Friday, October 29, 2010

Frequently Asked Questions on the Right to Information

What is the Right to Information?

Under Article 19(1) of the Constitution, the right to information is a part of the fundamental rights. Article 19(1) says that every citizen has the right to speech and expression. In 1976, in the case of "Raj Narain vs Government of Uttar Pradesh", the Supreme Court said that people cannot speak or express themselves unless they know. For this reason, the right to information is implicit in Article 19. In the same case, the Supreme Court further said that India is a democracy. The people are the masters. Therefore, the people have a right to know what the governments, which exist to serve them, are doing. Also, every citizen pays taxes. Even a beggar on the street pays tax (in the form of sales tax, excise duty, etc.) when he buys soap from the market. Citizens therefore have a right to know how their money is being spent. The Supreme Court laid down these three principles in holding that the right to information is a part of our fundamental rights.
If RTI is a fundamental right, why do we need a law to give us this right?

This is because if you go to a government department and say to an officer, "RTI is my fundamental right, and I am the master of this country. So please show me your files", he will not do so. He will probably throw you out of his room. So we need a mechanism or procedure through which we can exercise this right. The Right to Information Act 2005, which came into force on 13 October 2005, gives us that mechanism. Thus the Right to Information Act does not give us any new right. It only lays down the process: how to ask for information, where to ask for it, how much fee to pay, and so on.
When did the Right to Information come into force?

The central Right to Information Act came into force on 12 October 2005. However, 9 state governments had already passed state laws. These were: Jammu and Kashmir, Delhi, Rajasthan, Madhya Pradesh, Maharashtra, Karnataka, Tamil Nadu, Assam and Goa.
What rights are available under the Right to Information?

The Right to Information Act 2005 empowers every citizen to:
- Ask the government anything or seek any information.
- Take a copy of any government decision.
- Inspect any government document.
- Inspect any government work.
- Take samples of the materials of any government work.
What rights are available under the Right to Information?

The central law applies to the whole country except the state of Jammu and Kashmir. It covers all bodies constituted under the Constitution, under any other law or under any government notification, and all bodies, including non-governmental organisations, that are owned, controlled or financed by the government.
What does "financed" mean?

It is defined neither in the Right to Information Act nor in any other law. So this issue will probably be settled over time only by some court order.
Do private bodies come under the Right to Information?

All private bodies that are owned, controlled or financed by the government are directly covered. Others are covered indirectly. That is, if a government department can obtain information from a private body under any other law, a citizen can obtain that information from that government department under the Right to Information Act.
Is the Official Secrets Act 1923 not an obstacle to the Right to Information?

No. Under Section 22 of the Right to Information Act 2005, the Right to Information Act will override all existing laws.

Cyber Crimes & Cyber Law - the Indian perspective

Information is a resource which has no value until it is extracted, processed and utilized. Information technology deals with information system, data storage, access, retrieval, analysis and intelligent decision making. Information technology refers to the creation, gathering, processing, storage, presentation and dissemination of information and also the processes and devices that enable all this to be done.
Information technology is affecting us as individuals and as a society. Information technology stands firmly on the hardware and software of computers and on the telecommunication infrastructure. But this is only one facet of information technology; today its other facets are challenges for the whole world, such as cyber crimes and, moreover, cyber terrorism. When the Internet was first developed, its founding fathers hardly had any inkling that it could transform itself into an all-pervading revolution which could be misused for criminal activities and which would require regulation. With the emergence of the technology, its misuse has also expanded to its fullest extent. Examples of it are:
- Cyber stalking
- Cyber harassment
- Cyber fraud
- Cyber defamation
- Spam
- Hacking
- Trafficking
- Distribution
- Posting and dissemination of obscene material including pornography, indecent exposure and child pornography etc.
The misuse of the technology has created the need for the enactment and implementation of cyber laws, but whether these cyber laws are capable of controlling cyber crime activities is a question that requires the utmost attention.
Cyber Crimes and Cyber Terrorism: “Is the Internet the new ‘Wild Wild West’?”
There can be no one exhaustive definition of Cybercrime. However, any activities which basically offend human sensibilities can also be included in its ambit. Child pornography on the Internet constitutes one serious Cybercrime. Similarly, online pedophiles, using the internet to induce minor children into sex, are as much Cyber criminals as any other.
“Cyber terrorism is the premeditated, politically motivated attack against information, computer systems, computer programs, and data which result in violence against property, government and people at large.”
In the era of globalization: the use of steganography[1] as a means of communicating the terrorist design online (Red Fort case, e-mail threats in the Taj Mahal case, Supreme Court e-mail threat case). The use of the internet to plan and carry out the terrorists’ acts of September 11th, the World Trade Center attack, reflects the present condition and provides the answer to the question “Is the internet the new Wild Wild West?”
Forms of Cyber Terrorism:[2]
(I) Privacy violation:
The law of privacy is the recognition of the individual's right to be let alone and to have his personal space inviolate. The right to privacy as an independent and distinctive concept originated in the field of Tort law, under which a new cause of action for damages resulting from unlawful invasion of privacy was recognized. In recent times, however, this right has acquired a constitutional status, the violation of which attracts both civil as well as criminal consequences under the respective laws. The intensity and complexity of life have rendered necessary some retreat from the world. Man, under the refining influence of culture, has become sensitive to publicity, so that solitude and privacy have become essential to the individual. Modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury. The right to privacy is a part of the right to life and personal liberty enshrined under Article 21 of the Constitution of India. With the advent of information technology, the traditional concept of the right to privacy has taken on new dimensions, which require a different legal outlook. To meet this challenge, recourse can be had to the Information Technology Act, 2000.
The various provisions of the Act aptly protect the online privacy rights of citizens. Certain acts which tend to intrude upon the privacy rights of citizens have been categorized as offences and contraventions.
(II) Secret information appropriation and data theft:
