Let's Build a Responsible Cyber Society
Rules to be Framed under ITA 2008 by Central Government

ITA 2008 designates an "Appropriate Government" to make suitable rules and regulations under its various sections, and under Sections 87 and 90 it spells out the specific rule-making powers of the Central and State Governments. Certain rules already framed under ITA 2000 automatically carry over to the ITA 2008 regime. Some of these may need changes, and others will have to be drafted for the first time.

Presently, the Central Government is consulting industry bodies for their views before framing rules under Sections 43A, 67C and 79.

This note tries to focus attention on some of the rules that are required to be framed by Central Government.

The following are the sections under which new rules need to be made.

| Section | Description | Jurisdiction | Comments |
|---|---|---|---|
| 3(3) | Electronic Signature: identification of the person, reliable authentication technique and procedure for affixing | Central Government | Required only when a system of Electronic Signature is under consideration. |
| 6 | E-Governance: filing, creation or issue of an electronic record | Appropriate Government | Existing rules may suffice. |
| 6A | E-Governance: authorization of service providers | Appropriate Government | Some State Governments already have rules; these need to be re-notified. Others need to develop them. |
| 10 | Electronic Signature | Central Government | Required only when a system of Electronic Signature is under consideration. |
| 16 | Security Procedures for Secure Electronic Record and Secure Electronic Signature | Central Government | Existing rules may suffice. |
| 43A | Reasonable Security Practices and Procedures and Sensitive Personal Data or Information | Central Government | Required to be notified. |
| 48-64 | Cyber Appellate Tribunal: various issues of operation | Central Government | Required to be notified. |
| 67C | Data Preservation and Retention by Intermediaries | Central Government | Required to be notified. |
| 69 | Interception, monitoring or decryption of information: procedures and safeguards | Central or State Government | Required to be notified. |
| 69A | Blocking access to websites or information: procedures and safeguards | Central Government | Required to be notified. |
| 69B | Monitoring and collecting traffic data: procedures and safeguards | Central Government | Required to be notified. |
| 70 | Protected System: notification and procedures for access | Appropriate Government | Required to be notified. Many of the earlier notifications from State Governments will be irrelevant since the section is now restricted to Critical Information Infrastructure. |
| 70A | National Nodal Agency: designation | Central Government | Required to be notified. |
| 70B | Indian Computer Emergency Team: designation, procedures etc. | Central Government | Required to be notified. |
| 79 | Guidelines for Intermediaries | Central Government | Required to be notified. |
| 79A | Digital Evidence Examiner | Central Government | Required to be notified. |


Of the above, the provisions regarding "Electronic Signatures" other than "Digital Signatures" become relevant only when technology players suggest possible alternatives to Digital Signatures.

The provisions of Section 6A have to be reviewed by each State Government. Some State Governments, such as Karnataka, have already formulated rules in this regard; they may however need to be re-notified under Section 6A.

The requirements under Sections 70, 70A and 70B concern the Central Government, particularly the Ministry of Communications and IT.

The regulations regarding the Cyber Appellate Tribunal need to be determined by the MCIT, if necessary in consultation with the Presiding Officer already appointed.

While the Government has made its moves for consultation with NASSCOM and its associates regarding the rules to be framed under Sections 43A, 67C and 79, there appears to be no move yet regarding the procedures and safeguards required under Sections 69, 69A and 69B.

A consultation paper is now in circulation to collect views on Sections 43A, 67C and 79. It indicates the following four issues on which views have been sought.

Issue 1:

(a) Should it be proposed that there should be a set of practices to be followed by all?

(i) If so, should they be based on a combination of ISO 27001 (or ISF) and the OECD Security Principles for the design and operation of an ISMS as per the needs of an organization, based on information assets and risk assessment, coupled with security assessments based on CobIT?
(ii) If so, should an organization be required to declare the standard it is following, apply the same with vigour and create a mechanism for assessing security controls? It would outline its size and type of business and create a written document stating the standard and the controls selected by it and how they are deployed. (Should it be a short document in the case of a small organization that provides minimum services and collects minimum personal data?)

(b) Could this approach be construed to constitute "reasonable security practices"? Will failure to implement the same be construed as negligence on the part of the organization?

(c) Should the rule categorize body corporates into small, medium and large sizes and prescribe standards accordingly?

Issue 2:

Should personal information be defined as information relating to an identified or identifiable natural person?
(An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.)

Should sensitive personal information be defined to include data such as that pertaining to racial or ethnic origin, political or religious beliefs, or health or sex life?

Issue 3:

Should an intermediary be required to store traffic data that identifies a subscriber or user in relation to a transaction or communication conducted by him, for a period of 6 months following the time of the transaction, in a secure way, and make it available to authorized persons within a reasonable time?

- If so, what should constitute a reasonable time?
- Should the content be required to be stored?
- If so, the question of format and duration needs to be addressed.

Issue 4:

Should the guidelines u/s 79/2 prescribe that an intermediary be required to declare its privacy policy, security policy, and operations policy and process with respect to handling of third party content, and expect its subscribers to read and agree with the same?
- Should the intermediary be required to give an undertaking to cooperate with and work under the direction of officers designated by the government under various sections of the IT Amendment Act 2008?
- Should it undertake to act within 24-72 hours of receiving any orders for removing any offensive content?
- Should it be obliged to take any action on any offensive content hosted on its infrastructure at the request of any person other than the designated government officers?

Any member of the public who wants to have his comments published at Naavi.org is invited to send them in. If received in time, we would also forward the same to the relevant authorities.

As a thought starter, some comments are provided here. More will be added in the follow-up article.
March 21, 2009