The whole country is in shock after the PNB scam of more than Rs 11,000 crores. This also leads us to question the safety of the information shared with credit institutions in India. What legal mechanism is in force to ensure the protection of such information? Does any statute prescribe punishments for a data breach of credit information?
Fortunately, we have a number of legislative provisions to ensure the security of different kinds of information. The Official Secrets Act, 1923; the Census Act, 1948; the Registration of Births and Deaths Act, 1969; the Public Records Act, 1993, etc. are some of the examples. Section 3 of the Public Financial Institutions (Obligation as to Fidelity and Secrecy) Act, 1983 provides that a public financial institution shall not divulge any information relating to, or to the affairs of, its constituents except in circumstances in which it is, in accordance with the law or practice and usage, customary among bankers, necessary or appropriate for the public financial institution to divulge such information. The Information Technology Act, 2000, read with its numerous allied rules, accords protection to electronic information.
The Credit Information Companies (Regulation) Act, 2005 provides for the regulation of credit information companies and facilitates the efficient distribution of credit. Section 37 empowers the Reserve Bank to make regulations consistent with the provisions of this Act and the rules made thereunder to carry out the purposes of this Act. The Credit Information Companies Regulations, 2006 have been made by the Reserve Bank under the said provision. Together, they ensure the protection of credit information.
What is included in Credit Information?
Section 2(d) provides “credit information” means any information relating to –
(i) the amounts and the nature of loans or advances, amounts outstanding under credit cards and other credit facilities granted or to be granted, by a credit institution to any borrower;
(ii) the nature of security taken or proposed to be taken by a credit institution from any borrower for credit facilities granted or proposed to be granted to him;
(iii) the guarantee furnished or any other non-fund based facility granted or proposed to be granted by a credit institution for any of its borrowers;
(iv) the creditworthiness of any borrower of a credit institution;
(v) any other matter which the Reserve Bank may consider necessary for inclusion in the credit information to be collected and maintained by credit information companies, and, specify, by notification, in this behalf.
Credit Information Company and Credit Institution
Section 2(e) defines “credit information company” as a company formed and registered under the Companies Act, 1956 and which has been granted a certificate of registration under Section 5(2).
Section 2(f) defines “credit institution” as a banking company and includes –
- a corresponding new bank, the State Bank of India, a subsidiary bank, a co-operative bank, the National Bank and regional rural bank;
- a non-banking financial company as defined under Section 45-I(f) of the Reserve Bank of India Act, 1934;
- a public financial institution referred to in Section 4-A of the Companies Act, 1956;
- the financial corporation established by a State under Section 3 of the State Financial Corporation Act, 1951;
- the housing finance institution referred to in Section 2(d) of the National Housing Bank Act, 1987;
- the companies engaged in the business of credit cards and other similar cards and companies dealing with the distribution of credit in any other manner;
- any other institution which the Reserve Bank may specify, from time to time, for the purposes of this clause.
Provisions under Credit Information Companies (Regulation) Act, 2005
(a) Chapter VI –
- Duty to take requisite steps to ensure accuracy and security of credit information under Section 19 –
Section 19 casts an obligation upon a credit information company or credit institution or specified user, as the case may be, in possession or control of credit information, to take such steps (including security safeguards) as may be prescribed, to ensure that the data relating to the credit information maintained by them is accurate, complete, duly protected against any loss or unauthorised access or use or unauthorised disclosure thereof.
- Duty to adopt Privacy principles under Section 20 –
Every credit information company, credit institution, and specified user, shall adopt the following privacy principles in relation to collection, processing, collating, recording, preservation, secrecy, sharing and usage of credit information.
