Rule 7
Intimation of personal data breach
U/s 8(6)
No | Description
---|---
(1) | On becoming aware of any personal data breach in respect of personal data collected by the Data Fiduciary or generated by processing the same, the Data Fiduciary shall forthwith intimate the Board, through the website of the Board in such form as may be provided thereat, to the best of the knowledge of the Data Fiduciary,-
(a) | a description of the breach, including its nature;
(b) | the date and time when the Data Fiduciary became aware of the breach;
(c) | the timing or duration of occurrence of the breach;
(d) | the location where the breach occurred;
(e) | the extent of the breach, in terms of the nature and quantum of data involved; and
(f) | the potential impact of the breach.
(2) | The Data Fiduciary shall also intimate to the Board the details of such personal data breach, through the website of the Board in such form as may be provided thereat, to the best of the knowledge of the Data Fiduciary, within seventy-two hours of becoming aware of the same,-
(a) | the broad facts related to the events, circumstances and reasons leading to the breach;
(b) | a detailed description of the extent of the breach, including details regarding the actual or estimated number of Data Principals affected or likely to be affected;
(c) | updated information, if any, in respect of the intimation given under sub-rule (1);
(d) | the measures implemented or proposed, if any, to mitigate risk to Data Principals;
(e) | any findings regarding the person who caused the breach; and
(f) | remedial measures taken to prevent the recurrence of such a breach.
(3) | A Data Fiduciary may use a personal data breach intimation artifact for the purpose of giving an intimation under sub-rule (1) or sub-rule (2).
(4) | On becoming aware of any personal data breach in respect of personal data collected by the Data Fiduciary from a Data Principal or generated by processing the same, the Data Fiduciary shall intimate such breach to such affected Data Principal, specifying in a concise, clear and plain manner the following details, namely,-
(a) | a description of the breach, including its nature, such as whether it was on account of unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data;
(b) | the timing or duration of occurrence of the breach;
(c) | the extent of the breach, in so far as it relates to the Data Principal;
(d) | the consequences to the Data Principal that are likely to arise from the breach;
(e) | measures implemented by the Data Fiduciary, if any, to mitigate risk to the Data Principal;
(f) | safety measures that the Data Principal may take to protect her interests; and
(g) | name and contact details of the Data Protection Officer or any other person as specified in rule 8 for purposes of any communication regarding such breach.
(5) | The intimation under sub-rule (4) shall be-
(a) | given through any mode of communication of the Data Principal that is registered with the Data Fiduciary, or through any other effective method, such as an in-app notification; and
(b) | easily storable or preservable by the Data Principal for future reference.
(6) | The Board may, in relation to a personal data breach, upon a request being made in writing by the Data Fiduciary in this behalf, if it is satisfied that there are grounds for doing so, allow such Data Fiduciary a longer period for giving an intimation under sub-rule (2), or to intimate the details required to be intimated thereunder in a phased manner or as and when they become available.