Information technology can be misused for appropriating valuable Government secrets and the data of private individuals and of the Government and its agencies. A computer network owned by the Government may contain valuable information concerning defense and other top secrets, which the Government will not wish to share otherwise. The same can be targeted by terrorists to facilitate their activities, including destruction of property. It must be noted that the definition of property is not restricted to moveables or immoveables alone.
In R.K. Dalmia v Delhi Administration the Supreme Court held that the word "property" is used in the I.P.C in a much wider sense than the expression "movable property". There is no good reason to restrict the meaning of the word "property" to moveable property only, when it is used without any qualification. Whether the offence defined in a particular section of IPC can be committed in respect of any particular kind of property, will depend not on the interpretation of the word "property" but on the fact whether that particular kind of property can be subject to the acts covered by that section.
(III) Demolition of e-governance base:
The aim of e-governance is to make the interaction of citizens with government offices hassle free and to share information in a free and transparent manner. It further makes the right to information a meaningful reality. In a democracy, people govern themselves and they cannot govern themselves properly unless they are aware of the social, political, economic and other issues confronting them. To enable them to make a proper judgment on those issues, they must have the benefit of a range of opinions on those issues. The right to receive and impart information is implicit in free speech. This right to receive information is, however, not absolute but is subject to reasonable restrictions which may be imposed by the Government in the public interest.
(IV) Distributed denial of service attack:
Cyber terrorists may also use the method of distributed denial of service (DDoS) to overburden the electronic bases of the Government and its agencies. This is made possible by first infecting several unprotected computers by way of virus attacks and then taking control of them. Once control is obtained, they can be manipulated from any locality by the terrorists. These infected computers are then made to send information or demands in such large numbers that the server of the victim collapses. Further, due to this unnecessary Internet traffic, legitimate traffic is prevented from reaching the computers of the Government or its agencies. This results in immense pecuniary and strategic loss to the government and its agencies.
It must be noted that thousands of compromised computers can be used to simultaneously attack a single host, thus making its electronic existence invisible to the genuine and legitimate citizens and end users. The law in this regard is crystal clear.
(V) Network damage and disruptions:
The main aim of cyber terrorist activities is to cause network damage and disruption. This activity may divert the attention of the security agencies for the time being, thus giving the terrorists extra time and making their task comparatively easier. This process may involve a combination of computer tampering, virus attacks, hacking, etc.
Information Technology Act, 2000 deals with the cyber crime problems. It has some positive as well as negative aspects.
Positive Aspects of the IT Act, 2000[3]
1. Prior to the enactment of the IT Act, 2000 even an e-mail was not accepted under the prevailing statutes of India as an accepted legal form of communication and as evidence in a court of law. But the IT Act, 2000 changed this scenario by legal recognition of the electronic format. Indeed, the IT Act, 2000 is a step forward.
2. From the perspective of the corporate sector, companies shall be able to carry out electronic commerce using the legal infrastructure provided by the IT Act, 2000. Till the coming into effect of the Indian Cyber law, the growth of electronic commerce was impeded in our country basically because there was no legal infrastructure to regulate commercial transactions online.
3. Corporates will now be able to use digital signatures to carry out their transactions online. These digital signatures have been given legal validity and sanction under the IT Act, 2000.
4. In today’s scenario, information is stored by companies on their respective computer systems, apart from maintaining a back-up. Under the IT Act, 2000, it shall now be possible for corporates to have a statutory remedy if anyone breaks into their computer systems or networks and causes damage or copies data. The remedy provided by the IT Act, 2000 is in the form of monetary damages, by way of compensation, not exceeding Rs. 1,00,00,000.
5. The IT Act, 2000 has defined various cyber crimes, which include hacking and damage to computer code. Prior to the coming into effect of the Indian Cyber law, corporates were helpless as there was no legal redress for such issues. But the IT Act, 2000 changes the scene altogether.
The Grey Areas of the IT Act, 2000[4]:
1. The IT Act, 2000 is likely to cause a conflict of jurisdiction.
2. Electronic commerce is based on the system of domain names. The IT Act, 2000 does not even touch the issues relating to domain names. Even domain names have not been defined and the rights and liabilities of domain name owners do not find any mention in the law.
3. The IT Act, 2000 does not deal with any issues concerning the protection of Intellectual Property Rights in the context of the online environment. Contentious yet very important issues concerning online copyrights, trademarks and patents have been left untouched by the law, thereby leaving many loopholes.
4. As the cyber law is growing, so are the new forms and manifestations of cyber crimes. The offences defined in the IT Act, 2000 are by no means exhaustive. However, the drafting of the relevant provisions of the IT Act, 2000 makes it appear as if the offences detailed therein are the only cyber offences possible and existing. The IT Act, 2000 does not cover various kinds of cyber crimes and Internet-related crimes. These include:
a) Theft of Internet hours
b) Cyber theft
c) Cyber stalking
d) Cyber harassment
e) Cyber defamation
f) Cyber fraud
g) Misuse of credit card numbers
h) Chat room abuse
5. The IT Act, 2000 has not tackled several vital issues pertaining to e-commerce sphere like privacy and content regulation to name a few. Privacy issues have not been touched at all.
6. Another grey area of the IT Act is that it does not touch upon any anti-trust issues.
7. The most serious concern about the Indian Cyber law relates to its implementation. The IT Act, 2000 does not lay down parameters for its implementation. Also, when internet penetration in India is extremely low and government and police officials in general are not very computer savvy, the new Indian cyber law raises more questions than it answers. It seems that Parliament would be required to amend the IT Act, 2000 to remove the grey areas mentioned above.
Conclusion:
New legislation which can cover all the aspects of Cyber Crimes should be passed so that the grey areas of the law can be removed. The recent blasts in Ahmedabad, Bangalore and Delhi reflect the threat to mankind from cyber space activities; against this, I personally believe that only technology and its wide expansion can give a strong fight to the problems. The software that is easily available for download should be restricted by the Government through appropriate action. New amendments should be included in the IT Act, 2000 to make it efficient and active against the crimes. Training and public awareness programs should be organized in companies as well as in common sectors. The number of cyber cops in India should be increased. The jurisdiction problem in the implementation part should be removed: cyber criminals do not have any jurisdictional limit, so why do the laws have one? After all, the laws are there to punish the criminal, but the present scenario gives them the chance to escape.

