The Hoot

Free Speech Tracker

List of Incidents in -> -> 2011

IT rules: government access to personal information

2011-05-10 | New Delhi, Delhi

Ref: http://www.thehindu.com/sci-tech/technology/article2004533.ece

New Delhi,

New IT rules give Big Brother free access to sensitive personal information
Sandeep Joshi

The government can now obtain passwords and financial information without a warrant or person's consent

While cyber activists, bloggers and legal experts have criticised the new rules under the IT Amendment Act, 2008, for gagging free speech,
what has gone unnoticed is the fact that the new regulations also give the government the power to obtain sensitive personal information
about individuals from companies without a warrant or the concerned person's consent.

The sensitive personal data or information of a person covers passwords, financial information such as bank accounts or credit card details, his or her physiological and mental health condition, medical records and history, their sexual orientation, and biometric information, says the Information Technology (Reasonable security practices and procedures and sensitive personal data or information)Rules, 2011, which came into force in April this year.

Though the rules provide for keeping this information confidentialfrom third parties except with the individual's prior consent, they
explicitly state that all sensitive personal details ï¿½shall be shared,without obtaining prior consent from the provider of information, with
government agencies mandated under the law to obtain information including sensitive personal data or information for the purpose of
verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences.ï¿½

Criticising the government for giving itself the ï¿½master keyï¿½ to access the sensitive personal information of individuals, including
their medical records, Delhi-based PRS Legislative Research, which works with MPs to provide research support on legislative and policy issues, has noted that ï¿½there are no checks on this power [with the government] except that the request for information be made in writing, and stating clearly the reason for seeking the information.ï¿½

Pointing out that ï¿½information requests [made by government agencies]usually have certain inbuilt checks,ï¿½ PRS Legislative Research said that for example, search warrants in criminal cases were issued by a court. Similarly, tapping of telephones or interception of electronic
communication can only be authorised by the Union or State Home Secretary after following a prescribed process.

The new bill for the Unique Identification Number (UID) also permits such use only by the order of a court or for national security (by an
order of an authorised officer of at least Joint Secretary rank in the Central Government).

However, the new rules under the amended IT Act have no such checks and balances ï¿½ a government agency just needs to send a request in writing to the company possessing the sensitive personal data or information stating clearly the purpose of seeking such information.

The rules also state that a company can transfer sensitive personaldata or information to any company or individual in India or abroad that ï¿½ensures the same level of data protectionï¿½ that is adhered to by that company as per the new rules.