Which OS is most beneficial for using digilocker?
The Information Technology (Controller of Digital Locker) Rules, 2016
In exercise of the powers conferred by clause (x)
of sub-section (2) of section 87 read with sections 67C and section 6A of the
Information Technology Act, 2000 (21 of 2000), the central Government hereby
makes the following rules regulating the applications and other guidelines for
DigiLocker service providers, namely: 1. Short Title and Commencement: (1)
These rules may be called the Information Technology (Controller of Digital
Locker) Rules, 2016. (2) They shall come into force on the date of their
publication in the Official Gazette. 2. Definitions: (1) In these rules, unless
the context otherwise requires, - a) “Act” means the Information Technology
Act, 2000 (21 of 2000); b) “access gateway” means licensed system to provide
access to repositories under Digital Locker System; c) “application program
interface (API)”, means a set of routines, protocols, and tools for building
software applications; d) “appropriate government” means appropriate government
as defined in clause (e) of sub-section (1) of section 2 of the Act; e) “body
corporate” means any company and includes a firm, Limited Liability
Partnership, sole proprietorship or other association of individuals engaged in
commercial or professional activities; f) “controller of digital locker” means
the officer of the Government notified as the Controller of Digital Locker; g)
“DeitY” means Department of Electronics & Information Technology,
Government of India. h) “digital locker”, means a service of preservation, retention
and delivery of electronic records to the user; i) “DigiLocker Practice
Statement” means a statement by the DigiLocker service provider describing the
services and flow of the services being offered by the provider. j) “DigiLocker
service provider” means an agency including a body corporate or an Agency of
the Government, licensed by the Controller of Digital Locker, to establish and
manage digital locker system electronically, in accordance with these rules; k)
“document Uniform Resource Identifier (URI)”, means documents or records issued
complying with prescribed technical specifications; l) “Government” means the
Government of India; m) “Issuer” means any department or agency of the appropriate
Government issuing digitally signed or equivalently authenticated electronic
records to the subscriber under Digital Locker System; n) “License” means
binding agreement between/among the Controller of Digital Locker and any
service provider; o) “Digital Locker Portal” means a web and mobile based
system to provide access to documents under Digital Locker System; p) “National
Digital Locker Portal” means DeitY owned and operated web-based hosting Digital
Locker System; q) “repository” means an electronic repository of digitally
signed as well as digitised electronic records, maintained by any DigiLocker
service provider for the purpose of accessing such records and delivering them
to the users. r) “Requester” means any department or agency of the appropriate
Government requesting access to subscribers digitally signed or equivalently
authenticated electronic records preserved and retained in the repository
created and managed under Digital Locker System; s) “subscriber” means subscriber to a digital locker under the
Digital Locker Portal; t) “user” means a subscriber, issuer or requester of the
Digital Locker System. (2) Words and expressions used and not defined in these
rules but defined in the Act and Rules shall have the same meanings assigned to
them in the Act and the Rules made thereunder. 3. Digital Locker System: (1)
For the purpose of providing preservation and retention of machine readable,
printable, shareable, verifiable and secure appropriate Government and private
agency issued electronic records, the Government and other service providers to
provide a digital locker system of limited electronic storage to all users.
Explanation. – It is hereby clarified that the present rules provide for the
administration of digital locker system by Controller of Digital Locker through
DigiLocker Service Providers in accordance with the technical standards as laid
down by controller from time to time. (2) Subject to the sub-rule (1), the
digital locker system shall act as web and mobile based portal, to be a Digital
Locker Portal for appropriate Government and private agency issued electronic
records maintained in a prescribed format. 4. Operation of Digital Locker
System: (1) Any individual who is resident of India shall be able to open and
gain access to digital locker after submitting duly prescribed application form
to the Controller of Digital Locker after due authentication manner prescribed
by the Controller of Digital Locker. (2) Subject to the sub-rule (1), citizen
may obtain the services of the licensed DigiLocker Service Providers for the
purpose of access Locker, gateways and repository services using web or mobile based
Digital Locker Portal. (3) Digital Locker Portal shall provide access to
repositories and access gateway for issuers to issue and requesters to access
digitally signed or equivalently authenticated electronic records respectively
in a uniform way in real-time by making available Digital Locker Directory to
the users. (4) Digital Locker Directory shall provide following details: (a)
issuer ID (name, ID, registration date), Requester ID (name, URL, date of
empanelment, contact details), Gateway ID (name, URL, date of empanelment,
contact details) and empanelled repositories (name, URL, date of empanelment,
contact details); (b) repository and gateway empanelment guidelines, standards,
application form, and other particulars; (c) electronic workflow to request,
approve, and publish new ID for new issuers, gateways & repositories, as
the case may be; and (d) any other information as prescribed by the Controller
of Digital Locker. 5. DigiLocker Standards: Standards for DigiLocker eco system
will be notified by the Department of Electronics & Information Technology
(DeitY), Government of India. 6. Appointment of Controller and other officers:
1) The Central Government may, by notification in the Official Gazette, appoint
a Controller of Digital Locker for the purposes of this Act and may also by the
same or subsequent notification appoint such number of Deputy Controllers and
Assistant Controllers, other officers and employees as it deems fit.
