(Personal, Sensitive and Biometric Information)
Legal Division (firstname.lastname@example.org)
Information surround us and is generally captured in virtually everything we do. While some of the information are shared voluntarily; some are disseminated without an express consent, i.e. every time we do a google search, while we try to book a flight, or even when we scroll through shopping portals. Of the several ways in which data is collected, the most prominent one seems to be that collected by various companies and technological platforms while providing goods and services. Another easy access to data is the data available with the bankers, generally received during the KYC process, whereby an individual provides various information such as name, birth, address, Aadhaar number etc.
With globalisation and rapid digitalization, large quantum of data is either collected or shared or generated every micro second. Data has become the new currency in today’s time. While there is no doubt that such information are immensely valuable and several companies are willing to pay for its access, however, it is difficult to determine the exact potential contained by data in its form, and therefore, the likely exploitation. Several multinational organisations are paying huge sum of money to access this data and make business strategies to cater to the needs of the customers. This position is further complicated by government and regulators demanding and seeking access to data from the citizens and corporate. Thus, a need to protect the data from being misused or disclosed for fraudulent purposes becomes necessary.
Considering the risk involved during information sharing process, one may often whether information provided by an individual to a service provider can be disclosed to a third party who is not privy to such information? If yes, are the recipients subject to any restrictions on information sharing? In India, there are a host of laws and judicial pronouncements addressing the issue. By way of this write-up, we intend to delve on the same.
Banker’s Secrecy Obligations:
The general view prevailing till 1924 was that the banker would not make himself liable in any case where he gives bona fide answers to inquiries made by persons really interested, provided he confined his answers to the facts within his knowledge. However, this view was modified by the decision in Tourneir v. National Provincial and Union Bank of England .
In the case of Shankarlal Agarwalla v. State Bank of India AIR 1987 Cal 29, the Hon’ble Calcutta High Court referred to Halsbury’s Laws of England, Vol 1, 2nd edition, which stipulates that:
“It is an implied term of the contract between a banker and his customer that the banker will not divulge to third persons, without the consent of the customer, express or implied, either the state of the customer’s account, or any of his transactions with the bank or any information relating to the customer acquired through the keeping of his account, unless the banker is compelled to do so by order of a Court, or the circumstances give rise to a public duty of disclosure or the protection of the banker’s own interests requires it.”
Referring to Paget’s Law of Banking (9th Edition, page 166), the court observed that among the duties of the banker towards the customer may be reckoned the duty of secrecy. Such duty is a legal one arising out of the contract and is not merely a moral one. Breach of it, therefore, gives a claim for nominal damages or for substantial damages if inquiry is resulted from the breach. It is, however, not an absolute duty, but is a qualified one subject to certain reasonable, if not essential, exceptions. One such instance is the duty to obey an order under the Banker’s Book Evidence Act.
Further, in the case of Kattabomman Transport Corporation Ltd. v. State Bank of India AIR 1992 Ker 351, it was held that among the duties of the banker towards the customer is the duty of secrecy. Such duty is a legal one arising out of the contract and is not merely a moral one.
Restrictions on Sharing of Customer’s Personal and Account based Information and the Relevant RBI Notifications
1. Master Direction- Know Your Customer (KYC) Direction, 2016 (Updated as on August 09, 2019) (“KYC Directions”)
While the bankers collect and store various information and documents received from their customers during the KYC process, Paragraph 56 of the Directions stipulate that banks will maintain complete secrecy regarding the customer information which arises out of the contractual relationship between the banker and customer. It further states that “Information collected from customers for the purpose of opening of account shall be treated as confidential and details thereof shall not be divulged for the purpose of cross selling, or for any other purpose without the express permission of the customer.”
However, just like every rule is subject to certain exceptions, the KYC Directions also lay down certain exceptions to the aforementioned rule. The same is enlisted herein below:
(a) where disclosure is under compulsion of law;
(b) where there is a duty to the public to disclose;
(c) the interest of bank requires disclosure; and
(d) where the disclosure is made with the express or implied consent of the customer.
2. Master Circular on Customer Service- UCBs
Paragraph 25.10.3 of the Circular provides that the banks are required to take appropriate measures to protect the confidential information such as customer name, signature, account number etc. and ensure that these information are not misused by banks or their vendors. Further, due care and secure handling is also required to be exercised during the movement of cheques from the time they are tendered over the counters or dropped in the collection boxes by customers.
3. Master Circular on Credit Card, Debit Card and Rupee Denominated Co-branded Pre-paid Card Operations of Banks and Credit Card issuing NBFCs
Giving due recognition to customer’s rights, the Master Circular stipulates that the card issuing bank/NBFC should not reveal any information relating to customers obtained at the time of opening the account or issuing the credit card to any other person or organization without obtaining their specific consent, as regards the purpose for which the information will be used and the organizations with whom the information will be shared (akin to paragraph 16, which provides for similar restriction on sharing of data obtained at the time of issuing debit cards). In this regard, the circular also specifies that the application form should contain the consent.
