Sr.

Areas Reference to Assessment Questionss Yes/ No/ Not

No. IT Act Sure/NA
1 Definition of Body S. 43A Is the organization a ‘body corporate’ as defined
Corporate in the IT (Amendment) Act, 2008 (ITAA 2008)?

Definition Any company and includes a firm, sole

proprietorship, or other association of individuals
engaged in commercial or professional activities

2 Organization's Role Is the Organization aware of the privacy role it

performs based on its functions, activities &
business?
Role 1 - Data Provides services to its end customers (individuals
Controller – ‘providers of information’ under the ITAA 2008)
under a direct relationship and determined the
means and purpose of data collection and
processing

Role 2 - Data Provides services to its clients (organizations)

Processor under a lawful contract having indirect
relationship with the end customers (providers of
information) as per the instructions from data
controller; e.g. business process outsourcing
service providers

Role 3 - Data Provides employment or other related services /

Controller benefits to its employees and / or enable
employees to perform their duties
3 Sensitive Personal S. 43A Does the organziation deal (collect, process,
Data or Information store, transfer, access) with following categories
(SPDI) of “sensitive personal data or information” (SPDI)
as defined under sec 43A of the ITAA, 2008? Has
it identified such functions, operations and
actitivities that deal with SPDI?

Definiton of SPDI Rule 3 (u/s (i) Password (Capable of providing information or

43A) access to SPDI listed below
(ii) financial information such as Bank account or
credit card or debit card or other payment
instrument details
(iii). physical, physiological and mental health
condition
(iv) sexual orientation
(v) medical records and history
(vi) biometric information
(vii) any of the detail relating to the above
categories of SPDI or information received under
above categories of SPDI by the organization for
processing, stored or processed under lawful
contract or otherwise
 Any information that is freely available or
accessible in public domain or furnished under
the Right to Information Act, 2005 or any other
law for the time being in force shall not be
regarded as sensitive personal data or
information

4 Privacy Policy Rule 4 Does the organization have a privacy policy?

a) Is it published on the website of the
organization?
b) Is the policy easily accessible?
c) Is the policy simple & easy to understand
d) Does it provide links to organization's practices
and policies
e) Does it state? i Type of SPDI being collected
(refer question no. 3)
ii. Reason for collecting such informationi
iii. The intended usage of the provided
information
v. Disclosure policy and practices of the
organization (refer question number 11)
vi. Reasonable security practices and procedures
adopted by the organization for securing SPDI

5 Collection Limitation Rule 5(2)(a) Does the organization follow any due diligence to
ensure SPDI is collected for a lawful purpose
which is associated with the function or activity
of the organization?

Due Diligence Rule 5 2(b) Does the organization follow any due diligence to
ensure SPDI which is necessary for the above
purpose is only collected?
Informing the Rule 5(3) When directly collecting SPDI from the provider
Providers of of information, does the organization take
Information reasonable steps to ensure that the provider of
information is having knowledge about:

i. the fact that the SPDI is being collected

ii. the purpose for which SPDI is collected
iii. the intended recipients of SPDI
iv. the name & address of the agency which is
collecting the SPDI
v. the agency that will retain the SPDI
6 Consent Rule 5(1) and Does the organization take written consent from
Clarification the provider of information regarding purpose of
Issued u/s usage before collecting their SPDI?
43A

Modes for Obtaining a. Letter

Consent b. Fax
c. Email
d. Click in an online environment
e. Instant messaging
 Consent

f. IVR
g. Any other mode of electronic communication
Choice Rule 5(7) Does the organization provide an option to the
Consent Withdrawl provider of information to decline providing data
or information sought to be collected for availing
7 Purpose Limitation Rule 5(5) Does the organization perform any due diligence
to ensure that the usage of SPDI is consistent with
the purpose for which has been collected?

8 Access & Correction
Mechanisms
Rule 5(6) Does the organization allow providers of
information, as & when requested by them, the
facility to review the SPDI they have provided?
Does the organization have mechanisms in place
that allow providers of information to modify /
update / correct their SPDI, if found to be
outdated and / or incorrect?

9 Information Retention Rule 5(4) Does the organization ensure that the SPDI is not
retained for a period longer than required for its
lawful use or is otherwise required by any other
law for the time being in force?

10 Grievance Officer Rule 5(9) Has the organization designated a grievance

officer to address any discrepancies & grievances
raised by the providers of information?

Publication on website Has the organization published the name and

contact details of the grievance officer on its
website?
Resolution Is the grievance officer mandated to redress the
grievances of the providers of information within
one month (maximum) from the date of the
receipt of grievance?

11 Disclosure of Rule 6(1) Does the contract signed between the

Information organization and providers of information
mention the disclosure of SPDI to third parties?
Prior Permission If not, does the organization take prior permission
of the providers of information before disclosing
their SPDI to third parties or publishing it?

Exceptions Are there any legal obligations under which the

organization needs to disclose the SPDI without
informing or taking permission of the providers of
information?

Publishing in Public Rule 6(3) Does the organization take due diligence to
Domain ensure that the SPDI is not published intentionally
or unintentionally in public domain, i.e., made
available to unauthorized persons or public?

Controls Rule 6(4) Has the organization put in place the mechanisms
/ controls to ensure that the third party with
which SPDI is shared does not disclose it further?
12 Transfer of Rule 7 Does the organization follow due diligence to
Information ensure that the same level of data protection
(please refer Question 13) is adhered to by third
parties (which may be located in India or abroad)
to whom the organization transfers SPDI for
performance of a lawful contract between the
organization and providers of information or
where the providers of information have given
their consent for such transfers?

13 Security Practices Sec. 43A Has the organziation implemented 'Reasonable

Security Practices' for protecting SPDI?
Does the contract signed between organization &
provider of information or between organization
& third party contains provisions that specify
security practices and procedures designed to
protect SPDI from unauthorized access, damage,
use, modification, disclosure or impairment?

Does the contract include: i.

Comprehensive documented information security
policies & program
ii. Managerial, technical, operational & physical
security controls that are commensurate with the
value of information assets being protected and
the risk exposure

iii Audit / assessment mechanisms for testing

implementation of controls
a. Agreement through Rule 8(1), Has the organization implemented documented
contractual 8(2) & 8(3) information security policies & programs that
instruments contain managerial, technical, operational &
physical security controls that are commensurate
with the value of information assets being
protected and the risk exposure? Such security
practices & procedures could be:
a. IS/ISO/IEC 27001
b. Codes of best practices of an industry
association (where the organization is a member)
that are duly approved & notified by the central
government

b. In absense of any Rule 8(4)
Contract
Do such security practices & procedures get
certified or audited by a government approved
independent auditor, on a regular basis (at least
once a year or as & when the organization
undertakes significant up gradation of its
processes & computer resources)?

c. Demonstration of Sec 43A Does the organization maintain the requisite

Security Practices in records, logs, trails, etc. for demonstrating
case of security compliance?
incident / data breach
c. Demonstration of Sec 43A
Security Practices in
case of security
incident / data breach
Can the organization demonstrate that it has
implemented security controls as per the
documented security policies & programs?
Remarks/ Action
Points