2) The Controller shall discharge his functions under this Act
subject to the general control and directions of DeitY. 3) The Deputy
Controllers and Assistant Controllers shall perform the functions assigned to
them by the Controller under the general superintendence and control of the
Controller. 4) The qualifications, experience and terms and conditions of
service of Controller, Deputy Controllers and Assistant Controllers other
officers and employees shall be such as may be prescribed by the Central
Government. 5) The Head Office and Branch Office of the Office of the
Controller shall be at such places as DeitY may specify, and these may be
established at such places as DeitY may think fit. 6) There shall be a seal of
the Office of the Controller. 7. The Controller may perform all or any of the
following functions, namely: 1) Grant licenses to DigiLocker service providers;
2) exercising supervision over the activities of the DigiLocker Service
Providers; 3) specifying the conditions subject to which the DigiLocker Service
Providers shall conduct their business; 4) specify the conditions under which
documents from issuers are made available to DigiLocker service providers. 5)
specify the conditions under which documents accessed by requesters are made
available to DigiLocker service providers 6) specifying the content of written,
printed or visual material and advertisements that may be distributed or used in
respect of DigiLocker Services;
7) specifying the form and manner in which accounts shall be
maintained by the DigiLocker service provider; 8) specifying the terms and
conditions subject to which auditors may be appointed and the remuneration to
be paid to them; 9) facilitating the establishment of any electronic system by
a Service Provider either solely or jointly with other Service Providers and
regulation of such systems; 10) specifying the manner in which the Service
Providers shall conduct their dealings with the subscribers; 11) resolving any
conflict of interests between the Service Providers and the subscribers;
12) laying down the duties of the Service Providers; 13) maintaining a data-base
containing the disclosure record of every DigiLocker Service Providers
containing such particulars as may be specified by regulations, which shall be
accessible to public. 8. Licensing of DigiLocker Service Providers: (1) The
following may apply for grant of a licence to become a DigiLocker Service
Provider, namely:- (a) an individual, being a citizen of India and having a
capital of five crores of rupees or more in his business or profession. (b) a
company having– i. paid up capital of not less than five crores of rupees; and
ii. net worth of not less than fifty crores of rupees: Provided that no company
in which the equity share capital held in aggregate by the Non-resident Indians,
Foreign Institutional Investors, or foreign companies, exceeds forty-nine per
cent of its capital, shall be eligible for grant of licence: Provided further
that in a case where the company has been
registered under the Companies Act, 1956 (1 of 1956) during the
preceding financial year or in the financial year during which it applies for
grant of licence under the Act and whose main object is to act as DigiLocker
Service Provider, the net worth referred to in sub-clause (ii) of this clause
shall be the aggregate net worth of its majority shareholders holding at least
51% of paid equity capital, being the Hindu Undivided Family, firm or company:
Provided also that the majority shareholders referred to in the second proviso
shall not include Non-resident Indian, foreign national, Foreign Institutional
Investor and foreign company: Provided also that the majority shareholders of a
company referred to in the second proviso whose net worth has been determined
on the basis of such majority shareholders, shall not sell or transfer its
equity shares held in such company- (i) unless such a company acquires or has
its own net worth of not less than fifty crores of rupees; (ii) without prior
approval of the Controller of Digital Locker; (c) a firm having – i. capital
subscribed by all partners of not less than five crores of rupees; and ii. net
worth of not less than fifty crores of rupees: Provided that no firm, in which
the capital held in aggregate by any Non-resident Indian, and foreign national,
exceeds forty-nine per cent of its capital, shall be eligible for grant of
licence: Provided further that in a case where the firm has been registered
under the Indian Partnership Act, 1932 (9 of 1932) during the preceding
financial year or in the financial year during which it applies for grant of
licence under the Act and whose main object is to act as DigiLocker service
provider, the net worth referred to in sub-clause (ii) of this clause shall be
the aggregate net worth of all of its partners: Provided also that the partners
referred to in the second proviso shall not include Non-resident Indian and
foreign national: Provided also that the partners of a firm referred to in the
second proviso whose net worth has been determined on the basis of such
partners, shall not sell or transfer its capital held in such firm- (i) unless
such firm has acquired or has its own
net worth of not less than fifty crores of rupees; (ii) without
prior approval of the Controller; (d) Central Government or a State Government
or any of the Ministries or Departments, Agencies or Authorities of such
Governments. Explanation.- For the purpose of this rule,- i.
"company" shall have the meaning assigned to it in clause 17 of
section 2 of the Income-tax Act, 1961 (43 of 1961); ii. "firm",
"partner" and "partnership" shall have the meanings respectively
assigned to them in the Indian Partnership Act, 1932 (9 of 1932); but the
expression "partner" shall also include any person who, being a minor
has been admitted to the benefits of partnership; iii. "foreign
company" shall have the meaning assigned to it in clause (23A) of section
2 of the Income-tax Act, 1961 (43 of 1961); iv. "net worth" shall
have the meaning assigned to it in clause (ga) of sub-section (1) of section 3
of the Sick Industrial Companies (Special Provisions) Act, 1985 (1 of 1986); v.
"Non-resident" shall have the meaning assigned to it as in clause 26
of section 2 of the Income-tax Act, 1961 (43 of 1961). (2) The applicant being
an individual, or a company, or a firm under sub-rule (1), shall submit a
performance bond or furnish a banker's guarantee from a scheduled bank in favour
of the Controller in such form and in such manner as may be approved by the
Controller for an amount of not less than five crores of rupees and the
performance bond or banker's guarantee shall remain valid for a period of six
years from the date of its submission: Provided that the company and firm
referred to in the second proviso to clause (b) and the second proviso to
clause (c) of sub-rule (1) shall submit a performance bond or furnish a
banker's guarantee for ten crores of rupees: Provided further that nothing in
the first proviso shall apply to the company or firm after it has acquired or
has its net worth of fifty crores of rupees.
(3) Without prejudice to any penalty which may be imposed or
prosecution may be initiated for any offence under the Act or any other law for
the time being in force, the performance bond or banker's guarantee may be
invoked– a) when the Controller has suspended the licence under sub-section (2)
of section 25 of the Act; or b) for payment of an offer of compensation made by
the Controller; or c) for payment of liabilities and rectification costs
attributed to the negligence of the DigiLocker service provider, its officers
or employees; or d) for payment of the costs incurred in the discontinuation or
transfer of operations of the licensed DigiLocker service provider, if the
DigiLocker service provider's licence or operations is discontinued; or e) any
other default made by the DigiLocker service provider in complying with the
provisions of the Act or rules made thereunder. Explanation.- "transfer of
operation" shall have the meaning assigned to it in clause (47) of section
2 of the Income-tax Act, 1961 (43 of 1961). 9. Location of the Facilities: The
infrastructure associated with all functions of DigiLocker system as well as
maintenance of Directories containing information about the status of
DigiLocker system shall be installed at any location in India. 10. Submission
of Application: (1) Every application for a licensed DigiLocker service
provider shall be made to the Controller,- a) in the form given at Schedule-I; and
b) in such manner as the Controller may, from time to time,
determine, supported by such documents and information as the Controller may
require and it shall inter alia include i. a DigiLocker Practice Statement
(DPS); ii. a statement including the procedures with respect to identification
of the applicant; iii. a statement for the purpose and scope of DigiLocker
technology, management, or operations to be outsourced; iv. certified copies of
the business registration documents of DigiLocker service provider that intends
to be licensed; v. a description of any event, particularly current or past
insolvency, that could materially affect the applicant's ability to act as a
DigiLocker service provider; vi. an undertaking by the applicant that to its
best knowledge and belief it can and will comply with the requirements of its
DigiLocker Practice Statement; vii. an undertaking that the DigiLocker service
provider's operation would not commence until its operation and facilities
associated with the functions of generation, issue and management of DigiLocker
system are audited by the auditors and approved by the Controller in accordance
with rule 31; viii. an undertaking to submit a performance bond or banker's
guarantee in accordance with sub-rule (2) of rule 8 within one month of
Controller indicating his approval for the grant of licence to operate as a
DigiLocker service provider; c) any other information required by the
Controller. (2) Every application for issue of a license shall be accompanied
by a) a DigiLocker practice statement;
b) a statement including the procedures with respect to
identification of the applicant; c) payment of such fees, not exceeding one lac
rupees as may be prescribed by the Central Government; d) such other documents,
as may be prescribed by the Central Government. 11. Procedure for grant or
rejection of license: The Controller may, on receipt of an application under
sub-section (1) of section 4, after considering the documents accompanying the
application and such other factors, as he deems fit, grant the license or
reject the application: Provided that no application shall be rejected under
this section unless the applicant has been given a reasonable opportunity of
presenting his case. 12. Fee: (1) The application for the grant of a licence
shall be accompanied by a non-refundable fee of one lac rupees payable by a bank
draft or by a pay order drawn in the name of the Controller. (2) The
application submitted to the Controller for renewal of DigiLocker service
provider's licence shall be accompanied by a non-refundable fee of twenty five
thousand rupees payable by a bank draft or by a pay order drawn in the name of
the Controller. (3) Fee or any part thereof shall not be refunded if the
licence is suspended or revoked during its validity period. 13. Cross
Certification: The licensed DigiLocker service provider shall have arrangement
for cross certification with other licensed DigiLocker service providers within
India which shall be submitted to the Controller before the commencement of
their operations as per rule 30: Provided that any dispute arising as a
result of any such arrangement between the DigiLocker service providers; or
between DigiLocker service providers or DigiLocker service provider and the Subscriber,
shall be referred to the Controller for arbitration or resolution. 14. Validity
of licence: (1) A licence shall be valid for a period of ten years from the
date of its issue. (2) The licence shall not be transferable or heritable. 15.