Cyber Terrorism & Various Legal Compliances

What is Terrorism?
By Federal Bureau of Investigation
The unlawful use of force or violence against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political and social objectives.
• Using force to intimidate or coerce government or civilians to further an agenda.
• Cyber-terrorism is therefore defined as the use of computing resources to intimidate or coerce others.
• It makes more sense to classify Microsoft, the MPAA, RIAA, and the DMCA as cyber-terrorists rather than any al Qaeda cracker.
USC Title 22, Ch. 38, Sec. 2656 (f) d:
Terrorism is defined as premeditated, politically motivated violence perpetrated against noncombatant targets by sub national groups or clandestine agents, usually intended to influence an audience. The United States has employed this definition of terrorism for statistical and analytical purposes since 1983. U.S. Department of State, 2002, Patterns of Global Terrorism, 2003
What is Cyber Terrorism?
Security expert Dorothy Denning defines cyber terrorism as “... politically motivated hacking operations intended to cause grave harm such as loss of life or severe economic damage.”
The Federal Emergency Management Agency (FEMA)
Unlawful attacks and threats of attack against computers, networks, and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives.
The U.S. National Infrastructure Protection Center:
A criminal act perpetrated by the use of computers and telecommunications capabilities, resulting in violence, destruction and/or disruption of services to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to particular political, social or ideological agenda.
Forms of Cyber Terrorism
Cyber terrorism, as mentioned, is a very serious issue and it covers a wide range of attacks.
Here, attention is drawn to the definition of Cyber Crime.
“Cyber Crime” is crime that is enabled by, or that targets computers. Cyber Crime can involve theft of intellectual property, a violation of patent, trade secret, or copyright laws. However, cyber crime also includes attacks against computers to deliberately disrupt processing, or may include espionage to make unauthorized copies of classified data.
Some of the major tools of cyber crime may be: Botnets, Estonia, 2007, Malicious Code Hosted on Websites, Cyber Espionage etc.
It is pertinent to note here that there are other forms which could be covered under the heading of Cyber Crime and which are simultaneously important tools for terrorist activities. These criminal activities are discussed one by one:
Attacks via Internet:
Unauthorized access & Hacking:-
Access means gaining entry into, instructing or communicating with the logical, arithmetical, or memory function resources of a computer, computer system or computer network. Unauthorized access would therefore mean any kind of access without the permission of either the rightful owner or the person in charge of a computer, computer system or computer network.
Every act committed towards breaking into a computer and/or network is hacking. Hackers write or use ready-made computer programs to attack the target computer. They possess the desire to destroy and they get a kick out of such destruction. Some hackers hack for personal monetary gain, such as stealing credit card information or transferring money from various bank accounts to their own account, followed by withdrawal of the money.
Taking control of another person’s website by hacking the web server is called web hijacking.
Trojan Attack:- 
Programs that act like something useful but do things that are quite damaging are called Trojans.
The name Trojan Horse is popular. Trojans come in two parts, a Client part and a Server part. When the victim (unknowingly) runs the server on their machine, the attacker will then use the Client to connect to the Server and start using the trojan. TCP/IP is the usual protocol type used for communications, but some functions of the trojans use the UDP protocol as well.
Virus and Worm attack:- 
A program that has the capability to infect other programs, make copies of itself and spread into other programs is called a virus.
Programs that multiply like viruses but spread from computer to computer are called worms. The latest in these attacks is the “Michael Jackson e-mail virus-Remembering Michael Jackson”. Once it infects the computer, it automatically spreads the worm to other internet users.
E-mail & IRC related crimes:-
1. Email spoofing
Email spoofing refers to email that appears to have originated from one source when it was actually sent from another source.
2. Email spamming
Email "spamming" refers to sending email to thousands and thousands of users - similar to a chain letter.
3. Sending malicious code through email
Emails are used to send viruses, Trojans etc., either as an attachment or as a link to a website which downloads malicious code when visited.
4. Email bombing
Email "bombing" is characterized by abusers repeatedly sending an identical email message to a particular address.
5. Sending threatening emails
6. Defamatory emails
7. Email frauds
8. IRC related
Attack on Infrastructure:
Our banks and financial institutions; air, sea, rail and highway transportation systems; telecommunications; electric power grids; oil and natural gas supply lines—all are operated, controlled and facilitated by advanced computers, networks and software. Typically, the control centers and major nodes in these systems are more vulnerable to cyber than physical attack, presenting considerable opportunity for cyber terrorists.
There could be other losses to infrastructure too. Kevin Coleman, in his article on cyber-terrorism, offered a scenario of the possible consequences of a cyber-terrorism act against an infrastructure or business, with a division of costs into direct and indirect implications:
Direct Cost Implications
- Loss of sales during the disruption
- Staff time, network delays, intermittent access for business users
- Increased insurance costs due to litigation
- Loss of intellectual property - research, pricing, etc.
- Costs of forensics for recovery and litigation
- Loss of critical communications in time of emergency
Indirect Cost Implications
- Loss of confidence and credibility in our financial systems
- Tarnished relationships and public image globally
- Strained business partner relationships - domestic and international
- Loss of future customer revenues for an individual or group of companies
- Loss of trust in the government and computer industry.
Attacks on Human Life
Examples:-
• Consider an air traffic system that is mainly computerized and is set to establish the flight routes for airplanes, calculating the flight courses for all the planes in the air to follow. Also, pilots have to check the course, as well as the other planes around them, using onboard radar systems that are not connected to external networks; therefore it can be attacked by the cyber-terrorist.
• A different example would be an act of cyber-terrorism against a highly automated factory or plant producing any kind of product: food, equipment, vehicles etc. If this organisation is highly reliant on technological control, with human control only at the end of production and not at the checkpoint stages, then any malfunction would be extremely hard to point out and fix and, as a result, a cyber-crime being committed would be extremely hard to spot.
Privacy violation:
The law of privacy is the recognition of the individual's right to be let alone and to have his personal space inviolate. The right to privacy as an independent and distinctive concept originated in the field of Tort law. In recent times, however, this right has acquired a constitutional status [Rajagopal Vs State of TN (1994) 6 SCC 632], the violation of which attracts both civil as well as criminal consequences under the respective laws. Modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury. The right to privacy is a part of the right to life and personal liberty enshrined under Article 21 of the Constitution of India. With the advent of information technology, the traditional concept of the right to privacy has taken on new dimensions, which require a different legal outlook. To meet this challenge, recourse can be had to the Information Technology Act, 2000. The various provisions of the Act protect the online privacy rights of net users. These rights are available against private individuals as well as against cyber terrorists. Section 1 (2) read with Section 75 of the Act provides for an extra-territorial application of the provisions of the Act. Thus, if a person (including a foreign national) contravenes the privacy of an individual by means of a computer, computer system or computer network located in India, he would be liable under the provisions of the Act. This makes it clear that the long arm jurisdiction is equally available against a cyber terrorist whose act has resulted in damage to property, whether tangible or intangible.
Secret information appropriation and data theft:
Information technology can be misused for appropriating valuable Government secrets and the data of private individuals and of the Government and its agencies. A computer network owned by the Government may contain valuable information concerning defence and other top secrets, which the Government will not wish to share otherwise. The same can be targeted by terrorists to facilitate their activities, including destruction of property. It must be noted that the definition of property is not restricted to moveable or immoveable alone. In R.K. Dalmia v Delhi Administration the Supreme Court held that the word "property" is used in the I.P.C in a much wider sense than the expression "movable property". There is no good reason to restrict the meaning of the word "property" to moveable property only, when it is used without any qualification. Whether the offence defined in a particular section of IPC can be committed in respect of any particular kind of property, will depend not on the interpretation of the word "property" but on the fact whether that particular kind of property can be subject to the acts covered by that section.
Demolition of e-governance base:
The aim of e-governance is to make the interaction of citizens with government offices hassle free and to share information in a free and transparent manner. It further makes the right to information a meaningful reality. In P.U.C.L. v U.O.I the Supreme Court specified the grounds on which the government can withhold information relating to various matters, including trade secrets. The Supreme Court observed: "Every right - legal or moral - carries with it a corresponding objection. It is subject to several exemptions/exceptions indicated in broad terms."
