29 July 2014, Pravin Anand and Shantanu Sahay

Outsourcing and security: issues in the Indian BPO sector

A primary concern for the managers of a business outsourcing work to India is data security. Security breaches may result in losing not only large sums of money and potentially sensitive data but also the trust of the client. Data security is an essential aspect of the business process outsourcing (BPO) industry.

Although there is no specific legislation dealing with data protection, the jurisprudence relating to data security has its source in the Indian Constitution, Article 21 of which states that no person shall be deprived of his life or personal liberty except according to procedure established by law.

Judicial activism has led to the inclusion of privacy within the realm of fundamental rights and, further, the Supreme Court has on various occasions held that personal liberty means life free from encroachments unsustainable in law. Any unlawful invasion of privacy would make the offender liable for the consequences in accordance with the law.

The Indian Penal Code does not specifically address issues relating to breaches of data privacy but, under the code, liability for such breaches can be inferred from related crimes. Section 403 of the code imposes criminal liability for dishonest misappropriation or conversion of movable property for one’s own use.

Moreover, Section 43 of the Information Technology Act provides for civil liability in cases of data and computer database theft, and may cover computer trespass, unauthorised digital copying, the downloading and extraction of data, computer databases or information, the theft of data held or stored in media, the unauthorised transmission of data or programs within a computer, computer system or computer network, the use of spyware, etc.

Further, Section 72 of the act provides that any person who, in pursuance of any of the powers conferred under the act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material and, without the consent of the person concerned, discloses it to any other person shall be punished with imprisonment for a term that may extend to two years, or a fine of up to 100,000 rupees ($1,675), or both.

Companies, primarily BPO call centres, are making use of contract law to secure the data that circulates within their organisations, entering into non-circumvention and non-disclosure agreements, user-licence agreements and the like. BPO companies have also adopted information security management processes that restrict the amount of data made available to call-centre employees to what their role requires, so that a single compromised or dishonest employee can expose only a limited portion of the client's data.

Data compilations being protected under copyright law, the Indian Copyright Act sets out the punishments in cases of infringement. Further, Section 63B of the act provides that any person who knowingly makes use on a computer of an infringing copy of a computer program shall be punishable with imprisonment for a term of not less than seven days, which may extend to three years, together with a fine.

Privacy rules

On April 11, 2011 the Ministry of Communications and Information Technology published rules implementing certain provisions of the Information Technology Act 2000, as amended in 2008, dealing with the protection of sensitive personal data and the security practices and procedures that must be followed by organisations dealing with sensitive personal data.


These rules, also known as the data privacy rules, refer consistently to ‘sensitive personal data or information’. Personal information means any information that relates to a natural person and that, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such a person.

Under the data privacy rules, sensitive data is defined as personal information that relates to:

a) Passwords;

b) Financial information such as bank account or credit card or debit card or other payment instrument details;

c) Physical, psychological and mental health conditions;

d) Sexual orientation;

e) Medical records and history;

f) Biometric information;

g) Any detail relating to (a) to (f) above received by the body corporate for provision of services; or

h) Any information relating to (a) to (g) that is received, stored or processed by the body corporate under a lawful contract or otherwise.

Sensitive data is broadly defined to include data obtained by any method, including under a lawful contract. It is to be noted that any information that is freely available or accessible in the public domain, or furnished under the Right to Information Act, is excluded from the ambit of the above definition.

The body corporate has been defined as any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities. The term ‘body corporate’ is not restricted to a body corporate established in India but includes a foreign body corporate, an issue relevant in the IT BPO industry. Furthermore, application of the rules is not limited to sensitive data belonging to Indian residents.

The data privacy rules state that prior to collection of sensitive data, the body corporate or the data processor must obtain prior written consent, by letter, fax or email, from the prospective provider regarding the purpose of usage of such data. Further, sensitive data must not be collected unless it is for a lawful purpose connected with a function of the body corporate, or the data processor, and the collection is necessary for that purpose.

While collecting sensitive data directly from the provider, the body corporate or the data processor must ensure that the provider is informed about the following:

i. The fact that sensitive data is being collected;

ii. The purpose for which it will be used;

iii. Who the intended recipients are;

iv. Which agency is collecting it; and

v. Which agency will be retaining the sensitive data.

Further, prior to collection of sensitive data, the body corporate or the data processor must ensure that the provider is given the option of declining to provide the sensitive data. A provider that has already consented to the collection of sensitive data must be able to communicate a withdrawal of consent, in writing, at any time. The data privacy rules, however, do not detail the procedure to be followed by the provider in exercising his right to access and correct the data.

The data privacy rules implement Section 43A of the IT Act, under which a body corporate that possesses, deals with or handles sensitive data in a computer resource is liable to pay compensation if it is negligent in implementing and maintaining reasonable security practices and procedures, and such negligence results in wrongful loss or wrongful gain to any person. The rules treat a documented information security programme and policies as ‘reasonable security practices’, and expressly name the international standard IS/ISO/IEC 27001 as one such standard; a body corporate that implements such a standard and has it audited by a government-approved auditor is taken to have complied with this requirement.

The IT Act does not, however, provide specific penalties for breach of the obligations under the data privacy rules relating to the collection, processing, disclosure or transfer of sensitive data. Under Section 72A of the IT Act, a person who is providing services under a lawful contract may be liable to imprisonment for a term of up to three years, or a fine of up to 500,000 rupees ($8,374), or both, for disclosure of personal information of any individual: (a) with the intent to cause, or knowing that he is likely to cause, wrongful loss or wrongful gain; and (b) without the consent of such individual, or in breach of a lawful contract.

The IT Act does not define ‘personal information’. It is however defined in the context of sensitive data under the data privacy rules that implement Section 43A of the IT Act.

Private efforts

The National Association of Software and Service Companies (NASSCOM) is India's national information technology trade group and has been the driving force behind many private-sector efforts to improve data security. For example, NASSCOM has created a national skills registry, which is a centralised database of employees of IT services and BPO companies. The database allows employers to verify, with independent background checks, the human resources within the industry.

Further, a self-regulatory organisation has been launched to establish, monitor and enforce privacy and data protection standards for India’s BPO industry. The organisation has already completed its initial round of funding, and the final rollout phase, including industry membership, is underway.

Pravin Anand is managing partner at Anand and Anand. He can be contacted at: pravin@anandandanand.com

Shantanu Sahay is a managing associate at Anand and Anand. He can be contacted at: shantanu@anandandanand.com
