LexThe IT ACT 2000
Tripura · state statute
Open in Lexace · Ask the AI about this act
MINISTRY OF LAW, JUSTICE AND COMPANY
AFFAIRS (Legislative Department)
New Delhi, the 9th June, 2000/Jyaistha 19, 1922 (Saka)
The following Act of Parliament received the assent of the President on the 9th
June, 2000, and is hereby published for general information:—
THE INFORMATION TECHNOLOGY ACT, 2000
(No. 21 OF 2000)
[9th June, 2000]
An Act to provide legal recognition for transactions carried out by means of electronic
data interchange and other means of electronic communication, commonly
referred to as "electronic commerce", which involve the use of alternatives to
paper-based methods of communication and storage of information, to facilitate
electronic filing of documents with the Government agencies and further to
amend the Indian Penal Code, the Indian Evidence Act, 1872, the Bankers' Books
Evidence Act, 1891 and the Reserve Bank of India Act, 1934 and for matters
connected therewith or incidental thereto.
WHEREAS the General Assembly of the United Nations by resolution
A/RES/51/162, dated the 30th January, 1997 has adopted the Model Law on Electronic
Commerce adopted by the United Nations Commission on International Trade Law;
AND WHEREAS the said resolution recommends inter alia that all States give
favourable consideration to the said Model Law when they enact or revise their laws, in
view of the need for uniformity of the law applicable to alternatives to paper-cased
methods of communication and storage of information;
AND WHEREAS it is considered necessary to give effect to the said resolution and
to promote efficient delivery of Government services by means of reliable electronic
records.
BE it enacted by Parliament in the Fifty-first Year of the Republic of India as
follows:—
CHAPTER I
PRELIMINARY
1. Short title, extent, commencement and application
(1) This Act may be called the Information Technology Act, 2000.
(2) It shall extend to the whole of India and, save as otherwise provided in this
Act, it applies also to any offence or contravention thereunder committed outside
India by any person.
(3) It shall come into force on such date as the Central Government may, by notification,
appoint and different dates may be appointed for different provisions of this Act and any reference
in any such provision to the commencement of this Act shall be construed as a reference to the
commencement of that provision.
(4) Nothing in this Act shall apply to, —
(a) a negotiable instrument as defined in section 13 of the Negotiable Instruments Act,
1881;
(b) a power-of-attorney as defined in section 1A of the Powers-of-Attorney Act, 1882;
(c) a trust as defined in section 3 of the Indian Trusts Act, 1882;
(d) a will as defined in clause (h) of section 2 of the Indian Succession Act, 1925
including any other testamentary disposition by whatever name called;
(e) any contract for the sale or conveyance of immovable property or any interest in
such property;
(f) any such class of documents or transactions as may be notified by the Central
Government in the Official Gazette.
2. Definitions
(1) In this Act, unless the context otherwise requires, —
(a) "access" with its grammatical variations and cognate expressions means gaining
entry into, instructing or communicating with the logical, arithmetical, or memory function
resources of a computer, computer system or computer network;
(b) "addressee" means a person who is intended by the originator to receive the
electronic record but does not include any intermediary;
(c) "adjudicating officer" means an adjudicating officer appointed under subsection (1)
of section 46;
(d) "affixing digital signature" with its grammatical variations and cognate expressions
means adoption of any methodology or procedure by a person for the purpose of authenticating
an electronic record by means of digital signature;
(e) "appropriate Government" means as respects any matter,—
(i) Enumerated in List II of the Seventh Schedule to the Constitution;
(ii) relating to any State law enacted under List III of the Seventh Schedule to the
Constitution,
the State Government and in any other case, the Central Government;
(f) "asymmetric crypto system" means a system of a secure key pair consisting of a
private key for creating a digital signature and a public key to verify the digital signature;
(g) "Certifying Authority" means a person who has been granted a licence to issue a
Digital Signature Certificate under section 24;
(h) "certification practice statement" means a statement issued by a Certifying Authority
to specify the practices that the Certifying Authority employs in issuing Digital Signature
Certificates;
(i) "computer" means any electronic magnetic, optical or other high-speed data
processing device or system which performs logical, arithmetic, and memory functions by
manipulations of electronic, magnetic or optical impulses, and includes all input, output,
processing, storage, computer software, or communication facilities which are connected or
related to the computer in a computer system or computer network;
(j) "computer network" means the interconnection of one or more computers through—
(i) the use of satellite, microwave, terrestrial line or other communication media; and
(ii) terminals or a complex consisting of two or more interconnected computers whether