Laws in Various Countries on Cyber Terrorism
Singapore
New laws allowing Singapore to launch pre-emptive strikes against computer hackers have raised fears that Internet controls are being tightened and privacy compromised in the name of fighting terrorism. The city-state's parliament has approved tough new legislation aimed at stopping "cyber terrorism," referring to computer crimes that endanger national security, foreign relations, banking and essential public services. Security agencies can now patrol the Internet and swoop down on hackers suspected of plotting to use computer keyboards as weapons of mass disruption. Violators of the Computer Misuse Act such as website hackers can be jailed up to three years or fined up to S$10,000 ($5,800).
New York
A bill sponsored by state Sen. Michael Balboni, R-East Williston, that makes cyber terrorism a felony was approved by the legislative body earlier this month and sent to the State Assembly. Under the legislation, cyber terrorism, using computers to disrupt, terrorize or kill, would become a class B felony, carrying a prison term of up to 25 years.
Malaysia 
Malaysia is to establish an international centre to fight cyber-terrorism, providing an emergency response to high-tech attacks on economies and trading systems around the globe, reports said. Prime Minister Abdullah Ahmad Badawi said during a visit to the United States that the facility, sited at the high-tech hub of Cyberjaya outside Kuala Lumpur, would be funded and supported by governments and the private sector.
The New Straits Times said the centre would be modelled on the Centre for Disease Control in Atlanta, which helps handle outbreaks of disease around the world.
Abdullah -- who announced the initiative at the close of the World Congress on Information Technology in Austin, Texas -- said the threat of cyber-terrorism was too serious for governments to ignore.
Interpol, with its 178 member countries, is doing a great job in fighting cyber terrorism. It is helping all the member countries and training their personnel. The Council of Europe Convention on Cyber Crime, which is the first international treaty for fighting computer crime, is the result of 4 years' work by experts from the 45 member and non-member countries including Japan, USA, and Canada. This treaty has already entered into force after its ratification by Lithuania on 21st of March 2004.
The Association of Southeast Asian Nations (ASEAN) has set plans for sharing information on computer security. It is going to create a regional cyber-crime unit by the year 2005.
United Kingdom
The United Kingdom adopted the Terrorism Act, 2000, which gives the definition of terrorism and also contains various provisions for cyber terrorism.
Pakistan
“Whoever commits the offence of cyber terrorism and causes death of any person shall be punishable with death or imprisonment for life,” according to the ordinance, which was published by the state-run APP news agency. The Prevention of Electronic Crimes law will be applicable to anyone who commits a crime detrimental to national security through the use of a computer or any other electronic device, the government said in the ordinance. It listed several definitions of a “terrorist act” including stealing or copying, or attempting to steal or copy, classified information necessary to manufacture any form of chemical, biological or nuclear weapon.
In India
Although the term “cyber terrorism” is absent from the terminology of the Indian law, Section 69 of the Information Technology Act is a strong legislative measure to counter the use of encryption by terrorists. This section authorizes the Controller of Certifying Authorities (CCA) to direct any Government agency to intercept any information transmitted through any computer resource.
Any person who fails to assist the Government agency in decrypting the information sought to be intercepted is liable for imprisonment up to 7 years.
Constitution of India
Article 300A of Constitution of India states that all persons have a right to hold and enjoy their properties. In a specific case of Bhavnagar University v Palitana Sugar Mills Pvt. Ltd. Supreme Court applied the constitutional clause with the interpretation that anyone can enjoy his or her property rights in any manner preferred. This also includes property rights to information stored on computers or in any electronic format.
Articles 301 to 305 refer to the right to free trade. As long as an individual carries out a business in accordance with law, it cannot be interfered with. Besides, free trade and any commercial activities cannot be visualized without technological rights, which means that any distortion of those is illegal. In India these provisions have been effectively used to protect individual property rights against the actions of cyber-criminals.
Penal Code
A great deal of protection is also provided by the Indian Penal Code. Section 22 of the Code defines “movable property”, stating that it also includes all corporeal properties. It means that any information stored on a computer can conveniently be regarded as movable property, as it can definitely be moved from one place to another and is not attached.
Section 29A of the Code with Section 2(1)(t) of the Information Technology Act provides that “electronic record means data, record, or data generated, image or sound stored, received or sent in an electronic form or microfilm or computer generated microfiche”.
Cyber-terrorism and Human Rights.
The Universal Declaration of Human Rights in its Preamble talks about “freedom from fear and want”. Freedom from fear is mostly a term of a psychological nature; however, it is used very widely nowadays, especially in cases of terrorism. Article 3 of the Declaration sets the right to “security of person”. As we know, the term “person” also includes the environment (s)he exists in, unlike the term “individual”, which under one of the concepts is imagined as something abstract, apart from any surrounding conditions. So protecting personal security would also mean protecting a person's social, economic and other connections, the “threads” established with the environment. As long as in modern reality these are sometimes predominantly based on technology, computers or the internet, cyber-terrorism protection also deals with “security of person”. Here I would also add Article 5 with its protection against “degrading treatment”. Personal harm is also a part of degradation, and treating a person in such a way is something that may result from a cyber-criminal act, as was shown above.
One important provision that I would like to pay special attention to is Article 12 of the Declaration. It states: “No one shall be subjected to arbitrary interference with his privacy, nor to attacks upon his honour or reputation”. “Privacy” is defined as “the quality or state of being apart from company or observation”, which, in combination with another definition of “freedom from unauthorized intrusion” given by the same source, also includes the privacy of computer-stored data and a right to enjoy its private state of non-interference without personal will of the possessor.
Article 17 sets a right to property and a restriction on depriving anyone of possessed property. Property is defined as “anything that is owned by a person or entity”, including two types of it: “real property” and “personal property”. Personal property or “personalty” includes “movable assets which are not real property, money, or investments”.
Article 19, however, plays a different role in this topic and is mostly associated with internet use by terrorists in general.
Judicial response:
The judiciary can play its role by adopting a stringent approach towards the menace of cyber terrorism. It must, however, first tackle the jurisdiction problem, because before invoking their judicial powers the courts are required to satisfy themselves that they possess the requisite jurisdiction to deal with the situation. Since the Internet "is a cooperative venture not owned by a single entity or government, there are no centralized rules or laws governing its use." The absence of geographical boundaries may give rise to a situation where an act that is legal in the country where it is done may violate the laws of another country. This process is further complicated by the absence of a uniform and harmonised law governing the jurisdictional aspects of disputes arising from the use of the Internet. It must be noted that, generally, scholars point towards the following "theories" under which a country may claim prescriptive jurisdiction:
(a) a country may claim jurisdiction based on "objective territoriality" when an activity takes place within the country,
(b) a "subjective territoriality" may attach when an activity takes place outside a nation's borders but the "primary effect" of the action is within the nation's borders,
(c) a country may assert jurisdiction based on the nationality of either the actor or the victim,
(d) in exceptional circumstances, providing the right to protect the nation's sovereignty when faced with threats recognised as particularly serious in the international community.
In addition to establishing a connecting nexus, traditional international doctrine also calls for a "reasonable" connection between the offender and the forum. Depending on the factual context, courts look to such factors as whether the activity of the individual has a "substantial and foreseeable effect" on the territory, whether a "genuine link" exists between the actor and the forum, the character of the activity and the importance of the regulation giving rise to the controversy, the extent to which exceptions are harmed by the regulation, and the importance of the regulation in the international community. The traditional jurisdictional paradigms may provide a framework to guide analysis for cases arising in cyberspace [Dawson Cherie; “Creating Borders on the Internet- Free Speech, the United States and International Jurisdiction”, Virginia Journal of International Law, V-44, No-2 (Winter, 2004).]. It must be noted that by virtue of section 1(2) read with section 75 of the Information Technology Act, 2000 the courts in India have “long arm jurisdiction” to deal with cyber terrorism.
Conclusion
Therefore, cyber terrorism is becoming a major tool for terrorists, and thus it is becoming more essential to frame policies to counter these attacks.

