively. Some of the requirements include:
- obtaining prior consent;
- publishing a privacy policy; and
- maintaining reasonable security standards and procedures, as applicable.