or not the interconnection is continuously maintained;
(k) "computer resource" means computer, computer system, computer network,
data,computer data base or software;
(l) "computer system" means a device or collection of devices, including input and output
support devices and excluding calculators which are not programmable and capable of being
used in conjunction with external files, which contain computer programmes, electronic
instructions, input data and output data, that performs logic, arithmetic, data storage and
retrieval, communication control and other functions;
(m) "Controller" means the Controller of Certifying Authorities appointed under sub-section
(l) of section 17;
(n) "Cyber Appellate Tribunal" means the Cyber Regulations Appellate Tribunal established
under sub-section (1) of section 48;
(o) "data" means a representation of information, knowledge, facts, concepts or instructions
which are being prepared or have been prepared in a formalised manner, and is intended to be
processed, is being processed or has been processed in a computer system or computer
network, and may be in any form (including computer printouts magnetic or optical storage
media, punched cards, punched tapes) or stored internally in the memory of the computer;
(p) "digital signature" means authentication of any electronic record by a subscriber by
means of an electronic method or procedure in accordance with the provisions of section 3;
(q) "Digital Signature Certificate" means a Digital Signature Certificate issued under sub-
section (4) of section 35;
(r) "electronic form" with reference to information means any information generated, sent,
received or stored in media, magnetic, optical, computer memory, micro film, computer
generated micro fiche or similar device;
(s) "Electronic Gazette" means the Official Gazette published in the electronic form;
(t) "electronic record" means data, record or data generated, image or sound stored, r eceived
or sent in an electronic form or micro film or computer generated micro fiche;
(u) "function", in relation to a computer, includes logic, control arithmetical process,
deletion, storage and retrieval and communication or telecommunication from or within a
computer;
(v) "information" includes data, text, images, sound, voice, codes, computer programmes,
software and databases or micro film or computer generated micro fiche:
(w) "intermediary" with respect to any particular electronic message means any person who
on behalf of another person receives, stores or transmits that message or provides any service
with respect to that message;
(x) "key pair", in an asymmetric crypto system, means a private key and its mathematically
related public key, which are so related that the public key can verify a digital signature
created by the private key;
(y) "law" includes any Act of Parliament or of a State Legislature, Ordinances
promulgated by the President or a Governor, as the case may be. Regulations made by
the President under article 240, Bills enacted as President's Act under sub-clause (a)
of clause (1) of article 357 of the Constitution and includes rules, regulations, bye-
laws and orders issued or made thereunder;
(z) "licence" means a licence granted to a Certifying Authority under section 24;
(za) "originator" means a person who sends, generates, stores or transmits any
electronic message or causes any electronic message to be sent, generated, stored or
transmitted to any other person but does not include an intermediary;
(zb) "prescribed" means prescribed by rules made under this Act;
(zc) "private key" means the key of a key pair used to create a digital signature;
(zd) "public key" means the key of a key pair used to verify a digital signature
and listed in the Digital Signature Certificate;
(ze) "secure system" means computer hardware, software, and procedure that—
(a) are reasonably secure from unauthorised access and misuse;
(b) provide a reasonable level of reliability and correct operation;
(c) are reasonably suited to performing the intended functions; and
(d) adhere to generally accepted security procedures;
(zf) "security procedure" means the security procedure prescribed under section
16 by the Central Government;
(zg) "subscriber" means a person in whose name the Digital Signature Certificate
is issued;
(zh) "verify" in relation to a digital signature, electronic record or public key,
with its grammatical variations and cognate expressions means to determine
whether—
(a) the initial electronic record was affixed with the digital signature by the use
of private key corresponding to the public key of the subscriber;
(b) the initial electronic record is retained intact or has been altered since such
electronic record was so affixed with the digital signature.
(2) Any reference in this Act to any enactment or any provision thereof shall, in
relation to an area in which such enactment or such provision is not in force, be construed
as a reference to the corresponding law or the relevant provision of the corresponding law,
if any, in force in that area.
CHAPTER II
DIGITAL SIGNATURE
3. Authentication of electronic records.
(1) Subject to the provisions of this section any subscriber may authenticate an
electronic record by affixing his digital signature.