Data Protection Law In India-Needs And Position

The age of the Internet has taken India to new heights of excellence in education, medicine, communication, public services and almost all walks of governance. In the IT sector, Indian professionals have built for themselves an enviable global reputation through hard work, dedication and commitment. Development in one sphere also has an impact on other spheres of life. It follows that with the increasing use of the internet, the need for changes in law is inevitable. The internet has in store a huge amount of data for different kinds of people with different requirements. It has proved to be a boon inasmuch as it is being used for the purpose of growth and development. The growing use of the internet can be witnessed in e-Commerce. The problem that arises in e-Commerce is that the Internet is in itself global. In order to prevent the misuse of data and information, data protection laws become very important.
At the outset it is needful to discuss briefly about Data Protection. Data Protection relates to issues relating to the collection, storage, accuracy and use of data provided by net users in the use of the World Wide Web. Visitors to any website want their privacy rights to be respected when they engage in e-Commerce. It is part of the confidence-creating role that successful e-Commerce businesses have to convey to the consumer. If industry doesn't make sure it's guarding the privacy of the data it collects, it will be the responsibility of the government and it's their obligation to enact legislation.
Any transaction between two or more parties involves an exchange of essential information between the parties. Technological developments have enabled transactions by electronic means. Any such information/data collected by the parties should be used only for the specific purposes for which they were collected. The need arose, to create rights for those who have their data stored and create responsibilities for those who collect, store and process such data. The law relating to the creation of such rights and responsibilities may be referred to as ‘data protection’ law.
The world’s first computer specific statute was enacted in the form of a Data Protection Act, in the German state of Hesse, in 1970.[1] The misuse of records under the Nazi regime had raised concerns among the public about the use of computers to store and process large amounts of personal data.[2] The Data Protection Act sought to heal such memories of misuse of information. A different rationale for the introduction of data protection legislation can be seen in the case of Sweden which introduced the first national statute in 1973.[3] Here, data protection was seen as fitting naturally into a two hundred year old system of freedom of information with the concept of subject access (such a right allows an individual to find out what information is held about him) being identified as one of the most important aspects of the legislation.[4] In 1995, the European Union adopted its Directive (95/46/EC) of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter, the Directive), establishing a detailed privacy regulatory structure.[5] The Directive is specific on the requirements for the transfer of data. It sets down the principles regarding the transfer of data to third countries and states that personal data of EU nationals cannot be sent to countries that do not meet the EU “adequacy” standards with respect to privacy.[6] In order to meet the EU “adequacy” standards, US developed a ‘Safe Harbour’[7] framework, according to which the US Department of Commerce would maintain a list of US companies that have self-certified to the safe harbor framework. An EU organization can ensure that it is sending information to a U.S. organization participating in the safe harbor by viewing the public list of safe harbor organizations posted on the official website.
Data protection has emerged as an important reaction to the development of information technology. In India data protection is covered under the Information Technology Act, 2000 (hereinafter, the Act). The Act defines ‘data’ as, “‘data’ means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer”.[8] Protection of such data and privacy are covered under specific provisions in the Act.[9] In the recent past, the need for data protection laws has been felt to cater to various needs. The following analyses the position of data protection law with respect to some of the needs.
Data Protection Law In Respect Of Information Technology Enabled Services (ITES)
Significance of ITES:-
India started liberalizing its economy in the 1990’s and since then a huge upsurge in the IT business process outsourcing may be witnessed. Financial, educational, legal, marketing, healthcare, telecommunication, banking etc are only some of the services being outsourced into India. This upsurge of outsourcing of ITES into India in the recent past may be attributed to the large English-speaking unemployed populace, cheap labour, enterprising and hardworking nature of the people etc. Statistics have shown that the outsourcing industry is one of the biggest sources of employment. In a span of four years, the number of people working in call centers in the country supporting international industries has risen from 42,000 to 3,50,000.[10] Exports were worth $5.2 billion in 2004-2005 and are expected to grow over 40% this fiscal year.[11] US is currently the biggest investor in Indian ITES, taking advantage of cheap labour costs. Statistics indicate that software engineers with two-years experience in India are being paid about 1/5th of an equivalent US employee.[12]
Concerns about adequacy of law
BPO Frauds
With globalization and the growing BPO industry in India, protection of data warrants legislation. There are reasons for this. Every individual consumer of the BPO industry would expect different levels of privacy from the employees who handle personal data. But there have been situations in the recent past where employees or systems have given away the personal information of customers to third parties without prior consent. So other countries providing BPO business to India expect the Indian government and BPO organizations to take measures for data protection. Countries with data protection law have guidelines that call for data protection law in the country with which they are transacting. For instance, under the latest guidelines, European Union countries will cease to part with data that is considered the subject matter of protection to any third country unless such other country has a similar law on data protection. One of the essential features of any data protection law would be to prevent the flow of data to non-complying countries, and such a provision, when implemented, may result in a loss of "Data Processing" business to some of the Indian companies.
In the recent past, concerns have been raised both within the country as well as by customers abroad regarding the adequacy of data protection and privacy laws in the country.[13] A few incidents have questioned the Indian data protection and privacy standards and have left the outsourcing industry embarrassed. In June 2005, ‘The Sun’ newspaper claimed that one of its journalists bought personal details including passwords, addresses and passport data from a Delhi IT worker for £4.25 each.[14] Earlier BPO frauds in India include New York-based Citibank accounts being looted from a BPO in Pune and a call-center employee in Bangalore peddling credit card information to fraudsters who stole US$398,000 from British bank accounts.[15] UK's Channel 4 TV station ran broadcast footage of a sting operation exposing middlemen hawking the financial data of 200,000 UK citizens. The documentary has prompted Britain's Information Commissioner's Office to examine the security of personal financial data at Indian call centers.[16]
In the absence of data protection laws, the kind of work that would be outsourced to India in the future would be limited. The effect of this can be very well seen in the health-care BPO business, which is estimated to be worth close to $45 billion. Lack of data protection laws have left Indian BPO outfits still stagnating in the lower end of the value chain, doing work like billing, insurance claims processing and of course transcription. Besides healthcare, players in the retail financial sector are also affected. Financial offshoring from banks is limited because of statutory compliance requirements and data privacy laws protecting sensitive financial information in accounts. In the Human Resource (HR) domain, there are many restrictions on sharing of personal information. In the medical domain, patient history needs to be protected. In credit card transactions, identity theft could be an issue and needs to be protected. Companies in the banking, financial services and insurance (BFSI) sector and healthcare have excluded applications/processes which use sensitive information from their portfolio for offshoring till they are comfortable about the data protection laws prevalent in the supplier country.
Since there is lack of data protection laws in India, Indian BPO outfits are trying to deal with the issue by attempting to adhere to major US and European regulations. MNCs have to comply with foreign Regulations so that they don’t lose on their international partners. There are problems involved in this. Efforts by individual companies may not count for much if companies rule out India as a BPO destination in the first place in the absence of data protection law.
Today, the largest portion of BPO work coming to India is low-end call centre and data processing work. If India has to exploit the full potential of the outsourcing opportunity, then we have to move up the value chain. Outsourced work in Intellectual Property Rights (IPR)-intensive areas such as clinical research, engineering design and legal research is the way ahead for Indian BPO companies. The move up the value chain cannot happen without stringent laws. Further, weak laws would act as deterrents for FDI, global business and the establishment of research and development parks in the pharmaceutical industry.
