Interception and monitoring records to be deleted within 6 months: MeitY
MeitY notified that home secretaries must destroy records of interception, monitoring, and decryption within 6 months.
The Union home secretary and the state/Union Territory home secretary must now destroy records, including orders, related to interception, monitoring and decryption of information within six months under the Information Technology Act, 2000, the ministry of electronics and information technology (MeitY) notified in the gazette on Monday.
“In the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, in rule 23, in sub-rule (1), for the words ‘security agency’, the words ‘competent authority and the security agency’ shall be substituted,” the operational part of the gazette notification said.
Rule 23 deals with destruction of records of interception, monitoring or decryption of information.
“Every record, including electronic records pertaining to such directions for interception or monitoring or decryption of information and of intercepted or monitored or decrypted information shall be destroyed by the security agency in every six months except in a case where such information is required, or likely to be required for functional requirements,” rule 23(1) says.
“It is my understanding that this amendment would add the Union/State/UT Home Secretaries as authorities --- in addition to the ten central agencies previously notified by the MHA in 2018 --- required to destroy every record that is no longer needed to be kept for ‘functional requirements’,” Pranesh Prakash, affiliated fellow at the Yale Information Society Project, said.
On December 20, 2018, the MHA, through an order, had authorised ten security and intelligence agencies to intercept, monitor and decrypt information under Section 69 of the IT Act, and consequently required them to destroy such records within six months as per the 2009 Rules. These ten agencies are: Intelligence Bureau, Narcotics Control Bureau, Enforcement Directorate, Central Board of Direct Taxes, Directorate of Revenue Intelligence, Central Bureau of Investigation, National Investigation Agency, Research and Analysis Wing/Cabinet Secretariat, Directorate of Signal Intelligence (only for service areas of Jammu and Kashmir, North-East and Assam), and the Delhi Police Commissioner.
Intermediaries, under rule 23(2), are required to destroy records of directions to intercept within two months of ceasing to intercept, monitor or decrypt while maintaining “extreme secrecy”.
NIA’s computers are critical information infrastructure, to be protected by NCIIPC
MeitY also notified that all computer resources used by the National Investigation Agency (NIA) for its information and office management system must be protected as “critical information infrastructure” under Section 70 of the Information Technology Act, 2000. This means that the cybersecurity of the NIA will be the responsibility of the National Critical Information Infrastructure Protection Centre (NCIIPC), a unit of the National Technical Research Organisation (NTRO), which is under the Prime Minister’s Office (PMO).
Hacking into NIA’s systems, or accessing them without authorisation, can thus now be punished with a jail term of up to ten years and a fine.
Only three types of individuals who have been authorised in writing by the NIA will have access to NIA’s computer systems: designated employees of the NIA, team members of contractors or third party vendors “for need-based access”, and any consultant, regulator, government official, auditor and stakeholder on “case to case basis”.
Under the IT Act, critical information infrastructure is defined as “the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety”.
The NCIIPC is responsible for the cybersecurity of entities in seven critical sectors: government; power and energy; transport; banking, financial services and insurance; telecom; strategic and public enterprises; and healthcare.