(2) The authentication of the electronic record shall be effected by the use of
asymmetric crypto system and hash function which envelop and transform the initial
electronic record into another electronic record.
Explanation.— For the purposes of this sub-section, "hash function" means an
algorithm mapping or translation of one sequence of bits into another, generally smaller,
set known'as "hash result" such that an electronic record yields the same hash result every
time the algorithm is executed with the same electronic record as its input making it
computationally infeasible—
(a) to derive or reconstruct the original electronic record from the hash result
produced by the algorithm;
(b) that two electronic records can produce the same hash result using the
algorithm.
(3) Any person by the use of a public key of the subscriber can verify the electronic
record.
(4) The private key and the public key are unique to the subscriber and constitute a
functioning key pair.
CHAPTER III
ELECTRONIC GOVERNANCE
4. Legal recognition of electronic records.
Where any law provides that information or any other matter shall be in writing or
in the typewritten or printed form, then, notwithstanding anything contained in such law,
such requirement shall be deemed to have been satisfied if such information or matter
is—
(a) rendered or made available in an electronic form; and
(b) accessible so as to be usable for a subsequent reference.
5. Legal recognition of digital signatures.
Where any law provides that information or any other matter shall be authenticated
by affixing the signature or any document shall be signed or bear the signature of any
person (hen, notwithstanding anything contained in such law, such requirement shall be
deemed to have been satisfied, if such information or matter is authenticated by means of
digital signature affixed in such manner as may be prescribed by the Central Government.
Explanation.— For the purposes of this section, "signed", with its grammatical
variations and cognate expressions, shall, with reference to a person, mean affixing of his
hand written signature or any mark on any document and the expression "signature" shall
be construed accordingly.
6. Use of electronic records and digital signatures in Government and its agencies.
(1) Where any law provides for—
(a) the filing of any form. application or any other document with any office,
authority, body or agency owned or controlled by the appropriate Government in a
particular manner;
(b) the issue or grant of any licence, permit, sanction or approval by whatever
name called in a particular manner;
(c) the receipt or payment of money in a particular manner,
then, notwithstanding anything contained in any other law for the time being in force, such
requirement shall be deemed to have been satisfied if such filing, issue, grant, receipt or
payment, as the case may be, is effected by means of such electronic form as may be
prescribed by the appropriate Government.
(2) The appropriate Government may, for the purposes of sub-section (1), by rules,
prescribe—
(a) the manner and format in which such electronic records shall be filed,
created or issued;
(b) the manner or method of payment of any fee or charges for filing, creation
or issue any electronic record under clause (a).
7. Retention of electronic records.
(1) Where any law provides that documents, records or information shall be retained
for any specific period, then, that requirement shall be deemed to have been satisfied if such
documents, records or information are retained in the electronic form, if—
(a) the information contained therein remains accessible so as to be usable for a
subsequent reference;
(b) the electronic record is retained in the format in which it was originally
generated, sent or received or in a format which can be demonstrated to represent
accurately the information originally generated, sent or received;
(c) the details which will facilitate the identification of the origin, destination,
date and time of despatch or receipt of such electronic record are available in the
electronic record:
Provided that this clause does not apply to any information which is
automatically generated solely for the purpose of enabling an electronic record to be
despatched or received.
(2) Nothing in this section shall apply to any law that expressly provides for the
retention of documents, records or information in the form of electronic records.
8. Publication of rule, regulation, etc., in Electronic Gazette.
Where any law provides that any rule, regulation, order, bye-law, notification or
any other matter shall be published in the Official Gazette, then, such requirement shall
be deemed to have been satisfied if such rule, regulation, order, bye-law, notification or
any other matter is published in the Official Gazette or Electronic Gazette:
Provided that where any rule, regulation, order, bye-law, notification or any other
matter is published in the Official Gazette or Electronic Gazette, the date of publication
shall be deemed to be the date of the Gazette which was first published in any form.
9. Sections 6,7 and 8 not to confer right to insist document should be accepted
in electronic form.
Nothing contained in sections 6, 7 and 8 shall confer a right upon any person to
insist that any Ministry or Department of the Central Government or the State
Government or any authority or body established by or under any law or controlled or
funded by the Central or State Government should accept, issue, create, retain and
preserve any document in the form of electronic records or effect any monetary
transaction in the electronic form.