Looking at the above scenario, we can say that for India to achieve heights in the BPO industry, stringent laws for data protection and intellectual property rights have to be made. Thus, a law on data protection in India must address the following Constitutional issues on a "priority basis" before any statutory enactment procedure is set into motion:
(1) Privacy rights of interested persons in real space and cyber space.
(2) Mandates of freedom of information U/A 19 (1) (a).
(3) Mandates of right to know of people at large U/A 21.
Once the data protection rules are enforced in India, companies outsourcing to India are unlikely to dismantle the systems they have in place straightaway, and move data more freely to India. Hence the need for data protection laws: they would win over the confidence of international business partners and protect against abuse of information; protection of privacy and personal rights of individuals would be ensured; there would be more FDI inflows, global business and the establishment of research and development parks in the pharmaceutical industry; and impetus would be provided to the e-Commerce sector at national and international levels.
Data protection law in India (Present status):-
Data Protection law in India is included in the Act[17] under specific provisions. Both civil and criminal liabilities are imposed for violation of data protection.
(1) Section 43 deals with penalties for damage to computer, computer system etc.
(2) Section 65 deals with tampering with computer source documents.
(3) Section 66 deals with hacking with computer system.
(4) Section 72 deals with penalty for breach of confidentiality and privacy. Call centers can be included in the definition of ‘intermediary’[18] and a ‘network service provider’ and can be penalized under this section.
These developments have put the Indian government under pressure to enact more stringent data protection laws in the country in order to protect the lucrative Indian outsourcing industry. In order to use IT as a tool for socio-economic development, employment generation and to consolidate India’s position as a major player in the IT sector,[19] amendments to the IT Act, 2000 have been approved by the cabinet[20] and are due to be tabled in the winter session of the Parliament.[21]
Proposed amendments:-
The amendments relate to the following[22]:
(i) Proposal at Sec. 43 (2) related to handling of sensitive personal data or information with reasonable security practices and procedures.
(ii) Gradation of severity of computer related offences under Section 66, committed dishonestly or fraudulently and punishment thereof.
(iii) Proposed additional Section 72 (2) for breach of confidentiality with intent to cause injury to a subscriber.
It is hoped that these amendments will strengthen the law sufficiently to meet the need.
Data Protection Laws In Order To Invite ‘Data Controllers’.[23]
There has been a strong opinion that if India strengthens its data protection law, it can attract multi-national corporations to India. India can be home to such corporations rather than a mere supplier of services.
In fact, there is an argument that the EU’s data protection law is sufficient to protect the privacy of its people and thus the lack of strong protection under Indian law is not a hindrance to the outsourcing industry. To illustrate, consider a company established in the EU (called the ‘data controller’) and the supplier of call center services (‘data processor’) in India. If the data processor makes any mistake in the processing of personal data or there are instances of data theft, then the data controller in the EU can be made liable for the consequences. The Indian data processor is not in control of personal data and can only process data under the instructions of the data controller. Thus if a person in the EU wants to exercise rights of access and retrieve personal data, the data controller has to retrieve it from the data processor, irrespective of where the data processor is located. Thus a strong data protection law is needed not only to reinforce the image of the Indian outsourcing industry but also to invite multi-national corporations to establish their corporate offices here.
Data Protection And Telemarketing
India is faced with a new phenomenon: telemarketing. This is facilitated, to a large extent, by the widespread use of mobile telephones. Telemarketing executives, now said to be available for as low as US $70 per month,[24] process information about individuals for direct marketing. This interrupts the peace of an individual and the conduct of work. There is a violation of privacy caused by such callers, who, on behalf of banks, mobile phone companies, financial institutions etc., offer various schemes. The right to privacy has been read into Article 21, Constitution of India, but this has not afforded enough protection. A PIL against several banks and mobile phone service providers is pending before the Supreme Court alleging inter alia that the right to privacy[25] has been infringed.
The EC Directive confers certain rights on the people and this includes the right to prevent processing for direct marketing.[26] Thus, a data controller is required not to process information about individuals for direct marketing if an individual asks them not to. So individuals have the right to stop unwanted marketing offers. It would be highly beneficial that data protection law in India also includes such a right to prevent unsolicited marketing offers and protect the privacy of the people.
Data Protection With Regard To Governance And People
The Preamble to the Act specifies that, the IT Act 2000, inter alia, will facilitate electronic filing of documents with the Government agencies. It seeks to promote efficient delivery of Government services by means of reliable electronic records. Stringent data protection laws will thus help the Government to protect the interests of its people.
Data protection law is necessary to provide protection to the privacy rights of people and to hold cyber criminals responsible for their wrongful acts. Data protection law is not about keeping personal information secret. It is about creating a trusted framework for collection, exchange and use of personal data in commercial and governmental contexts. It is to permit and facilitate the commercial and governmental use of personal data.
Conclusion:-
The stringency of data protection law, whether the prevailing law will suffice for such needs, whether the proposed amendments are a welcome measure, whether India needs a separate legislation for data protection etc. are questions which require an in-depth analysis of the prevailing circumstances and a comparative study with laws of other countries. There is no consensus among the experts regarding these issues. These issues are not in the purview of this write-up. But the importance of data protection law in the contemporary IT scenario is beyond doubt and is not disputable.
--------------------------------------------------------------------------------
[1] See Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG), available at http://www.iuscomp.org/gla/statutes/BDSG.htm
[2] Parag Diwan and Shammi Kapoor, Cyber and e-commerce laws, 2nd ed., [2000], p.4
[3] See Freedom of Speech, The EU Data Protection Directive and the Swedish Personal Data Act, available at www.dsv.su.se/jpalme/society/eu-data-directive-freedom.html
[4] Parag Diwan and Shammi Kapoor, Cyber and e-commerce laws, 2nd ed., [2000], p.4.
[5] See Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, available at http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:NOT
[6] See Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Art. 25(2), available at http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:NOT
[7] See Safe Harbor Overview, available at http://www.export.gov/safeharbor/index.html
[8] See The Information Technology Act, 2000, Sec. 2(1)(o)
[9] See The Information Technology Act, 2000, Sec. 43, Sec. 65, Sec. 66, Sec. 72
[10] See How secure are India’s call centers- Soutik Biswas, available at http://news.bbc.co.uk/2/hi/south_asia/4619859.stm
[11] Id.
[12] See Data protection and offshoring to India, available at http://www.out-law.com/page-3608
[13] See India tightens Data Protection law available at http://www.atimes.com/atimes/South_Asia/HJ20Df01.html
[14] See How secure are India’s call centers- Soutik Biswas, available at http://news.bbc.co.uk/2/hi/south_asia/4619859.stm
[15] See India tightens Data Protection law available at http://www.atimes.com/atimes/South_Asia/HJ20Df01.html
[16] Id.
[17] See The Information Technology Act, 2000.
[18] See The Information Technology Act, 2000, Sec. 2(1)(w).
[19] See Press Information Bureau, Government of India, Expert Committee on Amendments to IT Act, 2000 submits its report, August 29th, 2005, available at http://www.mit.gov.in/itact2000/PressRelease.doc
[20] See Tougher IT law for Data Protection Soon, available at http://content.msn.co.in/Technology/technologyIANS_171006_155.htm
[21] See India to amend IT Act for data protection, available at http://timesofindia.indiatimes.com/articleshow/2177219.cms
[22] See Report of the Expert Committee, Proposed Amendments to Information Technology Act 2000, Summary, August 2005, available at http://www.mit.gov.in/itact2000/Summary-final.doc
[23] See Data protection and offshoring to India, available at http://www.out-law.com/page-5013
[24] See Does India need a separate data protection law?, available at http://www.knspartners.com/files/BNA%20Article-180106.pdf
[25] See Mr. X v. Hospital Z, (1998) 8 SCC 296. “The right to privacy is enshrined in Article 21 of the Constitution of India”.
[26] See Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Art. 14.