Suspension of Licence: (1) The Controller may by order suspend the licence in
accordance with the provisions contained in sub-rule (3). (2) The licence
granted to the persons referred to in clauses (a) to (c) of sub-rule (1) of rule
8 shall stand suspended when the performance bond submitted or the banker's
guarantee furnished by such persons is invoked under sub-rule (2) of that rule.
(3) The Controller may, if he/she is satisfied after making such inquiry, as
he/she may think fit, that a DigiLocker service Provider has – (a) made a
statement in, or in relation to, the application for the issue or renewal of
the license, which is incorrect or false in material particulars; (b) failed to
comply with the terms and conditions subject to which the license was granted;
(c) failed to maintain the standards specified in rule (5); (d) contravened any
provisions of this Act, rule, regulation or order made there under, revoke the
license: Provided that no license shall be revoked unless the DigiLocker
service provider has been given a
reasonable opportunity of showing cause against the proposed revocation.
(4) The Controller may, if he/she has reasonable cause to believe that there is
any ground for revoking a license under sub-rule (3) by order suspend such
license pending the completion of any enquiry ordered by him/her: Provided that
no license shall be suspended for a period exceeding ten days unless the
DigiLocker service provider has been given a reasonable opportunity of showing
cause against the proposed suspension. (5) No DigiLocker service provider whose
license has been suspended shall provide any access or sharing of documents and
shall as per procedure, make provisions for transfer of repository / documents
to another service provider/Receiver as specified by the Controller. 16.
Renewal of licence: (1) The provisions of rule 8 to rule 14, shall apply in the
case of an application for renewal of a licence as it applies to a fresh
application for licensed DigiLocker service provider. (2) A DigiLocker service
provider shall submit an application for the renewal of its licence not less
than ninety days before the date of expiry of the period of validity of
licence. (3) The application for renewal of licence may be submitted in the
form of electronic record subject to such requirements as the Controller may
deem fit. (4) An application for renewal of a license shall be – a) in such
form; b) accompanied by such fees, not exceeding twenty five thousand rupees,
as may be prescribed by the Central Government and shall be made not less than
forty-five days before the date of expiry of the period of validity of the
license: 17. Issuance of Licence:
(1) The Controller may, within four weeks from the date of
receipt of the application, after considering the documents accompanying the
application and such other factors, as he/she may deem fit, grant or renew the
licence or reject the application: Provided that in exceptional circumstances
and for reasons to be recorded in writing, the period of four weeks may be
extended to such period, not exceeding eight weeks in all as the Controller may
deem fit. (2) If the application for licensed DigiLocker service provider is
approved, the applicant shall- (a) submit a performance bond or furnish a
banker's guarantee within one month from the date of such approval to the
Controller in accordance with sub-rule (2) of rule 8; and (b) execute an
agreement with the Controller binding him/her self to comply with the terms and
conditions of the licence and the provisions of the Act and the rules made
thereunder. 18. Refusal of Licence: (1) The Controller may refuse to grant or
renew a licence if a) the applicant has not provided the Controller with such
information relating to its business, and to any circumstances likely to affect
its method of conducting business, as the Controller may require; or b) the
applicant is in the course of being wound up or liquidated; or c) a receiver
has, or a receiver and manager have, been appointed by the court in respect of
the applicant; or d) the applicant or any trusted person has been convicted,
whether in India or out of India, of an offence the conviction for which
involved a finding that it or such trusted person acted fraudulently or
dishonestly, or has been convicted of an offence under the Act or these rules;
or the Controller has invoked performance bond or banker's guarantee; or
e) a DigiLocker service provider commits breach of, or fails to
observe and comply with, the procedures and practices as per the DigiLocker
Practice Statement; or f) a DigiLocker service provider fails to conduct, or
does not submit, the returns of the audit in accordance with rule 41; or g) the
audit report recommends that the DigiLocker service provider is not worthy of
continuing DigiLocker service provider's operation; or h) a DigiLocker service
provider fails to comply with the directions of the Controller. 19.
Representations upon opening of DigiLocker account A DigiLocker service
provider while opening a DigiLocker account shall certify that – (a) it has
complied with the provisions of this Act and the rules and regulations made
there under; 20. Notice of suspension or revocation of license: (1) Where the
license of the DigiLocker service provider is suspended or revoked, the
Controller shall publish notice of such suspension or revocation, as the case
may be, in the data-base maintained by him/her. (2) Where one or more
repositories are specified, the Controller shall publish notices of such
suspension or revocation, as the case may be, in all such repositories.
Provided that the data-base containing the notice of such suspension or
revocation, as the case may be, shall be made available through a web site
which shall be accessible round the clock. Provided further that the Controller
may, if he/she considers necessary, publicize the contents of the data-base in
such electronic or other media, as he/she may consider appropriate. 21. Power
to delegate: The Controller may, in writing, authorize the Deputy Controller,
Assistant Controller or any officer to exercise any of the powers of the
Controller under this Chapter. 22. Power to investigate contraventions: (1) The
Controller or any officer authorized by him/her in this behalf shall take up
for investigation any contravention of the provisions of this Act, rules or
regulations made there under. (2) The Controller or any officer authorized by
him/her in this behalf shall exercise the like powers which are conferred on
Income-tax authorities under Chapter XIII of the Income-tax Act, 1961 and shall
exercise such powers, subject to such limitations laid down under that Act. 23.
