TMCnet News

Not sharing client data, says NPCI [India Business] [Times of India]
[August 09, 2014]

Not sharing client data, says NPCI [India Business] [Times of India]


(Times of India Via Acquire Media NewsEdge) MUMBAI: National Payments Corporation of India - Reserve Bank of India's brainchild which manages the backbone of the country's payments systems - has been asked to pay a token fine of Rs 10,000 to the Maharashtra treasury for passing on highly sensitive personal data to processing companies without a non-disclosure agreement. NPCI has contested the order by the state government's principal secretary (information technology) denying both charges - of compromising individual personal data and of not having non-disclosure agreements. The adjudicating officer's order was in an intellectual property rights tussle between two companies that processed card transactions for banks. CredenTek Software, an IT company, had complained against In Solutions Global (ISG), which specialized in processing card transactions for banks. NPCI came into the picture as it emerged that it was one of ISG's major clients. "We had filed a case against In-Solutions Global for source code violation and as part of our evidence we had submitted CDs containing sensitive personal data of bank customers which was handed to our clients by ISG," said Prashant Mali, Cyber Law & Cyber Security Expert from Mumbai who represented CredenTek for this case. Hearing both sides, the adjudicating officer - Rajesh Aggarwal, principal secretary (information technology) - said in his order that no case is made out of data theft or source code stealing under the IT Act and it is a dispute regarding contracted services not being rendered rather than a copyright issue. While he dismissed the source code, he said that during the course of hearings, "a more sinister crime of negligence under the IT Act came to light" and expressed shock that real data of bank customer transactions was passed on as sample data for testing software rather than simulated data. When contacted, NPCI said it does not share any confidential information with any party and has strong privacy policy based on international standard and its and has been awarded certificate for this. NPCI said its electronic clearing and settlement system was "safe and highly secure". and was compliant with Payment Card Industry Data Security Standards. NPCI said it has entered into a non-disclosure agreement with In-solutions Group, which has been filed with the application before the IT secretary of the Maharashtra government - the plea has not been disposed of so far. "The order passed by the IT secretary against NPCI was without jurisdiction and ultra vires and beyond the powers. There was no proceeding initiated by the IT secretary, government of Maharashtra, against NPCI under any law. Even no notice was issued by IT Secretary before issuing order for payment of penalty. NPCI has already challenged his order as soon as it came to knowledge of NPCI by filing an application for review application," it said in a statement. NPCI, which manages the ATM switch, Rupay and other payment networks such as IMPS that allow electronic funds transfers between banks, has been upset at the strong remarks made by the adjudicating officer without being heard. In the order, the adjudicating offer had said what was "more worrisome" was that NPCI is also running the Aadhaar Payment Bridge System, which includes Aadhaar number (UID) of the customers. Now, UID number is perhaps the most sensitive data of an Indian citizen, which needs to be protected even more than the Social Security Number (SSN) of USA, as it has linkage to biometrics (fingerprints and Iris). Obviously, UID number cannot be published on any website by any government department, and should be used for any Analytics or any other purpose, only with proper precautions as per Rules 6 and 7 of Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011." (c) 2014 Bennett, Coleman & Company Limited



[ Back To TMCnet.com's Homepage ]