Section 10 in The Credit Information Companies Regulations, 2006
10. In addition to the principles and procedures as provided in section 20 of the Act, every credit information company, credit institution and specified user, shall adopt the following privacy principles in relation to their functioning, namely:-
(a)Care in collection of credit information:(i)Every credit information company shall take all such necessary precautions, in respect of information received or collected by it so as to ensure that such information is-(A)properly and accurately recorded, collated and processed; and(B)protected against loss, unauthorised access, use, modification or disclosure thereof.(ii)Every credit institution shall-(A)keep the credit information maintained by it, updated regularly on a monthly basis or at such shorter intervals as may be mutually agreed upon between the credit institution and the credit information company; and(B)take all such steps which may be necessary to ensure that the credit information furnished by it, is update, accurate and complete.(b)Access to, and modification of, the credit information:(i)Every credit information company shall-(A)establish and adopt procedures relating to disclosure to a person, upon his request, his own credit information and subject to his satisfactory identification; and(B)provide reasonable time and opportunity to such person for establishing his identity and the credit information company may call for his personal attendance, if so necessary, and production of such other documents as may be necessary as proof of his identity.(ii)Every specified user on receipt of a request as per sub-section (3) of section 21 of the Act, from a client or a borrower, as the case may be, for updating of his credit information, shall intimate about such request to the credit information company which had furnished such credit information to the specified user.(iii)Every credit information company on receipt of the intimation from a specified user, shall intimate about the request made by the borrower or the client, as the case may be, the credit institution which had furnished such credit information to the credit information company .(iv)Every specified user, credit information company, and credit institution, shall take prompt action in relation to updating of the credit information and to send the intimation and their response with proper co-ordination amongst them so as to ensure that the requisite action is taken in this behalf within the time limit as provided under sub-section (3) of section 21 of the Act.(c)Data use limitation:Obligation to disclose .-Every specified user, in case of denying credit or any other service to a borrower or a client, as the case may be, on the basis of his credit information report within thirty days of its such decision shall-(A)send a written intimation to such borrower, or the client about the rejection ;(B)include in such intimation the specific reasons for rejection;(C)forward a copy of the credit information report relied upon for such decision; and(D)also provide the name and address of the credit information company which had provided the credit information report to the borrower or client, as the case may be.(d)Length of preservation of credit information:(i)every credit information company and credit institution shall retain credit information collected, maintained and disseminated by them for a minimum period of seven years.(ii)Every credit information company and credit institution shall develop guidelines and procedures to be adopted by them, with the approval of the Reserve Bank in respect of preservation and destruction of credit information.
