
Data Protection in Financial Sector – A Complete Analysis

Data Protection in Financial Sector

The financial sector stores sensitive and personal data of individuals. Data protection in the financial sector is necessary to mitigate the risk of privacy violations. Since the data is personal and sensitive, privacy violations should not be taken lightly, as they adversely affect the individual whose data is breached. The ways in which a data breach can take place in the financial sector include: sharing information with third parties without the prior consent of the individual, collecting more information than is necessary, incorrect recording of personal information, and leakage or loss of an individual's information due to improper security measures.

At present, data protection in the financial sector in India is not codified in the way it is in the European Union, which sets out the standards of data protection to be maintained by individuals and entities. The Personal Data Protection Bill, 2019 was introduced in the lower house of Parliament; however, it was not enacted. This Bill, if enacted, would have established data protection laws in India. The Information Technology Act, 2000 ("IT Act"[1]) and the rules framed thereunder apply to the protection of certain sensitive data and personal information. Apart from the IT Act, there are sector-specific regulations that intend to maintain the secrecy and confidentiality of data.

Applicability of IT Act

In India, data protection in the financial sector is governed by the IT Act along with the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (IT (SPDI) Rules). The IT (SPDI) Rules prescribe the obligations of data collectors who collect and process the personal or sensitive data of data subjects, i.e., the individuals who provide their personal data. As per the IT (SPDI) Rules, personal information means data relating to an individual which, either directly or indirectly, in combination with other data available or likely to be available with the data collector, is capable of identifying that individual. Sensitive personal data under the IT (SPDI) Rules includes financial data such as bank account details, debit and credit card details, and details relating to any other payment instrument. Apart from financial data, the IT (SPDI) Rules also cover passwords, biometric information, physical, physiological and mental health conditions, and medical records, all of which might be collected by data collectors in the financial industry. When it comes to receiving and handling sensitive personal data, section 43-A of the IT Act holds data collectors responsible for any negligence in implementing and maintaining reasonable security practices. In furtherance of this, if any wrongful loss or wrongful gain arises to any person due to the negligence of the data collector, the data collector is liable to pay damages to the person(s) affected. In addition, section 72-A of the IT Act provides punishment for disclosure of data that either leads to a breach of a lawful contract or is made without the consent of the data subject.


Other sector-specific regulations

Apart from the IT Act and its rules, data protection in the financial sector is also dealt with by certain banking secrecy and other regulatory laws. These laws lay down the obligations of data collectors to maintain the secrecy and confidentiality of data. They are discussed in brief below:

  • RBI guidelines

The Reserve Bank of India (RBI) issues guidelines relating to data protection in the financial sector from time to time, which must be adhered to by data collectors. One such direction issued by the RBI requires all banks and payment system providers to localise payment transaction data in India and restricts the storage of personal data outside India. The RBI has also laid down directions to safeguard customer information and on the type of arrangements banks and non-banking financial companies (NBFCs) should have with third parties.

The RBI has adopted the Basel norms issued by the Basel Committee on Banking Supervision. It issued the Master Circular on Basel III Capital Regulation, 2015, which sets out the applicability of the Basel norms in India. The Master Circular lays down various provisions on data adequacy and quality concerning the collection of information for internal assessment and risk management. The Master Circular on Customer Service in Banks, 2015 was issued by the RBI, obligating banks to maintain secrecy about information arising out of the contractual relationship between the bank and the customer, and providing that no information should be disclosed to third parties except under the prescribed circumstances. The RBI also introduced the Cyber Security Framework in Banks, 2016, which intends to enhance the resilience of the Indian banking system by improving the mechanisms adopted by banks for addressing and managing cyber risks. Similarly, for NBFCs the RBI has issued the Master Direction on Information Technology Framework for the NBFC Sector, 2017, which focuses on IT governance, IT policy, information and cyber security, IT operations, information security audits, IT services outsourcing, and business continuity planning.

