Compliance In Relation To Appointment of Grievance Officer Under Provisions of The Information Technology (IT) Act, 2000
There have been swift improvements in the Information Technology sector which have revolutionised our work and personal lives. Technology has entered every sphere of life such as banks, offices, social networks, stock markets, shopping etc., resulting in the sharing of one’s personal information with the numerous machines one comes across daily. The onset of liberalization of the Indian economy resulted in a manifold increase in e-transactions. Due to this, personal information is made available on a single click, the flipside being that our personal data is at risk. Consequently, the need to bring technology under legislation was felt and the Information Technology Act, 2000 (“IT Act”) came into being, with data protection as one of its key objectives.
This article aims to bring to light certain salient features of the IT Act and rules thereunder, which focus on protection of data and various mechanisms for the same.
1. What does personal information mean?
As per Rule 2(i) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, personal information means any information that relates to a natural person which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.
2. What does sensitive personal data or information mean?
As per Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, Sensitive personal data or information of a person means such personal information which consists of information relating to:
2. financial information such as bank account or credit card or debit card or other payment instrument details;
3. physical, physiological and mental health condition;
4. sexual orientation;
5. medical records and history;
6. biometric information;
7. any detail relating to the above clauses as provided to body corporate for providing service; and
8. any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.
Provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.
3. Who is classified under the definition of intermediaries?
As per the provisions of section 2(w) of the IT Act, 2000, intermediary, with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes.
The definition of “intermediary” is intended to cover both professional and non-professional intermediaries, i.e. any person (other than the originator and the addressee) who performs any of the functions of an intermediary. The main functions of an intermediary are receiving, transmitting or storing data messages on behalf of another person. Additional “value-added services” may be performed by network operators and other intermediaries, such as formatting, translating, recording, authenticating, certifying and preserving data messages and providing security services for electronic transactions. However, Intermediary under the Model Law is defined not as a generic category but with respect to each data message, thus recognizing that the same person could be the originator or addressee of one data message and an intermediary with respect to another data message.
Further, the type of companies which will fall under this chain are as follows:
4. What do the originator and the addressee mean?
(i) Addressee: As per the provisions of section 2(b) of the IT Act, 2000, addressee means a person who is intended by the originator to receive the electronic record but does not include any intermediary.
(ii) Originator: As per the provisions of section 2(za) of the IT Act, 2000, originator means a person who sends, generates, stores or transmits any electronic message or causes any electronic message to be sent, generated, stored or transmitted to any other person but does not include an intermediary.
5. What are the requisite compliances with regard to intermediaries under the IT Act, 2000?
6. What shall be the procedure for appointing a Grievance Officer?
The IT Act, 2000 and Rule 3(11) of the Information Technology (Intermediaries guidelines) Rules, 2011 (Intermediaries Rules, 2011) are silent on the mode of appointment and qualification of the Grievance Officer. In keeping with the principles of natural justice and due process of law, the company can follow the procedure below for appointing a Grievance Officer:
1. The Board of Directors of the Company can select candidates who have sound knowledge in the field of Information Technology and who can help in resolving grievances more quickly.
2. The list of selected candidates shall be placed before the Board of Directors in the duly convened Board Meeting as per the provisions of Companies Act, 2013 or any amendment thereof.
3. The Company by passing a Board Resolution shall appoint a Grievance Officer of the Company.
4. Further, once the Grievance Officer is appointed, the requirement regarding his details, as mentioned in point 5(v), shall be complied with.
7. Responsibility of a Grievance Officer?
When any Complaint is received by the intermediary regarding any breach of personal information or sensitive personal information, the Grievance Officer of the said intermediary is responsible for complying with the following:
1. On receipt of the Complaint, the Grievance Officer is required to acknowledge receipt of the Complaint to the aggrieved party within 36 hours.
2. Also, within 36 hours of receipt of the complaint, the Grievance Officer must ensure that the data or information against which grievance is received is removed from the website or access to that data is denied.
3. Further, within one month of receipt of the Complaint, the Grievance Officer is required to take action on the same and resolve the matter.
8. What is the Mechanism for resolving the Complaint?
The IT Act, 2000 and Rule 3(11) of the Information Technology (Intermediaries guidelines) Rules, 2011 (Intermediaries Rules, 2011) state that the Company has to publish the mechanism by which the victims can communicate the violation of their personal information or sensitive personal information. However, the IT Act, 2000 and the Intermediaries Rules, 2011 are silent on what that mechanism should be. To process all grievances in good faith, the following procedure can be followed by the Company and uploaded on its website:
Step 1: Mode of Registering the Complaint by the Victim:-
Step 2: Acknowledgement of the Complaint by Grievance Officer:-
Step 3: Investigation by the Grievance officer:-
Step 4: Resolution of the Victim’s Complaint:-
9. Protection to intermediaries?
(a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted; or
(b) the intermediary does not—
(i) initiate the transmission,
(ii) select the receiver of the transmission, and
(iii) select or modify the information contained in the transmission;
(c) the intermediary observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf.
The intermediary has conspired or abetted or aided or induced, whether by threats or promise or otherwise in the commission of the unlawful act;
upon receiving actual knowledge, or on being notified by the appropriate Government or its agency that any information, data or communication link residing in or connected to a computer resource controlled by the intermediary is being used to commit the unlawful act, the intermediary fails to expeditiously remove or disable access to that material on that resource without vitiating the evidence in any manner.
10. The Manner in which process for appointment of the Grievance Officer can be expedited:
A Grievance Officer is appointed with the object of redressing complaints, and he is the person of absolute resort for any violation of any person’s personal information or sensitive personal information. Further, all the applicable companies are required to appoint the Grievance Officer and publish on their website his contact details along with the mechanism by which a complaint can be forwarded to the said officer. The Rules place significant emphasis on the Grievance Officer, as he acts as the judicial officer who has the authority to receive complaints alleging an act by an intermediary which is in contravention of Rule 3 of the IT Rules, 2011.