Information Technology Act, 2000
Section 43A of the IT Act provides that where a body corporate possessing, dealing with or handling any sensitive personal data or information in a computer resource which it owns, controls or operates is negligent in implementing and maintaining reasonable security practices and procedures, and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.
Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002
Regulation 2.2 imposes an obligation of secrecy on every medical practitioner, except in exceptional circumstances that justify disclosure of information in the larger public interest.
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
These rules, made under section 87(2) read with section 43A of the IT Act, define sensitive personal data or information and lay down the reasonable security practices and procedures that bodies corporate must abide by. They require bodies corporate that collect sensitive personal data to have a privacy policy in place. They also lay down the conditions under which collection, disclosure or transfer of such information shall be deemed permissible. Specifically, Rule 6(1) stipulates that sensitive personal information, including financial information, cannot be disclosed by a private financial institution without the permission of the provider, unless there is an agreement to that effect in the contract. The Rules also lay down the technical standards by which bodies corporate must abide.
HIV Act, 2017
This Act provides that every establishment keeping the records of HIV-related information of protected persons shall adopt data protection measures in accordance with the guidelines to ensure that such information is protected from disclosure. Data protection measures shall include procedures for protecting information from disclosure, procedures for accessing information, provision for security systems to protect the information stored in any form and mechanisms to ensure accountability and liability of persons in the establishment.