Rules to be Framed under ITA 2008 by Central Government
ITA 2008 has designated "Appropriate Government" to make suitable rules
and regulations under different sections. It has also indicated under
Sections 87 and 90 specific powers of the Central and State Governments to
frame rules. Under ITA 2000 there are already certain rules which
automatically get carried over to the ITA 2008 regime. Some may need changes
and some may have to be drafted for the first time.
Presently, the Central Government is in the process of consulting industry
bodies to take their views before framing rules under Sections 43A, 67C and
79.
This note tries to focus attention on some of the rules that are required
to be framed by Central Government.
Following are the sections under which new rules need to be made.
Section | Description | Jurisdiction | Comments
3(3) | Electronic Signature: identification of the person, reliable authentication technique and procedure for affixing | Central Government | Required only when a system of Electronic Signature is under consideration.
6 | E-Governance: filing, creation or issue of an electronic record | Appropriate Government | Existing rules may suffice.
6A | E-Governance: authorization of service providers | Appropriate Government | Some State Governments already have rules. These need to be re-notified. Others need to develop them.
10 | Electronic Signature | Central Government | Required only when a system of Electronic Signature is under consideration.
16 | Security Procedures for Secure Electronic Record and Secure Electronic Signature | Central Government | Existing rules may suffice.
43A | Reasonable Security Practices and Procedures and Sensitive Personal Data or Information | Central Government | Required to be notified.
48-64 | Cyber Appellate Tribunal: various issues of operation | Central Government | Required to be notified.
67C | Data Preservation and Retention by Intermediaries | Central Government | Required to be notified.
69 | Interception, monitoring or decryption of information: procedures and safeguards | Central or State Government | Required to be notified.
69A | Blocking access to websites or information: procedures and safeguards | Central Government | Required to be notified.
69B | Monitoring and collecting traffic data: procedures and safeguards | Central Government | Required to be notified.
70 | Protected System: notification and procedures for access | Appropriate Government | Required to be notified. Many of the earlier notifications from State Governments will be irrelevant since the section is now restricted to Critical Information Infrastructure.
70A | National Nodal Agency: designation | Central Government | Required to be notified.
70B | Indian Computer Emergency Team: designation, procedures etc. | Central Government | Required to be notified.
79 | Guidelines for Intermediaries | Central Government | Required to be notified.
79A | Digital Evidence Examiner | Central Government | Required to be notified.
Out of the above, the provisions regarding "Electronic Signatures" other
than "Digital Signatures" become relevant only when technology players
suggest some possible alternatives to Digital Signatures.
Provisions regarding Section 6A have to be reviewed by each State Government. Some
State Governments, such as Karnataka, have already formulated rules in this
regard. They may however need to be re-notified under Section 6A.
Requirements under Sections 70, 70A and 70B are of concern to the Central
Government, particularly to the Ministry of Communications and IT.
The regulations regarding the Cyber Appellate Tribunal need to be
determined by the MCIT, if necessary in consultation with the Presiding
Officer already appointed.
While the Government has made its moves for consultation with NASSCOM and
its associates regarding rules to be framed under Sections 43A, 67C and 79,
there appears to be no move made regarding the procedures and safeguards
required under Sections 69, 69A and 69B.
A Consultation paper is now under circulation regarding the collection of
views on Sections 43A, 67C and 79. The consultation paper indicates the
following four issues on which views have been sought.
Issue 1:
(a) Should it be proposed that there should be a set of practices to
be followed by all?
(i) If so, should they be based on a combination of ISO 27001 (or
ISF), OECD Security Principles for design and operations of ISMS as
per the needs of an organization, based on information assets and risk
assessment; coupled with security assessments based on CobIT?
(ii) If so, should an organization be required to declare the standard
it is following, apply the same with vigour and create a mechanism for
assessing security controls? It will outline its size and type of
business and create a written document stating the standard and the
controls selected by it and how are they deployed. (Should it be a
short document in case of small organizations that provides minimum
services and collects minimum personal data?).
(b) Could this approach be construed to constitute “reasonable
security practices” ? Will failure to implement the same be construed
to be negligence on the part of the organization?
(c) Should the rule categorize body corporates into small, medium,
large size and prescribe standards?
Issue 2:
Should personal information be defined as information
relating to an identified or identifiable natural person?
(An identifiable person is one who can be identified directly or
indirectly in particular by reference to an identification number or
to one or more factors specific to his physical, physiological,
mental, economic, cultural or social identity.)
Should sensitive personal information be defined to include data such
as that pertaining to racial or ethnic origins, political or religious
beliefs, or health or sex life?
Issue 3:
Should an Intermediary be required to store traffic data that
identifies a subscriber or a user relating to a transaction or
communication conducted by him, for a period of 6 months following the
time of transaction, in a secure way and make it available to
authorized persons within a reasonable time?
- If so, what should constitute a reasonable time?
- Should the content be required to be stored?
- If so, then the question of the format and duration need to be addressed.
Issue 4:
Should the guidelines u/s 79/2 prescribe that an intermediary be
required to declare its privacy policy, security policy, and the
operations policy and process with respect to handling of third party
content and expect its subscribers to read and agree with the same?
- Should the intermediary be required to give an undertaking to
cooperate with and work under the direction of officers designated by
the government under various sections of the IT Amendment Act 2008?
- Should it undertake to act within 24-72 hours of receiving any orders
for removing any offensive content?
- Should it be obliged to take any action on any offensive content
hosted by it on its infrastructure from any person other than the
designated government officers?
Any member of the public who wants his comments published at
Naavi.org is invited to send them in. If received in time, we would
also forward the same to the relevant authorities.
For the sake of being a thought starter, some of the comments are provided
here. More will be added in the follow-up article.
Naavi
March 21, 2009
Related Articles:
Comments on the consultative Paper on Making Rules under ITAA 2008
Suggested Information Security Framework for ITA 2008 Compliance
Concern for Privacy Rights Vs National Security-
Application of IISF-309 for Share Broking firms