10. Power to make rules by Central Government in respect of digital signature.
The Central Government may, for the purposes of this Act, by rules, prescribe—
(a) the type of digital signature;
(b) the manner and format in which the digital signature shall be affixed;
(c) the manner or procedure which facilitates identification of the person
affixing the digital signature;
(d) control processes and procedures to ensure adequate integrity, security and
confidentiality of electronic records or payments; and
(e) any other matter which is necessary to give legal effect to digital signatures.
CHAPTER IV
ATTRIBUTION, ACKNOWLEDGMENT AND DESPATCH OF ELECTRONIC RECORDS
11. Attribution of electronic records.
An electronic record shall be attributed to the originator—
(a) if it was sent by the originator himself;
(b) by a person who had the authority to act on behalf of the originator in
respect of that electronic record; or
(c) by an information system programmed by or on behalf of the originator to
operate automatically.
12. Acknowledgment of receipt.
(1) Where the originator has not agreed with the addressee that the acknowledg-
ment of receipt of electronic record be given in a particular form or by a particular
method, an acknowledgment may be given by—
(a) any communication by the addressee, automated or otherwise; or
(b) any conduct of the addressee, sufficient to indicate to the originator that
the electronic record has been received.
(2) Where the originator has stipulated that the electronic record shall be binding
only on receipt of an acknowledgment of such electronic record by him, then unless
acknowledgment has been so received, the electronic record shall be deemed to have
been never sent by the originator.
(3) Where the originator has not stipulated that the electronic record shall be
binding only on receipt of such acknowledgment, and the acknowledgment has not been
received by the originator within the time specified or agreed or, if no time has been
specified or agreed to within a reasonable time, then the originator may give notice to the
addressee stating that no acknowledgment has been received by him and specifying a
reasonable time by which the acknowledgment must be received by him and if no
acknowledgment is received within the aforesaid time limit he may after giving notice to
the addressee, treat the electronic record as though it has never been sent.
13. Time and place of despatch and receipt of electronic record.
(1) Save as otherwise agreed to between the originator and the addressee, the dispatch of an
electronic record occurs when it enters a computer resource outside the control of the originator.
(2) Save as otherwise agreed between the originator and the addressee, the time of receipt of
an electronic record shall be determined as follows, namely :—
(a) if the addressee has designated a computer resource for the purpose of receiving
electronic records,—
(i) receipt occurs at the time when the electronic, record enters the designated
computer resource; or
(ii) if the electronic record is sent to a computer resource of the addressee that is
not the designated computer resource, receipt occurs at the time when the electronic
record is retrieved by the addressee;
(b) if the addressee has not designated a computer resource along with specified
timings, if any, receipt occurs when the electronic record enters the computer resource of the
addressee.
(3) Save as otherwise agreed to between the originator and the addressee, an electronic
record is deemed to be dispatched at the place where the originator has his place of business, and is
deemed to be received at the place where the addressee has his place of business.
(4) The provisions of sub-section (2) shall apply notwithstanding that the place where the
computer resource is located may be different from the place where the electronic record is
deemed to have been received under sub-section (3).
(5) For the purposes of this section, —
(a) if the originator or the addressee has more than one place of business, the
principal place of business, shall be the place of business;
(b) if the originator or the addressee does not have a place of business, his usual
place of residence shall be deemed to be the place of business;
(c) "usual place of residence", in relation to a body corporate, means the place
where it is registered.
CHAPTER V
SECURE ELECTRONIC RECORDS AND SECURE DIGITAL SIGNATURES
14. Secure electronic record.
Where any security procedure has been applied to an electronic record at a specific
point of time. then such record shall be deemed to be a secure electronic record from such
point of time to the time of verification.
15. Secure digital signature.
If, by application of a security procedure agreed to by the parties concerned, it can
be verified that a digital signature, at the time it was affixed, was—
(a) unique to the subscriber affixing it;
(b) capable of identifying such subscriber;
(c) created in a manner or using a means under the exclusive control of the
subscriber and is linked to the electronic record to which it relates in such a manner
that if the electronic record was altered the digital signature would be invalidated,
then such digital signature shall be deemed to be a secure digital signature.
16. Security procedure.
The Central Government shall for the purposes of this Act prescribe the security
procedure having regard to commercial circumstances prevailing at the time when the
procedure was used, including—
(a) the nature of the transaction;
(b) the level of sophistication of the parties with reference to their
technological capacity;
(c) the volume of similar transactions engaged in by other parties;
(a) the availability of alternatives offered to but rejected by any party;
(e) the cost of alternative procedures; and
(f) the procedures in general use for similar types of transactions or
communications.
