Executive Summary
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) continue to apply alongside the Digital Personal Data Protection Act, 2023, creating a dual regulatory framework:
- Scope: Body corporate collecting, storing, or processing SPDI
- SPDI definition: Passwords, financial data, health, biometrics, sexual orientation
- Consent requirement: Prior written consent before collection
- Purpose limitation: Only for lawful, necessary purposes
- Security standards: IS/ISO/IEC 27001 or equivalent
- Third-party transfer: Only with consent or contractual safeguards
- Grievance redressal: Designated officer, monthly resolution
- Penalties: Compensation under Section 43A for breach
- Current status: Still applicable until DPDP rules finalize transition
This guide examines the obligations under the SPDI Rules and their interaction with the DPDP Act.
1. Statutory Framework
Legal Basis
| Source | Provision |
|---|---|
| IT Act Section 43A | Compensation for negligent data handling |
| IT Act Section 72A | Punishment for disclosure without consent |
| SPDI Rules 2011 | Detailed obligations |
| DPDP Act 2023 | New framework (not yet fully effective) |
Applicability
| Entity | Covered |
|---|---|
| Body corporate | Company, firm, sole proprietorship, LLP |
| Collection | Collects SPDI from data providers |
| Processing | On behalf of another body corporate |
| Location | India or providing services to India |
Relationship with DPDP Act
| Aspect | Current Status |
|---|---|
| SPDI Rules | Still in force |
| DPDP Act | Enacted but rules pending |
| Overlap | Both apply until explicit repeal/transition |
| Conflicts | DPDP likely to prevail (newer, specific law) |
| Compliance | Organizations must comply with both |
2. Categories of SPDI (Rule 3)
| Category | Examples |
|---|---|
| Passwords | Login credentials, PINs |
| Financial information | Bank account, credit card, debit card, financial transactions |
| Physical/physiological/mental health | Medical records, disabilities, diagnoses |
| Sexual orientation | LGBTQ+ status |
| Medical records and history | Treatment, prescriptions, test results |
| Biometric information | Fingerprints, iris scans, facial recognition |
What is NOT SPDI
| Category | Reason |
|---|---|
| Publicly available information | Already in public domain |
| Information under RTI | Accessible to public |
| Name, address, phone | General contact details (not "sensitive") |
| Job title, employer | Professional information |
SPDI vs. Personal Data (DPDP)
| Concept | SPDI Rules | DPDP Act |
|---|---|---|
| Scope | Narrower (only sensitive) | Broader (all personal data) |
| Categories | 6 specific categories | Any data relating to identifiable person |
| Protection level | Higher standards for SPDI | Uniform standards for all personal data |
3. Consent Requirements
Prior Written Consent (Rule 5(1))
| Requirement | Specification |
|---|---|
| Timing | Before collection |
| Form | Written (electronic form acceptable) |
| Lawful purpose | Must be stated |
| Transparency | Provider must know what data is collected |

| Information | Requirement |
|---|---|
| Fact of collection | That SPDI is being collected |
| Purpose | Why data is needed |
| Intended recipients | Who will receive/access data |
| Name and address | Of entity collecting data |
| Retention period | How long data will be kept |
Valid Consent Elements
| Element | Description |
|---|---|
| Free | No coercion or undue influence |
| Informed | Full disclosure of purpose and use |
| Specific | For particular purpose |
| Unambiguous | Clear affirmative action |
| Withdrawable | User can revoke consent |
4. Purpose Limitation and Collection
Lawful Purpose (Rule 5(2))
| Requirement | Description |
|---|---|
| Lawful | Not prohibited by law |
| Necessary | Required for stated purpose |
| Directly related | Connected to business function |
Prohibited Purposes
| Purpose | Status |
|---|---|
| Unlawful activity | Prohibited |
| Surveillance | Without lawful authority |
| Discrimination | Based on sensitive attributes |
| Unrelated use | Beyond stated purpose |
Collection Limitation
| Principle | Implementation |
|---|---|
| Minimal collection | Only necessary SPDI |
| Direct collection | From data provider (preferred) |
| Avoid function creep | No expansion beyond original purpose |
5. Disclosure and Transfer
Third-Party Sharing (Rule 6)
| Condition | Requirement |
|---|---|
| Consent required | Prior permission from provider |
| Contractual obligation | Service providers bound by contract |
| Same level of protection | Recipient must protect SPDI equally |
| Purpose limitation | Only for consented purpose |
When Disclosure Permitted Without Consent
| Scenario | Legal Basis |
|---|---|
| Government order | Under law or court order |
| Legal obligation | Statutory requirement |
| Emergency | Life-threatening situation |
Cross-Border Transfer
| Requirement | Specification |
|---|---|
| Consent | Required (unless exception applies) |
| Same protection level | Recipient country must ensure equivalent protection |
| Contractual safeguards | Data transfer agreements |
6. Security Requirements
Reasonable Security Practices (Rule 8)
| Standard | Specification |
|---|---|
| IS/ISO/IEC 27001 | International standard |
| Documented policy | Written information security policy |
| Comprehensive | Managerial, technical, operational, physical safeguards |
Security Policy Contents
| Element | Description |
|---|---|
| Access control | Who can access SPDI |
| Encryption | Data protection mechanisms |
| Incident response | Breach handling procedures |
| Audit | Regular security reviews |
| Training | Employee awareness |
| Physical security | Premises protection |
Technical Safeguards
| Measure | Implementation |
|---|---|
| Encryption | Data at rest and in transit |
| Access controls | Role-based permissions |
| Firewalls | Network segmentation |
| Antivirus | Malware protection |
| Logging | Audit trails |