Access to computers and data: (1) Without prejudice to the provisions of
sub-section (1) of section 69, the Controller or any person authorized by
him/her shall, if he/she has reasonable cause to suspect that any contravention
of the provisions of this chapter made there under has been committed, have
access to any computer system, any apparatus, data or any other material
connected with such system, for the purpose of searching or causing a search to
be made for obtaining any information or data contained in or available to such
computer system. (2) For the purposes of sub-section (1), the Controller or any
person authorized by him/her may, by order, direct any person in charge of, or
otherwise concerned with the operation of the computer system, data apparatus
or material, to provide him/her with such reasonable technical and other
assistance as he/she may consider necessary. 24. DigiLocker service providers to
follow certain procedures: Every DigiLocker service provider shall-
a) ensure that the document URI and other data provided by
issuers and requesters is stored and/or transferred in its original state
without any tampering. b) make use of hardware, software, and procedures that
are secure from intrusion and misuse; c) provide a reasonable level of
reliability in its services which are reasonably suited to the performance of
intended functions; d) adhere to security procedures to ensure that the secrecy
and privacy of the documents are assured. e) publish information regarding its
practices and current status of such procedures; and f) observe such other standards
as may be specified by regulations. 25. DigiLocker service provider to ensure
compliance of the Act, etc: Every DigiLocker service provider shall ensure that
every person employed or otherwise engaged by it complies, in the course of his
employment or engagement, with the provisions of this Act, rules, regulations
and orders made there under. 26. Display of license: Every DigiLocker service
provider shall display its license at a conspicuous place of the premises in
which it carries on its business. 27. Surrender of license: (1) Every
DigiLocker service provider whose license is suspended or revoked shall
immediately after such suspension or revocation, surrender the license to the
Controller.
(2) Where any DigiLocker service provider fails to surrender a
license under sub-section (1), the person in whose favour a license is issued,
shall be guilty of an offense and shall be punished with imprisonment which may
extend up to six months or a fine which may extend up to ten thousand rupees or
with both. 28. Disclosure: (1) Every DigiLocker service provider shall disclose
in the manner specified by regulations
(a) its DigiLocker Certificate;
(b) any DigiLocker practice statement relevant thereto;
(c) notice of revocation or suspension of its DigiLocker certificate, if any;
and
(2) Where in the opinion of the DigiLocker service provider any event has
occurred or any situation has arisen which may materially and adversely affect
the integrity of its computer system or the conditions subject to which access
to a document was granted, then, the DigiLocker service provider shall-
(a) use reasonable efforts to notify any person who is likely to be affected by
that occurrence; or
(b) act in accordance with the procedure specified in its certification
practice statement to deal with such event or situation.

29. Governing Laws: The DigiLocker Practice Statement of the DigiLocker service
provider shall comply with, and be governed by, the laws of the country.

30. Security Guidelines for DigiLocker service provider:
(1) The DigiLocker service provider shall have the sole
responsibility of integrity, confidentiality and protection of information and
information assets employed in its operation, considering classification,
declassification, labeling, storage, access and destruction of information
assets according to their value, sensitivity and importance of operation.
(2) Information Technology Security Guidelines and Security Guidelines for
DigiLocker service provider aimed at protecting the integrity, confidentiality
and availability of service of DigiLocker service provider are given in
Schedule-II and Schedule-III respectively.
(3) The DigiLocker service provider shall formulate its Information Technology
and Security Policy for operation complying with these guidelines and submit it
to the Controller before commencement of operation: Provided that any change
made by the DigiLocker service provider in the Information Technology and
Security Policy shall be submitted by it within two weeks to the Controller.

31. Commencement of
Operation by Licensed DigiLocker service provider:
(1) The licensed DigiLocker service provider shall commence its commercial
operation only after
(a) it has confirmed to the Controller the adoption of DigiLocker Practice
Statement;
(b) the installed facilities and infrastructure associated with all functions
of management of DigiLocker system have been audited by the accredited auditor
in accordance with the provisions of rule 41; and
(c) it has submitted the arrangement for cross certification with other
licensed DigiLocker service provider within India to the Controller.

32. Requirements Prior to Cessation as DigiLocker service provider:
(1) Before ceasing to act as a DigiLocker service provider, a
DigiLocker service provider shall,
a) give notice to the Controller of its intention to cease acting as a
DigiLocker service provider: Provided that the notice shall be made one hundred
eighty days before ceasing to act as a DigiLocker service provider or ninety
days before the date of expiry of licence;
b) will follow the data retention and data migration guidelines notified by
DeitY.
c) advertise one hundred twenty days before the expiry of licence or ceasing to
act as DigiLocker service provider, as the case may be, the intention in such
daily newspaper or newspapers and in such manner as the Controller may
determine;
d) notify its intention to cease acting as a DigiLocker service provider to the
subscriber, issuers and requesters of each documents available in its system:
e) the notice shall be sent to the Controller, affected subscribers, issuers
and requesters by digitally signed e-mail and registered post;
f) make a reasonable effort to ensure that discontinuing its DigiLocker
services causes minimal disruption to its subscribers;
g) make reasonable arrangements for preserving the records for a period of
seven years;
h) pay reasonable restitution (not exceeding the cost involved in opening a
DigiLocker account) to subscribers for ceasing DigiLocker services.