Data Retention Policies- An Emerging Requirement & Various Compliances

Document retention, especially the retention of electronic data, has become a hot topic in the legal industry. In the 21st century business world, companies are creating and storing electronic documents and information at light speed. Electronic documents are found not only on desktops and laptops but also on phones such as BlackBerrys. But for modern business organizations, storing all this business information can be expensive, not only because of the cost of physical storage of tapes but also because of the potential liability of keeping sometimes seemingly useless information for too long.
What are Data Retention Policies?
A document retention policy provides for the systematic review, retention and destruction of documents received or created in the course of business. A document retention policy will identify documents that need to be maintained and contain guidelines for how long certain documents should be kept and how they should be destroyed.
What documents must be protected?
Temporary Records
Temporary records include all business documents that have not been completed. Such include, but are not limited to written memoranda and dictation to be typed in the future, reminders, to-do lists, report, case study, and calculation drafts, interoffice correspondence regarding a client or business transaction, and running logs.
Final Records
Final records include all business documents that are not superseded by modification or addition. Such include, but are not limited to: documents given (or sent via electronic form) to any third party not employed by Organization, or government agency; final memoranda and reports; correspondence; handwritten telephone memoranda not further transcribed; minutes; design/plan specifications; journal entries; cost estimates; etc. All accounting records shall be deemed final.
Permanent Records
Permanent records include all business documents that define Organization’s scope of work, expressions of professional opinions, research and reference materials. Such include, but are not limited to contracts, proposals, materials referencing expert opinions, annual financial statements, federal tax returns, payroll registers, copyright registrations, patents, etc. Except as provided for in the Document Retention Schedule (Appendix “A”), all permanent documents are to be retained indefinitely.
Accounting and Corporate Tax Records
Accounting and corporate tax records include, but are not limited to: financial statements; ledgers; audit records; invoices and expense records; federal, state, and property tax returns; payroll; accounting procedures; gross receipts; customer records; purchases; etc.
Workplace Records
Workplace records include, but are not limited to Articles of Incorporation, bylaws, meeting minutes, deeds and titles, leases, policy statements, contracts and agreements, patents and trademark records, etc
Employment, Employee, and Payroll Records
Employment records include, but are not limited to job announcements and advertisements; employment applications, background investigations, resumes, and letters of recommendation of persons not hired; etc. Unless otherwise specified in the DRS, such records should be retained for the minimum of one (1) year. Employee records include, but are not limited to employment applications, background investigations, resumes, and letters of recommendation of current and past employees, records relating to current and past employee’s performance reviews and complaints, etc. Unless otherwise specified in the DRS, such records should be retained for the minimum of three (3) years following unemployment with Organization. Payroll records include, but are not limited to wage rate tables; salary history; current rate of pay; payroll deductions; time cards; W-2 and W-4 forms; bonuses; etc.
Bank Records
Bank records include, but are not limited to bank deposits; check copies; stop payment orders; bank statements; check signature authorizations; bank reconciliations; etc.
Legal Records
Legal records include, but are not limited to all contracts, legal records, statements, and correspondence, trademark and copyright registrations, patents, personal injury records and statements, press releases, public findings, etc.
Historical Records
Historical records are those that are no longer of use to Organization, but by virtue of their age or research value may be of historical interest or significance to Organization.
How long to retain data?
“Only for so long as the law requires or for as long as you actually have use for them, and not a moment longer.” There is no bright line number. In typical lawyerly fashion, my real answer is that “it depends.” Any records management program must ensure that legally required documents are kept for at least the minimum prescribed time periods. But are there circumstances under which they should be kept for a longer period of time? In my view there are two answers to that question. First, there may be records you think are critical to preserving historical continuity, for example, minutes of strategic planning meetings or of policy development sessions. Board members come and go, and these records may help their successors understand the intent behind certain policies and standards, hopefully preventing repetitive “wheel inventing” exercises. More importantly, they may help prevent inconsistent decision making. These calls are tough to make, but the executive director is the person most likely to have the long-term perspective or “corporate memory” needed to make that decision. The second reason may be litigation or governmental investigations and enforcement actions. As I will discuss next, these latter circumstances will almost always trump your retention and disposition schedule.
Why have Data Retention Policies? (Purpose)
In today’s business world, information is created and stored electronically on the computer. Therefore, creating and implementing a Document Retention Policy becomes more complicated, but extremely important, in order to protect against cases of future litigation. A document retention policy provides for the systematic review, retention and destruction of documents received or created in the course of business. A document retention policy will identify documents that need to be maintained and contain guidelines for how long certain documents should be kept and how they should be destroyed.
The policy is also helpful to:
• provide a system for complying with document retention laws;
• ensure that valuable documents are available when needed;
• save money, space and time;
• protect against allegations of selective document destruction; and
• provide for the routine destruction of non-business, superfluous and outdated documents.
The six most important reasons why an organization should implement a document retention policy are: 
1) To comply with legal duties and requirements, either statutory or regulatory;
2) To avoid liability through “spoliation,” the improper destruction or alteration of documents in a litigation situation;
3) To support or oppose a position in an investigation or litigation;
4) To protect from unnecessary expense and time during discovery;
5) To maintain control over discovery and e-discovery; and
6) To keep documents confidential and avoid leakage to attackers or competitors.
A document retention policy is important in several respects. First, adhering to the policy may limit liability in the long run. Many a case has been damaged by unfavorable emails or documents that were kept too long and taken out of context. In many of those cases, had document retention policies been in place and enforced, that information would no longer have been available.
Second, if a document retention policy limits how long the information is kept, companies will have less information to search and review if served with a document request.
Finally, under the Federal Rules of Civil Procedure (FRCP), only electronic information that is reasonably accessible is discoverable; a party need not provide discovery from sources that are not reasonably accessible because of “undue burden or cost.” Thus a good document retention policy puts the company in control of what is available and discoverable under the Federal Rules.
Laws Related to Data Retention Policy:
In India:
In India there is no Central Act that lays down provisions on data retention. However, various agencies have adopted and follow their own policies. For example, the Government of India's Central Vigilance Commission, vide notification No. 17/09/2006-Admn., gives the provisions related to the retention period/destruction schedule of recorded files, available at http://cvc.nic.in/retention.pdf; similarly, the Ministry of Finance's Financial Intelligence Unit has its own policy. Notification No. 9/2005 gives the “rules for Record Keeping and Reporting”.
“Rule 6. Retention of records - The records referred to in rule 3 shall be maintained for a period of ten years from the date of cessation of the transactions between the client and the banking company, financial institution or intermediary, as the case may be.”
Thus, it may be noted that each organization has its own data retention policy and certain rules for the retention of such records. However, there is no established law that makes it binding on organizations to prepare such policies.
Laws in Different Countries: 
Currently, Article 15(1) of the Privacy Directive provides EU member states a national security and crime prevention exception to EU data protection requirements. However, at least nine EU member countries (Belgium, Denmark, Finland, France, Ireland, Italy, Spain, Switzerland and the United Kingdom) have adopted various national laws mandating data retention. The EU Commission’s draft Directive on Data Retention would require communications companies to retain all fixed and mobile telephony data and location data for one year, and IP-based communications data for six months. This draft was introduced by the Justice Ministries of France, Ireland, Sweden and the United Kingdom on 28 April 2004 and seeks to harmonize the rules on communications data retention among member states in order to facilitate judicial cooperation in the criminal area. The storing of location data of mobile phones includes lists of websites visited, all details of phone calls made (including the identity, at least by number, of the caller and recipient), and details of any e-mails and text messages sent. In addition, companies that temporarily retain individual customer information for billing and related business purposes would be required to keep it in a form accessible to law enforcement and other government agencies for one to three years.
United States of America:
The United States government has a number of requirements for retaining various types of records. In the state of Texas for example, disability and sick benefit records must be retained for 6 years and claims of employee inventions must be retained for 25 years. Depending on the nature of your business, there may be other agencies that have their own special requirements. For instance, OSHA requires that certain industrial hygiene records and medical records be retained for 30 years. Information pertaining to the Department of Defense has additional rules that must be strictly followed. Remember that you must examine requirements at the local, state, federal and possibly the international level. The Internet knows no boundaries.
United Kingdom:
The Data Retention (EC) Regulations were approved by the House of Lords on Tuesday and signed into law by Home Secretary Jacqui Smith on Wednesday. The Regulations transpose into UK law most of the European Union's Data Retention Directive.
The new law is intended to ensure that security services have a reliable log of mobile and fixed-line phone calls to be used in investigations, and relates not to the content of calls but only to records of their occurrence.
Though all telecoms firms keep data for a period, the Regulations are designed to ensure a uniform approach across the industry.
"Communications data, such as mobile phone billing data, have a proven track record in supporting law enforcement and intelligence agency investigations and are a vital investigative tool," said Lord Bassam of Brighton, who proposed the adoption of the Regulations this week in the House of Lords. "They provide evidence of associations between individuals and can place them in a particular location. They also provide evidence of innocence."
"Without this data, the ability of the police and the Security Service painstakingly to investigate the associations between those involved in terrorist attacks and those who may have directed or financed their activity would be limited," said Bassam. "The police and the Security Service’s ability to investigate terrorist plots and serious crime must not be allowed to depend on the business practice that happens to be employed by the public communications provider that a particular suspect, victim or witness used. These draft regulations will ensure that, regardless of which public communication provider supplies the service, the communications data will be available."
The Regulations will come into force on 1st October, two weeks after the deadline set by the EU, but they will not apply to internet traffic data.
The Home Office conducted a consultation on the Regulations with the public and industry and said that the telecoms industry told it that the collection of internet data was too complicated to be included in the current rules.
In fact the Internet Service Providers' Association (ISPA) told the Home Office that it believed the current Regulations could never be used for ordering the retention of internet data.

