Compliance In Relation To Appointment of Grievance Officer Under Provisions of The Information Technology (IT) Act, 2000

Introduction:

There have been swift improvements in the Information Technology sector which have revolutionised our work and personal lives. Technology has entered every sphere of life, such as banks, offices, social networks, stock markets and shopping, resulting in the sharing of one’s personal information with the numerous machines one comes across daily. The onset of liberalization of the Indian economy resulted in a manifold increase in e-transactions. Due to this, personal information is made available on a single click, the flipside being that our personal data is at risk. Consequently, the need to bring technology under legislation was felt and the Information Technology Act, 2000 (“IT Act”) came into being, with data protection as one of its key objectives.

This article aims to bring to light certain salient features of the IT Act and rules thereunder, which focus on protection of data and various mechanisms for the same.

1. What does personal information mean?

As per Rule 2(i) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, personal information means any information that relates to a natural person which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.

2. What does sensitive personal data or information mean?

As per Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, Sensitive personal data or information of a person means such personal information which consists of information relating to:

1. password;

2. financial information such as bank account or credit card or debit card or other payment instrument details;

3. physical, physiological and mental health condition;

4. sexual orientation;

5. medical records and history;

6. Biometric information;

7. any detail relating to the above clauses as provided to body corporate for providing service; and

8. any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.

Provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.

3. Who is classified under the definition of intermediaries?

As per provision of section 2(w) of the IT Act, 2000, Intermediary with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes.

The definition of “intermediary” is intended to cover both professional and non-professional intermediaries, i.e. any person (other than the originator and the addressee) who performs any of the functions of an intermediary. The main functions of an intermediary are receiving, transmitting or storing data messages on behalf of another person. Additional “value-added services” may be performed by network operators and other intermediaries, such as formatting, translating, recording, authenticating, certifying and preserving data messages and providing security services for electronic transactions. However, Intermediary under the Model Law is defined not as a generic category but with respect to each data message, thus recognizing that the same person could be the originator or addressee of one data message and an intermediary with respect to another data message.

Further, the type of companies which will fall under this chain are as follows:

  • Internet Service Providers (ISP) – ISPs like Airtel and MTNL help users to get connected to the internet by means of wired or wireless connections.
  • Search engines – These are web sites like Google and Bing that help users to search for specific information on the web and provide links to web-sites having content relevant to the search terms given by the user.
  • DNS providers – These service providers translate the domain names (eg. www.sflc.in) to addresses (eg. 64.202.189.170) that can be understood by computers.
  • Web hosts – These are service providers like Godaddy.com that provide space on server computers to place files for various web sites so that these sites can be accessed by users.
  • Interactive websites: This includes social media sites like Facebook and Twitter that act as platforms to store and retrieve content, auction sites like eBay, and payment gateways like PayPal. The pictorial representation gives an overview of the intermediaries involved in a common internet transaction.
  • Cyber Cafes – It means any facility from where access to the internet is offered by any person in the ordinary course of business to the members of the public. The Information Technology Act, 2000 includes cyber cafes also under the ambit of the definition of intermediaries.

4. What do the originator and the addressee mean?

(i) Addressee: As per provision of section 2(b) of IT Act, 2000, addressee means a person who is intended by the originator to receive the electronic record but does not include any intermediary.

(ii) Originator: As per provision of section 2(za) of IT Act, 2000, originator means a person who sends, generates, stores or transmits any electronic message or causes any electronic message to be sent, generated, stored or transmitted to any other person but does not include an intermediary.

5. What are the requisite compliances with regard to intermediaries under the IT Act, 2000?

  • As per Rule 4 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, the body corporate or any person who on behalf of the body corporate collects, receives, possesses, stores, deals with or handles information of the provider of information shall have, and also publish on its website, a privacy policy for handling such personal data, including sensitive personal data.
  • As per Rule 5 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, the body corporate or any person on its behalf shall obtain consent in writing through letter or fax or email from the provider of the sensitive personal data regarding the purpose of usage before collection of such information.
  • Further, the body corporate must ensure that the person from whom the information is collected knows the purpose for which the information is collected. Sensitive personal information can be collected for a lawful purpose only and shall not be retained for longer than is required for the purpose for which it was collected.
  • The information collected by the body corporate or any other person shall be kept secured as per Rule 8 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.
  • The body corporate shall address any discrepancies and grievances of the provider of the information with respect to processing of information in a time-bound manner. For this purpose, the body corporate shall designate a Grievance Officer and publish his name and contact details (i.e. phone no. and email Id.) on its website.

6. What shall be the procedure for appointing a Grievance Officer?

The IT Act, 2000 and Rule 3(11) of the Information Technology (Intermediaries guidelines) Rules, 2011 (Intermediaries Rules, 2011) are silent on the mode of appointment and qualification of the Grievance Officer. Further, in observance of the principle of natural justice and due process of law, the company can follow the procedure below for appointing a Grievance Officer:

1. The Board of Directors of the Company can select candidates who have sound knowledge in the field of Information Technology and who can help in resolving grievances more quickly.

2. The list of selected candidates shall be placed before the Board of Directors in the duly convened Board Meeting as per the provisions of Companies Act, 2013 or any amendment thereof.

3. The Company by passing a Board Resolution shall appoint a Grievance Officer of the Company.

4. Further, once the Grievance Officer is appointed, the requirement to publish his details, as mentioned in point 5(v), shall be complied with.

