Personal Information Data Protection
The Rules relate to sensitive personal data or information4.
The Rules apply to a body corporate or any person located within India.
Providers of information, as described in the Rules, are those natural persons who provide sensitive personal data or information to a body corporate.
A body corporate:
- providing services to the providers of information under a contractual obligation directly with them, is subject to the requirements of Collection of Information and Disclosure of Information under the Rules.
- providing services relating to collection, storage, dealing or handling of sensitive personal data or information under contractual obligation with any legal entity located within or outside India is not subject to the requirements of Collection of Information and Disclosure of Information under the Rules.
As a provider of banking and financial services, Barclays Bank PLC, India (“Barclays”), either directly or through its authorized service providers, collects, receives, possesses, stores, deals or handles information of providers of information.
provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of the Rules.
(i) Statements of Practices and Policies;
The following Privacy Principles are fundamental for Barclays in connection with its activities:
1) personal information will be processed fairly and lawfully.
This means that Barclays will:
- only collect and use necessary personal information if there are lawful bases and legitimate business reasons to do so; and
- be transparent with the providers of personal information as to what information about them will be collected and how it will be processed.
2) personal information will only be used for the purposes for which it was received and about which the provider was informed.
Accordingly, information received for a particular purpose will not be used for any other activity without the provider having been informed, and, where required, only if the provider?s permission is obtained.
3) Barclays will seek personal information that is adequate, and relevant. Barclays will:
- not ask for information beyond what is required for the purpose; and
- not record information merely for its sake.
4) Barclays will endeavour that personal information is accurate and up to date. This means that Barclays will:
- update records when a provider informs Barclays of a change; and
- periodically review and assess the information available.
5) Barclays will only keep personal information for as long as is necessary for the purpose(s) for which it was originally collected.
This means that Barclays will:
- comply with applicable jurisdictional records retention requirements and apply information retention rationale which are reasonable in context; and
- ensure that information is securely disposed of at the end of the appropriate retention period.
6) Barclays will observe the rights afforded to individuals under applicable jurisdictional privacy laws, which may include:
- The right to opt-out of receiving marketing communication from Barclays Group entities
- The right to withdraw consent with regard to information or to opt out with regard to information
- The right to have inaccurate information/discrepancies corrected, and information previously provided amended
- The right of access to information that has been provided
- The right to have grievances addressed expeditiously.
Barclays will endeavour that all queries relating to privacy are promptly and transparently dealt with in accordance with applicable jurisdictional laws and regulations.
7) Barclays will put in place appropriate measures to protect personal information from accidental/unauthorised disclosure, theft, damage, loss, alteration, etc.
- train staff, and inform service providers on privacy obligations.
- deploy commensurate security measures to protect personal information whether it is on or off-site. (The level of security will depend on the nature of the data and the potential harm that could be caused by accidental/unauthorised loss or disclosure of the information).
- comply with applicable jurisdictional confidentiality and security policies and guidelines.
- ensure that a secure method of transit is employed whenever personal information is transferred between locations.
- ensure that where processes are outsourced, the service provider has appropriate security measures in place and is contractually bound to relevant privacy obligations.
8) Barclays will ensure that suitable safeguards are in place when personal information is transferred from India to other countries.
Any personal information which Barclays is responsible for will be adequately protected in the country of destination in consonance with the protection available under the Rules.
(ii) Type of personal or sensitive personal data or information collected (please see Footnote 3);
At Barclays, personal information includes all information about the provider, including visual images or expressions of opinion, recorded in electronic format (e.g. in databases, documents, spreadsheets, email, CCTV, voice recordings, etc.) and all information about persons recorded in structured hard copy filing systems (e.g. personnel files). In brief, any information from which an individual can be identified.
Some personal information may be classified as ’sensitive’ in some jurisdictions and generally, stricter rules apply. This may include, but is not limited to, information relating to an individual’s:
- race or ethnicity,
- political opinions,
- religious beliefs or similar beliefs,
- membership of a trade union,
- physical or mental health or condition,
- sexual orientation,
- commission or alleged commission of any offence,
- social security number,
- genetic data.
(iii) Purpose of collection and usage of such information;
Please refer to A(i).
(iv)Disclosure of Information including sensitive personal data or information;
Barclays or any person on its behalf shall not publish in public, sensitive personal data or information.
Disclosure of sensitive personal data or information by Barclays to any third party shall require prior permission from the provider of such information, who has provided such information under lawful contract or otherwise, unless
(a) such disclosure has been agreed to in the contract between Barclays and the provider of information, or
(b) where the disclosure is necessary for compliance of a legal obligation:
The Rules require that a third party receiving sensitive personal data or information from Barclays or any person on its behalf shall not disclose it further.
Information shall be shared, without obtaining prior consent from the provider of information, with Government agencies mandated under the law to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents 5 , prosecution, and punishment of offences.
Barclays will act upon a request in writing received from the Government agency which states clearly the purpose of seeking such information, and also states that the information so obtained shall not be published or shared with any other person.
