The central government has made a significant decision to enhance the security of citizens’ data. The government has blocked all websites that expose Aadhaar and PAN details. Additionally, state IT secretaries have been granted the authority to address complaints and compensation related to data privacy violations.
Government’s Commitment to Data Security
The Government of India is committed to providing an open, secure, trustworthy, and accountable internet. The Ministry of Electronics and Information Technology has become aware that certain websites are disclosing sensitive personal identifiable information, including the Aadhaar and PAN details of Indian citizens. This issue has been taken seriously as the government prioritizes secure cybersecurity practices and the protection of personal data. Accordingly, action has been taken to block these websites.
UIDAI Files a Complaint
The Unique Identification Authority of India (UIDAI) has filed a complaint with the relevant police authorities for violating Section 29(4) of the Aadhaar Act, 2016, which prohibits the public display of Aadhaar information.
Analysis by the Indian Computer Emergency Response Team (CERT-In) revealed that these websites have some security vulnerabilities. The website owners have been guided on actions they need to take to strengthen their ICT infrastructure and address these vulnerabilities. CERT-In has also issued guidelines for secure application design, development, implementation, and operation for all entities using IT applications. Furthermore, it has provided guidelines related to information security practices, procedures, prevention, response, and reporting of cyber incidents under the Information Technology Act, 2000 (IT Act).
Powers Granted to State IT Secretaries
The Ministry of Electronics and Information Technology (MeitY) has notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which provides for the non-publication and non-disclosure of sensitive personal data. Any adversely affected party can contact the adjudicating officer under Section 46 of the IT Act to file a complaint and seek compensation. State IT secretaries have been granted the authority to act as adjudicating officers under the IT Act.
Additionally, the Digital Personal Data Protection Act, 2023, has already come into effect, and the draft rules under this Act are in the final stages. The government has also initiated an awareness program to educate stakeholders—industry, government, and citizens—about its impact. This initiative aims to create nationwide awareness and understanding among various stakeholders regarding responsible usage and proactive measures, thereby reducing the unnecessary exposure of personal data by different entities.