Indian BPO exempted from new IT security rules.
After the angst expressed by the $14-billion Indian BPO industry over the new data protection rules this year, the government has finally relented. It has clarified that the new rules won't apply to outsourcing providers located in India.
After Nasscom's submission, the government this week issued a clarification stating that BPOs located in India will be governed only by specific contracts signed with their global and Indian customers.
The rules, in their previous form, were impacting a large number of BPOs that collect credit card or financial information from companies and individuals in the US or Europe. Sensitive information here refers to physical, physiological and mental health condition, medical records and history. All medical transcription firms operating out of India have to have access to medical records of patients in the US.
The new Section 43A of the Indian IT Act stated that a corporate shall have to obtain permission through letter, fax or email from each client before collection of sensitive information. Thus, BPOs would have to inform the client regarding the purpose of usage before collection of such information, if they went by the IT rules 2011.
Nasscom and the Data Security Council of India have welcomed the clarification issued by the IT ministry on the notified Rules under Section 43A of the IT Act. The government has added that consent can now be given by any mode of electronic communication, such as SMS or call, and is not restricted to consent provided through letter, fax or email.
"The rules issued recently had created possible interpretation issues for outsourcing companies. We thank the government for their support in issuing the necessary clarifications," said Nasscom president Som Mittal.
The rules related to implementation of reasonable security practices by a body corporate for sensitive personal information, which here refers to financial details related to bank account, credit card or other payment instruments.
A large number of BPOs in India have clients such as American Express, Citibank, HSBC and Bank of America, and collect financial information before undertaking any transaction. The government's clarification, however, advises the service providers to follow 'reasonable security practices' for protecting sensitive personal information processed by them.