Page 24 - KDU Law Journal Volume 4 Issue 2
September, 2024
Rule 8(1), Reasonable Security Practices and Procedures of IT
Rule 2011,⁴⁷ focuses on data protection and privacy. The rule requires
organizations to implement appropriate security measures to protect
personal data from unauthorized access, disclosure, alteration, or
destruction. This includes implementing access controls, encryption,
and secure data storage practices. The IT Rules 2011 concerning
privacy are an important step towards establishing a legal framework
for safeguarding individuals’ privacy rights in the digital age. By
implementing these provisions, proactive measures ensure the
privacy and security of information in the digital age.
Addressing Privacy Concerns in the Age of Digital Transformation
The emergence of new technologies such as IoT (Internet of Things),
artificial intelligence (AI), machine learning, and big data analytics
has further complicated the privacy landscape. These technologies
have the potential to analyze and interpret vast amounts of personal
data, raising concerns about the potential misuse or unauthorized
access to such information. The current legal framework for
protecting privacy is a topic of considerable debate with both
strengths and weaknesses.
Strengths of Existing Legal Frameworks:
(a) Constitutional recognition of the right to privacy as a
fundamental right by the Supreme Court of India, particularly
through the landmark judgement of Justice K S Puttaswamy
47 Rule 8(1) Reasonable Security Practices and Procedures-A body corporate or a person
on its behalf shall be considered to have complied with reasonable security practices and
procedures, if they have implemented such security practices and standards and have a
comprehensive documented information security programme and information security
policies that contain managerial, technical, operational and physical security control
measures that are commensurate with the information assets being protected with the nature
of business. In the event of an information security breach, the body corporate or a person
on its behalf shall be required to demonstrate, as and when called upon to do so by the
agency mandated under the law, that they have implemented security control measures as
per their documented information security programme and information security policies.
Supra note 45.
law.faculty@kdu.ac.lk