18. Processing of sensitive personal data based on explicit consent. —
(1) Sensitive personal data may be processed on the basis of explicit consent.
(2) For the purposes of sub-section (1), consent shall be considered explicit only if it is valid as per section 12 and is additionally:
(a) informed, having regard to whether the attention of the data principal has been drawn to purposes of or operations in processing that may have significant consequences for the data principal;
(b) clear, having regard to whether it is meaningful without recourse to inference from conduct in a context; and
(c) specific, having regard to whether the data principal is given the choice of separately consenting to the purposes of, operations in, and the use of different categories of sensitive personal data relevant to processing.
19. Processing of sensitive personal data for certain functions of the State. —
Sensitive personal data may be processed if such processing is strictly necessary for:
(a) any function of Parliament or any State Legislature.
(b) the exercise of any function of the State authorised by law for the provision of any service or benefit to the data principal.
20. Processing of sensitive personal data in compliance with law or any order of any court or tribunal. —
Sensitive personal data may be processed if such processing is—
(a) explicitly mandated under any law made by Parliament or any State Legislature; or
(b) necessary for compliance with any order or judgment of any Court or Tribunal in India.
21. Processing of certain categories of sensitive personal data for prompt action. —
Passwords, financial data, health data, official identifiers, genetic data, and biometric data may be processed where such processing is strictly necessary—
(a) to respond to any medical emergency involving a threat to the life or a severe threat to the health of the data principal;
(b) to undertake any measure to provide medical treatment or health services to any individual during an epidemic, outbreak of disease or any other threat to public health; or
(c) to undertake any measure to ensure safety of, or provide assistance or services to, any individual during any disaster or any breakdown of public order.
22. Further categories of sensitive personal data.—
(1) Such further categories of personal data as may be specified by the Authority shall be sensitive personal data and, where such categories of personal data have been specified, the Authority may also specify any further grounds on which such specified categories of personal data may be processed.
(2) The Authority shall specify categories of personal data under sub-section (1) having regard to—
(a) the risk of significant harm that may be caused to the data principal by the processing of such category of personal data;
(b) the expectation of confidentiality attached to such category of personal data;
(c) whether a significantly discernible class of data principals may suffer significant harm from the processing of such category of personal data; and
(d) the adequacy of protection afforded by ordinary provisions applicable to personal data.
(3) The Authority may also specify categories of personal data, which require additional safeguards or restrictions where repeated, continuous or systematic collection for the purposes of profiling takes place and, where such categories of personal data have been specified, the Authority may also specify such additional safeguards or restrictions applicable to such processing.