33. Database of DigiLocker Service Providers: (1) The Controller
shall maintain a database of the disclosure record of every DigiLocker service
provider, containing inter alia the following details:
a) the name of the person/names of the Directors, nature of business, Income
tax Permanent Account Number, web address, if any, office and residential
address, location of facilities associated with functions of DigiLocker system,
voice and facsimile telephone numbers, electronic mail address(es),
administrative contacts and authorized representatives;
b) current and past versions of DigiLocker Practice Statement of DigiLocker
service provider;
c) time stamps indicating the date and time of
i. grant of licence;
ii. confirmation of adoption of DigiLocker Practice Statement and its earlier
versions by DigiLocker service provider;
iii. commencement of commercial operations of DigiLocker system by the
DigiLocker service provider;
iv. revocation or suspension of licence of DigiLocker service provider;
The Information Technology (Controller of
Digital Locker) Rules, 2016 In exercise of the powers conferred by clause (x)
of sub-section (2) of section 87 read with sections 67C and section 6A of the
Information Technology Act, 2000 (21 of 2000), the central Government hereby
makes the following rules regulating the applications and other guidelines for
DigiLocker service providers, namely: 1. Short Title and Commencement: (1)
These rules may be called the Information Technology (Controller of Digital
Locker) Rules, 2016. (2) They shall come into force on the date of their
publication in the Official Gazette. 2. Definitions: (1) In these rules, unless
the context otherwise requires, - a) “Act” means the Information Technology
Act, 2000 (21 of 2000); b) “access gateway” means licensed system to provide
access to repositories under Digital Locker System; c) “application program
interface (API)”, means a set of routines, protocols, and tools for building
software applications; d) “appropriate government” means appropriate government
as defined in clause (e) of sub-section (1) of section 2 of the Act; e) “body
corporate” means any company and includes a firm, Limited Liability
Partnership, sole proprietorship or other association of individuals engaged in
commercial or professional activities; f) “controller of digital locker” means
the officer of the Government notified as the Controller of Digital Locker; g)
“DeitY” means Department of Electronics & Information Technology,
Government of India. The Information Technology (Controller of Digital Locker)
Rules, 2016
_______________________________________________________________________________________________________“digital locker”, means a service of preservation, retention
and delivery of electronic records to the user; i) “DigiLocker Practise
Statement” means a statement by the DigiLocker service provider describing the
services and flow of the services being offered by the provider. j) “DigiLocker
service provider” means an agency including a body corporate or an Agency of
the Government, licensed by the Controller of Digital Locker, to establish and
manage digital locker system electronically, in accordance with these rules; k)
“document Uniform Resource Identifier (URI)”, means documents or records issued
complying with prescribed technical specifications; l) “Government” means the
Government of India; m) “Issuer” means any department or agency of the appropriate
Government issuing digitally signed or equivalently authenticated electronic
records to the subscriber under Digital Locker System; n) “License” means
binding agreement between/among the Controller of Digital Locker and any
service provider; o) “Digital Locker Portal” means a web and mobile based
system to provide access to documents under Digital Locker System; p) “National
Digital Locker Portal” means DeitY owned and operated webbased hosting Digital
Locker System; q) “repository” means an electronic repository of digitally
signed as well as digitised electronic records, maintained by any DigiLocker
service provider for the purpose of accessing such records and delivering them
to the users. r) “Requester” means any department or agency of the appropriate
Government requesting access to subscribers digitally signed or equivalently
authenticated electronic records preserved and retained in the repository
created and managed under Digital Locker System; The Information Technology
(Controller of Digital Locker) Rules, 2016
_______________________________________________________________________________________________________ “subscriber” means subscriber to a digital locker under the
Digital Locker Portal; t) “user” means a subscriber, issuer or requester of the
Digital Locker System. (2) Words and expressions used and not defined in these
rules but defined in the Act and Rules shall have the same meanings assigned to
them in the Act and the Rules made thereunder. 3. Digital Locker System: (1)
For the purpose of providing preservation and retention of machine readable,
printable, shareable, verifiable and secure appropriate Government and private
agency issued electronic records, the Government and other service providers to
provide a digital locker system of limited electronic storage to all users.
Explanation. – It is hereby clarified that the present rules provide for the
administration of digital locker system by Controller of Digital Locker through
DigiLocker Service Providers in accordance with the technical standards as laid
down by controller from time to time. (2) Subject to the sub-rule (1), the
digital locker system shall act as web and mobile based portal, to be a Digital
Locker Portal for appropriate Government and private agency issued electronic
records maintained in a prescribed format. 4. Operation of Digital Locker
System: (1) Any individual who is resident of India shall be able to open and
gain access to digital locker after submitting duly prescribed application form
to the Controller of Digital Locker after due authentication manner prescribed
by the Controller of Digital Locker. (2) Subject to the sub-rule (1), citizen
may obtain the services of the licensed DigiLocker Service Providers for the
purpose of access The Information Technology (Controller of Digital Locker)
Rules, 2016
_______________________________________________________________________________________________________ Locker, gateways and repository services using web or mobile based
Digital Locker Portal. (3) Digital Locker Portal shall provide access to
repositories and access gateway for issuers to issue and requesters to access
digitally signed or equivalently authenticated electronic records respectively
in a uniform way in real-time by making available Digital Locker Directory to
the users. (4) Digital Locker Directory shall provide following details: (a)
issuer ID (name, ID, registration date), Requester ID (name, URL, date of
empanelment, contact details), Gateway ID (name, URL, date of empanelment,
contact details) and empanelled repositories (name, URL, date of empanelment,
contact details); (b) repository and gateway empanelment guidelines, standards,
application form, and other particulars; (c) electronic workflow to request,
approve, and publish new ID for new issuers, gateways & repositories, as
the case may be; and (d) any other information as prescribed by the Controller
of Digital Locker. 5. DigiLocker Standards: Standards for DigiLocker eco system
will be notified by the Department of Electronics & Information Technology
(DeitY), Government of India. 6. Appointment of Controller and other officers:
1) The Central Government may, by notification in the Official Gazette, appoint
a Controller of Digital Locker for the purposes of this Act and may also by the
same or subsequent notification appoint such number of Deputy Controllers and
Assistant Controllers, other officers and employees as it deems fit. The
Information Technology (Controller of Digital Locker) Rules, 2016 _______________________________________________________________________________________________________
Page 5 of 62 2) The Controller shall discharge his functions under this Act
subject to the general control and directions of DeitY. 3) The Deputy
Controllers and Assistant Controllers shall perform the functions assigned to
them by the Controller under the general superintendence and control of the
Controller. 4) The qualifications, experience and terms and conditions of
service of Controller, Deputy Controllers and Assistant Controllers other
officers and employees shall be such as may be prescribed by the Central
Government. 5) The Head Office and Branch Office of the Office of the
Controller shall be at such places as DeitY may specify, and these may be
established at such places as DeitY may think fit. 6) There shall be a seal of
the Office of the Controller. 7. The Controller may perform all or any of the
following functions, namely: 1) Grant licenses to DigiLocker service providers;
2) exercising supervision over the activities of the DigiLocker Service
Providers; 3) specifying the conditions subject to which the DigiLocker Service
Providers shall conduct their business; 4) specify the conditions under which
documents from issuers are made available to DigiLocker service providers. 5)
specify the conditions under which documents accessed by requesters are made
available to DigiLocker service providers 6) specifying the content of written,
printed or visual material and advertisements that may be distributed or used in
respect of DigiLocker Services; The Information Technology (Controller of
Digital Locker) Rules, 2016
_______________________________________________________________________________________________________
Page 6 of 62 7) specifying the form and manner in which accounts shall be
maintained by the DigiLocker service provider; 8) specifying the terms and
conditions subject to which auditors may be appointed and the remuneration to
be paid to them; 9) facilitating the establishment of any electronic system by
a Service Provider either solely or jointly with other Service Providers and
regulation of such systems; 10)specifying the manner in which the Service
Providers shall conduct their dealings with the subscribers; 11)resolving any
conflict of interests between the Service Providers and the subscribers;
12)laying down the duties of the Service Providers; 13) maintaining a data-base
containing the disclosure record of every DigiLocker Service Providers
containing such particulars as may be specified by regulations, which shall be
accessible to public. 8. Licensing of DigiLocker Service Providers: (1) The
following may apply for grant of a licence to become a DigiLocker Service