CHAPTER VI
REGULATION OF CERTIFYING AUTHORITIES
17. Appointment of Controller and other officers.
(1) The Central Government may, by notification in the Official Gazette, appoint a
Controller of Certifying Authorities for the purposes of this Act and may also by the same
or subsequent notification appoint such number of Deputy Controllers and Assistant
Controllers as it deems fit.
(2) The Controller shall discharge his functions under this Act subject to the general
control and directions of the Central Government.
(3) The Deputy Controllers and Assistant Controllers shall perform the functions
assigned to them by the Controller under the general superintendence and control of the
Controller.
(4) The qualifications, experience and terms and conditions of service of Controller,
Deputy Controllers and Assistant Controllers shall be such as may be prescribed by the
Central Government.
(5) The Head Office and Branch Office of the office of the Controller shall be at
such places as the Central Government may specify, and these may be established at such
places as the Central Government may think fit.
(6) There shall be a seal of the Office of the Controller.
18. Functions of Controller.
The Controller may perform all or any of the following functions, namely:—
(a) exercising supervision over the activities of the Certifying Authorities;
(b) certifying public keys of the Certifying Authorities;
(c) laying down the standards to be maintained by the Certifying Authorities;
(d) specifying the qualifications and experience which employees of the
Certifying Authorities should possess;
(e) specifying the conditions subject to which the Certifying Authorities shall
conduct their business;
(f) specifying the contents of written, printed or visual materials and
advertisements that may be distributed or used in respect of a Digital Signature
Certificate and the public key;
(g) specifying the form and content of a Digital Signature Certificate and the
key,
(h) specifying the form and manner in which accounts shall be maintained by
the Certifying Authorities;
(i) specifying the terms and conditions subject to which auditors may be
appointed and the remuneration to be paid to them;
(j) facilitating the establishment of any electronic system by a Certifying
Authority either solely or jointly with other Certifying Authorities and regulation of
such systems;
(k) specifying the manner in which the Certifying Authorities shall conduct their
dealings with the subscribers;
(l) resolving any conflict of interests between the Certifying Authorities and the
subscribers;
(m) laying down the duties of the Certifying Authorities;
(n) maintaining a data base containing the disclosure record of every Certifying
Authority containing such particulars as may be specified by regulations, which shall
be accessible to public.
19. Recognition of foreign Certifying Authorities.
(1) Subject to such conditions and restrictions as may be specified by regulations, the
Controller may with the previous approval of the Central Government, and by notification in
the Official Gazette, recognise any foreign Certifying Authority as a Certifying Authority for
the purposes of this Act.
(2) Where any Certifying Authority is recognised under sub-section (1), the Digital
Signature Certificate issued by such Certifying Authority shall be valid for the purposes of
this Act.
(3) The Controller may, if he is satisfied that any Certifying Authority has contravened
any of the conditions and restrictions subject to which it was granted recognition under sub-
section (1) he may, for reasons to be recorded in writing, by notification in the Official
Gazette, revoke such recognition.
20. Controller to act as repository.
(1) The Controller shall be the repository of all Digital Signature Certificates issued under
this Act.
(2) The Controller shall—
(a) make use of hardware, software and procedures that are secure .iJm
intrusion and misuse;
(b) observe such other standards as may be prescribed by the Central
Government,
to ensure that the secrecy and security of the digital signatures are assured.
(3) The Controller shall maintain a computerised data base of all public keys in such a
manner that such data base and the public keys are available to any member of the public.
21. Licence to issue Digital Signature Certificates.
(1) Subject to the provisions of sub-section (2), any person may make an application, to the
Controller, for a licence to issue Digital Signature Certificates.
(2) No licence shall be issued under sub-section (1), unless the applicant fulfills such
requirements with respect to qualification, expertise, manpower, financial resources and
other infrastructure facilities, which are necessary to issue Digital Signature Certificates as
may be prescribed by the Central Government
(3) A licence granted under this section shall—
(a) be valid for such period as may be prescribed by the Central Government;
(b) not be transferable or heritable;
(c) be subject to such terms and conditions as may be specified by the
regulations.
22. Application for licence.
(1) Every application for issue of a licence shall be in such form as may be prescribed by
the Central Government.
