In a bid to ensure an open, safe, trusted and accountable internet, the Government of India has issued a statement saying it will take strict action against websites displaying private details of citizens such as Aadhaar and PAN numbers. The Indian Government said that ensuring safe cyber security practices and protecting the personal data of citizens is its highest priority. The statement was issued after the Ministry of Electronics and Information Technology (MeitY) received a complaint that certain websites were exposing sensitive personally identifiable information, including Aadhaar and PAN Card details of Indian citizens.
The Unique Identification Authority of India (UIDAI) lodged a complaint with the police for violation of the prohibition under section 29(4) of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 on public display of Aadhaar information. MeitY promptly addressed the issue and blocked the websites in question, said a statement from the Government.
The Indian Computer Emergency Response Team (CERT-In) also analysed the website in question, which apparently had “security flaws” that led to the leaking of sensitive details. CERT-In has issued “Guidelines for Secure Application Design, Development, Implementation & Operations” for all entities using IT applications. CERT-In has also given directions under the Information Technology Act, 2000, (“IT Act”) relating to information security practices, procedure, prevention, response and reporting of cyber incidents.
The Indian Government is also expected to formalise the already enacted Digital Personal Data Protection Law, 2023, which was passed in the monsoon session last year. The law includes various clauses that hold any entity responsible for leaking personal information of citizens. Organizations found liable for such breaches are also subject to a hefty fine of Rs 250 crores or more. The Indian Government says that the Rules under the DPDP Act are in an advanced stage of drafting.
Furthermore, MeitY has notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which mandate non-publication and non-disclosure of sensitive personal data. As per these rules, citizens who are adversely affected by the breach of personal information can approach the Adjudicating Officer under section 46 of the IT Act for filing a complaint and seeking compensation. MeitY states that the IT Secretaries of the States have been appointed as Adjudicating Officers under the IT Act.