In case where the customers gives his consent for the bank sharing the information with other agencies, banks should state and explain clearly to the customer the full meaning/ implications of the disclosure clause. Further, the information being sought from customers should not be of such nature as will violate the provisions of the laws relating to secrecy in the transactions.
In addition, banks/NBFCs are made solely responsible for the correctness of the data provided as above.
Further, the Circular prohibits any co-branding non-banking entity to access any details of customer’s accounts that may violate bank’s secrecy obligations.
Sharing of Customer’s Credit Information
Credit related information pertaining to an individual or a body corporate are definitely relevant for financial institutions, and while the bankers are allowed to publish information of default to CIBIL, the disclosure is definitely not free from restrictions.
We often find people complaining about marketing calls for card cards, etc. Sometimes the customer himself seeks credit referrals from their regular banks, for the purpose of availing loans, etc, and in such case, the entity providing credit undertakes a check from the entity having access to customer’s regular transaction details. Section 17 of the Credit Information Companies (Regulation) Act, 2005 lays down the procedure to be followed by the credit information company or credit institutions for furnishing credit information, which comprises of information with respect to nature of loans, credit worthiness of an individual and such like. Sub- section 3 of the said section states that every credit information company can provide credit information to its specified user, only on receipt of request from him, in accordance with the provisions of the said Act, and directions issued thereunder by the Reserve Bank of India from time to time in this behalf. Here, the term specified user means a credit institution, a credit information company and such person or institution as may be specified by the RBI.
Further, Section 22 of the CIC Act protects the credit information from an unauthorised access. It provides as follows:
“22(1) No person shall have access to credit information in the possession or control of a credit information company or a credit institution or a specified user unless the access is authorised by this act or any other law for the time being in force or directed to do so by any court or tribunal and any such access to credit information without such authorisation or direction shall be considered as an unauthorised access to credit information.”
To read more on sharing of credit information to Fintech companies, one may refer to our article here.
Restriction on Collection, Sharing and Storage of Biometric and Demographic Information:
The debate relating to the data privacy has reached new heights after the Apex Court judgment in Justice K.S. Puttaswamy and Ors. v. Union of India AIR 2017 (SC) 4161 (more commonly known as Aadhaar judgment), wherein it was held that “right to privacy” is a fundamental right guaranteed by Part III of the Constitution of India, and discussing the issue whether the Aadhaar Act violates right to privacy, the Hon’ble Supreme Court observed that “After detailed discussion, it is held that all matters pertaining to an individual do not qualify as being an inherent part of right to privacy. Only those matters over which there would be a reasonable expectation of privacy are protected by Article 21.”
The aforementioned decision had far reaching ramifications on the laws and regulations present in India. The court held that identity of a person is a great significance in individual’s life. The place of birth, parentage and the demographic particulars becomes an important attribute of one’s personality. When all this information is available in one place, in the form of Aadhaar card, it not only becomes unique, it would also qualify as a document of empowerment. Added with this feature, when an individual knows that no other person can clone her, it assumes greater significance. Consequently, it becomes necessary to protect this information. Further, the court discussed informational privacy being one of the essential aspects of fundamental right to privacy. The informational privacy deals with person’s mind i.e. it protects a person by giving the control over the dissemination of material that is personal to him/her and disallowing unauthorised use of such information by the State.
Prior to the Aadhaar judgment, banks and NBFCs were compulsorily collecting their customer’s Aadhaar number for KYC verification, however, the Supreme Court struck off various provisions of the Act as unconstitutional. The court disallowed private entities from using Aadhaar numbers for the purpose of authentication, on the basis of a contract with the concerned individual, since the court was of the view that the same would lead to commercial exploitation of an individual’s biometric and demographic information by private entities, and consequently, be a breach of privacy.
The existing provisions of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 also lay down various restrictions as regards information sharing. The relevant provisions are discussed below:
- Section 29(1) of the Act specifically prohibits sharing of core biometric information, such as finger print, Iris scan, or such other biological attribute of an individual as specified in the regulations, to any person or entity.
- Section 29(3) of the Act states that no identity information (including an individual’s Aadhaar number, his biometric information and his demographic information) available with a requesting entity will be used for any purpose other than specified to the individual at the time of submitting any identity information for authentication. It further states that such information will not be disclosed further except with the prior consent of the individual to whom such information relates.
Again, speaking of sharing of information, it is also pertinent to refer to the provisions of Aadhaar (Sharing of Information) Regulations, 2016. The relevant provisions are as follows:
- Regulation 3 deals with sharing of identity information by the authority. It states as follows:
“(1) Core biometric information collected by the Authority under the Act shall not be shared with anyone for any reason whatsoever.