(2) Every application for issue of a licence shall be accompanied by—
(a) a certification practice statement;
(b) a statement including the procedures with respect to identification of the
applicant;
(c) payment of such fees, not exceeding twenty-five thousand rupees as may
be prescribed by the Central Government;
(d) such other documents, as may be prescribed by the Central Government.
23. Renewal of licence.
An application for renewal of a licence shall be—
(a) in such form;
(b) accompanied by such fees, not exceeding five thousand rupees,
as may be prescribed by the Central Government and shall be made not less than forty-five
days before the date of expiry of the period of validity of the licence.
24. Procedure for grant or rejection of licence.
The Controller may, on receipt of an application under sub-section (1) of section 21,
after considering the documents accompanying the application and such other factors, as
he deems fit, grant the licence or reject the application:
Provided that no application shall be rejected under this section unless the applicant has
been given a reasonable opportunity of presenting his case.
25. Suspension of licence.
(1) The Controller may, if he is satisfied after making such inquiry, as he may think fit,
that a Certifying Authority has,—
(a) made a statement in, or in relation to, the application for the issue or
renewal of the licence, which is incorrect or false in material particulars;
(b) failed to comply with the terms and conditions subject to which the licence
was granted;
(c) failed to maintain the standards specified under clause (b) of sub-section
(2) of section 20;
(d) contravened any provisions of this Act, rule, regulation or order made
thereunder,
revoke the licence:
Provided that no licence shall be revoked unless the Certifying Authority has been given a
reasonable opportunity of showing cause against the proposed revocation.
(2) The Controller may, if he has reasonable cause to believe that there is any
ground for revoking a licence under sub-section (1), by order suspend such licence
pending the completion of any inquiry ordered by him:
Provided that no licence shall be suspended for a period exceeding ten days unless
the Certifying Authority has been given a reasonable opportunity of showing cause against
the proposed suspension.
(3) No Certifying Authority whose licence has been suspended shall issue any Digital Signature
Certificate during such suspension.
26. Notice of suspension or revocation of licence.
(1) Where the licence of the Certifying Authority is suspended or revoked, the Controller
shall publish notice of such suspension or revocation, as the case may be, in the database maintained
by him.
(2) Where one or more repositories are specified, the Controller shall publish notices of such
suspension or revocation, as the case may be, in all such repositories:
Provided that the data base containing the notice of such suspension or revocation, as the case
may be, shall be made available through a web site which shall be accessible round the clock:
Provided further that the Controller may, if he considers necessary, publicise the contents of
database in such electronic or other media, as he may consider appropriate.
27. Power to delegate.
The Controller may, in writing, authorise the Deputy Controller, Assistant Controller or any
officer to exercise any of the powers of the Controller under this Chapter.
28. Power to investigate contraventions.
(1) The Controller or any officer authorised by him in this behalf shall take up for investigation
any contravention of the provisions of this Act, rules or regulations made thereunder.
(2) The Controller or any officer authorised by him in this behalf shall exercise the like powers
which are conferred on Income-tax authorities under Chapter XIII of the Income-tax Act, 1961 and
shall exercise such powers, subject to such limitations laid down under that Act.
29. Access to computers and data.
(1)Without prejudice to the provisions of sub-section (1) of section 69, the Controller or any
person authorised by him shall, if he has reasonable cause to suspect that any contravention of the
provisions of this Act, rules or regulations made thereunder has been committed, have access to any
computer system, any apparatus, data or any other material connected with such system, for the
purpose of searching or causing a search to be made for obtaining any information or data contained in
or available to such computer system.
(2) For the purposes of sub-section (1), the Controller or any person authorised by him may, by
order, direct any person incharge of, or otherwise concerned with the operation of, the computer
system, data apparatus or material, to provide him with such reasonable technical and other assistance
as he may consider necessary.
30. Certifying Authority to follow certain procedures.
Every Certifying Authority shall, —
(a) make use of hardware, software and procedures that are secure from intrusion and misuse;
(b) provide a reasonable level of reliability in its services which are reasonably suited to the
performance of intended functions;
(c) adhere to security procedures to ensure that the secrecy and privacy of the digital signatures
are assured; and
(d) observe such other standards as may be specified by regulations.
31. Certifying Authority to ensure compliance of the Act, etc.
Every Certifying Authority shall ensure that every person employed or otherwise engaged by it
complies, in the course of his employment or engagement, with the provisions of this Act, rules,
regulations and orders made thereunder.