Provider, namely:- (a) an individual , being a citizen of India and having a
capital of five crores of rupees or more in his business or profession. (b) a
company having– i. paid up capital of not less than five crores of rupees; and
ii. net worth of not less than fifty crores of rupees: Provided that no company
in which the equity share capital held in aggregate by the Nonresident Indians,
Foreign Institutional Investors, or foreign companies, exceeds forty-nine per
cent of its capital, shall be eligible for grant of licence: Provided further
that in a case where the company has been The Information Technology
(Controller of Digital Locker) Rules, 2016
_______________________________________________________________________________________________________
Page 7 of 62 registered under the Companies Act, 1956 (1 of 1956) during the
preceding financial year or in the financial year during which it applies for
grant of licence under the Act and whose main object is to act as DigiLocker
Service Provider, the net worth referred to in sub-clause (ii) of this clause
shall be the aggregate net worth of its majority shareholders holding at least
51% of paid equity capital, being the Hindu Undivided Family, firm or company:
Provided also that the majority shareholders referred to in the second proviso
shall not include Non-resident Indian, foreign national, Foreign Institutional
Investor and foreign company: Provided also that the majority shareholders of a
company referred to in the second proviso whose net worth has been determined
on the basis of such majority shareholders, shall not sell or transfer its
equity shares held in such company- (i) unless such a company acquires or has
its own net worth of not less than fifty crores of rupees; (ii) without prior
approval of the Controller of Digital Locker; (c) a firm having – i. capital
subscribed by all partners of not less than five crores of rupees; and ii. net
worth of not less than fifty crores of rupees: Provided that no firm, in which
the capital held in aggregate by any Non-resident Indian, and foreign national,
exceeds forty-nine per cent of its capital, shall be eligible for grant of
licence: Provided further that in a case where the firm has been registered
under the Indian Partnership Act, 1932 (9 of 1932) during the preceding
financial year or in the financial year during which it applies for grant of
licence under the Act and whose main object is to act as DigiLocker service
provider, the net worth referred to in sub-clause (ii) of this clause shall be
the aggregate net worth of all of its partners: Provided also that the partners
referred to in the second proviso shall not include Non-resident Indian and
foreign national: Provided also that the partners of a firm referred to in the
second proviso whose net worth has been determined on the basis of such
partners, shall not sell or transfer its capital held in such firm- (i) unless
such firm has acquired or has its own The Information Technology (Controller of
Digital Locker) Rules, 2016
_______________________________________________________________________________________________________
Page 8 of 62 net worth of not less than fifty crores of rupees; (ii) without
prior approval of the Controller; (d) Central Government or a State Government
or any of the Ministries or Departments, Agencies or Authorities of such
Governments. Explanation.- For the purpose of this rule,- i.
"company" shall have the meaning assigned to it in clause 17 of
section 2 of the Income-tax Act, 1961 (43 of 1961); ii. "firm",
"partner" and "partnership" shall have the meanings respectively
assigned to them in the Indian Partnership Act, 1932 (9 of 1932); but the
expression "partner" shall also include any person who, being a minor
has been admitted to the benefits of partnership; iii. "foreign
company" shall have the meaning assigned to it in clause (23A) of section
2 of the Income-tax Act, 1961 (43 of 1961); iv. "net worth" shall
have the meaning assigned to it in clause (ga) of subsection (1) of section 3
of the Sick Industrial Companies (Special Provisions) Act, 1985 (1 of 1986); v.
"Non-resident" shall have the meaning assigned to it as in clause 26
of section 2 of the Income-tax Act, 1961 (43 of 1961). (2) The applicant being
an individual, or a company, or a firm under sub-rule (1), shall submit a
performance bond or furnish a banker's guarantee from a scheduled bank in favour
of the Controller in such form and in such manner as may be approved by the
Controller for an amount of not less than five crores of rupees and the
performance bond or banker's guarantee shall remain valid for a period of six
years from the date of its submission: Provided that the company and firm
referred to in the second proviso to clause (b) and the second proviso to
clause (c) of sub-rule (1) shall submit a performance bond or furnish a
banker's guarantee for ten crores of rupees: Provided further that nothing in
the first proviso shall apply to the company or firm after it has acquired or
has its net worth of fifty crores of rupees. The Information Technology
(Controller of Digital Locker) Rules, 2016
_______________________________________________________________________________________________________
Page 9 of 62 (3) Without prejudice to any penalty which may be imposed or
prosecution may be initiated for any offence under the Act or any other law for
the time being in force, the performance bond or banker's guarantee may be
invoked– a) when the Controller has suspended the licence under sub-section (2)
of section 25 of the Act; or b) for payment of an offer of compensation made by
the Controller; or c) for payment of liabilities and rectification costs
attributed to the negligence of the DigiLocker service provider, its officers
or employees; or d) for payment of the costs incurred in the discontinuation or
transfer of operations of the licensed DigiLocker service provider, if the
DigiLocker service provider's licence or operations is discontinued; or e) any
other default made by the DigiLocker service provider in complying with the
provisions of the Act or rules made thereunder. Explanation.- "transfer of
operation" shall have the meaning assigned to it in clause (47) of section
2 of the Income-tax Act, 1961 (43 of 1961). 9. Location of the Facilities: The
infrastructure associated with all functions of DigiLocker system as well as
maintenance of Directories containing information about the status of
DigiLocker system shall be installed at any location in India. 10. Submission
of Application: (1) Every application for a licensed DigiLocker service
provider shall be made to the Controller,- a) in the form given at Schedule-l;
and The Information Technology (Controller of Digital Locker) Rules, 2016
_______________________________________________________________________________________________________
Page 10 of 62 b) in such manner as the Controller may, from time to time,
determine, supported by such documents and information as the Controller may
require and it shall inter alia includei. a DigiLocker Practice Statement
(DPS); ii. a statement including the procedures with respect to identification
of the applicant; iii. a statement for the purpose and scope of DigiLocker
technology, management, or operations to be outsourced; iv. certified copies of
the business registration documents of DigiLocker service provider that intends
to be licensed; v. a description of any event, particularly current or past
insolvency, that could materially affect the applicant's ability to act as a
DigiLocker service provider; vi. an undertaking by the applicant that to its
best knowledge and belief it can and will comply with the requirements of its
DigiLocker Practice Statement; vii. an undertaking that the DigiLocker service
provider's operation would not commence until its operation and facilities
associated with the functions of generation, issue and management of DigiLocker
system are audited by the auditors and approved by the Controller in accordance
with rule 31; viii. an undertaking to submit a performance bond or banker's
guarantee in accordance with sub-rule (2) of rule 8 within one month of
Controller indicating his approval for the grant of licence to operate as a
DigiLocker service provider; c) any other information required by the
Controller. (2) Every application for issue of a license shall be accompanied
bya) a DigiLocker practice statement; The Information Technology (Controller of
Digital Locker) Rules, 2016
_______________________________________________________________________________________________________
Page 11 of 62 b) a statement including the procedures with respect to
identification of the applicant; c) payment of such fees, not exceeding one lac
rupees as may be prescribed by the Central Government; d) such other documents,
as may be prescribed by the Central Government. 11. Procedure for grant or
rejection of license : The Controller may, on receipt of an application under
sub-section (1) of section 4, after considering the documents accompanying the
application and such other factors, as he deems fit, grant the license or
reject the application: Provided that no application shall be rejected under
this section unless the applicant has been given a reasonable opportunity of
presenting his case. 12. Fee: (1) The application for the grant of a licence
shall be accompanied by a nonrefundable fee of one lac rupees payable by a bank
draft or by a pay order drawn in the name of the Controller. (2) The
application submitted to the Controller for renewal of DigiLocker service
provider's licence shall be accompanied by a non-refundable fee of twenty five
thousand rupees payable by a bank draft or by a pay order drawn in the name of
the Controller. (3) Fee or any part thereof shall not be refunded if the
licence is suspended or revoked during its validity period. 13. Cross
Certification: The licensed DigiLocker service provider shall have arrangement
for cross certification with other licensed DigiLocker service providers within
India which shall be submitted to the Controller before the commencement of
their The Information Technology (Controller of Digital Locker) Rules, 2016
_______________________________________________________________________________________________________
Page 12 of 62 operations as per rule 30: Provided that any dispute arising as a
result of any such arrangement between the DigiLocker service providers; or
between DigiLocker service providers or DigiLocker service provider and the Subscriber,
shall be referred to the Controller for arbitration or resolution. 14. Validity
of licence: (1) A licence shall be valid for a period of ten years from the
date of its issue. (2) The licence shall not be transferable or heritable. 15.