- the principles—
(i) which may be followed by every credit institution for collection of information from its borrowers and clients and by every credit information company, for collection of information from its member credit institutions or credit information companies, for processing, recording, protecting the data relating to credit information furnished by, or obtained from, their member credit institutions or credit information companies, as the case may be, and sharing of such data with specified users;
(ii) which may be adopted by every specified user for processing, recording, preserving and protecting the data relating to credit information furnished, or received, as the case may be, by it;
(iii) which may be adopted by every credit information company for allowing access to records containing credit information of borrowers and clients and alteration of such records in case of need to do so;
- the purpose for which the credit information may be used, restriction on such use and disclosure thereof;
- the extent of obligation to check accuracy of credit information before furnishing of such information to credit information companies or credit institutions or specified users, as the case may be;
- preservation of credit information maintained by every credit information company, credit institution, and specified user as the case may be (including the period for which such information may be maintained, manner of deletion of such information and maintenance of records of credit information);
- networking of credit information companies, credit institutions and specified users through electronic mode;
- any other principles and procedures relating to credit information which the Reserve Bank may consider necessary and appropriate and may be specified by regulations.
- Prohibition on Unauthorised access to credit information under Section 22 –
No person shall have access to credit information in the possession or control of a credit information company or a credit institution or a specified user unless the access is authorised by this Act or any other law for the time being in force or directed to do so by any court or tribunal and any such access to credit information without such authorisation or direction shall be considered as an unauthorised access to credit information.
(b) Chapter VII
- Obligations as to fidelity and secrecy under Section 29
Every credit information company shall observe, except as otherwise required by law, the practices and usages customary among credit information companies and it shall not divulge any information relating to, or to the affairs of, its members or specified users. Every chairperson, director, member, auditor, adviser, officer or other employees of a credit information company shall, before entering upon his duties, make a declaration of fidelity and secrecy in the form, as may be prescribed in this regard.
Table 1 – Data Protection Principles with regard to Credit Information
|Data Protection Principle|Provision under Credit Information Companies (Regulation) Act, 2005|Credit Information Companies Regulations, 2006|
|---|---|---|
|Accuracy and security of credit information|Section 19|Regulation 9.6.1|
|Purpose principle|Section 20|Regulations 9.5, 9.4.2, 9.7.3|
|Right to Access and Right to Rectification|Section 21|Regulation 9.3|
|Data Collection|–|Regulation 9.4.1|
Table 2 – Punishments under Credit Information Companies (Regulation) Act, 2005
|No.|Offence|Provision|Punishment|
|---|---|---|---|
|1.|Obtaining unauthorised access to credit information as referred to in Section 21(1)|Section 21(2)|Shall be punishable with fine which may extend to one lakh rupees in respect of each offence and if he continues to have such unauthorised access, with further fine which may extend to ten thousand rupees for every day on which the default continues|
|2.|Wilfully making a statement which is false in any material particular, knowing it to be false, or wilfully omitting to make a material statement in any return or other document or in any information required or furnished by, or under, or for the purposes of, any provision of this Act|Section 23(1)|Shall be punishable with imprisonment for a term which may extend to one year and shall also be liable to fine|
|3.|Wilfully performing any act or engaging in any practice, in breach of any of the principles referred to in Section 20 by every credit information company or a credit institution or any specified user|Section 23(2)|Shall be punishable with fine not exceeding one crore rupees|
|4.|Wilfully providing credit information which is false in any material particular, knowing it to be false, or wilfully omitting to make a material statement by any credit information company or credit institution or specified user to any other credit information company or credit institution or specified user or borrower or client, as the case may be|Section 23(3)|Shall be punishable with fine which may extend to one crore rupees|
|5.|Contravention of any provision of this Act or of any rule or order made thereunder, or obstruction in the lawful exercise of any power conferred by or under this Act, or making default in complying with any requirement of this Act or of any rule or order made or direction issued thereunder|Section 23(4)|Shall be punishable with fine which may extend to one lakh rupees and where a contravention or default is a continuing one, with a further fine which may extend to five thousand rupees for every day during which the contravention or default continues|
Section 26 empowers a Court imposing any fine under this Act to direct that the whole or any part thereof shall be applied in or towards payment of the costs of the proceedings, or for such purposes as may be directed by the court.