Union of India - Section

Section 28 in The Credit Information Companies Rules, 2006

28. Prohibition from unauthorised access or use or disclosure

(1) Every credit institution, credit information company, and specified user, existing before the commencement of these rules within three months of such commencement and every credit institution, credit information company or specified user coming into existence after the commencement of these rules within three months of commencement of their business, shall take such steps as they may deem necessary to ensure that the data, information and the credit information maintained by them is duly protected against any unauthorised access or use and formulate and adopt an appropriate policy and procedure in this behalf with the approval of their Board of Directors.
(2) Without prejudice to the generality of the policy and procedure, as formulated and adopted under sub-rule (1), every credit institution, credit information company, and specified user shall include such other aspects in such policy and procedure so as to-
(i) secure the confidentiality of the data, information and credit information maintained by them;
(ii) ensure that access to the data, information and credit information maintained by them is permitted only to such of their managers or employees or designated officers, who are duly authorised for the purpose on a need to know basis;
(iii) ensure and control, access to the data, information and credit information, terminals, and networks, maintained by them, by means of physical barriers including biometric access control and logical barriers by way of passwords and to ensure that the passwords used in this behalf are not shared by anyone else than who is authorised in this behalf and the passwords are changed frequently on irregular intervals;
(iv) ensure that the best practices in relation to the deletion and disposal of data, especially where records or discs are to be disposed of off-site or by external contractors are followed;
(v) ensure that the system adopted for the purpose is sufficiently adequate to protect against any unauthorised modification or deletion of the data, information or credit information maintained by them;
(vi) ensure maintenance of log made for accessing to data, information or credit information maintained by them including-
(a) the data relating to identity of all such persons whosoever had accessed or attempted to access the data information or credit information maintained by them and the date and time of such access, the identity of the borrower whose data or credit information were so accessed; and
(b) the provision relating to preservation of the records and entries pertaining to such log for minimum period of two years and to ensure that the same is available for examination by auditors, or the officials of the Reserve Bank authorised in this behalf, as the case may be;
(vii) ensure the maintenance and review of records and entries of log, on a regular and frequent basis to detect and investigate any unusual or irregular patterns of use of or access to data including creation of the audit trails and verification thereof;
(viii) provide the guidelines for the use and access of information systems by external contractors; and
(ix) protection against pilferage of information while passing through the public and private networks.