| Backup | Data recovery capability |
7. Grievance Redressal
Grievance Officer (Rule 5(9))
| Requirement | Specification |
|---|---|
| Appointment | Mandatory for entities collecting SPDI |
| Publication | Name and contact on website |
| Accessibility | Easy to contact |
| Timeline | Redress within one month |
Grievance Types
| Grievance | Description |
|---|---|
| Unauthorized disclosure | SPDI shared without consent |
| Incorrect data | Inaccurate information |
| Excessive collection | More data than necessary |
| Retention beyond period | Data kept longer than stated |
| Security breach | Unauthorized access |
8. Data Provider Rights
Access and Correction (Rule 5(6))
| Right | Description |
|---|---|
| Review | Access to SPDI held |
| Correction | Amend inaccurate data |
| Withdrawal | Revoke consent |
| Deletion | Request removal (subject to legal obligations) |
Withdrawal of Consent
| Aspect | Specification |
|---|---|
| Right | Can withdraw consent anytime |
| Effect | Body corporate must stop processing |
| Exceptions | Legal/contractual obligations may require retention |
| Notification | Body corporate must inform of consequences |
9. Retention and Deletion
Retention Period
| Principle | Requirement |
|---|---|
| No longer than necessary | Delete when purpose fulfilled |
| Legal retention | May be required by other laws (7 years for financial records, etc.) |
| Withdrawal of consent | Delete unless legal obligation |
Secure Deletion
| Method | Application |
|---|---|
| Data wiping | Overwrite data multiple times |
| Physical destruction | Shred/destroy storage media |
| De-identification | Remove identifiers (if retention needed) |
| Certification | Document deletion |
10. Penalties and Liability
Section 43A - Compensation for Negligence
| Element | Specification |
|---|---|
| Negligence | Failure to maintain reasonable security |
| Breach | Unauthorized disclosure of SPDI |
| Wrongful loss/gain | Damage to data provider |
| Compensation | Payable to affected person |
Determining Negligence
| Factor | Assessment |
|---|---|
| Security standards | Compliance with IS/ISO 27001 |
| Industry practice | Reasonable practices in sector |
| Nature of SPDI | Sensitivity of data |
| Breach cause | Internal vs. external attack |
Section 72A - Criminal Penalty
| Element | Penalty |
|---|---|
| Disclosure without consent | Up to 3 years imprisonment + fine up to Rs. 5 lakhs |
| Mens rea | Intentional disclosure |
| Breach of contract | Violating lawful contract |
11. Comparison: SPDI Rules vs. DPDP Act
Key Differences
| Aspect | SPDI Rules 2011 | DPDP Act 2023 |
|---|---|---|
| Scope | Only SPDI (6 categories) | All personal data |
| Consent | Written consent | Any form (including digital) |
| Purpose | Lawful purpose | Specified purpose |
| Grievance timeline | 1 month | 15 days |
| Penalties | Compensation (no maximum) | Fixed penalty tiers (up to Rs. 250 Cr) |
| Rights | Access, correction, withdrawal | Same + portability, grievance appeal |
| Children | No specific provision | Enhanced protection (below 18) |
| Cross-border | Same protection level | Notified countries only |
Areas of Overlap
| Provision | SPDI Rules | DPDP Act | Compliance Strategy |
|---|---|---|---|
| Consent | Required | Required | Follow stricter standard (written) |
| Security | IS/ISO 27001 | Reasonable security | IS/ISO 27001 sufficient |
| Grievance | 1 month | 15 days | Follow 15-day timeline |
| Third-party transfer | Consent + contract | Consent + contract | Both satisfied |
12. Sector-Specific Applications
Healthcare
| SPDI Category | Application |
|---|---|
| Medical records | Diagnosis, treatment, prescriptions |
| Health information | Test results, genetic data |
| Consent | Patient consent before sharing with insurers, labs |
| Retention | Medical records retention laws also apply |
Financial Services
| SPDI Category | Application |
|---|---|
| Financial information | Bank accounts, credit cards, transactions |
| Passwords | Online banking credentials |
| Consent | For credit checks, third-party sharing |
| Security | PCI-DSS + IS/ISO 27001 |
E-Commerce
| SPDI Category | Application |
|---|---|
| Payment information | Credit/debit card details |
| Passwords | Account login credentials |
| Consent | For marketing, analytics |
| Security | Payment gateway compliance |
13. Compliance Checklist
Pre-Collection Phase
Collection Phase
Storage and Processing Phase
Disclosure and Transfer Phase
Retention and Deletion Phase
Grievance Redressal Phase
14. Key Takeaways for Practitioners
- SPDI Rules still apply: Despite the DPDP Act, the SPDI Rules 2011 remain in force until explicit repeal.
- Dual compliance: Organizations must comply with both the SPDI Rules and the DPDP Act provisions.
- 6 SPDI categories: Passwords, financial data, health, sexual orientation, medical records, biometrics.
- Written consent mandatory: Prior written consent is required before collecting SPDI.
- IS/ISO 27001 required: Reasonable security practices mean a documented policy and international standards.
- Grievance officer: Mandatory appointment with a one-month resolution timeline.
- Section 43A compensation: A negligent SPDI breach triggers compensation liability (no cap).
- Third-party sharing: Requires consent plus contractual safeguards ensuring the same protection level.
Conclusion
The SPDI Rules 2011 continue to provide a critical framework for protecting sensitive personal data in India, even as the DPDP Act comes into force. The requirement for written consent, IS/ISO 27001 security standards, and designated grievance officers creates a robust protection mechanism for the six categories of SPDI. Organizations must navigate the dual regulatory landscape, ensuring compliance with both frameworks until a clear transition path emerges. The higher standards for SPDI (written consent, international security certifications) reflect the greater risks associated with this particularly sensitive category of personal data.