Central Information Commission
Lavkush vs Centre For Railway Information System ... on 7 May, 2024
Central Information Commission
Baba Gangnath Marg, Munirka
New Delhi - 110067
File No : CIC/CFRIS/A/2023/614134 and CIC/CFRIS/A/2023/613914.
Lavkush ..... Appellant
VERSUS
PIO,
Centre for Railway Information
System (CRIS), Safdarjung
Railway Station, Chanakyapuri,
New Delhi - 11001 .... Respondent
Date of Hearing : 02-05-2024
Date of Decision : 06-05-2024
INFORMATION COMMISSIONER : Vinod Kumar Tiwari
The above-mentioned Appeals have been clubbed together for disposal as
these are based on similar RTI Application of the same Appellant.
Relevant facts emerging from appeal:
RTI applications filed on : 10-01-2023, 28-11-2022.
CPIO replied on : 08-02-2023, 21-12-2022.
First appeal filed on : 16-02-2023, 10-01-2023
First Appellate Authority's order : 23-02-2023, 30-01-2023.
2nd Appeals/Complaint dated : 18-03-2023.
CIC/CFRIS/A/2023/614134
Information sought:
The Appellant filed an RTI application dated 10-01-2023 seeking the following information:
"With reference to the above subject, it is submitted that the applicant was working as Assistant Personnel Officer (APO) in the Allahabad Division of North Central Railway. For preparing salary in IPAS, I was issued IPAS ID- NCR02PBL1002 (Gazetted ID) & ADMINALDP03 (Admin ID); I had requested that the following information relating to this ID be provided.
Applicant's IPAS EMP No-33229810935, current Registered Mobile No- 9455620325, old 9794837604. Information is required as to which IPAS users were given Transfer In & Out permission, and had it withdrawn (removed), from the applicant's ADMIN ID- ADMINALDP03 between 01.04.2019 and 17.07.2019.
1- Permission Granted for Transfer IN
Login ID | Emp No | Use IPAS Login ID | Use Emp No | Date & Time
ADMINALDP03 | 33229810935 | | |
2- Permission Granted for Transfer Out
Login ID | Emp No | Use IPAS Login ID | Use Emp No | Date & Time
ADMINALDP03 | 33229810935 | | |
3- Permission Withdrawn for Transfer IN
Login ID | Emp No | Use IPAS Login ID | Use Emp No | Date & Time
ADMINALDP03 | 33229810935 | | |
4- Permission Withdrawn for Transfer Out
Login ID | Emp No | Use IPAS Login ID | Use Emp No | Date & Time
ADMINALDP03 | 33229810935 | | |
As per the letter under reference, the Prayagraj Division replied that CRIS has not made this facility available to them; for this reason I am having to seek the above information from you under RTI.
CRIS is requested to kindly provide the above information.
The above information is connected with my life and career, and it is very important for me to know it."
The CPIO furnished a reply to the Appellant on 08-02-2023 stating as under:
"Applicant has sought certain information related to permission granted by User Id- ADMINALDP03 of IPAS and given a format for this information.
Information sought by the applicant as per the format given is not maintained in the IPAS and hence the same is not available to be provided to the applicant."
Being dissatisfied, the appellant filed a First Appeal dated 16-02-2023. The FAA vide its order dated 23-02-2023, upheld the reply of CPIO.
CIC/CFRIS/A/2023/613914
Information sought:
The Appellant filed an RTI application dated 28-11-2022 seeking the following information:
"With reference to the above subject, it is submitted that the applicant was working as Assistant Personnel Officer (APO) in the Allahabad Division of North Central Railway. For preparing salary in IPAS, I was issued IPAS ID- NCR02PBL1002 (Gazetted ID) & ADMINALDP03 (Admin ID); kindly provide the following information relating to this ID.
Applicant's IPAS EMP No-33229810935, current Registered Mobile No- 9455620325, old 9794837604.
1- A list may be provided of the OTP (One Time Password) numbers received during login of NCR02PBL1002 from 01.04.2019 to 17.07.2019, and of when each OTP was issued and until when it was valid. In this format, if it can be made available -
Login ID | Emp No | OTP | OTP Generated on (Date & Time) | OTP valid upto (Date & Time)
NCR02PBL1002 | 33229810935 | | |
2- When NCR02PBL1002 was logged in between 01.04.2019 and 17.07.2019 (IPAS Log list), and which OTP number was entered during these logins. In this format, if it can be made available -
Login ID | Emp No | IP Address | Log In (Date & Time) | Log Out (Date & Time) | OTP
NCR02PBL1002 | 33229810935 | | | |
"
The CPIO furnished a reply to the Appellant on 21-12-2022 stating as under:
"During the period 01.04.2019 to 17.07.2019, for any user ID, on the first login of the day an OTP was received on the mobile number given by the user, and the validity of that OTP remained for a maximum of 4 days from the time of its use."