  • Insurance Regulatory and Development Authority of India Act, 1999

This Act obligates insurance providers to maintain the confidentiality of policyholders' information and to have adequate security measures in place. It also obligates insurance providers to ensure that any disclosure to a third party for outsourced services is subject to the data privacy standards and policies of the insurance provider. Only legally permitted disclosures to statutory authorities may be made by insurance providers under the Act. Certain additional requirements are imposed by the IRDAI to ensure confidentiality. They are mainly in the form of regulations issued by the IRDAI, such as the IRDAI (Maintenance of Insurance Records) Regulations, 2015, which ensure that records are stored with the necessary security and exclusively in India. The IRDAI (Protection of Policyholder's Interest) Regulations, 2017 ensure the maintenance of total confidentiality of policyholders' information, except when it becomes necessary to disclose the information to statutory authorities by operation of law. Further, the IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017 require insurers to ensure that their outsourcing service providers maintain the confidentiality of policyholders' data and have adequate security policies to ensure such confidentiality. They also require that, where an outsourcing agreement is terminated, the customer data is retrieved and not used by the outsourcing service provider.

  • Income Tax Act, 1961

This Act prescribes data protection requirements relating to bookkeeping and the maintenance of information relating to transactions. Further, the income tax authorities are entitled to seek disclosure of certain personal information, which must be disclosed in accordance with the provisions of the IT Act and the IT (SPDI) Rules.

  • Prevention of Money Laundering Act, 2002

This Act allows regulatory and investigating authorities to seek disclosure of certain data, subject to the provisions of the IT Act and the IT (SPDI) Rules.

  • Public Financial Institutions (Obligation as to Fidelity and Secrecy) Act, 1983

This Act prohibits public financial institutions from disclosing or sharing any information relating to their clients' affairs.

  • Banking Regulation Act, 1949

This Act, along with the associated regulations, contains principles of privacy regulating the collection, retention and security of customer data.

  • Credit Information Companies (Regulation) Act, 2005

This Act prescribes the manner in which credit information companies should handle data. It sets out the obligations of credit information companies concerning access to data, fidelity and secrecy of data, collection of data for limited purposes, norms for disclosure, and the obligation to maintain confidentiality and accuracy. Further, the regulatory authority under the Act is empowered to lay down standards for data retention from time to time.

  • Banker’s Book Evidence Act, 1891

Under this Act, bank officers are prohibited from disclosing bank records to anyone except when specifically ordered to do so by a court of law.

  • Payment and Settlement Systems Act, 2007

This Act regulates payment services such as debit and credit card transactions, smart card operations, money transfer operations and other similar operations. It ensures the confidentiality of documents or any other data obtained from participants in the payment system, except where a court has passed orders. The RBI has issued the Circular on Storage of Payment Data, 2018, requiring all payment system providers to store the data in India, with transactions end-to-end encrypted and processed as part of payment instructions. Only where a transaction involves a foreign leg may the data, if required, also be stored in the foreign country. The RBI has also introduced the Framework for Outsourcing of Payment and Settlement Related Activities by Payment System Operators, 2021, which subjects the outsourcing of activities by payment system operators to requirements similar to those applicable to banks.


Data Management and Data Protection in Financial Sector

Data management and data protection in the financial sector, across its various industries, are subject to the IT (SPDI) Rules. The IT Act and the IT (SPDI) Rules require a data collector to obtain prior written or electronic consent from the data subject for the collection of information. As per the IT (SPDI) Rules, information may be collected only after the following has been provided to the data subject:

  1. Notice that data is going to be collected
  2. The purpose of the collection of data
  3. The intended recipients of the collected data
  4. The name and address of the agency collecting and retaining the data

Further, data collectors must allow data subjects to decline to provide sensitive personal data, or to withdraw consent to its disclosure or retention by the data collector, at any time in writing.

Banks, financial institutions and any other institutions in the financial sector that are data collectors are obliged to publish their privacy policies on their websites, specifying the following:

  1. Clear and accessible statements of policies and practices
  2. The types of personal data collected
  3. The intended purpose for collecting such information
  4. Disclosure of any information as provided under Rule 8 of the IT (SPDI) Rules
  5. Reasonable security practices and procedures as provided under Rule 8 of the IT (SPDI) Rules

Data protection in the financial sector has always been important. However, with advances in technology, the rising complexity of transactions and the involvement of intermediaries in transactions, it has become easier for data and information to be breached, thereby increasing the need for a data protection law. Although several laws in India regulate data protection in the financial sector, India still lacks a codified data protection law like the EU General Data Protection Rules, which gives high regard to the consent of the individual for the collection of data and expressly prescribes the rights and obligations of the various parties.