Suspension of Licence: (1) The Controller may by order suspend the licence in
accordance with the provisions contained in subrule (3). (2) The licence
granted to the persons referred to in clauses (a) to (c) of subrule (1) of rule
8 shall stand suspended when the performance bond submitted or the banker's
guarantee furnished by such persons is invoked under sub-rule (2) of that rule.
(3) The Controller may, if he/she is satisfied after making such inquiry, as
he/she may think fit, that a DigiLocker service Provider has – (a) made a
statement in, or in relation to, the application for the issue or renewal of
the license, which is incorrect or false in material particulars; (b) failed to
comply with the terms and conditions subject to which the license was granted;
(c) failed to maintain the standards specified in rule (5); (d) contravened any
provisions of this Act, rule, regulation or order made there under, revoke the
license: Provided that no license shall be revoked unless the DigiLocker
service provider has been given a The Information Technology (Controller of
Digital Locker) Rules, 2016
_______________________________________________________________________________________________________
Page 13 of 62 reasonable opportunity of showing cause against the proposed revocation.
(4) The Controller may, if he/she has reasonable cause to believe that there is
any ground for revoking a license under subrule (3) by order suspend such
license pending the completion of any enquiry ordered by him/her: Provided that
no license shall be suspended for a period exceeding ten days unless the
DigiLocker service provider has been given a reasonable opportunity of showing
cause against the proposed suspension. (5) No DigiLocker service provider whose
license has been suspended shall provide any access or sharing of documents and
shall as per procedure, make provisions for transfer of repository / documents
to another service provider/Receiver as specified by the Controller. 16.
Renewal of licence: (1) The provisions of rule 8 to rule 14, shall apply in the
case of an application for renewal of a licence as it applies to a fresh
application for licensed DigiLocker service provider. (2) A DigiLocker service
provider shall submit an application for the renewal of its licence not less
than ninety days before the date of expiry of the period of validity of
licence. (3) The application for renewal of licence may be submitted in the
form of electronic record subject to such requirements as the Controller may
deem fit. (4) An application for renewal of a license shall be – a) in such
form; b) accompanied by such fees, not exceeding twenty five thousand rupees,
as may be prescribed by the Central Government and shall be made not less than
forty-five days before the date of expiry of the period of validity of the
license: 17. Issuance of Licence: The Information Technology (Controller of
Digital Locker) Rules, 2016
_______________________________________________________________________________________________________
Page 14 of 62 (1) The Controller may, within four weeks from the date of
receipt of the application, after considering the documents accompanying the
application and such other factors, as he/she may deem fit, grant or renew the
licence or reject the application: Provided that in exceptional circumstances
and for reasons to be recorded in writing, the period of four weeks may be
extended to such period, not exceeding eight weeks in all as the Controller may
deem fit. (2) If the application for licensed DigiLocker service provider is
approved, the applicant shall- (a) submit a performance bond or furnish a
banker's guarantee within one month from the date of such approval to the
Controller in accordance with subrule (2) of rule 8; and (b) execute an
agreement with the Controller binding him/her self to comply with the terms and
conditions of the licence and the provisions of the Act and the rules made
thereunder. 18. Refusal of Licence: (1)The Controller may refuse to grant or
renew a licence ifa) the applicant has not provided the Controller with such
information relating to its business, and to any circumstances likely to affect
its method of conducting business, as the Controller may require; or b) the
applicant is in the course of being wound up or liquidated; or c) a receiver
has, or a receiver and manager have, been appointed by the court in respect of
the applicant; or d) the applicant or any trusted person has been convicted,
whether in India or out of India, of an offence the conviction for which
involved a finding that it or such trusted person acted fraudulently or
dishonestly, or has been convicted of an offence under the Act or these rules;
or the Controller has invoked performance bond or banker's guarantee; or The
Information Technology (Controller of Digital Locker) Rules, 2016 _______________________________________________________________________________________________________
Page 15 of 62 e) a DigiLocker service provider commits breach of, or fails to
observe and comply with, the procedures and practices as per the DigiLocker
Practice Statement; or f) a DigiLocker service provider fails to conduct, or
does not submit, the returns of the audit in accordance with rule 41; or g) the
audit report recommends that the DigiLocker service provider is not worthy of
continuing DigiLocker service provider's operation; or h) a DigiLocker service
provider fails to comply with the directions of the Controller. 19.
Representations upon opening of DigiLocker account A DigiLocker service
provider while opening a DigiLocker account shall certify that – (a) it has
complied with the provisions of this Act and the rules and regulations made
there under; 20. Notice of suspension or revocation of license: (1) Where the
license of the DigiLocker service provider is suspended or revoked, the
Controller shall publish notice of such suspension or revocation, as the case
may be, in the data-base maintained by him/her. (2) Where one or more
repositories are specified, the Controller shall publish notices of such
suspension or revocation, as the case may be, in all such repositories.
