Sensitive Personal Data under Personal Data Protection Bill-2019 (Part-6)

Our last article mentioned Sensitive Personal Data only briefly. This article discusses its meaning, the categorisation of personal data as Sensitive Personal Data, the processing of Sensitive Personal Data of children, the prohibition of processing of Sensitive Personal Data, the conditions for transfer of Sensitive Personal Data, etc.

What is Sensitive Personal Data?

Sensitive Personal Data is personal data which may reveal, be related to, or constitute any of the following:

  1. Financial Data
  2. Health Data
  3. Official Identifier
  4. Sex Life
  5. Sexual Orientation
  6. Biometrics Data
  7. Genetic Data
  8. Transgender Status
  9. Intersex Status
  10. Caste or Tribe
  11. Religious or Political Belief or Affiliation, or data categorised as such under section 15 of the Act.

Categorisation of Personal Data as Sensitive Personal Data

Section 15 authorizes the Central Government to notify the categories of personal data which are to be marked as “Sensitive Personal Data”. In making such a categorisation, the factors to be considered include the risk of significant harm to the Data Principal from such processing, the expectation of confidentiality, the adequacy of protection afforded to the data, etc.

Transparency & Accountability Measures

Where the Data Fiduciary intends to undertake processing of Sensitive Personal Data as mentioned above, which carries substantial harm to the Data Principal, the processing cannot commence unless the Data Fiduciary has undertaken a Data Protection Impact Assessment as per the provisions.

Restriction on Transfer of the Sensitive Personal Data

The Act imposes a condition and clarifies that the Sensitive Personal Information may be transferred outside India but it cannot continue to be stored in India. The Sensitive Personal Information may only be transferred when express consent is obtained from the Data Principal for such transfer.

However, in the case of a transfer under an intra-group scheme, approval for the transfer is to be given only when provisions are made for:

  1. Effective protection of the rights of the Data Principal,
  2. Liability of the Data Fiduciary for non-compliance with those provisions.

The Sensitive Personal Information is subjected to an adequate level of protection before its transfer.