7. Responsibility of a Grievance Officer?

When any Complaint is received by the intermediary regarding any breach of personal information or sensitive personal information, then the grievance officer of the said intermediary is responsible to comply with following:

1. On receipt of the Complaint, the Grievance Officer is required to acknowledge receipt of the Complaint to the aggrieved party within 36 hours.

2. Also, within 36 hours of receipt of the complaint, the Grievance Officer must ensure that the data or information against which grievance is received is removed from the website or access to that data is denied.

3. Further, within one month of receipt of the Complaint, the Grievance Officer is required to take an action on the same and resolve the matter.

8. What is the Mechanism for resolving the Complaint?

The IT Act, 2000 and Rule 3(11) of the Information Technology (Intermediaries guidelines) Rules, 2011 (Intermediaries Rules, 2011) state that the Company has to publish the mechanism by which victims can communicate the violation of their personal information or sensitive personal information. However, the IT Act, 2000 and the Intermediaries Rules, 2011 are silent on the same. Further, to process all grievances in good faith, the following procedure can be followed by the Company and uploaded on its website:

Step 1: Mode of Registering the Complaint by the Victim:-

  • The Victim is required to register their complaint through electronic mode by sending the Complaint to the registered e-mail id of the Grievance Officer as published on the website and
  • Also, send the hard copy of the same along with e-mail copy to the company at the Registered or Corporate office address of the Company.

Step 2: Acknowledgement of the Complaint by Grievance Officer:-

  • The Grievance Officer, on receipt of the complaint through e-mail, shall acknowledge receipt of the complaint to the victim within 36 hours of the receipt of the same.
  • He must also share the Complaint Registration Number (CRN) with the Victim so that he can track the status of the complaint for future correspondence.
  • Further, the grievance officer shall courier the physical copy of the acknowledgement to the victim's registered address and file one copy of the same in the physical file which will be maintained at the Company's Registered Office.
  • Also, on receipt of the physical copy of the complaint couriered by the victim as mentioned in step 1, the grievance officer shall acknowledge the receipt of the physical copy of the complaint by an e-mail acknowledgement to the victim and file the same in the physical file as mentioned above.

Step 3: Investigation by the Grievance officer:-

  • The Grievance officer is hereby obliged to remove access to such violative content within a period of 36 hours from the time of receipt of the complaint.
  • Further, the Grievance officer shall prepare a detailed report about the usage of the victim's personal information or sensitive personal information and place it, within 10 days of receipt of the complaint, before the Board of Directors of the Company in a duly convened Board Meeting as per the provisions of Companies Act, 2013 or any amendment thereof.
  • After the conclusion of the Board Meeting, he is required to share the summary status with the victim on the registered e-mail Id of the Victim.
  • Also, he is required to maintain all the documents in the physical file as mentioned above.

Step 4: Resolution of the Victim’s Complaint:-

  • After the summary of the status of the complaint is sent as per step 3 above, if the Victim wants any clarification on the same, then the Grievance officer shall reply within 2 working days after receipt of the clarification mail from the victim.
  • Further, the Grievance officer is required to resolve the matter within one month of receipt of the Complaint as per the provisions of Rule 3(11) of the Information Technology (Intermediaries guidelines) Rules, 2011.
  • He will further email the resolution of the complaint, close the complaint and also courier a copy of the resolution, signed by two Directors of the Company, to the registered address of the Victim, and maintain the same in the physical file as mentioned above.

9. Protection to intermediaries?

  • Section 79(1) of the IT (Amendment) Act 2008 deals with immunity of intermediaries. It is purported to be a safe harbour provision.
  • Further, as per provision of section 79(2) of the IT (Amendment) Act 2008, the provision of Section 79(1) shall apply if the following conditions are satisfied:

(a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted; or

(b) the intermediary does not—

(i) initiate the transmission,

(ii) select the receiver of the transmission, and

(iii) select or modify the information contained in the transmission;

(c) the intermediary observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf.

  • As per provision of section 79(3) of the IT (Amendment) Act 2008, the provision of Section 79(1) shall not apply if:

The intermediary has conspired or abetted or aided or induced, whether by threats or promise or otherwise in the commission of the unlawful act;

upon receiving actual knowledge, or on being notified by the appropriate Government or its agency that any information, data or communication link residing in or connected to a computer resource controlled by the intermediary is being used to commit the unlawful act, the intermediary fails to expeditiously remove or disable access to that material on that resource without vitiating the evidence in any manner.

10. The Manner in which process for appointment of the Grievance Officer can be expedited:

  • Thus, it is clear that Companies which are receiving, transmitting or utilizing personal information or sensitive personal information of any person are required to appoint a grievance officer immediately to comply with the IT Act, 2000, the Information Technology (Intermediaries guidelines) Rules, 2011, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and any amendments thereof.
  • Further, if the Company has not complied with the provisions of Rule 3(11) of the Information Technology (Intermediaries guidelines) Rules, 2011, then the Company shall be liable to a penalty not exceeding Rs. 25,000/- under section 45 of the IT Act, 2000.

Conclusion:

A Grievance Officer is appointed with the object of redressing complaints, and he is the person of absolute resort for any violation of any person’s personal information or sensitive personal information. Further, all the applicable companies are required to appoint a Grievance Officer and publish their contact details, along with the mechanism by which a complaint can be forwarded to the said officer, on their website. The Rules place significant emphasis on the Grievance Officer, as he acts as the judicial officer who has the authority to receive complaints alleging an act by an intermediary which is in contravention of Rule 3 of the IT Rules, 2011.

Author Bio

Qualification: CS
Company: N/A
Location: Maharashtra, IN
Member Since: 29 Jun 2018 | Total Posts: 1