(2) The demographic information and photograph of an individual collected by the Authority under the Act may be shared by the Authority with a requesting entity in response to an authentication request for e-KYC data pertaining to such individual, upon the requesting entity obtaining consent from the Aadhaar number holder for the authentication process, in accordance with the provisions of the Act and the Aadhaar (Authentication) Regulations, 2016”.
- Regulation 4 places restrictions on the requesting entities on storing of core biometric information. It further prohibits the requesting entities from sharing the identity information available to them for any purpose other than that specified to the Aadhaar number holder at the time of submitting such information for authentication, and without prior consent of the Aadhaar holder.
- Regulation 5 mandates that the requesting entity should take the consent of the Aadhaar card holder for collection, storage and usage of his Aadhaar number. In addition to it, the requesting entities must inform the Aadhaar number holder the purpose for which such information is required and give alternatives to submission of Aadhaar number, if any.
- Regulation 6 put restrictions on sharing, circulating or publishing of the Aadhaar number. Clause 1 of said regulation states that the Aadhaar number of an individual will not be published, displayed or posted publicly by any person or entity or agency. Further, Clause 3 states that no entity including a requesting entity will make public any database or record containing the Aadhaar numbers of individuals unless the Aadhaar numbers have been blacked out through appropriate means both in print and electronic form.
Some Common Exceptions to Secrecy Obligations
Having discussed the restrictions on usage and shareability of various information, it is relevant to understand the circumstances wherein disclosure can be made. Below we provide a few instances wherein disclosure of information will be deemed to be in accordance with law.
1. Reasonable and Proper Occasions for Disclosure:
The question that may arise is what is regarded as a reasonable and a proper occasion? One such instance of proper occasion for disclosure is where disclosure is warranted under law.
2. Common Courtesy:
Bankers have, of course, always acted honourably upon the principle of treating their customers’ affairs in confidence and only disclosing them in exceptional and justifiable circumstances. All the same there is a well- recognised practice among bankers themselves, generally described as “a common courtesy” whereby a bank, desiring information enquires of another bank. Information given in response to such enquiries is given confidentially and is worded with scrupulous care, so as to disclose no more than the general position of the customer. Such cases are, it is presumed, supported as permissible by reason of the implied consent of the customer, derived from evidence of a well- known practice among bankers and the circumstances giving rise to the enquiry.
However, in this case, one has to see the reasonability of the disclosure and the banker should limit the information (to be read as: nature or type of information) disclosed.
3. Disclosure with Express Consent of Customer:
After analysing the rules and regulations governing the disclosure of information, it is understood that bankers are allowed to share customer information with third parties only after taking the express consent from the information provider. Considering the various RBI notifications, as discussed above, the consent of the information provider is mandatory for the disclosing or sharing of personal information such as account number, financial information etc. The Aadhaar judgment also specifies that any identity information, consisting of Aadhaar number, as well as demographic and biometric information, collected by an entity cannot be shared unless an express approval is taken by the Aadhaar card holder.
As we understand from the above, the basic principle is that an individual’s data is his private property, and that he may waive off his right to privacy by voluntarily agreeing to share data, however, the following points should be kept in mind:
- Customer has given his consent by applying his mind, by understanding the choices that he has and the consequences of sharing or not sharing the data. The bankers sometime entice the customer into data sharing by providing certain add- on services, in such case also, it is the customer’s discretion, based on the comparative analysis- (i) What does he gain/lose by agreeing; (ii) What does he gain/lose by not agreeing.
- Free consent has a meaning only if the customer is made aware that he has a right not to agree. The consent should not be buried in a heap of words, and it is advisable the consent is specifically obtained.
- Consent should not be obtained by trickery or by not providing the customer the option to withhold consent.
A banker and his subordinates are, in this respect, in the same position as any other member of the community. In addition to the liability to the customer on account of unjustifiable disclosure of his account, the banker may make himself liable to the party to whom the information is given, to compensate him for the loss which the latter may suffer on account of having relied upon the information; provided it is proved that the banker gave the information knowing it to be false, or without having justifiable reason to believe it to be true. Therefore, the following points are also of relevance in case the banker decides to give information regarding the state of his customer’s account:
- The banker should ensure that he adheres to facts only, and as disclosed by the account, so as to avoid any liability as to any claim for fraudulent misrepresentation;
- Information should only be given to a fellow banker, or to a person authorised by the customer to receive such information, in confidence and without prejudice; and
- Information should be shared only on need to know basis.
 (1924) 1 KB 461
 Tannan’s Banking Law and Practice in India, by Vinod Kothari, 26th Edition, 2017, pages 355- 356