BRF Notes PDF

Business regulatory framework notes for commerce students. B.Com students of the 5th semester can use this PDF for notes on 5 units.

Uploaded by

Theres Ann roy

INFORMATION TECHNOLOGY ACT, 2000

India has a legal framework for all things ‘e’ (electronic), promulgated as the IT Act, 2000.
The Act also effected consequential amendments to the Indian Penal Code, the Evidence Act,
1872, and the RBI Act, 1934, bringing all of them in line with the requirements of digital
transactions.

Have you ever thought about what would happen if the data that citizens provide to the government
were leaked or used for some other purpose? Such issues are dealt with by the IT Act so as not to shake
the trust and confidentiality that a common person places in the government.

(1) Section 4 – Legal recognition of electronic records:

Whenever any law provides that information or any other matter shall be written, typewritten or in
printed form, information in electronic form would also be considered in the same. Such information
will also be accessible for subsequent references.

(2) Section 5 – Legal recognition of digital signature:

Wherever a person’s signature is required to authenticate a document or information, it can also be
authenticated by the digital signature, in the manner prescribed by the government.

(3) Section 6 – Use of electronic records and signature in government and its agencies:

If a citizen needs to file a form, application or a document with government owned or controlled
office, agency, body or authority or grant or issue any license, sanction, permit or approval or
receive or pay money, it can also be done in an electronic form in the government-approved format.

(4) Section 7 – Retention of electronic record:

Wherever a law requires the retention of certain records, documents or information for a specific
period, such retention can also be made in electronic form, provided that the information is
accessible and usable for subsequent reference, the format of the electronic record is the original one
and represents the original information, and the electronic record contains the necessary details as
stated by the law.

(5) Section 8 – Publication of rule, regulation, etc., in Electronic Gazette:

Official regulation, rule, by-law, notification or any other matter in the Official Gazette can be
published either in Official Gazette or Electronic Gazette. The date of publication will be the date of
the Gazette first published in any form – Official or Electronic.

(6) Section 43 – Penalty and compensation for damage to computer:

Though there are systems like cryptography and passwords to ensure the security of the document,
these still leave the Government exposed to threats from other measures adopted by hackers. This section
provides protection against unauthorized access to the computer system by imposing a heavy penalty.

(7) Section 69 – Power to issue directions for interception or monitoring or decryption of any
information through any computer resource:

In the case of PUCL v. UOI it was held that the procedure is inadequate as the Controller has been
given discretionary power and there is no mention of consultation with the accused before
punishing him. Therefore proper guidelines need to be provided in this regard for maintaining the
balance between the right to privacy of the citizens and the provision of search and seizure
under the Act.

(8) Section 72 – Penalty for breach of confidentiality and privacy:

This section is targeted only towards the officials who are empowered to collect the data under the
Act but the scope only extends to the Adjudicating officers, members of the Cyber Regulations
Appellate Tribunal (CRAT) or certifying Authorities under the Act if they commit breach of
confidentiality or privacy of any data accessible by them.

https://lawbhoomi.com/a-brief-overview-on-electronic-governance/

Digital Signature Certificates (DSC)

A digital certificate is an electronic document issued by a Certificate Authority (CA). Digital
certificates are the digital equivalent (that is, electronic format) of physical or paper certificates. A
certificate contains the public key for a digital signature and specifies the identity associated with the
key, such as the name of an organization. The certificate is used to confirm that the public key belongs
to the specific organization. A few examples of physical certificates are drivers' licenses, passports or
membership cards.

Certification Agencies:
Certification Agencies are appointed by the office of the Controller of Certification Agencies (CCA)
under the provisions of IT Act, 2000. There are a total of eight Certification Agencies authorised by
the CCA to issue Digital Signature Certificates (DSCs). The details of these Certification Agencies are
available on the portal of the Ministry

Validity of Digital Signatures:

The DSCs are typically issued with one year validity and two year validity. These are renewable on
expiry of the period of initial issue. https://www.mca.gov.in/MinistryV2/acquiredsc.html

Electronic signature and digital signature are often used interchangeably but the truth is that these
two concepts are different. The main difference between the two is that digital signature is mainly
used to secure documents and is authorized by certification authorities while electronic signature is
often associated with a contract where the signer has got the intention to do so.

Read more: Difference Between Digital Signature and Electronic Signature | Difference Between
http://www.differencebetween.net/technology/difference-between-digital-signature-and-electronic-signature/

Key features of Digital Signature

A digital signature is characterized by a unique feature that is in digital form like fingerprint that is
embedded in a document. The signer is required to have a digital certificate so that he or she can be
linked to the document. Digital signature is often authorized by certification authorities that are
responsible for providing digital certificates that can be compared to licenses or passports. A digital
certificate is used to validate the document to ascertain its authenticity if it has not been forged. This
plays a pivotal role in verifying the identity of the original person with the signature.

The other key feature of a digital signature is that it is used to secure digital documents. Some
people have a tendency to tamper with digital documents obtained online, but with a
digital signature this can be impossible. The document is secured and can only be accessed by the
authorized person for any alterations or amendments.

When a digital signature is applied to a certain document, the digital certificate is bound to the data
being signed into one unique fingerprint. These two components of the digital signature are unique
and this makes it more viable than wet signatures since its origins can be authenticated. This
cryptographic operation helps to perform the following functions:

Prove the authenticity of the document and its source

Make sure that the document has not been tampered with

Personal identity has been verified.

Electronic Signature

The electronic signature or e-signature is equal to a handwritten signature under the
Information Technology Act, 2000, though there are a few exceptions to it. The Act permits signing
any document using an e-signature. An e-signature must meet certain conditions, and these need to be
studied before it is used by any individual.

The other notable aspect of the digital signature is that it comes in different types, which are
supported mainly by two document processing platforms, Adobe and Microsoft.

A certified signature indicates the real author of the document and it displays a blue ribbon on top
of it showing the name of author and issuer of certificate for authentication.

Approval signature on the other hand captures the approval made by the signer such as physical
signature and other relevant details.

Digital Signature Certificate

A digital signature certificate (DSC) is equal to a physical or paper certificate. DSC is a procedure to
show the authenticity of electronic documents. It is needed to be presented electronically to show
the identity, access information, or sign document digitally. The Central Government has appointed
the Controller of Certifying Authority that will grant a license to the Certifying Authorities to issue
DSC to the user.

Types of Digital Signature Certificate

There are 3 types of digital signatures based on security level i.e. class 1, class 2, and class 3
certificate.

Class 1 certificate: It is not legally recognized. It is based on confirmation of valid email and not
direct verification.

Class 2 certificate: This is based on the identification of the person that is required to be verified
against a reliable pre-verified database.

Class 3 certificate: The person proves his identity in the presence of the Registration Authority.

Disadvantages of Digital Signature

EXPIRE

Just like any other electronic device or technology, it is based and dependent on the technology. In
times of rapid growth of sophisticated technology, many such products have a short life.

SOFTWARE

The sender and the recipient have to purchase the verification software for the working of digital
signature.

Documents on Which Digital Signature is Valid

Certain documents need a notarial process or are required to carry a physical signature.
Some documents are also required to be registered by the Registrar or sub-registrar to be legally
enforceable.

Negotiable instrument such as promissory note or bill of exchange other than cheque.

Trust deeds

Power of attorney

A Will and testamentary deposition

Real estate contract (lease/ sales agreement)

Creation of Digital Signature.- To sign an electronic record or any other item of information, the
signer shall first apply the hash function in the signer’s software; the hash function shall compute a
hash result of standard length which is unique (for all practical purposes) to the electronic record;
the signer’s software transforming the hash result into a Digital Signature using signer’s private key;
the resulting Digital Signature shall be unique to both electronic record and private key used to
create it; and the Digital Signature shall be attached to its electronic record and stored or
transmitted with its electronic record.

Verification of Digital Signature.- The verification of a Digital Signature shall be accomplished by
computing a new hash result of the original electronic record by means of the hash function used to
create a Digital Signature and by using the public key and the new hash result, the verifier shall
check- (i) if the Digital Signature was created using the corresponding private key; and (ii) if the
newly computed hash result matches the original result which was transformed into Digital
Signature during the signing process.

The verification software will confirm the Digital Signature as verified if:- (a) the signer’s private key
was used to digitally sign the electronic record, which is known to be the case if the signer’s public
key was used to verify the signature because the signer’s public key will verify only a Digital
Signature created with the signer’s private key; and (b) the electronic record was unaltered, which is
known to be the case if the hash result computed by the verifier is identical to the hash result
extracted from the Digital Signature during the verification process.
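
The creation and verification steps described above, as an added example that is not part of the original notes: an RSA hash-then-sign round trip (SHA-256 with the PKCS#1 v1.5 block layout) using only the Python standard library. The key is a constructed, insecure demo key, and the function names and sample record are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed demo key: P and Q are well-known Mersenne primes, chosen only so
# the example is reproducible offline. A key built this way is NOT secure.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q                                # public key: modulus
E = 65537                                # public key: exponent
D = pow(E, -1, (P - 1) * (Q - 1))        # private key: exponent
K = (N.bit_length() + 7) // 8            # signature length in bytes

# ASN.1 DigestInfo header that RFC 8017 prescribes for SHA-256.
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def hash_result(record: bytes) -> bytes:
    """Hash result of standard length for the electronic record (SHA-256)."""
    return hashlib.sha256(record).digest()


def _encoded_prefix() -> bytes:
    """Everything in the padded block that precedes the hash result."""
    pad_len = K - 3 - len(SHA256_DIGESTINFO) - hashlib.sha256().digest_size
    return b"\x00\x01" + b"\xff" * pad_len + b"\x00" + SHA256_DIGESTINFO


def create_signature(record: bytes) -> bytes:
    """Signer: hash the record, then transform the hash with the private key."""
    block = _encoded_prefix() + hash_result(record)
    return pow(int.from_bytes(block, "big"), D, N).to_bytes(K, "big")


def extract_hash(signature: bytes):
    """Verifier: recover the signed hash with the public key, or None."""
    if len(signature) != K:
        return None
    s = int.from_bytes(signature, "big")
    if s >= N:
        return None
    block = pow(s, E, N).to_bytes(K, "big")
    prefix = _encoded_prefix()
    # The whole padding is compared strictly; a block that does not decode to
    # the expected layout was not produced by the matching private key.
    if not hmac.compare_digest(block[:len(prefix)], prefix):
        return None
    return block[len(prefix):]


def verify_signature(record: bytes, signature: bytes) -> bool:
    """True only if conditions (a) and (b) of the text both hold."""
    extracted = extract_hash(signature)
    if extracted is None:                 # (a) fails: wrong key or damaged signature
        return False
    # (b) the newly computed hash must equal the hash inside the signature
    return hmac.compare_digest(extracted, hash_result(record))


def demo() -> dict:
    # Constructed sample record, not taken from any real filing.
    record = b"Electronic record: application no. 0001, fee Rs. 10"
    sig = create_signature(record)
    altered_sig = sig[:-1] + bytes([sig[-1] ^ 0x01])   # one bit flipped
    return {
        "genuine": verify_signature(record, sig),
        "altered_record": verify_signature(record.replace(b"Rs. 10", b"Rs. 99"), sig),
        "altered_signature": verify_signature(record, altered_sig),
    }


if __name__ == "__main__":
    print(demo())
```
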

Digital Signature Certificate Standard.- All Digital Signature Certificates issued by
the Certifying Authorities shall conform to ITU X.509 version 3 standard as per rule 6 and
shall inter alia contain the following data, namely:-

(a) Serial Number (assigning of serial number to the Digital Signature Certificate by Certifying
Authority to distinguish it from other certificate);

(b) Signature Algorithm Identifier (which identifies the algorithm used by Certifying Authority to
sign the Digital Signature Certificate);

(c) Issuer Name (name of the Certifying Authority who issued the Digital Signature Certificate);

(d) Validity period of the Digital Signature Certificate;

(e) Name of the subscriber (whose public key the Certificate identifies); and

(f) Public Key information of the subscriber

Licensing of Certifying Authorities.- (1) The following persons may apply for grant of a licence to
issue Digital Signature Certificates, namely :- (a) an individual, being a citizen of India and having a
capital of five crores of rupees or more in his business or profession; (b) a company having – (i) paid
up capital of not less than five crores of rupees; and (ii) net worth of not less than fifty crores of
rupees: Provided that no company in which the equity share capital held in aggregate by the Non-
resident Indians, Foreign Institutional Investors, or foreign companies, exceeds forty-nine per cent of
its capital, shall be eligible for grant of licence:

Generation of Digital Signature Certificate.- The generation of the Digital Signature Certificate shall
involve: (a) receipt of an approved and verified Digital Signature Certificate request; (b) creating a
new Digital Signature Certificate; (c) binding the key pair associated with the Digital Signature
Certificate to a Digital Signature Certificate owner; (d) issuing the Digital Signature Certificate and
the associated public key for operational use; (e) a distinguished name associated with the Digital
Signature Certificate owner; and (f) a recognized and relevant policy as defined in Certification
Practice Statement.

25. Issue of Digital Signature Certificate.- Before the issue of the Digital
Signature Certificate, the Certifying Authority shall:- (i) confirm that the user’s name does not appear
in its list of compromised users; (ii) comply with the procedure as defined in his Certification Practice
Statement including verification of identification and/or employment; (iii) comply with all privacy
requirements; (iv) obtain a consent of the person requesting the Digital Signature Certificate, that
the details of such Digital Signature Certificate can be published on a directory service.

Certificate Lifetime.- (1) A Digital Signature Certificate,- (a) shall be issued with a designated expiry
date; (b) which is suspended shall return to the operational use, if the suspension is withdrawn in
accordance with the provisions of section 37 of the Act; (c) shall expire automatically upon reaching
the designated expiry date at which time the Digital Signature Certificate shall be archived; (d) on
expiry, shall not be re-used. (2) The period for which a Digital Signature Certificate has been issued
shall not be extended, but a new Digital Signature Certificate may be issued after the expiry of such
period.

https://www.meity.gov.in/writereaddata/files/act2000_0.pdf

Electronic Record & Governance

Introduction

As we all know, each government department has lots and lots of work, be it paper work or physical.
Such a huge amount of work, when handled manually, had more chances of errors, which raised the
demand for technology in the government sector. This demand for technology led to the development
of e-governance so as to save on cost and time and, at the same time, reduce the probability of errors
in the work.

Electronic governance or e-governance can be defined as the application of information and
communication technology (ICT) for providing government services, exchange of information,
transactions, integration of previously existing services and information portals.

https://lawbhoomi.com/a-brief-overview-on-electronic-governance/

Legal Recognition of Electronic Records (Mentioned in Section 4 of the Act)

For any important point to become a law, it needs to be written, printed, or typewritten. It can
also be considered to be a law if the information is provided in an electronic form. However, the
electronic form must be accessible at all times for subsequent reference.

Publications of rules and regulations in Electronic Gazette (mentioned in Section 8 of the Act)

If the law requires to publish any official rule, regulation, notification, by-law and related matters in
the Official Gazette, then it can also do so in the Electronic Gazette. The publication date of such
rules and regulations will be the same as its first published date in any form of the Gazette.

Sections 6, 7, and 8 do not Provide the Right to Insist on Acceptance of an Electronic Form of the
Document (Mentioned in Section 9 of the Act)

The previous sections 6, 7, and 8 do not grant the right to any person to insist on the issuance,
acceptance, retention, or creation of any document or monetary transactions directly from the
central or the state government, ministry of the department, or associated agencies.

https://www.vedantu.com/commerce/cyber-laws-electronic-record-and-e-governance

Elements of E-Governance

The 3 most basic and common groups that are involved with the process of governance are:

(1) Citizens / General Public

(2) Government’s own organs or departments

(3) Business groups / Investors


Types of E-Governance

(1) GOVERNMENT-TO-CITIZEN (G2C): The maximum number of government services come under the
head of G2C services, which are acquired by the familiar or most common group of people.
These services help the common people to minimise the time and cost spent in carrying out a
transaction. A citizen can avail the facility 24*7 from around the world.

Various G2C services of both central and state government have been integrated on the Digital Seva
Portal which are accessible by the citizens in the rural and remote areas of the country.

Some of the day-to-day examples of the G2C services can be: (a) Bharat BillPay (b) FASTag (c)
Passport services (d) PAN Card / Aadhar Card facility (e) Swacch Bharat Abhiyan and so on.

(2) GOVERNMENT-TO-GOVERNMENT (G2G): The need for active and quick interaction between the
different government departments, firms and agencies called for the G2G services so as to increase
the efficiency of the government working. These services enable the government departments to
work together and share the same database using online communication.

G2G services take place at both local or domestic level as well as international level. At the local
level, these services facilitate different departments to access the same information from any corner
of the country whereas with the international perspective, such services tend to improve
international discretion and relations.

Some of the examples of G2G services are: (a) Smart Gov. initiative by Andhra Pradesh government.
(b) Khajane Project undertaken by the Karnataka government to manage the treasury related
activities. (c) Northeast Gang Information System (NEGIS)

(3) GOVERNMENT-TO-BUSINESS (G2B): Interchange of services between government and business
entities is what G2B services comprise. Such services provide timely information about the
businesses in the area to the government, while at the same time business organisations can have
easy, timeless, placeless, online access to the government agencies and their working, which
increases transparency in return.

Some of the areas where G2B services have been provided are: (a) Online GST facility (b) MSME
Samadhaan (c) Government e-marketplace (d) MCA e-forms

(4) GOVERNMENT-TO-EMPLOYEE (G2E): Provides online facilities to the employees to bring them
together and improvise knowledge sharing. In this type of case, the government is a major employer
and it has to interact with its employees on a regular basis. Such services improve the day-to-day
functioning of the bureaucracy and, at the same time, deal with the employees.

Examples of G2E services can be: (a) Online salary payment (b) Applying for leave online (c) Online
insurance or health care facility provided by the employer (d) Checking the balance of holidays

The IT Act provides for the Controller of Certifying Authorities (CCA) to license and regulate the
working of Certifying Authorities. The Certifying Authorities (CAs) issue digital signature certificates
for electronic authentication of users.

The Controller of Certifying Authorities (CCA) has been appointed by the Central Government under
section 17 of the Act for purposes of the IT Act. The Office of the CCA came into existence on
November 1, 2000. It aims at promoting the growth of E-Commerce and E-Governance through the
wide use of digital signatures.

The Controller of Certifying Authorities (CCA) has established the Root Certifying Authority (RCAI) of
India under section 18(b) of the IT Act to digitally sign the public keys of Certifying Authorities (CA) in
the country. The RCAI is operated as per the standards laid down under the Act.

The CCA certifies the public keys of CAs using its own private key, which enables users in
cyberspace to verify that a given certificate is issued by a licensed CA. For this purpose it operates
the Root Certifying Authority of India (RCAI). The CCA also maintains the Repository of Digital
Certificates, which contains all the certificates issued to the CAs in the country.

https://cca.gov.in/about.html

Cybercrime & Penalties under IT Act

https://en.wikipedia.org/wiki/Information_Technology_Act,_2000

| Section | Offence | Penalty |
|---|---|---|
| 65 | Tampering with computer source documents | Imprisonment up to three years, or/and with fine up to ₹200,000 |
| 66 | Hacking with computer system | Imprisonment up to three years, or/and with fine up to ₹500,000 |
| 66B | Receiving stolen computer or communication device | Imprisonment up to three years, or/and with fine up to ₹100,000 |
| 66C | Using password of another person | Imprisonment up to three years, or/and with fine up to ₹100,000 |
| 66D | Cheating using computer resource | Imprisonment up to three years, or/and with fine up to ₹100,000 |
| 66E | Publishing private images of others | Imprisonment up to three years, or/and with fine up to ₹200,000 |
| 66F | Acts of cyberterrorism | Imprisonment up to life. |
| 67 | Publishing information which is obscene in electronic form. | Imprisonment up to five years, or/and with fine up to ₹1,000,000 |
| 67A | Publishing images containing sexual acts | Imprisonment up to seven years, or/and with fine up to ₹1,000,000 |
| 67C | Failure to maintain records | Imprisonment up to three years, or/and with fine. |
| 68 | Failure/refusal to comply with orders | Imprisonment up to 2 years, or/and with fine up to ₹100,000 |
| 69 | Failure/refusal to decrypt data | Imprisonment up to seven years and possible fine. |
| 70 | Securing access or attempting to secure access to a protected system | Imprisonment up to ten years, or/and with fine. |
| 71 | Misrepresentation | Imprisonment up to 2 years, or/and with fine up to ₹100,000 |
| 72 | Breach of confidentiality and privacy | Imprisonment up to 2 years, or/and with fine up to ₹100,000 |
| 72A | Disclosure of information in breach of lawful contract | Imprisonment up to 3 years, or/and with fine up to ₹500,000 |
| 73 | Publishing electronic signature certificate false in certain particulars | Imprisonment up to 2 years, or/and with fine up to ₹100,000 |
| 74 | Publication for fraudulent purpose | Imprisonment up to 2 years, or/and with fine up to ₹100,00 |

The Right to Information

Historical Background

The right to information is a fundamental right under Article 19 (1) of the Indian Constitution. In
1976, in the Raj Narain vs the State of Uttar Pradesh case, the Supreme Court ruled that Right to
information will be treated as a fundamental right under article 19. The Supreme Court held that in
Indian democracy, people are the masters and they have the right to know about the working of the
government.

Information relating to internal security, relations with foreign countries, intellectual property rights
(IPR), cabinet discussions are exempted from RTI.

RTI is an act which sets out the rules and procedures regarding citizens’ right to seek information.
Under the Act any citizen of India may request information from a “public authority" which is
required to reply expeditiously within thirty days.

Nature of the RTI Act

Empower citizens to question the government.

The act promotes transparency and accountability in the working of the government.

The act also helps in containing corruption in the government and work for the people in a better
way.

The act envisages building better-informed citizens who would keep necessary vigil about the
functioning of the government machinery.

The RTI Act, 2005 empowers the citizen to question the secrecy and abuse of power practised in
governance.

It is through the information commissions at the central and state levels that access to such
information is provided

WHAT IS THE SCOPE OF RTI ACT?

The Act covers all the constitutional authorities, including Executive, Legislature and Judiciary; any
institution or body established or constituted by an act of Parliament or a state legislature. Citizens
can inspect any government documents, inspect any government works etc.

Exclusions

https://epgp.inflibnet.ac.in/epgpdata/uploads/epgp_content/S000021LI/P001449/M016055/ET/1520591016ModuleID-MIL-06-EText-RTIConcept,ScopeandFeatures.pdf

Central Intelligence and Security agencies specified in the Second Schedule like:

1. Assam Rifles
2. Aviation Research Centre
3. Border Road Development Board
4. Border Security Force (BSF)
5. Central Economic Intelligence Bureau (CEIB)
6. Central Industrial Security Force (CISF)
7. Central Reserve Police Force (CRPF)
8. Dadra and Nagar Haveli and Special Branch
9. Defence Research and Development Organisation (DRDO)
10. Directorate General of Income-tax (Investigation)
11. Directorate of Enforcement
12. Directorate of Revenue Intelligence
13. Financial Intelligence Unit, India
14. R&AW
15. Indo-Tibetan Border Police (ITBP)
16. Intelligence Bureau (IB)
17. Lakshadweep Police
18. Narcotics Control Bureau
19. National Security Council Secretariat
20. National Security Guards (NSG)
21. National Technical Research Organisation
22. Research and Analysis Wing of the Cabinet Secretariat
23. Sashastra Seema Bal
24. Special Branch (CID)
25. Special Frontier Force
26. Special Protection Group (SPG)
27. Special Service Bureau
28. The Crime Branch-CID-CB

However, these Public Authorities have to respond to RTI Applications which pertain to subjects of
Human Rights and Corruption as per Section 5(1) of the RTI Act. Agencies specified by the State
Governments through a Notification will also be excluded. Similarly, some States within the union
have also exempted certain Public Authorities in the respective states from the purview of the Act.

WHAT IS THE PROCEDURE TO FILE RTI?

Citizens seeking information are required to send an application to the Public Information Officer (PIO)
of the concerned department along with a fee of Rs. 10. If a reply is not received within 30 days, the
next step is to approach the Central Information Commission (CIC).

Or

Visit the official RTI portal https://rtionline.gov.in

Select the Ministry or Department for which the applicant wants to file an RTI

The applicant will receive SMS alerts in case he/she provides a mobile number. The fields marked *
are mandatory while the others are optional.

Applicants below the poverty line (BPL) pay no fee; otherwise the fee is Rs. 10.

The Central Information Commission

The Commission has been constituted with effect from 12-10-2005 under the Right to Information Act,
2005. The jurisdiction of the Commission extends over all Central Public Authorities.

It acts upon complaints from individuals who have not been able to submit information
requests to a Central Public Information Officer or State Public Information Officer, either because
the officer has not been appointed or because the respective Central Assistant Public
Information Officer or State Assistant Public Information Officer refused to receive the application
for information under the Right to Information Act.

The State Information Commission


State Information Commissions are constituted by the State Government through a Gazette
notification. Each will have one State Chief Information Commissioner (SCIC) and not more than 10
State Information Commissioners (SIC), to be appointed by the Governor.

It entertains complaints and appeals pertaining to offices, financial institutions, public sector
undertakings, etc., under the concerned state government.

Global Data Privacy Right

Data privacy is a fundamental right and is recognised under the Universal Declaration of Human
Rights, the International Covenant on Civil and Political Rights, and various other international
covenants.

These eight (8) rights are the right to be informed, to access, to object, to erasure or blocking, to
damages, to file a complaint, to rectify, and to data portability.

There is no legal instrument dealing with the privacy of individuals on an international scale. Rather,
there are territorial privacy laws which are applicable within certain countries or regions. These laws
provide a legal framework on how to collect, use and store the personal data of natural persons.

India has enacted a data protection bill called the Personal Data Protection bill that embeds many of
the tenets of GDPR within the country’s context. These include requirements for notice and prior
consent for the use of individual data, limitations on the purposes for which data can be processed
by companies, and restrictions to ensure that only data necessary for providing a service to the
individual in question is collected. However, in 2017, a supreme court judge ruled that it was
unconstitutional for private companies to use Aadhaar data – a platform that was unveiled in 2009
and forms a massive part of the country’s biometric identification programme. As every resident has
their own 12-digit Aadhaar number, it has become a single, universal digital identity number that
any registered entity can use to authenticate an Indian resident. Now, the Aadhaar number can be
used for verification, but private companies are prevented from collecting the individual’s details.

https://www.thalesgroup.com/en/markets/digital-identity-and-security/government/magazine/beyond-gdpr-data-protection-around-world