The Central Government made four sets of Rules under the Information Technology Act, 2000 (the “IT Act”) in April 2011, to further regulate information technology in India. These are as follows:
I. INFORMATION TECHNOLOGY (ELECTRONIC SERVICE DELIVERY) RULES, 2011
These Rules are for the regulation of electronic services. “Electronic Service Delivery” means the delivery of public services in the form of the filing and receipt of forms and applications, the issue or grant of any licence, permit, certificate, sanction or approval, and the receipt or payment of money by electronic means, following the procedure specified in the Rules.
1. Electronic Service Delivery System and Notification
The system for Electronic Service Delivery is specified in Rule 3. Public services may be delivered through cyber cafes, as defined in the IT Act, or through any other electronic service delivery mechanism operated by the government or its agency. The form and manner of Electronic Service Delivery, the encryption of sensitive electronic records, authorisation to collect service charges and the services that may be electronically delivered, among other things, may be specified by the government.
All authorities that issue any such approval electronically must create, archive and maintain a repository of electronically signed electronic records of these approvals online, with due timestamps of creation of these records. The government may specify the manner of creating, archiving and maintaining the repository of electronically signed electronic records referred to above. The authorities may electronically sign the electronic records of such approvals individually or as a whole for a specific duration, and shall be responsible for administering them online.
2. Procedure for Making Changes
The government may order changes in a repository of electronically signed electronic records, with reasons. Any such change shall be electronically signed by the person who is authorised to make such changes along with the time stamps of original creation and modification times.
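The repository and change procedure described in the two paragraphs above can be modelled in code. The following is an added example written for this page; it is not code from the Rules or from any government system. A keyed HMAC over the canonical JSON of a record stands in for the electronic signature (an assumption made here so the example runs with the standard library only), the officer names and keys are constructed, and the set of officers authorised to make changes is an assumed configuration. Every version of a record is kept, so the original creation time and each modification time remain available, and any version whose content no longer matches its signature is detected.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed signing keys for two hypothetical officers. A keyed HMAC stands in
# for the electronic signature the Rules require; a real deployment would use
# each officer's digital-signature certificate instead of a shared secret.
SIGNING_KEYS = {
    "officer-a": b"constructed-key-for-officer-a",
    "officer-b": b"constructed-key-for-officer-b",
}

# Officers permitted to change records (assumed configuration): the Rules say a
# change must be signed by the person authorised to make it.
AUTHORISED_TO_CHANGE = {"officer-b"}


def utc_now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def canonical_bytes(record: dict) -> bytes:
    """Deterministic serialisation so the signature covers every field identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_record(signer: str, record: dict) -> str:
    return hmac.new(SIGNING_KEYS[signer], canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_record(signer: str, record: dict, signature: str) -> bool:
    return hmac.compare_digest(signature, sign_record(signer, record))


class ApprovalRepository:
    """Stores every signed version of each approval so that the original creation
    timestamp and every modification timestamp stay auditable."""

    def __init__(self):
        self._versions = {}  # record_id -> [{"record", "signer", "signature"}, ...]

    def create(self, record_id, approval, signer, created_at=None):
        if record_id in self._versions:
            raise ValueError(f"record {record_id} already exists")
        created_at = created_at or utc_now()
        record = {
            "id": record_id,
            "approval": approval,
            "created_at": created_at,
            "modified_at": created_at,
            "change_reason": None,
        }
        self._versions[record_id] = [
            {"record": record, "signer": signer, "signature": sign_record(signer, record)}
        ]

    def change(self, record_id, new_approval, reason, signer, modified_at=None):
        if signer not in AUTHORISED_TO_CHANGE:
            raise PermissionError(f"{signer} is not authorised to change records")
        if not reason:
            raise ValueError("a change must state its reason")
        previous = self._versions[record_id][-1]["record"]
        # created_at is carried over untouched; only modified_at and the reason change.
        record = dict(previous, approval=new_approval,
                      modified_at=modified_at or utc_now(), change_reason=reason)
        self._versions[record_id].append(
            {"record": record, "signer": signer, "signature": sign_record(signer, record)}
        )

    def current(self, record_id) -> dict:
        return self._versions[record_id][-1]["record"]

    def versions(self, record_id) -> list:
        return self._versions[record_id]

    def verify_history(self, record_id) -> bool:
        """True only if every stored version still matches the signature made over it."""
        return all(verify_record(v["signer"], v["record"], v["signature"])
                   for v in self._versions[record_id])


if __name__ == "__main__":
    repo = ApprovalRepository()
    repo.create("LIC-0001", "trade licence granted", "officer-a", "2011-04-11T10:00:00+00:00")
    repo.change("LIC-0001", "trade licence amended", "address correction", "officer-b",
                "2011-06-01T09:30:00+00:00")
    print(repo.current("LIC-0001"), repo.verify_history("LIC-0001"))
```

The `verify_history` check is what an auditor would run over the repository: an edit made directly to storage, bypassing the signing step, leaves a version whose signature no longer verifies.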
3. Responsibility of Service Provider and Authorised Agents for Financial Management and Accounting and Audit of Information Systems and Accounts
The government may direct every service provider to keep an updated and accurate account of transactions, receipts and vouchers, and may specify the formats for maintaining accounts of transactions and receipts of payment in respect of the electronic services delivered. The said records shall be produced for inspection and audit before an agency or person nominated by the government.
The accounts of the service providers may be audited by audit agencies nominated by the government, at such intervals as the government deems fit.
All service providers and authorised agents are to submit a due declaration that they will protect the data of every individual transaction and citizen. Any service provider or agent that makes an unauthorised disclosure to anyone without the written consent of either the individual or the government shall be debarred from providing such a service any further.
The government may specify use of special stationery with accompanying security features for forms, and other documents as part of Electronic Service Delivery.
II. INFORMATION TECHNOLOGY (REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION) RULES, 2011
1. Meaning of Sensitive Personal Data or Information
“Sensitive personal data or information” (hereinafter “sensitive information”) in these Rules refers to: passwords; financial information; physical, physiological and mental health condition; sexual orientation; medical records and history; biometric information; any detail relating to the above clauses as provided to a body corporate for providing a service; and any of the information received under the above clauses by a body corporate for processing, stored or processed under lawful contract or otherwise.
However, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive information for the purposes of these rules.
2. Policy for Privacy and Disclosure of Information
3. Collection of Information
A body corporate must obtain written consent from the provider of the sensitive information regarding the purpose of usage before collecting such information, and may only collect sensitive information for a lawful purpose connected with a function or activity of the body corporate, and only where the collection is necessary for that purpose. The person concerned must have knowledge of the fact that the information is being collected, the purpose for which it is being collected, the intended recipients of the information, and the contact details of the agency collecting the information and the agency that will retain it.
The body corporate shall not retain that information for longer than required for the purposes for which the information may lawfully be used or is otherwise required under law. The information collected shall be used for the purpose for which it has been collected. However, a body corporate shall not be responsible for the authenticity of the sensitive information supplied by the provider of information to such body corporate.
A body corporate shall, prior to the collection of sensitive information, provide the provider of the information with an option not to provide the data or information sought to be collected. The provider of information shall, at any time while availing the services or otherwise, also have an option to withdraw the consent given earlier to the body corporate. Such withdrawal of consent shall be sent in writing to the body corporate. If the provider of information does not provide, or later withdraws, consent, the body corporate shall have the option not to provide the goods or services for which the said information was sought. The body corporate shall keep the information secure as provided below.
The body corporate shall address any discrepancies and grievances of the provider of the information with respect to the processing of information in a time-bound manner. For this purpose, the body corporate shall designate a Grievance Officer and publish his name and contact details on its website. The Grievance Officer shall redress the grievances of the provider of information expeditiously, but within one month from the date of receipt of the grievance.
4. Disclosure of Information
Disclosure of sensitive information by body corporate to any third party shall require prior permission from the provider of such information, who has provided such information under lawful contract or otherwise, unless such disclosure has been agreed to in the contract between the body corporate and provider of information, or where the disclosure is necessary for compliance of a legal obligation: Provided that the information shall be shared, without obtaining prior consent from provider of information, with Government agencies mandated under the law to obtain information including sensitive information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences. The Government agency shall send a request in writing to the body corporate possessing the sensitive information stating clearly the purpose of seeking such information. The Government agency shall also state that the information so obtained shall not be published or shared with any other person.
Notwithstanding anything contained above, sensitive information shall be disclosed to a third party where an order under law requires it. The body corporate shall not publish the sensitive information.
The third party receiving the sensitive information from a body corporate as above, shall not disclose it further.
5. Transfer of Information
A body corporate may transfer sensitive information, including any information, to any other body corporate or a person in India, or located in any other country, that ensures the same level of data protection as is adhered to by the body corporate under these Rules. The transfer may be allowed only if it is necessary for the performance of the lawful contract between the body corporate and the provider of information, or where the provider of information has consented to the data transfer.
6. Reasonable Security Practices and Procedures
A body corporate shall be considered to have complied with reasonable security practices and procedures if it has implemented such security practices and standards and has a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures commensurate with the information assets being protected and the nature of the business. In the event of an information security breach, the body corporate shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that it has implemented security control measures as per its documented information security programme and information security policies.
A body corporate which has implemented codes of best practices for data protection as approved and notified under the Rules shall be deemed to have complied with reasonable security practices and procedures, provided that such standard or codes of best practices have been certified or audited on a regular basis by an independent auditor duly approved by the Central Government. The audit of reasonable security practices and procedures shall be carried out at least once a year, or as and when the body corporate undertakes a significant upgrade of its processes and computer resources.
III. INFORMATION TECHNOLOGY (INTERMEDIARIES GUIDELINES) RULES, 2011
“Intermediary” has the same meaning as given to it in the IT Act. These Rules lay down procedures and substantive guidelines to be followed by intermediaries.
Due Diligence to be Observed by Intermediary
The intermediary must inform its users, through its rules and regulations, terms of use and privacy policy, not to host, display, upload, modify, publish, transmit, update or share any information that:
(a) belongs to another person and to which the user does not have any right;
(b) is grossly harmful, harassing, blasphemous, defamatory, obscene, pornographic, paedophilic, libellous, invasive of another’s privacy, hateful, or racially or ethnically objectionable, disparaging, relating to or encouraging money laundering or gambling, or otherwise unlawful in any manner;
(c) harms minors in any way;
(d) infringes any patent, trademark, copyright or other proprietary rights;
(e) violates any law for the time being in force;
(f) deceives or misleads the addressee about the origin of such messages or communicates any information which is grossly offensive or menacing in nature;
(g) impersonates another person;
(h) contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer resource;
(i) threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or public order, or causes incitement to the commission of any cognisable offence, or prevents investigation of any offence, or insults any other nation.
The intermediary shall not knowingly host or publish any such information, nor initiate the transmission, select the receiver of the transmission, or select or modify the information contained in the transmission, as specified above. The following actions by an intermediary shall not amount to hosting, publishing, editing or storing of any such information specified above:
(a) temporary storage of information automatically within the computer resource as an intrinsic feature of such computer resource, involving no exercise of any human editorial control, for onward transmission or communication to another computer resource;
(b) removal of access to any information, data or communication link by an intermediary after such information, data or communication link comes to the actual knowledge of a person authorised by the intermediary, pursuant to any order or direction as per the provisions of the Act.
The intermediary on whose computer system the information is stored, hosted or published shall, upon obtaining knowledge of any such information as mentioned above, act within 36 hours and, where applicable, work with the user or owner of such information to disable the information that is in contravention of the above provisions. The intermediary shall preserve such information and associated records for at least 90 days for investigation purposes.
The intermediary shall provide information or any such assistance to Government agencies that are lawfully authorised for investigative, protective or cyber security activity. The information or assistance shall be provided for the purpose of verification of identity, or for the prevention, detection, investigation and prosecution of offences and cyber security incidents and the punishment of offences under any law, on a request in writing stating the purpose of seeking such information or assistance.
The intermediary is required to take all reasonable measures to secure its computer resource and the information contained therein, following the reasonable security practices and procedures prescribed in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
The intermediary must publish on its website the name of the Grievance Officer and his contact details, as well as the mechanism by which complaints about illegal access or usage may be notified. The Grievance Officer shall redress complaints within one month of the date of receipt of the complaint.
IV. INFORMATION TECHNOLOGY (GUIDELINES FOR CYBER CAFE) RULES, 2011
1. Agency for Registration of Cyber Cafe
All cyber cafes shall be registered with a unique registration number with a registration agency as notified by the government in this regard. The broad terms of registration shall include name of the establishment, address including email address, type of organisation (such as partnership or sole proprietorship or company), date of incorporation, name of owner/partner/proprietor/director, whether registered or not (if yes, then proof of registration), and type of service to be provided.
Registration of the cyber cafe may be followed up with a physical visit by an officer from the registration agency, and the details of registration shall be published on the website of the registration agency.
2. Identification of User
The cyber cafe may not allow any user to use its computer resource without his identity being established. A valid identity proof may be a school or college ID card, passport, voter’s ID or PAN Card, as listed in the Rules, which shall identify the users to the satisfaction of the cyber cafe.
In addition to the identity established by a user under the above provisions, he may be photographed by the cyber cafe. Such photographs, duly authenticated by the user and authorised representative of the cyber cafe, shall be part of the log register described below. A person accompanying a user shall be allowed to enter the cyber cafe after he has established his identity by producing a document listed above and record of same shall be kept in accordance with the above provisions.
The cyber cafe shall immediately report to the police concerned if it has reasonable doubt or suspicion regarding any user.
3. Log Register
The cyber cafe shall record and maintain the required information of each user, as well as of any accompanying person, in the log register for a minimum period of one year. The cyber cafe may maintain an online version of the log register, authenticated by digital or electronic signature. The log register shall contain at least the name, address, gender, contact number, and type and detail of the identification document of the user, along with the date, computer terminal identification, log-in time and log-out time.
The cyber cafe is required to prepare a monthly report of the log register showing date-wise details on the usage of the computer resource and submit a hard and soft copy of the same to the person or agency as directed by the registration agency by the 5th day of next month.
The cyber cafe owner shall be responsible for storing and maintaining backups of the history of websites accessed using the computer resources at the cyber cafe, and of the logs of the proxy server installed at the cyber cafe, for each access or login by any user of its computer resources, for at least one year. The cyber cafe shall ensure that the log register is not altered and is maintained in a secure manner.
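The log register requirements in section 3 above (mandatory fields, accepted identity documents, one-year minimum retention, a date-wise monthly report, and a register that must not be altered) can be checked mechanically. The following is an added example written for this page, not code from the Rules or from any cyber cafe software. The identity-document tokens and the three register entries are constructed; the hash chain linking consecutive entries is one assumed way of making alteration of an earlier entry detectable (the Rules only say the register must not be altered, and do not prescribe a mechanism).

```python
import hashlib
import json
from datetime import date, timedelta

# Fields the Rules require in every log register entry.
REQUIRED_FIELDS = ("name", "address", "gender", "contact_number", "id_type",
                   "id_detail", "date", "terminal", "login_time", "logout_time")

# Constructed tokens for the identity documents listed on the page.
ACCEPTED_ID_TYPES = {"school_or_college_id", "passport", "voter_id", "pan_card"}

# The Rules set a minimum retention period of one year.
MIN_RETENTION = timedelta(days=365)
GENESIS_HASH = "0" * 64


def _digest(obj) -> str:
    return hashlib.sha256(
        json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")
    ).hexdigest()


class LogRegister:
    """Append-only register: each entry's hash covers the previous entry's hash, so
    editing or deleting an earlier entry breaks every later link (assumed mechanism)."""

    def __init__(self):
        self.entries = []  # [{"seq", "data", "prev_hash", "hash"}, ...]

    def record(self, data: dict) -> str:
        missing = [f for f in REQUIRED_FIELDS if not data.get(f)]
        if missing:
            raise ValueError(f"entry is missing required fields: {missing}")
        if data["id_type"] not in ACCEPTED_ID_TYPES:
            raise ValueError(f"identity document not accepted: {data['id_type']}")
        date.fromisoformat(data["date"])  # rejects a malformed date early
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {"seq": len(self.entries), "data": dict(data), "prev_hash": prev_hash}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify_chain(self) -> bool:
        """True only if every entry still matches its hash and links to its predecessor."""
        prev = GENESIS_HASH
        for e in self.entries:
            if e["prev_hash"] != prev:
                return False
            if _digest({"seq": e["seq"], "data": e["data"], "prev_hash": e["prev_hash"]}) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def monthly_report(self, year: int, month: int) -> dict:
        """Date-wise usage for the month, as the report due by the 5th of the next month."""
        per_day = {}
        for e in self.entries:
            d = date.fromisoformat(e["data"]["date"])
            if (d.year, d.month) == (year, month):
                per_day.setdefault(d.isoformat(), []).append(e["data"]["terminal"])
        return {day: {"sessions": len(terms), "terminals": sorted(set(terms))}
                for day, terms in sorted(per_day.items())}

    def past_minimum_retention(self, today: date) -> list:
        """Sequence numbers of entries older than one year; only these may be considered
        for removal, and removing them must be done by archiving, never by editing the chain."""
        cutoff = today - MIN_RETENTION
        return [e["seq"] for e in self.entries
                if date.fromisoformat(e["data"]["date"]) < cutoff]


# Constructed sample entries.
SAMPLE_ENTRIES = [
    {"name": "A. Kumar", "address": "12 Example Road", "gender": "M", "contact_number": "0000000001",
     "id_type": "voter_id", "id_detail": "constructed-voter-id-1", "date": "2011-05-03",
     "terminal": "T1", "login_time": "10:05", "logout_time": "11:00"},
    {"name": "B. Singh", "address": "34 Example Lane", "gender": "F", "contact_number": "0000000002",
     "id_type": "pan_card", "id_detail": "constructed-pan-2", "date": "2011-05-03",
     "terminal": "T2", "login_time": "10:20", "logout_time": "10:50"},
    {"name": "C. Das", "address": "56 Example Street", "gender": "M", "contact_number": "0000000003",
     "id_type": "passport", "id_detail": "constructed-passport-3", "date": "2011-06-10",
     "terminal": "T1", "login_time": "15:00", "logout_time": "16:30"},
]


def build_sample_register() -> LogRegister:
    reg = LogRegister()
    for entry in SAMPLE_ENTRIES:
        reg.record(entry)
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    print(reg.monthly_report(2011, 5), reg.verify_chain())
```

An inspecting officer, or the owner, can run `verify_chain` over the register at any time; a change to any stored entry, including a back-dated one, shows up as a broken link.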
4. Management of Physical Layout and Computer Resource
Partitions or cubicles built or installed, if any, inside the cyber cafe shall not exceed four and a half feet in height from floor level. The screens of all computers installed outside partitions or cubicles shall face the common open space of the cyber cafe. All clocks of the computer systems and servers installed in the cyber cafe shall be synchronised with Indian Standard Time.
All the computers in the cyber cafe may be equipped with commercially available safety or filtering software so as to avoid, as far as possible, access to websites relating to pornography, including child pornography, or obscene information. The cyber cafe shall take sufficient precautions to ensure that its computer resources are not utilised for any illegal activity. The cyber cafe shall display a board, clearly visible to users, prohibiting them from viewing pornographic sites and from copying or downloading information which is prohibited under the law. The cyber cafe shall incorporate reasonable measures to prevent users from tampering with the computer system settings.
The cyber cafe shall also maintain a record of its staff for one year.
5. Inspection of Cyber Cafe
An officer authorised by the registration agency may check or inspect the cyber cafe and the computer resources or network established therein at any time for compliance with these Rules. The cyber cafe owner shall provide the necessary information to the inspecting officer on demand.