32. Display of licence.
Every Certifying Authority shall display its licence at a conspicuous place of the premises in
which it carries on its business.
33. Surrender of licence.
(1) Every Certifying Authority whose licence is suspended or revoked shall immediately after
such suspension or revocation, surrender the licence to the Controller.
(2) Where any Certifying Authority fails to surrender a licence under sub-section (1), the
person in whose favour a licence is issued, shall be guilty of an offence and shall be punished with
imprisonment which may extend up to six months or a fine which may extend up to ten thousand
rupees or with both.
34. Disclosure.
(1) Every Certifying Authority shall disclose in the manner specified by regulations—
(a) its Digital Signature Certificate which contains the public key
corresponding to the private key used by that Certifying Authority to digitally sign
another Digital Signature Certificate;
(b) any certification practice statement relevant thereto;
(c) notice of the revocation or suspension of its Certifying Authority
certificate, if any; and
(d) any other fact that materially and adversely affects either the reliability of
a Digital Signature Certificate, which that Authority has issued, or the Authority's
ability to perform its services.
(2) Where in the opinion of the Certifying Authority any event has occurred or any
situation has arisen which may materially and adversely affect the integrity of its
computer system or the conditions subject to which a Digital Signature Certificate was
granted, then, the Certifying Authority shall—
(a) use reasonable efforts to notify any person who is likely to be affected by
that occurrence; or
(b) act in accordance with the procedure specified in its certification practice
statement to deal with such event or situation.
CHAPTER VII
DIGITAL SIGNATURE
CERTIFICATES
35. Certifying Authority to issue Digital Signature Certificate.
(1) Any person may make an application to the Certifying Authority for the issue of a
Digital Signature Certificate in such form as may be prescribed by the Central Government
(2) Every such application shall be accompanied by such fee not exceeding twenty-
five thousand rupees as may be prescribed by the Central Government, to be paid to the
Certifying Authority:
Provided that while prescribing fees under sub-section (2) different fees may be
prescribed for different classes of applicants'.
(3) Every such application shall be accompanied by a certification practice statement
or where there is no such statement, a statement containing such particulars, as may be
specified by regulations.
(4) On receipt of an application under sub-section (1), the Certifying Authority may,
after consideration of the certification practice statement or the other statement under sub-
section (3) and after making such enquiries as it may deem fit, grant the Digital Signature
Certificate or for reasons to be recorded in writing, reject the application:
Provided that no Digital Signature Certificate shall be granted unless the Certifying
Authority is satisfied that—
(a) the applicant holds the private key corresponding to the public key to be
listed in the Digital Signature Certificate;
(b) the applicant holds a private key, which is capable of creating a digital
signature;
(c) the public key to be listed in the certificate can be used to verify a digital
signature affixed by the private key held by the applicant:
Provided further that no application shall be rejected unless the applicant has
been given a reasonable opportunity of showing cause against the proposed
rejection.
36. Representations upon issuance of Digital Signature Certificate.
A Certifying Authority while issuing a Digital Signature Certificate shall certify that--
(a) it has complied with the provisions of this Act and the rules and regulations
made thereunder,
(b) it has published the Digital Signature Certificate or otherwise made it available
to such person relying on it and the subscriber has accepted it;
(c) the subscriber holds the private key corresponding to the public key, listed in the
Digital Signature Certificate;
(d) the subscriber's public key and private key constitute a functioning key pair,
(e) the information contained in the Digital Signature Certificate is accurate;
and
(f) it has no knowledge of any material fact, which if it had been included in the
Digital Signature Certificate would adversely affect the reliability of the
representations made in clauses (a) to (d).
37. Suspension of Digital Signature Certificate.
(1) Subject to the provisions of sub-section (2), the Certifying Authority which has
issued a Digital Signature Certificate may suspend such Digital Signature Certificate,—
(a) on receipt of a request to that effect from—
(i) the subscriber listed in toe Digital Signature Certificate; or
(ii) any person duly authorised to act on behalf of that subscriber,
(b) if it is of opinion that the Digital Signature Certificate should be
suspended in public interest
(2) A Digital Signature Certificate shall not be suspended for a period exceeding
fifteen days unless the subscriber has been given an opportunity of being heard in the
matter.