Notwithstanding anything contained above, any sensitive personal data on Information shall be disclosed to any third party by an order under the law for the time being in force.
(v) Reasonable security practices and procedures6 :
In terms of the Rules,
Barclays or a person on its behalf shall be considered to have complied with reasonable security practices and procedures, if they
(a) have implemented such security practices and standards, and
(b) have a comprehensive documented information security programme and information security policies
that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business.
The international Standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements" is one such standard.
Any industry association or an entity formed by such an association, whose members are self-regulating by following other than IS/ISO/IEC codes of best practices for data protection, shall get its codes of best practices duly approved and notified by the Central Government for effective implementation.
Either IS/ISO/IEC 27001 standard or the codes of best practices for data protection as approved and notified shall be deemed to have complied with reasonable security practices and procedures provided these have been certified or audited on a regular basis through independent auditor, duly approved by the Central Government. The audit of reasonable security practices and procedures shall be carried out by an auditor at least once a year or as and when Barclays or a person on its behalf undertake significant upgradation of processes and computer resources.
In case of an information security breach, Barclays or a person on its behalf shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies.
Barclays Group standards have as their underpinning, the ISO27001 framework. The security practices and procedures are subject to statutory audit and regulatory inspection.
B. Collection of information:
(1) Barclays or any person on its behalf, shall obtain consent in writing by letter, facsimile, or email from the provider of the sensitive personal data or information regarding purpose of usage before collection of such information.
(2) Barclays or any person on its behalf shall not collect sensitive personal data or information unless
(a) the information is collected for a lawful purpose connected with a function or activity of Barclays or any person on its behalf; and
(b) the collection of the sensitive personal data or information is considered necessary for that purpose.
(3) While collecting information directly from the person concerned, Barclays or any person on its behalf shall take such steps as are, in the circumstances, reasonable to ensure that the person concerned has knowledge of-
(a) the fact that the information is being collected;
(b) the purpose for which the information is being collected;
(c) the intended recipients of the information; and
(d) the name and address of
(i) the agency that is collecting the information; and
(ii) the agency that will retain the information.
(4) Barclays or any person on its behalf holding sensitive personal data or information shall not retain that information for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force.
(5) The information collected shall be used for the purpose for which it has been collected.
(6) Barclays or any person on its behalf shall permit the providers of information, as and when requested by them, to review the information they had provided and ensure that any personal information or sensitive personal data or information found to be inaccurate or deficient shall be corrected or amended as feasible.
Provided that Barclays shall not be responsible for the authenticity of the personal information or sensitive personal data or information supplied by the provider of information to Barclays or any other person acting on behalf of Barclays.
(7) Barclays or any person on its behalf shall, prior to the collection of information including sensitive personal data or information, provide an option to the provider of the information to not provide the data or information sought to be collected.
The provider of information shall, at any time while availing services or otherwise, also have an option to withdraw its consent given earlier to Barclays.
Such withdrawal of the consent shall be sent in writing to Barclays.
In case of provider of information not providing or later on withdrawing consent, Barclays shall have the option not to provide goods or services for which the said information was sought.
(8) Barclays or any person on its behalf shall keep the information secure as provided in Rule 8 (‘Reasonable Security Practices and Procedures’).
(9) Barclays shall address any discrepancies and grievances of the provider of the information with respect to processing of information, in a time bound manner. For this purpose, Barclays currently designates Allan Perry as the Grievance Officer, who may be contact at +91 22 6175 4623 and email@example.com.
The Grievance Officer shall redress grievances expeditiously and within one month from the date of receipt of grievance.
C. Transfer of information:
Barclays or any person on its behalf may transfer sensitive personal data or information including any information, to
(a) any other body corporate or a person in India, or
(b) located in any other country,
which ensures the same level of data protection that is adhered to by Barclays as provided for under the Rules. The transfer will be allowed only if it is necessary for the performance of the lawful contract between Barclays or any person on its behalf and the provider of information or where such person has consented to data transfer.
1) Data: means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer;
2) Information: includes data, text, images, sound, voice, codes, computer programmes, software and databases or micro film or computer generated micro fiche;
3) Please also refer to the Press Note Clarification issued on August 24, 2011 by the Ministry of Communications & Information Technology (Dept. of Information Technology), Government of India.
4) Sensitive personal data or information: Sensitive personal data or information of a person means such personal information which consists of information relating to;
(i) password (means a secret word or phrase or code or passphrase or secret key, or encryption or decryption keys that one uses to gain admittance or access to information);
(ii) financial information such as Bank account or credit card or debit card or other payment instrument details;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) Biometric information (“Biometrics” means technologies that measure and analyse human body characteristics, such as ‘fingerprints’, ‘eye retinas and irises’, ‘voice patterns’, ‘facial patterns’, ‘hand measurements’ and ‘DNA’ for authentication purposes.);
(vii) any detail relating to the above clauses as provided to body corporate for providing service; and
(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.
5) Cyber incidents: means any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorization;
6) Reasonable security practices and procedures: means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;