Being dissatisfied, the appellant filed a First Appeal dated 10-01-2023. The FAA vide its order dated 30-01-2023, held as under:-
"(i) OTP is used for second level of authentication for logging in IPAS application and stored in encrypted format.
(ii) In the instant case details of OTP as sought by the applicant in the desired format is not maintained in the IPAS Application. Hence, information in the sought format is unavailable and hence can not be provided.
(iii) Maximum validity of the OTP for the desired period as sought by the applicant vide Registration No. CFRIS/R/E/22/00366 dated 28-11-2022 has already been provided online to the applicant on 21-12-2022.
(iv) OTP is used for facilitating login by authorized users. It is observed that in the instant case all details of login with time etc. for the User ID NCR02PBL1002 as sought by the Applicant, have already been provided by EDPM/NCR, PRYJ vide letter No. EDPM/PRYJ/RTI/22 dated 15-11-2022."
Feeling aggrieved and dissatisfied, the appellant approached the Commission with the instant Second Appeals on the ground that the information has not been provided in the form in which it might have existed.
Relevant Facts emerged during Hearing:
The following were present:-
Appellant: Present through video-conference.
Respondent: Shri Virender Kumar Setia, CM/APIO accompanied with Shri Vaibhav Datt Jowhari, PDE/AIMS, Shri Kalyan Singh Meena, AM/AIMS and Shri Harish Chandra Banga, AM/AIMS (all from CRIS) present in person.
The Appellant while reiterating the contents of RTI Applications stated that information/requested data are maintained by CRIS under the control of Railway authority; therefore, it must be available with the Respondent and be provided as exists, since it pertains to his own Admin Id for which a vigilance case is ongoing against the Appellant.
Written submissions dated 01-05-2024 have been filed by the Respondent with the Commission, contents of which case-wise are reproduced below -
CIC/CFRIS/A/2023/614134
"2. It is brought to the notice of Hon'ble Commission that "Centre for Railway Information Systems (CRIS) is an organization engaged in design, development and implementation of Application Software for the Zonal Railways. Further CRIS develops Application Software for Indian Railways as per advice of Nodal Railways/Railway Board.
3. Under the RTI Act, 2005, only such information can be supplied that is available and existing and is held by the public authority. The Public Information Officer is not supposed to create information that is not a part of the record of the public authority.
4. Based on the above facts, the appellant was replied vide this office letter dated 23.02.2023 after the approval of Appellate Authority/CRIS (copy enclosed). This is reiterated please."
CIC/CFRIS/A/2023/613914
"With reference to above, Shri Lavkush sought details of OTP (One Time Password) from 01.04.2019 to 17.07.2019 of login ID NCR02PBL1002 in IPAS application.
2. As OTP (Second level of authentication password) and passwords are considered as sensitive information, it cannot be shared with any individual (Gazetted notification extract attached). This office stores OTP information in encrypted format only for a limited period due to the technical requirements. No historical data regarding OTP information is being maintained. Presently, OTP validity period is regulated by the Railway board letter vide ref No. 2022/AC-II(CC)37/1/e dated 21.12.2022.
THE GAZETTE OF INDIA: EXTRAORDINARY [PART II-SEC. 3(1)]
(h) "Password" means a secret word or phrase or code or passphrase or secret key, or encryption or decryption keys that one uses to gain admittance or access to information:
(i) "Personal information" means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.
(2) All other words and expressions used and not defined in these rules but defined in the Act shall have the meanings respectively assigned to them in the Act.
3. Sensitive personal data or information. Sensitive personal data or information of a person means such personal information which consists of information relating to:-
(i) password;
(ii) financial information such as Bank account or credit card or debit card or other payment instrument details;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history,
(vi) Biometric information;
(vii) any detail relating to the above clauses as provided to body corporate for providing service; and
(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:
provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.
4. Body corporate to provide policy for privacy and disclosure of information.- (1) The body corporate or any person who on behalf of body corporate collects, receives, possess, stores, deals or handle information of provider of information, shall provide a privacy policy for handling of or dealing in personal information including sensitive personal data or information and ensure that the same are available for view by such providers of information who has provided such information under lawful contract. Such policy shall be published on website of body corporate or any person on its behalf and shall provide for-
(i) Clear and easily accessible statements of its practices and policies;
(ii) type of personal or sensitive personal data or information collected under rule 3;
3. The appellant Shri Lavkush has been advised accordingly after the approval of Appellate Authority/CRIS (copy of the reply also enclosed)."