Provided that the data-base containing the notice of such suspension or
revocation, as the case may be, shall be made available through a web site
which shall be accessible round the clock Provided further that the Controller
may, if he/she considers necessary, publicize the contents of the data-base in
such electronic or other media, as he/she may consider appropriate. 21. Power
to delegate: The Information Technology (Controller of Digital Locker) Rules,
2016 _______________________________________________________________________________________________________
Page 16 of 62 The Controller may, in writing, authorize the Deputy Controller,
Assistant Controller or any officer to exercise any of the powers of the
Controller under this Chapter. 22. Power to investigate contraventions: (1) The
Controller or any officer authorized by him/her in this behalf shall take up
for investigation any contravention of the provisions of this Act, rules or
regulations made there under. (2) The Controller or any officer authorized by
him/her in this behalf shall exercise the like powers which are conferred on
Income-tax authorities under Chapter XIII of the Income-tax Act, 1961 and shall
exercise such powers, subject to such limitations laid down under that Act. 23.
Access to computers and data: (1) Without prejudice to the provisions of
sub-section (1) of section 69, the Controller or any person authorized by
him/her shall, if he/she has reasonable cause to suspect that any contravention
of the provisions of this chapter made there under has been committed, have
access to any computer system, any apparatus, data or any other material
connected with such system, for the purpose of searching or causing a search to
be made for obtaining any information or data contained in or available to such
computer system. (2) For the purposes of sub-section (1), the Controller or any
person authorized by him/her may, by order, direct any person in charge of, or
otherwise concerned with the operation of the computer system, data apparatus
or material, to provide him/her with such reasonable technical and other
assistance as he/she may consider necessary. 24. DigiLocker service providers to
follow certain procedures: Every DigiLocker service provider shall-
a) ensure that the document URI and other data provided by
issuers and requesters is stored and/or transferred in its original state
without any tampering; b) make use of hardware, software, and procedures that
are secure from intrusion and misuse; c) provide a reasonable level of
reliability in its services which are reasonably suited to the performance of
intended functions; d) adhere to security procedures to ensure that the secrecy
and privacy of the documents are assured; e) publish information regarding its
practices and current status of such procedures; and f) observe such other standards
as may be specified by regulations. 25. DigiLocker service provider to ensure
compliance of the Act, etc: Every DigiLocker service provider shall ensure that
every person employed or otherwise engaged by it complies, in the course of his
employment or engagement, with the provisions of this Act, rules, regulations
and orders made there under. 26. Display of license: Every DigiLocker service
provider shall display its license at a conspicuous place of the premises in
which it carries on its business. 27. Surrender of license: (1) Every
DigiLocker service provider whose license is suspended or revoked shall
immediately after such suspension or revocation, surrender the license to the
Controller. (2) Where any DigiLocker service provider fails to surrender a
license under sub-section (1), the person in whose favour a license is issued,
shall be guilty of an offense and shall be punished with imprisonment which may
extend up to six months or a fine which may extend up to ten thousand rupees or
with both. 28. Disclosure: (1) Every DigiLocker service provider shall disclose
in the manner specified by regulations (a) its DigiLocker Certificate; (b) any
DigiLocker practice statement relevant thereto; (c) notice of revocation or
suspension of its DigiLocker certificate, if any; and (2) Where in the opinion
of the DigiLocker service provider any event has occurred or any situation has
arisen which may materially and adversely affect the integrity of its computer
system or the conditions subject to which access to a document was granted,
then, the DigiLocker service provider shall- (a) use reasonable efforts to
notify any person who is likely to be affected by that occurrence; or (b) act
in accordance with the procedure specified in its certification practice
statement to deal with such event or situation. 29. Governing Laws: The DigiLocker
Practice Statement of the DigiLocker service provider shall comply with, and be
governed by, the laws of the country. 30. Security Guidelines for DigiLocker
service provider: (1) The DigiLocker service provider shall have the sole
responsibility of integrity, confidentiality and protection of information and
information assets employed in its operation, considering classification,
declassification, labeling, storage, access and destruction of information
assets according to their value, sensitivity and importance of operation. (2)
Information Technology Security Guidelines and Security Guidelines for
DigiLocker service provider aimed at protecting the integrity, confidentiality
and availability of service of DigiLocker service provider are given in
Schedule-II and Schedule-III respectively. (3) The DigiLocker service provider
shall formulate its Information Technology and Security Policy for operation
complying with these guidelines and submit it to the Controller before
commencement of operation: Provided that any change made by the DigiLocker
service provider in the Information Technology and Security Policy shall be
submitted by it within two weeks to the Controller. 31. Commencement of
Operation by Licensed DigiLocker service provider: (1) The licensed DigiLocker
service provider shall commence its commercial operation only after (a) it has
confirmed to the Controller the adoption of DigiLocker Practice Statement; (b)
the installed facilities and infrastructure associated with all functions of
management of DigiLocker system have been audited by the accredited auditor in
accordance with the provisions of rule 41; and (c) it has submitted the
arrangement for cross certification with other licensed DigiLocker service
provider within India to the Controller. 32. Requirements Prior to Cessation as
DigiLocker service provider: (1) Before ceasing to act as a DigiLocker service provider, a
DigiLocker service provider shall, a) give notice to the Controller of its
intention to cease acting as a DigiLocker service provider: Provided that the
notice shall be made one hundred eighty days before ceasing to act as a
DigiLocker service provider or ninety days before the date of expiry of
licence; b) follow the data retention and data migration guidelines
notified by DeitY; c) advertise one hundred twenty days before the expiry of
licence or ceasing to act as DigiLocker service provider, as the case may be,
the intention in such daily newspaper or newspapers and in such manner as the
Controller may determine; d) notify its intention to cease acting as a
DigiLocker service provider to the subscriber, issuers and requesters of each
document available in its system; e) the notice shall be sent to the
Controller, affected subscribers, issuers and requesters by digitally signed
e-mail and registered post; f) make a reasonable effort to ensure that
discontinuing its DigiLocker services causes minimal disruption to its
subscribers; g) make reasonable arrangements for preserving the records for a
period of seven years; h) pay reasonable restitution (not exceeding the cost
involved in opening a DigiLocker account) to subscribers for ceasing DigiLocker
services. 33. Database of DigiLocker Service Providers: (1) The Controller
shall maintain a database of the disclosure record of every DigiLocker service
provider, containing inter alia the following details: a) the name of the
person/names of the Directors, nature of business, Income tax Permanent Account
Number, web address, if any, office and residential
address, location of facilities associated with functions of
DigiLocker system, voice and facsimile telephone numbers, electronic mail
address(es), administrative contacts and authorized representatives; b) current
and past versions of DigiLocker Practice Statement of DigiLocker service
provider; c) time stamps indicating the date and time ofi. grant of licence;
ii. confirmation of adoption of DigiLocker Practice Statement and its earlier
versions by DigiLocker service provider; iii. commencement of commercial
operations of DigiLocker system by the DigiLocker service provider; iv.
revocation or suspension of licence of DigiLocker service provider;