The IT Department has clarified that overseas clients, who outsource work to Indian service providers, will not be required to take additional consent from their own customers on collection and usage of personal data. The move comes as a relief to the Indian outsourcing industry, as the rules that were earlier notified in April this year under Section 43 (A) of Information Technology Act, had created confusion in the BPO industry and led to interpretations that such a permission may be required.
In effect, the latest clarification means that although the Indian service provider will be required to implement reasonable security practices, it will not have to inform the individual customers (of the overseas client, say, a US bank) about the purpose of usage of data while collecting it. It has been clarified that overseas customers of IT and BPO industry will continue to be governed by the data protection legislations in their respective countries and that the service providers in India, will, in turn, be governed by contract signed with the entity that has outsourced the work.
“The April rules were leading to misinterpretation as if they imposed an additional consent burden on outsourcer…This was seen as a disincentive for the outsourcing industry. The Department has clarified that this was not the intent and that the rules (on sensitive personal data or information) are not applicable to companies outside India,” says Dr Kamlesh Bajaj, CEO, Data Security Council of India.
In a statement, Mr Som Mittal, President of Nasscom said that data security and privacy were key enablers for the growth of the global sourcing sector. “However, the rules issued (earlier this year) had created possible interpretation issues for outsourcing companies and we thank the government for their support in issuing the necessary clarifications,” Mr Mittal said.