(3) On suspension of a Digital Signature Certificate under this section, the
Certifying Authority shall communicate the same to the subscriber.
38. Revocation of Digital Signature Certificate.
(1) A Certifying Authority may revoke a Digital Signature Certificate issued by it—
(a) where the subscriber or any other person authorised by him makes a
request to that effect; or
(b) upon the death of the subscriber, or
(c) upon the dissolution of the firm or winding up of the company where the
subscriber is a firm or a company.
(2) Subject to the provisions of sub-section (3) and without prejudice to the provisions
of sub-section (1), a CertifyingAuthority may revoke a Digital Signature Certificate
which has been issued by it at any time, if it is of opinion that—
(a) a material fact represented in the Digital Signature Certificate is false or
has been concealed;
(b) a requirement for issuance of the Digital Signature Certificate was not
satisfied;
(c) the Certifying Authority's private key or security system was
compromised in a manner materially affecting the Digital Signature Certificate's
reliability;
(d) the subscriber has been declared insolvent or dead or where a subscriber
is a firm or a company, which has been dissolved, wound-up or otherwise ceased to
exist
(3) A Digital Signature Certificate shall not be revoked unless the subscriber has been
given an opportunity of being heard in the matter.
(4) On revocation of a Digital Signature Certificate under this section, the Certifying Authority
shall communicate the same to the subscriber.
39. Notice of suspension or revocation.
(1) Where a Digital Signature Certificate is suspended or revoked under section 37 or section
38, the Certifying Authority shall publish a notice of such suspension or revocation, as the case may
be, in the repository specified in the Digital Signature Certificate for publication of such notice.
(2) Where one or more repositories are specified, the Certifying Authority shall publish
notices of such suspension or revocation, as the case may he. in all such repositories.
CHAPTER VIII
DUTIES OF SUBSCRIBERS
40. Generating key pair.
Where any Digital Signature Certificate, the public key of which corresponds to the private
key of that subscriber which is to be listed in the Digital Signature Certificate has been accepted by
a subscriber, then, the subscriber shall generate the key pair by applying the security procedure.
41. Acceptance of Digital Signature Certificate.
(1) A subscriber shall be deemed to have accepted a Digital Signature Certificate if he
publishes or authorises the publication of a Digital Signature Certificate—
(a) to one or more persons;
(b) in a repository, or otherwise demonstrates his approval of the Digital Signature
Certificate in any manner.
(2) By accepting a Digital Signature Certificate the subscriber certifies to all who reasonably
rely on the information contained in the Digital Signature Certificate that—
(a) the subscriber holds the private key corresponding to the public key listed in the
Digital Signature Certificate and is entitled to hold the same;
(b) all representations made by the subscriber to the Certifying Authority and all
material relevant to the information contained in the Digital Signature Certificate are true;
(c) all information in the Digital Signature Certificate that is within the knowledge of
the subscriber is true.
42. Control of private key.
(1) Every subscriber shall exercise reasonable care to retain control of the private key
corresponding to the public key listed in his Digital Signature Certificate and take all steps to prevent
its disclosure to a person not authorised to affix the digital signature of the subscriber.
(2) If the private key corresponding to the public key listed in the Digital Signature Certificate
has been compromised, then, the subscriber shall communicate the same without any delay to the
Certifying Authority in such manner as may be specified by .the regulations.
Explanation.— For the removal of doubts, it is hereby declared that the subscriber shall be
liable till he has informed the Certifying Authority that the private key has been compromised.
CHAPTER IX
PENALTIES AND ADJUD1CATION
43. Penalty for damage to computer, computer system, etc.
If any person without permission of the owner or any other person who is incharge of a
computer, computer system or computer network, —
(a) accesses or secures access to such computer, computer system or computer network;
(b) downloads, copies or extracts any data, computer data base or information
from such computer, computer system or computer network including information or
data held or stored in any removable storage medium;
(c) i ntroduces or causes to be introduced any computer contaminant or
computer virus into any computer, computer system or computer network;
(d) damages or causes to be damaged any computer, computer system or
computer network, data, computer data base or any other programmes residing in
such computer, computer system or computer network;
(e) disrupts or causes disruption of any computer, computer system or
computer network;
(f) denies or causes the denial of access to any person authorised to access any
computer, computer system or computer network by any means;
(g) provides any assistance to any person to facilitate access to a computer,
computExcerpt shown. Open the full act in Lexace.