Page 32 - Approved Social Media Framework and Guidelines

(vi) Biometric information;

(vii) any detail relating to the above clauses as provided to body corporate for providing service; and

(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:

Provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.

x. For the purposes of protecting such sensitive personal data, the Government has mandated that any legal entity who is processing, dealing or handling sensitive personal data must implement reasonable security practices and procedures.

xi. The Government further stipulates that ISO 27001 is one acceptable standard of reasonable security practices and procedures. Thus, all Government departments which are providing social media facilities must comply with ISO 27001. If a Government department does not comply with ISO 27001 and provides social media facilities on whose network sensitive personal data is going to be stored, processed, handled or dealt with, the said Government department could be in breach of the law and could face legal consequences.

xii. Further, since the said Government department which provides social media facilities is an intermediary, it has to comply with the Information Technology (Intermediary guidelines) Rules, 2011. Under Rule 3(4) of the said rules, the Government department shall act within thirty six hours on receiving the written complaint from an affected person and, where applicable, work with the user or owner of such information to disable such information that is in contravention of sub-rule (2).

xiii. Further, the Government department shall preserve such information and associated records for at least ninety days for investigation purposes.

xiv. If the Government department does not comply with any of the above requirements of law, then the said Government department, as also the concerned head of the department who is responsible for the social media facilities and the concerned IT head, would be liable for civil and criminal consequences.

xv. The civil consequences could consist of being sued for damages by way of compensation up to 5 crore Rupees under summary proceedings before the adjudicatory authorities specially constituted under the Information Technology Act,


