The Personal Data Protection Bill, 2019: Obligation of Data Fiduciary (Part 5)

In our earlier article we covered who the Data Fiduciary and the Data Principal are, the relationship between them, and how the connecting link between the two is the data itself. In this article we discuss the obligations of the Data Fiduciary, which are set out in Chapter II of the Bill.

The Obligation of Data Fiduciary (Chapter II)

  1. Data Fiduciary is obliged to limit the processing of Personal Data

Personal data shall be processed in a fair and reasonable manner, ensuring the privacy of the Data Principal.

  2. Data Fiduciary is obliged to limit the collection of Personal Data

This section restricts the acquisition of Personal Data and mandates that only the data necessary for the purpose be collected, nothing more or less.

  3. Data Fiduciary is required to send notice

Under this obligation, the Data Fiduciary is required to give notice to the Data Principal at the time of collection of Personal Data.

  4. Data Fiduciary is to maintain the quality of processed Data

Under this obligation, the Data Fiduciary is mandated to take the necessary steps to ensure that the data processed is complete, accurate, not misleading and updated as needed for the required purposes.

  5. Data Fiduciary has to maintain the restriction on retention of Personal Data

The Data Fiduciary is not allowed to retain Personal Data beyond the period necessary for the purposes, and on fulfilment of the purposes (processing) the Data Fiduciary is mandated to delete the Personal Data.

The Bill further mandates the Data Fiduciary to undertake a periodic review to determine whether retention of the Personal Data is still necessary.

  6. Data Fiduciary is accountable for the Personal Data

The obligation under Section 10 makes the Data Fiduciary responsible for compliance with the provisions of the Bill (potential Act) with respect to processing undertaken by it or on its behalf.

  7. Data Fiduciary to ensure the consent

Processing of the data shall not be undertaken unless consent is obtained from the Data Principal at the time of its processing/collection. The Bill further states that consent shall not be valid unless it is free, informed, specific, clear and capable of being withdrawn.

In the case of Sensitive Personal Information, such data shall be obtained only with express information about the purpose or operation which is likely to, or has the potential to, cause significant harm to the Data Principal.

We shall discuss the detailed meaning and provisions of Sensitive Personal Data in tomorrow’s post, as this can be a topic of discussion and compliance.

Picture Credit- https://www.termsfeed.com