During the hearing, Shri Vaibhav Datt Jowhari, PDE/AIMS clarified that CRIS is not the owner of data. It only develops and maintains the software data on the requirements of Railway Board/ Central Railway, on the approval/directions of the Central Railways. If Railways asks it to provide some report and details, this is provided as per feasibility and based on records available. They have no authority to create any software for retrieval/ upkeep of database without the permission of the superior authorities which in this case is Northern Central Railway or Railway Board.
Post hearing, on the advice of the bench, the Respondent filed additional written submissions, contents of which (case-wise) are reproduced below-
CIC/CFRIS/A/2023/614134
"1. Report as desired by the appellant is not available and maintained in IPAS software by CRIS.
2. CRIS is not the owner of data. It only develops and maintains the software data as custodian as per the requirement given by Railway Board and Nodal Railway. If Railways asks it to provide some report and details, this is provided as per feasibility and based on records available.
3. The data/details as sought by appellant is more than 5 years old pertaining to year 2019, it will need to be seen through suitable reports whether the data/details as desired actually exists in the database."
CIC/CFRIS/A/2023/613914
"CRIS maintains OTP information in encrypted format only for a limited period of 4 hours only and no historical data regarding OTP is being maintained.
Maximum validity of OTP is regulated by Railway Board's letter No 2022/AC-II(CC)37/1/e dated 27.12.2022. Copy of this letter was provided to CIC for records during hearing which read as under -
"CENTRE FOR RAILWAY INFORMATION SYSTEMS
(An organization of Ministry of Railways, Govt. of India)
No.: 2018/CRIS/NDLS-HQ/AIMS/R&BARB0894 Dated: 24.11.2022
Principal Executive Director (Accounts)
Railway Board
Rail Bhawan
New Delhi
Sub.: Strengthening Security of IPAS
National Critical Information Infrastructure Protection Centre (NCIIPC) vide their mail dated 13/09/2022 reported Board that a suspected phishing Domain (aimsindianrailwaysgov.com) was registered, which resembled "Accounting Information Management System (AIMS)" of Indian Railways (aims.indianrailways.gov.in). NCIIPC asked Board to take appropriate action to get the Suspected Phishing Domain removed/suspended urgently, to prevent malicious use of this domain. Based on the information received from Board, CRIS approached Godaddy.com (an Internet Domain Registration company) and got the fake website removed.
Certain incidences of sharing of Login Credentials (Login ID, Password & OTP) are also suspected in field working conditions.
In order to further strengthen security of IPAS with respect to:
1. Issues with fake websites
2. Issues with sharing of Password/OTP by users,
a document has been prepared by CRIS suggesting steps/ measures/changes in the "Login" functionality of IPAS. The suggested measures are being proposed balancing the security of the system with operational ease/ flexibility. The detailed document is hereby annexed. The development of the same is already underway. If approved by Board, the same will be released in Production environment.
Submitted for kind approval, please.
*** (Vineet Dwivedi) GM/AIMS"
Lastly, Respondent agreed to check the records of log In-out of 2019, as sought in case File No. CIC/CFRIS/A/2023/614134 and if available, provide the same to Appellant and in case File No. CIC/CFRIS/A/2023/613914, Respondent volunteered to furnish a copy of SoP/ Guidelines regarding retention of OTP for 4 hours only to the Appellant.
Decision:
The Commission, after adverting to the facts and circumstances of the case, hearing both the parties and perusal of the records observes that the information sought by the Appellant pertains to his own vigilance case which he desires to defend his case. Therefore, the Commission deems it fit to direct the Respondent case-wise as under -
CIC/CFRIS/A/2023/614134.
Respondent is directed to check their office records and provide available updated information regarding Permission IN-OUT and withdrawn permission of User Id- ADMINALDP03 of IPAS for the period mentioned in the RTI Application. In the event that the information sought is not available, a categorical statement to that effect in writing is to be provided by the Respondent. This direction should be complied with by the Respondent within 4 weeks from the date of receipt of this order.
CIC/CFRIS/A/2023/613914.
Respondent is directed to provide an updated and revised reply along with a copy of the SoP/ Guidelines/ Rules which govern the system for maintenance of OTP for login through IPAS, within 4 weeks from the date of receipt of this order.
First Appellate Authority to ensure compliance with the above-mentioned directions.
The instant Appeals are disposed of accordingly.
Vinod Kumar Tiwari
Information Commissioner
Authenticated true copy
(S. Anantharaman)
Dy. Registrar
011-26181927
Date
Copy To:
The FAA, Centre for Railway Information System (CRIS), Safdarjung Railway Station, Chanakyapuri, New Delhi - 11001
Recommendation(s) to PA under section 25(5) of the RTI Act, 2005:-
Nil