Romania Government:
http://www.mcti.ro/index.php?id=16&lege=383
http://www.mcti.ro/index.php?id=16&lege=412
A first draft law for the implementation of the data retention directive was presented at the end of April 2007 by the Romanian Ministry of Communications and Information Technology for public consultation. The ministry also organized on 26 April a public debate on the draft law.
The first draft was achieved in cooperation with a number of public bodies including the Ministry of Justice, Ministry of Internal Affairs or the Romanian Data Protection Authority.
The text proposing a 12-month period of traffic data retention, without any explanatory reports, has received criticism from ISPs and other telecom operators that believe it puts a high financial burden on them. The draft clearly specifies that the content of the communications cannot be retained by the operators, considering the retention of the content as well as any retained data transfer without a proper judicial authorization as crimes. The retained data should be deleted at the end of the 12 month period.
Only the electronic communication providers that have notified the Regulatory Authority are subject to data retention obligations and there are no provisions for the hosting or other online service providers.
The retained data can be accessed by prosecutors only in the penal cases related to organized crime and terrorism crimes and with a proper specific judge-approved access authorization. The prosecutor can ask, through a specific ordinance, for access to the data as a provisional measure, if this is necessary due to specific circumstances that could otherwise put in danger the penal investigation. But in this case, the prosecutor's decision together with the data needs to be confirmed by a judge in 48 hours. If a judge does not confirm the prosecutor's ordinance, all the accessed data will be destroyed.
The very detailed procedure regarding access by prosecutors to the retained data is in opposition with Article 16 of the draft text that allows, "in case of a threat to the national security", the request of the retained data by "the specific bodies, as explained in the laws on national security". The vagueness of this article was criticized in the public debate, the participants considering that this could leave room for discriminatory access by the Romanian secret services.
As regards the type of data retained, the Romanian draft is only a translation of the European Directive on data retention. The public consultation will end on 10 May 2007 and the text could be approved by the Government and then sent to the Parliament for consideration.
Laws in Italy: http://www.edri.org/edrigram/number3.16/Italy
In Italy, the government passed the Decree Law on Anti-terror Measures on July 27, 2005 which mandates a data retention period for telephone data for a minimum of two years and five months, and Internet traffic data for at least six months. Article 6 of the Decree Law orders the suspension until 31 December 2007 of the implementation of any measures that order or allow the deletion of telephone or Internet based communication traffic data that allows for tracing access and services. Traffic data will include data concerning telephone calls that were not answered. In addition, before issuing a SIM card, it will be compulsory for telecommunications service providers to acquire personal data contained in an official identification document presented by a customer. In addition, when Italy adopted the EU Privacy Directive in 2002, it immediately created an exception to the obligation to erase traffic data, and under Article 132 of the Data Protection Code, telecommunications service providers are already required to retain telephone traffic data for the purpose of detecting and preventing crime for four years (albeit without the location data).
New Zealand:
In New Zealand, the Telecommunications Information Privacy Code 2003 was enacted under the Privacy Act 1993 in order to amend the information privacy principles in the Act with regard to telecommunications agencies. The Code affects all telecommunications agencies (including telephone companies, publishers of telephone directories, Internet service providers, mobile telephone retailers and call centers) in their handling of personal customer information. The Code provides for the following: (a) ensures that subscribers need not pay to keep their details from being published in the telephone directory, (b) requires “blocking” options to be available free of charge when caller ID is offered, (c) prohibits the use of traffic data gained from interconnection for unauthorized direct marketing, (d) prohibits reverse search directories without individual consent, (e) allows telecommunications agencies discretion in processing personal information, such as allowing disclosure for purposes of preventing or investigating a threat to the telecommunications network or service security or integrity, and (f) prohibits the retention of telecommunications information for longer than is required for the purposes for which the information may be lawfully used. In addition, the Telecommunications Interception Capability Act 2004 requires public telecommunications networks to be interception-capable so as to achieve greater effectiveness in law enforcement and security.
Denmark, France, Spain, Switzerland
Based on this directive, countries such as Belgium, Denmark, France, Spain, Switzerland as well as the United Kingdom have established data retention schemes. Based on the provisions of the directive, Italy passed a law which made data retention compulsory for 2 years and five months in case of telephone data and for at least 6 months in case of Internet traffic data. In Denmark, Internet service providers must retain the data that contains the sender's Internet Protocol address as well as the port number. Even in Finland, data retention has been made mandatory for 3 weeks in case of telephonic and mobile data. However, there is no data retention requirement in case of Internet traffic data. The policies dealing with data retention are basically introduced in order to protect national security, to conduct criminal investigation and to fight against terrorism. However, many believe that such a directive of mandatory data retention is a serious invasion of privacy. Compulsory recording of telephonic calls or online behavior impinges upon freedom of expression. In fact, many believe such data retention is a method of killing privacy as personal lives are becoming more and more transparent. Thus many are of the opinion that data retention interferes with the right to respect for private life, and many a time harmless people are made the target. Besides this, data retention is believed to erode civil rights as well.
Australia – Commonwealth Government’s Information Exchange Steering Committee (IESE); The Evidence Act 1995; (more than 80 Acts, regulations and rules specifying document retention requirements applicable to companies under Australian law).
Brazil - Electronic Government (e-gov) Programme; EU GMP Directive 1/356/EEC-9
China - Very little: ISO 15489
France - Model Requirements for the Management of Electronic Records (MoREQ); EU Directive 95/46/EC;
Germany - Federal Data Protection Act; Model Requirements for the Management of Electronic Records (MoREQ); EU Directive 95/46/EC; --- 62(2) Implementing Regulation of the Turnover Tax Law (UstDV);
Israel - Archives Law; Civil Service Code;
Japan - Personal Data Protection Bill;
Norway - The Accounting Act 1998; Registry of Business Enterprises Act 1985;
Russia - Very little: Russian Electronic Digital Signature Law;
Switzerland – Swiss Code of Obligations articles 957 and 962.
Implementation & Flexibility:
A document retention policy is only as good as its implementation. A policy needs to be rigorously enforced from top management down. Companies must make sure to educate their employees about not only the policy, but the implications of not following it. It must be easy to follow, periodically renewed, and it must clearly lay out how often it will be audited. The policy should also address the fact that employees may store and save information in different ways (i.e., some employees may save documents to a hard drive, others to a network) and on different hardware (some emails are only saved on BlackBerry® devices and not in desktop or laptop inboxes). In addition, the policy must be flexible enough to be suspended if a litigation hold is necessary. The policy should address the litigation hold and how it is to be implemented, including any policy on email backup tapes.
Following the rulings in Zubulake, email backup tapes created for disaster recovery only are not subject to a litigation hold unless they are accessible. The Zubulake case did not define “accessibility” but under FRCP 26(b)(2)(B), a party need not provide discovery of electronic information from sources that the party identifies as not reasonably accessible because of “undue burden or cost.” On the other hand, according to the court in Zubulake IV, if the company can locate the information of the “key players” (employees likely to have relevant information to the litigation), that information should be preserved even if it exists in the form of disaster recovery backup tapes. Thus, a document retention policy should specifically address how email backup tapes are handled. In the wake of Zubulake, one could argue that backup tapes should always be used for disaster recovery only and not as an archival system. In fact, backup tapes are not adequate for storage and search of large volumes of email information. The policy should also attempt to identify who the key players in the business may be and where their information is stored.
Precedents:
Zubulake v. UBS Warburg (thrills and chills)
In July of 2004, a federal judge in New York sent thrills throughout the plaintiffs’ attorney community, and chills throughout the defense lawyer ranks, when she wrote a blistering opinion criticizing UBS Warburg and its in-house counsel for failing to personally prevent the destruction of employee e-mails. In that case, Judge Shira A. Scheindlin found that UBS Warburg had notice that the plaintiff, Laura Zubulake, was contemplating legal action for gender discrimination as early as April 2001 because of comments she made about filing a charge with the Equal Employment Opportunity Commission. Judge Scheindlin held that the duty to preserve relevant evidence attached at that time because litigation was (or should have been) “reasonably anticipated.” Even though UBS Warburg’s in-house attorneys issued a missive in August of 2001 instructing employees not to destroy electronic and hard copy records, nothing was said about backup tapes. When Zubulake’s lawyers later asked for e-mails stored on backup tapes, it was discovered that the tapes had been routinely recycled. When the matter was brought to the judge’s attention, her Honor faulted the company, and its lawyers, for having failed both to locate and monitor compliance with the litigation hold throughout the pendency of the lawsuit. Judge Scheindlin went on to find that UBS Warburg employees also continued to destroy e-mails in the face of their own lawyer’s directives. Based on the joint failures of UBS Warburg and its counsel, her Honor imposed sanctions ranging from monetary fines to the dreaded “adverse inference” jury instruction, where the jury is told they may infer that UBS Warburg was intentionally destroying evidence that would have helped Ms. Zubulake prove her case.
In New York Times, Inc. v. Tasini, 
The United States Supreme Court held that the newspaper violated freelance authors’ copyright when it reproduced their articles in an electronic database. The Court found that such a use had not been contemplated or agreed to by the authors and exceeded the paper’s license, whether express or implied.
Rowe Entertainment, Inc. v. William Morris Agency, Inc., 205 F.R.D. 421, 423 (S.D.N.Y. 2002).
“Information is retained not because it is expected to be used, but because there is no compelling reason to discard it.”
Preventing Sanctions
In the end, when it comes down to litigation or a government information request, the most important reason for a company to have a workable and active document retention policy is that it can persuade a court that documents that no longer exist were purged pursuant to a policy and not willfully destroyed and spoliated. Courts do not have a lot of patience for companies that mismanage or delete documents on an inconsistent basis. See, e.g., Wachtel v. Health Net, Inc., 2006 U.S. Dist. LEXIS 88563 (D. N.J. Dec. 6, 2006) (not for publication) and Krumwiede v. Brighton Associates, LLC, 2006 U.S. Dist. LEXIS 31669 (N.D. Ill. May 6, 2006). The Federal Rules even contain a “safe harbor” for companies who fail to provide electronically stored information lost as a result of routine, good faith operation of an electronic information system. If a company’s policy is comprehensive and routinely audited, it can provide the court with assurance that a company has all of the information it is required to keep, and knows how to find it, which can go a long way to protecting a corporation in the long run. We haven’t heard the last word on this issue. As technology continues to change, so will the law. Lawyers who want to stay competitive will make sure they keep up-to-date on both.