Rule 10
10. Verifiable consent for processing of personal data of child or of person with disability who has lawful guardian.—
(1) A Data
Fiduciary shall adopt appropriate technical and organisational measures to
ensure that verifiable consent of the parent is obtained before the
processing of any personal data of a child and shall observe due diligence,
for checking that the individual identifying herself as the parent is an adult
who is identifiable if required in connection with compliance with any law
for the time being in force in India, by reference to—
(a) reliable
details of identity and age available with the Data Fiduciary; or
(b)
voluntarily provided details of identity and age or a virtual token mapped to
the same, which is issued by an entity entrusted by law or the Central
Government or a State Government with the maintenance of such details or a
person appointed or permitted by such entity for such issuance, and includes
such details or token verified and made available by a Digital Locker service
provider.
Illustration.
C is a child, P is her parent, and DF is a Data
Fiduciary. A user account of C is sought to be created on the online platform
of DF, by processing the personal data of C.
Case 1: C informs DF that she is
a child. DF shall enable C’s parent to identify herself through its website,
app or other appropriate means. P identifies herself as the parent and
informs DF that she is a registered user on DF’s platform and has previously
made available her identity and age details to DF. Before processing C’s
personal data for the creation of her user account, DF shall check to confirm
that it holds reliable identity and age details of P.
Case 2: C informs DF that she is a child. DF shall enable C’s parent to identify herself through its website, app or other appropriate means. P identifies herself as the parent and informs DF that she herself is not a registered user on DF’s platform. Before processing C’s personal data for the creation of her user account, DF shall, by reference to identity and age details issued by an entity entrusted by law or the Government with maintenance of the said details or to a virtual token mapped to the same, check that P is an identifiable adult. P may voluntarily make such details available using the services of a Digital Locker service provider.
Case 3: P identifies
herself as C’s parent and informs DF that she is a registered user on DF’s
platform and has previously made available her identity and age details to
DF. Before processing C’s personal data for the creation of her user account, DF
shall check to confirm that it holds reliable identity and age details of P.
Case 4: P identifies herself as C’s parent and informs DF that she herself is not a registered user on DF’s platform. Before processing C’s personal data for the creation of her user account, DF shall, by reference to identity and age details issued by an entity entrusted by law or the Government with maintenance of the said details or to a virtual token mapped to the same, check that P is an identifiable adult. P may voluntarily make such details available using the services of a Digital Locker service provider.
(2) A Data Fiduciary, while obtaining verifiable consent from an
individual identifying herself as the lawful guardian of a person with
disability, shall observe due diligence to verify that such guardian is
appointed by a court of law, a designated authority or a local level
committee, under the law applicable to guardianship.
(3) In this rule, the
expression—
(a) “adult” shall mean an individual who has completed the age of
eighteen years;
(b) “Digital Locker service provider” shall mean such
intermediary, including a body corporate or an agency of the appropriate
Government, as may be notified by the Central Government, in accordance with
the rules made in this regard under the Information Technology Act, 2000 (21
of 2000);
(c) “designated authority” shall mean an authority designated under
section 15 of the Rights of Persons with Disabilities Act, 2016 (49 of 2016)
to support persons with disabilities in exercise of their legal capacity;
(d) “law applicable to guardianship” shall mean,—
(i) in relation to an
individual who has long term physical, mental, intellectual or sensory
impairment which, in interaction with barriers, hinders her full and
effective participation in society equally with others and who despite being
provided adequate and appropriate support is unable to take legally binding
decisions, the provisions of law contained in Rights of Persons with
Disabilities Act, 2016 (49 of 2016) and the rules made thereunder; and
(ii)
in relation to a person who is suffering from any of the conditions relating to
autism, cerebral palsy, mental retardation or a combination of such conditions
and includes a person suffering from severe multiple disability, the provisions
of law of the National Trust for the Welfare of Persons with Autism, Cerebral
Palsy, Mental Retardation and Multiple Disabilities Act, 1999 (44 of 1999) and
the rules made thereunder;
(e) “local level committee” shall mean a local
level committee constituted under section 13 of the National Trust for the
Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and
Multiple Disabilities Act, 1999 (44 of 1999);
(f) “person with disability”
shall mean and include—
(i) an individual who has long term physical, mental,
intellectual or sensory impairment which, in interaction with barriers,
hinders her full and effective
participation in society equally with others
and who, despite being provided adequate and appropriate support, is unable
to take legally binding decisions;
and
(ii) an individual who is suffering
from any of the conditions relating to autism, cerebral palsy, mental
retardation or a combination of any two or more of such conditions and includes
an individual suffering from severe multiple disability.