In the landmark case _______________ the Honourable Supreme Court of India reaffirmed the
status of Right to Privacy as a Fundamental Right under Part III of the Constitution.
C
Explanation:
The landmark judgment in “Justice K. S. Puttaswamy (Retd.) and Anr. vs. Union of India And Ors”
delivered on August 24, 2017, reaffirmed that:
"The Right to Privacy is protected as an intrinsic part of the Right to Life and Personal Liberty under
Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution."
This case is foundational to the development of privacy jurisprudence in India and has guided the
formulation of the Indian Data Protection law.
Which of the following wasn't prescribed as a privacy principle under the OECD Privacy Guidelines,
1980?
C
Explanation:
The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980)
defined eight core privacy principles:
Collection Limitation
Data Quality
Purpose Specification
Use Limitation
Security Safeguards
Openness
Individual Participation
Accountability
“Data Minimization” was not part of the original 1980 OECD principles. While it is a common privacy
principle today and included in modern frameworks like GDPR and DSCI's DPF, it was not part of the
original OECD set.
Which of the following provisions of Information Technology (Amendment) Act, 2008 deal with
protection of PI or SPDI of Individuals?
A
Explanation:
The Information Technology (Amendment) Act, 2008 introduced critical provisions for data
protection:
Section 43A: Mandates compensation for failure to protect personal data by a body corporate
handling sensitive personal data or information (SPDI).
Section 72A: Imposes penalties for disclosure of information in breach of lawful contracts.
These two sections form the legal basis for protection of personal data under the IT Act in India.
How are privacy and data protection related to each other?
A
Explanation:
According to DSCI Privacy Framework and aligned literature, data protection primarily deals with the
operational and technical safeguards to ensure the confidentiality, integrity, and availability of
personal data. Privacy is a broader concept encompassing the right of individuals to control their
personal information, including legal, social, and ethical dimensions.
Thus, data protection is considered a subset or enabler of the broader right to privacy, supporting its
implementation by managing risks related to data handling and security.
Arrange the following techniques in decreasing order of the risk of re-identification:
I) Pseudonymization
II) De-identification
III) Anonymization
A
Explanation:
According to the DSCI Assessment Framework for Privacy (DAF-P©), the techniques for reducing
identifiability differ in their effectiveness:
Pseudonymization replaces identifiable fields within a data record with artificial identifiers. However,
if additional information (mapping or lookup tables) exists, re-identification is possible.
De-identification removes or masks identifiers, but residual or quasi-identifiers may still allow
re-identification under certain conditions.
Anonymization aims to irreversibly remove any link between the data and the identity of the subject,
thus presenting the least risk of re-identification.
Therefore, when arranged in decreasing order of re-identification risk:
Pseudonymization (highest risk)
De-identification
Anonymization (lowest risk)
This validates option A. I, II as correct.
Which among the following would not be characteristic of a good privacy notice?
C
Explanation:
A good privacy notice, as guided by the DSCI Privacy Framework and other global frameworks,
should be:
Easy to understand
Clear and concise
Accessible in multiple languages where appropriate
While being comprehensive is essential, overwhelming users with exhaustive and overly detailed
information is discouraged. Overly lengthy notices may obscure important information and reduce
usability. The objective is to balance completeness with clarity and brevity.
Thus, Option C, by suggesting excessive length, does not align with the characteristics of a good
privacy notice.
Which of the following mechanisms can be used to transfer personal data outside of a country?
D
Explanation:
All the mechanisms listed—Binding Corporate Rules (BCRs), Adequacy Decisions, and Standard
Contractual Clauses (SCCs)—are recognized tools for lawful cross-border data transfers under global
privacy regulations like the GDPR and are incorporated by reference into Indian privacy practices.
BCRs are internal rules adopted by multinational groups.
Adequacy Decisions are determinations that another jurisdiction provides an adequate level of data
protection.
SCCs are pre-approved contract templates for data transfers.
These approaches ensure continued protection of personal data outside of national borders.
______________ is used to identify and reduce privacy risks by analyzing what is processed by the
entity and the policies in place to protect the data.
A
Explanation:
A Privacy Impact Assessment (PIA) or Data Protection Impact Assessment (DPIA) is a formal process
used to evaluate the risks to privacy in the collection and use of personal data.
As per global frameworks (including GDPR, and referenced in DPF/DAF-P), a PIA helps determine:
What personal data is processed
The necessity and proportionality of processing
Risks to individual rights
Safeguards and mitigation strategies
Thus, the correct answer is A.
Which of the following is not in line with the modern definition of Consent?
C
Explanation:
The modern definition of consent, as defined under the DSCI Privacy Framework and GDPR, includes
the following criteria:
It must be freely given, specific, informed, and unambiguous
It must be indicated by a clear affirmative action
Individuals must be able to withdraw consent at any time
It must not be bundled or forced (e.g., acceptance of multiple processing purposes without choice)
Bundled consent—where the individual must consent to multiple unrelated data processing
purposes together—is not aligned with the requirement of specific and informed consent. Hence,
Option C is incorrect.
Which of the following best describes ‘Processing’?
D
Explanation:
According to the DSCI Privacy Framework and international standards like GDPR and APEC:
“Processing” refers to any operation or set of operations performed on personal data, whether or not
by automated means. This includes:
Collection, recording, organization, structuring
Storage, adaptation or alteration
Retrieval, consultation, use
Disclosure by transmission, dissemination
Alignment, combination, restriction, erasure or destruction
Hence, “processing” is indeed a blanket term encompassing a broad spectrum of actions involving
personal data.