The Ministry of Electronics and Information Technology, Government of India, (MeitY) notified in a gazette on Monday that home secretaries must delete records of interception, monitoring, and decryption within six months.
As per the notification, the Union home secretary and the state/Union Territory home secretaries must now destroy these records, including orders, within six months under the Information Technology Act, 2000.
“In the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, in rule 23, in sub-rule (1), for the words ‘security agency’, the words ‘competent authority and the security agency’ shall be substituted,” the operational part of the gazette notification said.
Rule 23 deals with destruction of records of interception, monitoring or decryption of information.
“Every record, including electronic records pertaining to such directions for interception or monitoring or decryption of information and of intercepted or monitored or decrypted information shall be destroyed by the security agency in every six months except in a case where such information is required, or likely to be required for functional requirements,” rule 23(1) says.
This amendment adds the Union/State/UT home secretaries to the ten agencies previously notified by the MHA (Ministry of Home Affairs) in 2018.
The MHA, through an order on December 20, 2018, had authorised ten security and intelligence agencies to intercept, monitor and decrypt information under Section 69 of the IT Act, and consequently required them to destroy such records within six months as per the 2009 Rules. These ten agencies are: Intelligence Bureau, Narcotics Control Bureau, Enforcement Directorate, Central Board of Direct Taxes, Directorate of Revenue Intelligence, Central Bureau of Investigation, National Investigation Agency, Research and Analysis Wing/Cabinet Secretariat, Directorate of Signal Intelligence (only for service areas of Jammu and Kashmir, North-East and Assam), and the Delhi Police Commissioner.
Intermediaries, under rule 23(2), are required to destroy records of directions to intercept within two months of ceasing to intercept, monitor or decrypt while maintaining “extreme secrecy”.
‘Critical Information Infrastructure’
MeitY also notified that all computer resources used by the National Investigation Agency (NIA) for its information and office management system must be protected as “critical information infrastructure” under Section 70 of the Information Technology Act, 2000. This means that the cybersecurity of the NIA will be the responsibility of the National Critical Information Infrastructure Protection Centre (NCIIPC), a unit of the National technical Research Organisation (NTRO) which is under the Prime Minister’s Office (PMO).
Hacking into NIA’s systems, or accessing them without authorised access, is now punishable with a jail term of up to ten years and a fine.
Only three types of individuals who have been authorised in writing by the NIA will have access to NIA’s computer systems: designated employees of the NIA, team members of contractors or third party vendors “for need-based access”, and any consultant, regulator, government official, auditor and stakeholder on “case to case basis”.
Also Read: Illegal Lion Shows Surge in Gir National Park, Govt Calls Them ‘Stray Incidents’
