Legal Background
Privacy Policy
Fundamental factors of a Privacy Policy
1. Consent, Notice and Transparency
2. Definition Clause
3. User Information
A privacy policy should specify the types of PI or SPDI being collected.
4. Purpose
A privacy policy must clearly identify, in unambiguous terms, the purpose of data collection. Further, it should have a data minimization clause limiting collection and processing to what is relevant and reasonably necessary to accomplish legitimate commercial purposes. A change in purpose triggers the requirement to notify users of that change.
5. Sharing and storage of user data
An organization must obtain permission from users prior to disclosure of the collected PI / SPDI to third parties and/or its affiliates, except where such disclosure is mandated under law. Further, it should have data retention clauses governing the period of retention and the manner of disposal once the purpose is served.
6. Data security
The privacy policy must set out the reasonable security practices and procedures adopted by the organization, including electronic and physical safeguards that maintain the security and confidentiality of data, such as restricting access to authorized persons and encrypting browser traffic.
7. Notification of change
Users must be notified, via email or a website popup, of periodic reviews and updates to the policy.
8. Contact information
The privacy policy should provide the organization's email, postal and telephone contact details for handling queries or the exercise of users' data protection rights.
9. Dispute Resolution
The SPDI Rules require the appointment of a Grievance Officer[2] to whom users can report complaints, or escalate complaints that the organization has not satisfactorily resolved.