Data PrivacyUnderlying difference between Personal Data and Sensitive Personal Data

INTRODUCTION

Any piece of information used by any individual to identify other individual with some accuracy is known as personal data, which can be name, number, address, age email id, etc. Personal data can even be a piece of information that classifies the presence of any individual. Physical address or phone number is considered personal data and one can even be contacted using that information.

Personal data is also classified as any information that can affirm any individual’s physical existence. For example, a name, home address, Internet Protocol address, location data, etc., all fall under the ambit of personal data.

Subsequently, sensitive personal data are the specific set of special categories of data that must be treated and safeguarded with an additional layer of security. Usually, these categories are data pertaining to racial or ethnic origin, political opinions, genetic data, biometric data, etc.

The misuse or mishandling of personal data or sensitive personal data can result in severe consequences, including identity theft, financial fraud, and other forms of cybercrime. Therefore, it is essential to understand the importance of such  data and take necessary measures to safeguard it.

CURRENT POSITION OF DATA PROTECTION LAWS IN INDIA

The Right to Privacy and data protection have been declared as a fundamental right by the Supreme Court of India in the case of Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1, in 2017. The Information Technology Rules, 2011 (IT Rules, 2011) governs the handling of personal information, including sensitive personal data or information, by regulating its collection, storage, handling, transfer, disclosure, and security practices. However, the IT Rules are considered inadequate as they do not address the misuse of data collected from children, data breaches by corporations outside India, and the narrow definition of sensitive data.

In 2019, the Personal Data Protection Bill (“2019 Bill”) was introduced in the Indian Parliament to address concerns around the collection, processing, and storage of personal data of individuals by both Government and private entities. Eventually, in August 2022, the Bill introduced in 2019 was  withdrawn from Parliament by the Government. Later, On November 18, 2022, the Ministry of Electronics and Information Technology proposed new Bill, namely the Digital Personal Data protection Bill, 2022. (“2022 Bill”).

PERSONAL DATA AND SENSITIVE PERSONAL DATA UNDER THE 2022 BILL

The 2022 Bill defines “personal data” as any data about an individual who is identifiable by or in such data. The 2022 Bill on data protection differs from the 2019 Bill on Sensitive Personal Data.

Unlike the 2019 Bill, the 2022 Bill does not distinguish between sensitive and critical personal data. On the contrary, the Sensitive Personal Data was defined under Section 2 (35) of 2019 Bill. The 2019 Bill interpreted a bunch of data related to an individual as ‘sensitive’. The list includes – Financial data, official identifier, and biometric data, genetic, health, or biological data, data related to sexual orientation or gender status (mainly intersex or transgender status), data on caste/class/tribe, sex life, and lastly political or religious beliefs and affiliations.

The 2019 Bill was applicable to all forms of personal data, but, the 2022 Bill is only applicable to digital personal data, which includes both online and offline data that has been digitized. The 2022 Bill also allows for the transfer of personal data, subject to conditions determined by the Central Government after an assessment of relevant factors.

The Government may also issue further conditions for cross-border data transfers when notifying the jurisdictions outside India where personal data may be transferred. The 2022 Bill does not include requirements for data localization for critical personal data.

DIFFERENCE BETWEEN PERSONAL DATA AND SENSITIVE PERSONAL DATA

The definition of “personal data” under 2022 Bill refers to any information or data that pertains to an identifiable individual. The data may either be directly identifying or may be used in conjunction with other available data to identify the individual.

Personal data may include a variety of information such as name, address, email address, phone number, date of birth, identification number, biometric information, financial information, location data, online identifiers, and other details that can be linked to an individual. The said definition of personal data is critical as it forms the basis of data protection regulations and outlines the scope of protection afforded to individuals with regard to their personal data.

On the other hand, sensitive personal data is a category of personal data that requires special handling due to its sensitive nature and potential impact on an individual’s privacy if not collected, stored, processed, transferred, or erased carefully and securely.

The 2022 Bill does not recognize the concept of sensitive personal data, that may cause significant harm to a Data Principal if compromised due to any mishap during its collection or processing. However, it acknowledges that individuals have an expectation of confidentiality when such data is processed by authorities.

Under Section 11 (1) of 2022 Bill, the Central Government can notify any Data Fiduciary as “Significant Data Fiduciary” on the basis of the volume and sensitivity of personal data processed by that Data Fiduciary.

The 2022 Bill have not identified any type of data as “sensitive” but, in general several types of data can be identified as sensitive, including financial data, official identifiers, biometric data, genetic, health or biological data, data related to sexual orientation or gender status, data on caste/class/tribe, sex life, and political or religious beliefs and affiliations.

AMLEGALS REMARKS

Sensitive personal data is a subset of personal data that requires special handling due to its sensitive nature and potential impact on an individual’s privacy. While personal data refers to any information or data related to an identifiable individual, sensitive personal data specifically includes information that, if compromised, may cause significant harm to the individual.

The data protection regulations in various countries provide additional protection for sensitive personal data by imposing stricter regulations on its collection, processing, storage, and transfer. It is essential for organizations to recognize and appropriately handle sensitive personal data to protect the privacy and security of individuals.

– Team AMLEGALS assisted by Mr. Vinay Sachdev (Intern)