Personal and sensitive data might be collected for various purposes. For instance:
Human Resource Management
For Research Studies
Let us look at some existing as well shortly expected legal compliance obligations pertaining to data protection and privacy that non-profits will have to ensure in their activities.
The Law on Personal and Sensitive Data
If a non-profit collects personal and sensitive data, it is required to follow the rules made under the Information Technology Act, 2000. This includes legal obligations regarding collection of information, transfer/Disclosure of data, security practices and procedures for storage and so on.
As per the Section 43A of the Information Technology Act, 2000, all body corporates are responsible for implementing and maintaining reasonable security measures to ensure no wrongful loss/gain is done to any person due to processing, dealing, or handling of sensitive personal information. Failure of this can attract liabilities to pay damages. This applies to all non-profits – including trusts, societies, section 8 companies or any association of individuals engaged in professional activities.
Individuals who have access to personal information under a contract are also responsible for the protection of personal information under Section 72A of the same Act. Disclosure of any personal information without consent of the person or in breach of the contract can attract a punishment of fine and imprisonment.
Good Practices to Implement Re: Data Collection, Processing & Storage:
Foreseeable Changes in Data Protection Laws
The landscape of data protection laws is expected to change upon the passing of Personal Data Protection Bill, 2019. The bill provides for several new requirements like data de-identification, encryption, and anonymization. Some of the new legal introductions that the bill envisages are:
In addition there are proposed laws such as the Digital Information Security in Healthcare Act, 2018 (DISHA) and various regulatory frameworks being proposed on maintaining the confidentiality of personal, non-personal and medical data.
NGOs must start adopting healthy practices recognising the value of data to ensure that the privacy of its data subjects are protected and that data is not illegally mined.
 The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011