Sensitive Personal Data: definition and legal protection
Priyanka Kumari
9th semester BALLB
Introduction
Growing digitization is an attribute of the current information era. Our entire lives are measured
by technological innovations. These gathered data serve as the framework for data-driven
services, also known as smart services. They may adapt their functions to suit the needs of the
user by adapting to a particular circumstance. Thus, it should come as no surprise that their
primary resource—data—is suddenly an asset that is also tradeable. Nevertheless, this tendency
has drawbacks as well because the collected data provides a wealth of information about
different data subjects. Data protection rules limit the processing of sensitive data to avoid
uncontrolled insights into private or confidential topics. In this context, easily navigable privacy
mechanisms are a crucial component.
Regardless of whether the data was initially gathered in India or another country, the DPDPA
safeguards personal information processed in India. Even if the data is handled outside of India,
the Act nonetheless governs the handling of Indian citizens' personal information.
Data protection laws frequently employ consent as a means of approving the use of sensitive and
personal information. There are various ways to interpret the importance and purpose of consent
in such laws. It may be said to play a major, even starring, role in demonstrating respect for data
sovereignty and informational self-determination.
Meaning of Data and its types
"Personal data is the new currency of the digital world and the new oil of the internet."
Even the new data protection law, i.e. the Digital Personal Data Protection Act, 2023, does
not divide personal data into categories such as sensitive personal data and general personal data;
instead, it encompasses all types of personal data. There used to be a distinction between several
sorts of data under Indian law, each of which needed a different set of safeguards. The Act
streamlines the system for all data fiduciaries ("Data Fiduciary") and data processors ("Data
Processor") that hold and process (as defined below) the data of the data principals or subjects
("Data Principal") by eliminating all distinctions and treating all types of data under a single
heading.
Sensitive data is any information that could be harmful to a person or organization if it were
stolen or made public. This includes private business information, financial information, health
information, and personally identifiable information (PII). Cybercriminals target data because it
is frequently gathered and handled in data-driven organizations.
Data takes a new shape in the form of sensitive data
Confidential information that needs to be kept safe and out of the hands of anyone without
authorization is referred to as sensitive data.
By implementing adequate data protection and information security procedures intended to stop
data breaches and leaks, access to sensitive data should be restricted.
There is an urgent need for better data management and Third-Party Risk Management
framework designs as a result of increased regulatory scrutiny over the security of sensitive data.
Article 9 of the General Data Protection Regulation (GDPR) defines sensitive data as any
personal data that could cause harm or adverse consequences for an individual if disclosed. This
includes data that reveals:
● Racial or ethnic origin
● Political opinions
● Religious or philosophical beliefs
● Trade-union membership
● Genetic data
● Biometric data processed solely to identify a human being
● Health-related data
● Data concerning a person's sex life or sexual orientation
● Financial information (bank account numbers and credit card numbers)
● Classified information
In the global healthcare industry, change has become the new normal. For the foreseeable future,
the digitalization of health and patient data is actually causing a significant and fundamental
change in clinical, operational, and financial models as well as in the economy as a whole. Even
though it may be expensive, a smooth integration of widely disparate big healthcare data
technologies can help us better understand clinical and organizational processes, as well as
improve patient flow, safety, quality of care, and the overall patient experience by facilitating a
faster and safer patient throughput.
This was the case with South Tyneside NHS Foundation Trust, a provider of acute and
community health services in northeast England that recognizes the value of always giving
patients high-quality, safe, and compassionate care. However, in order to improve resource
allocation and wait times and to make sure that any problems are found early and addressed, the
trust needs a better understanding of how its hospitals operate.
Information Technology Act, 2000
Section 43A of the Act defines sensitive personal data as information that can be used to
identify a natural person, either directly or indirectly. The Act also requires companies
that handle sensitive personal data to maintain reasonable security practices and
procedures. If a company is negligent in this regard, it is liable to pay compensation
to the affected person.
Right to Information Act, 2005
Section 8(1)(j) exempts from disclosure information which relates to personal information
the disclosure of which has no relationship to any public activity or interest, or which would
cause unwarranted invasion of the privacy of the individual, unless the Central Public
Information Officer, the State Public Information Officer or the appellate authority, as
the case may be, is satisfied that the larger public interest justifies the disclosure of such
information.
Unique Identification Authority of India v. Central Bureau of Investigation, (2017) 7 SCC
263
In this case, the CBI requested access to the Unique Identification Authority of India
database in order to look into a criminal offense. In an interim ruling, the Supreme Court
ruled that the Unique Identification Authority of India should not give any biometric data
to any other organization without the individual's written agreement after they have been
assigned an Aadhaar number.
One aspect of the right to privacy was informational privacy. In the digital era, threats to
privacy can come from both state and non-state actors. The current court commends the
Union Government for examining and implementing a strong data protection regime. In
order to establish such a regime, individual interests and the State's justifiable concerns
must be carefully and sensitively balanced.
Critical personal data is defined as the portion of personal data that the Central Government of
India has designated or highlighted as "critical". Such information is to be processed only
inside the borders of the country, and sending it outside is prohibited. There are
just two situations in which this restriction does not apply. The first is a transfer to a person
offering health or medical services where immediate action is required. The second is a transfer
to a nation, entity, or organization that the Central Government has approved as providing
sufficient protection in accordance with the standards outlined under the "applicable laws"
(presumably referring to the PDPA, 2019 as well as the country's respective data privacy law) and
that complies with the conditions established by the international agreements that the nations
have reached.
Sensitive personal data is the portion of personal data that is classified as "sensitive" to an
individual's privacy and that may have an impact on that person's privacy if it is not
gathered, stored, processed, transferred, or deleted with exceptional care and sensitivity.
"The extent of harm that may be caused to a data principal if the safety or privacy of such
data is compromised due to any sort of misappropriation or mishap during the entire
course of the fulfillment of the purpose for which it was collected is one of the reasons
for the watchful handling of such data," the Act states. Additional justifications include
the data principal's "expectation" that the authority handling the data will maintain its
confidentiality and the potential effects of processing specific data in an ambiguous way
on a class or group of data principals.
The Laws that will govern Sensitive data (PDPA)
The portions and regulations of the Information Technology Act, 2000 that control and
protect personal data and its privacy in the country are greatly expanded upon and updated
in the Personal Data Protection Bill, 2019, which is shortly to become law in the nation.
Sensitive personal data is directly and critically addressed in a number of significant areas of the
proposed bill, including:
Section 3 (36)
Defines the categories of personal data that are recognized as sensitive personal data (listed above).
Section 15
This section of the Act describes the grounds and the authority involved in tagging personal data as
'sensitive'.
Section 33
This section specifies that sensitive personal data is to be transferred outside India only under the
conditions specified under subsection (1) of Section 34 of this Act but it is to be stored strictly
within the country.
Section 34
Sub-section (1) of Section 34 states that transfer of sensitive personal data outside the country
can only be done when explicit and informed consent of the data principal is obtained for such
transfer.
Section 93 (2)(a)
Section 93 of the Act deals with the powers of the Central Government to make rules regarding
the provisions of this Act. Clause (a) of the sub-section (2) of Section 93 mentions that the
Central Government may make rules, additions, or amendments to the categories of Sensitive
Personal Data defined under Section 15 of the Act.
Transfer of Sensitive Personal Data
Data is not the new oil; it is the new water. There are a hundred ways to use and consume data
flows, and they are vital to the survival of information technology in this world. As internet
businesses and services began to flourish globally, their service providers, IT departments, and
other regulators began moving the data they collected to foreign locations. Until recently, these
transfers—also known as cross-border transfers—took place freely in a nation like India without
any formal regulations established by the Indian government or other authorities.
The foundations for the limitations on the transfer of personal data to other nations and
companies that were not previously mentioned in data processing agreements were established
by the IT Rules, 2011. It said that corporations that receive personal data must only transmit that
data to another corporation or to another nation if that nation or entity guarantees the same
degree of protection (to guarantee sufficient protection) as the corporation itself. According to
the Rules, a transfer can only be carried out if it is necessary to complete a legitimate contract,
serve a legitimate purpose, or obtain the informed consent of the data principal.
The transfer of critical and sensitive data is extensively covered by Section 34 of the Personal
Data Protection bill of 2019. It is a significantly more refined form of the 'transfer' of personal
data described by the IT Rules, 2011. This Act, through section 34 along with other sections,
extensively covers and describes the meaning and scope of the transfer of personal data, the
codes of practice to be followed during such transfer, rights of the data subject, exemptions of
certain data processors, and lastly, the penalties related to it.
Role of government in protecting personal data in the form of sensitive data
In India's online civilization, privacy is undoubtedly an indispensable and emerging topic. India
must place its greatest emphasis on privacy and implement robust measures to protect the
privacy of its citizens and those of other countries whose data may be temporarily or
permanently stored in India.
Since each nation has a varied level of protection for its inhabitants' data, the transnational
character of the data that flows over the Internet makes online privacy more challenging.
India has signed on to the European Union's (henceforth referred to as the "EU") General Data
Protection Regulation (henceforth referred to as the "GDPR"), which allows international digital
companies to conduct business under certain restrictions, rather than adopting the isolationist
framework like the Chinese regulation that prohibits global players like Facebook and Google
from operating within its borders. However, the Indian Draft Privacy Bill contains certain extra
limitations on top of the EU rules.
The main laws governing data privacy in India are the Information Technology (Reasonable
Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
(henceforth referred to as the "IT Rules"), which are governed by the Information Technology
Act, 2000 (henceforth referred to as the "IT Act").
Information pertaining to a person's income, health, gender identification, and biometrics are all
considered sensitive personal data under the IT Rules. The IT Act also requires businesses to
have suitable security practices and policies in place to protect sensitive personal information.
In addition to the IT Act, the government established the Computer Emergency Response Team
(currently referred to as "CERT-In") to tackle cyber security threats and vulnerabilities and
collaborate with other authorities.
The government also works with other governments, international organizations, and states to
share cyber security best practices and data.
Another instance of the Indian government's desire for more communication access is the Central
Monitoring System (henceforth referred to as the "CMS").
Technology has made it possible for security organizations to directly intercept conversations
and avoid service providers. It is now unclear if the technology will make it possible to monitor
internet traffic and digital communications in addition to phone conversations. It's also unclear
what safeguards the system has in place.
Further, the government may order any authority or agency to intercept, monitor, or permit
surveillance of an individual's data or privacy, while undertaking to monitor personal data
without violating the individual's rights, if the action is taken to preserve good relations with
other nations, protect public order and the national interest, stop the commission of crimes that
are punishable by law, or for a number of other reasons.
However, it is now essential to record the reasons for doing so in writing in order to avoid the
abuse of such rights. Section 69A of the IT Act has also been used by the government to ban a
number of websites that may be detrimental to the nation's interests or contain unlawful content.
As a result, the government now enforces reasonable restrictions for the sake of national security,
acting as a watchdog for both the protection of individual rights and personal data.
Role of data-driven entities in protecting sensitive data
The majority of corporate sectors had embraced business intelligence by 2010, and a
sophisticated suite of BI and analytics technologies supported this widespread adoption.
However, the desire for a more sophisticated framework for managing massive data sets has
increased since the advent of the web. Google detailed their MapReduce structure in a 2004
research article [2], and shortly after, Hadoop, its open-source counterpart, gained a lot of
traction among web-scale businesses.
Massive compute and storage infrastructure may now be built more readily by businesses thanks
to the cloud, and new pricing models for running cloud-based massive data repositories now
depend on the queries they execute rather than the volume of data they hold. As a result,
practically every internet firm may now create a petabyte-scale datastore by following the route
of least resistance. Data is now widely available to many internal stakeholders due to increased
demand from sales, marketing, customer success, and data-driven strategies. Security teams and
cloud architects face significant challenges in ensuring that access is provided to those who can
be trusted with it in a secure, compliant, and efficient manner.
Sensitive data must be protected by data-driven enterprises to prevent financial and legal
repercussions, reputational harm, and a decline in customer trust. Here are a few strategies to
safeguard private information.
Encryption: Transform information into a code that only authorized individuals may decipher.
Encrypt data both in transit and at rest, including when sending it over public networks to third
parties.
Data security policy: Create a thorough data security policy and implement it.
Security precautions: Put security measures in place such as:
● Multi-factor authentication
● Biometric verification
● Data loss prevention (DLP) solutions
● User access controls
● Offboarding policies
● Audit logs
● Version control
Redundancies and backups: Establish redundancies and backups for your data.
Training: Give staff members frequent cybersecurity instruction.
Risk assessments: Conduct risk assessments on a regular basis.
Documentation: Keep thorough records.
Monitoring: Keep an eye on things continuously.
Existing Methods for Protecting Sensitive Information
Sensitive data protection is not a novel subject, and there are solutions that tackle different facets
of the issue. Nevertheless, each solution only tackles a portion of the issue, necessitating a
comprehensive strategy for protecting sensitive data.
Data Cataloging and Classification
The majority of data governance projects begin by attempting to identify the types of data being
generated, processed, stored, and read as well as where it is located inside the company. In order
to create a map of all data flows, this method typically calls for the cooperation and sharing of
information from all parties involved. This covers the type of data being accessed, who is
accessing it, and where it is kept. Due to team members' geographical and time zone distribution,
this is a significant challenge for large organizations in and of itself. These endeavors typically
start slowly and fail in the middle.
The fact that data is a shifting target, particularly in cloud environments where creating new data
repositories is quick and simple and traditional IT control is less effective, is another barrier to
the success of this strategy. The situation and context will probably have changed by the time
these efforts produce results, and the organization may unintentionally hold even more sensitive
data.
Lastly, even after learning the location of sensitive data, businesses still have trouble turning that
knowledge into action without comparing it to the real access patterns that indicate whether or
not sensitive data has been compromised. Since there are numerous ways to exfiltrate data after it
is exposed, depending on Data Loss Prevention (DLP) solutions to supply that context is
frequently too little, too late.
Access Control and Permissions Management
Organizations should establish guardrails and perimeters to limit access to sensitive information.
Tools for managing data stores exist, but they are not data-aware, which makes it challenging to
define access control on specific parts of a data store's schema, especially in semi-structured and
unstructured data stores.
Masking, Encryption, and Tokenization
Organizations use duplication and de-risk techniques like masking, encryption, and tokenization
to protect sensitive data, such as making a production database available for development team
debugging.
The data cloning approach is effective for specific use cases but fails at scale: the process is
slow, it increases risk, and it adds operational overhead, which in turn raises infrastructure
costs.
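The masking and tokenization approach described above, as an added example that is not part of the original article and not any vendor's product: a constructed production extract is classified column by column against the sensitive-data categories listed earlier on this page, and a de-risked copy is produced for development debugging. The column names, the policy table and the tokenization key are assumptions made for illustration.

```python
"""De-risk a production extract for a development copy: classify each column
against a policy built from the page's sensitive-data categories, then
tokenize, mask or drop it. Added example; not the article's or any vendor's
code. Column names, policy and sample rows are constructed for illustration."""
import hashlib
import hmac
import re

# Column -> handling policy. Assumption: the schema has been cataloged and
# classified up front, as the "Data Cataloging and Classification" step requires.
POLICY = {
    "patient_id": "tokenize",   # identifier: stable pseudonym keeps joins working
    "name": "tokenize",
    "card_number": "mask",      # financial information
    "diagnosis": "drop",        # health-related data: not needed for debugging
    "religion": "drop",         # religious belief (GDPR Art. 9 category)
    "visit_date": "keep",
    "amount": "keep",
}

# Constructed key for this example. In practice it lives in a secrets manager,
# never in source code, and is not shared with the development environment.
TOKEN_KEY = b"dev-copy-tokenization-key-example"


def tokenize(value: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed, deterministic pseudonym: the same input always yields the same
    token (referential integrity survives), but without the key the token
    cannot be reversed or recomputed from a guessed value."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]


def mask_card(value: str) -> str:
    """Keep only the last four digits: enough to match a card a customer reads
    out, without exposing the full number."""
    digits = re.sub(r"\D", "", value)
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def derisk_row(row: dict, policy: dict = POLICY) -> dict:
    """Apply the policy column by column. Columns absent from the policy are
    unclassified and therefore dropped: fail closed rather than leak."""
    out = {}
    for col, val in row.items():
        action = policy.get(col, "drop")
        if action == "keep":
            out[col] = val
        elif action == "tokenize":
            out[col] = tokenize(str(val))
        elif action == "mask":
            out[col] = mask_card(str(val))
        # "drop" and unknown columns are omitted from the copy
    return out


def derisk_table(rows, policy=POLICY):
    """De-risk a whole extract (list of row dicts)."""
    return [derisk_row(r, policy) for r in rows]


# Constructed sample extract; not real people or real card numbers.
SAMPLE_ROWS = [
    {"patient_id": "P-1001", "name": "A. Example", "card_number": "4111 1111 1111 1111",
     "diagnosis": "asthma", "religion": "none", "visit_date": "2024-03-01",
     "amount": 120.0, "notes": "free text that was never classified"},
    {"patient_id": "P-1001", "name": "A. Example", "card_number": "4111111111111111",
     "diagnosis": "asthma", "religion": "none", "visit_date": "2024-04-02",
     "amount": 80.0, "notes": "free text that was never classified"},
]

if __name__ == "__main__":
    for r in derisk_table(SAMPLE_ROWS):
        print(r)
```

Note that the unclassified "notes" column is dropped rather than copied: free text is where health and other special-category data most often hide, so an unclassified column is treated as sensitive by default.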
Existing security strategies are thus ineffective and inefficient, resulting in operational overhead. As
organizations adopt cloud technologies and handle more data under strict privacy regulations, a
new approach is needed.
Secure Data Access Cloud
Satori offers a comprehensive platform that provides real-time data discovery, classification, and
behavior analysis, ensuring data access security, privacy, and compliance across all cloud and
legacy data stores, making legitimate access quick, efficient, and easy.
Code42 is dedicated to safeguarding confidential information, minimizing data loss and
exfiltration through the use of solutions such as Incydr. Incydr is an intelligent data protection
system that provides the context, visibility, and control your team needs to prevent IP theft and
data leaks.
A secure data enclave is a system that enables data owners, including governments and
commercial companies, to facilitate authorized uses of data by other parties while maintaining
control over data access and security. Compared to the more popular method of transferring data
from the owner to another party through a data sharing agreement, this model of data use
provides the data owner with extra protections and technical controls.
Even with the finest legal tool for data sharing, it might be difficult to achieve the full
accessibility and auditing that the data owner maintains over the other party's access under the
data usage model. In order to control access to sensitive administrative data, we outline the
crucial technical requirements for a Secure Data Enclave, offer a reference architecture for its
implementation on Amazon Web Services using managed cloud services, and outline four use
cases of this architecture in collaboration with state governments.
A Secure Data Enclave has governance controls that offer best practices and guidelines for how
data owners govern system use, in addition to the technical controls (represented by the letter
"T") that enforce further restrictions on data users' use of the system. Above all, the data owner
owns and controls the Secure Data Enclave; the data never leaves the custody of the data owner.
Conclusion
Sensitive data refers to any information that must be protected due to its confidential nature. This can
include personal information, financial records, health information, and proprietary business
data. The breach or unauthorized access to such data can lead to significant implications for
individuals and organizations, including identity theft, financial loss, and reputational damage.
Protecting sensitive data has grown crucial with the growth of digital communication and online
storage. To ensure compliance with laws like the Health Insurance Portability and Accountability
Act (HIPAA) in the US or the General Data Protection Regulation (GDPR) in Europe,
organizations are frequently obliged to put strong data protection policies and systems in place.
Strict rules on the collection, storage, and processing of sensitive data are required by these
regulations. Organizations should take a multi-layered approach to data protection in order to
reduce risks. Access controls, encryption, and frequent audits to find vulnerabilities are all part
of this. Since many data breaches are the result of human error—such as phishing campaigns or
improper management of sensitive data—employee training is also essential.
Ensuring that third-party vendors adhere to data security requirements is crucial, in addition to
safeguarding data inside the company. Contractual agreements that specify data protection
procedures are frequently able to do this.
To sum up, handling sensitive data is an essential duty for both people and businesses. The
dangers of sensitive data breaches and leaks can be considerably decreased by implementing
thorough security measures, upholding legal compliance, and encouraging a culture of
knowledge and alertness. Prioritizing data protection helps businesses gain the trust of
stakeholders and customers, which opens the door to long-term success.