India's government has granted its Computer Emergency Response Team, CERT-In, an exemption from RTI purview. Giving this body an equivalent status to that of an intelligence agency. Though the reasons for this change have not been explicitly stated.
That case rated to India's sudden decision in 2022 to require businesses of all sizes to report infosec incidents to CERT-IN within six hours of detection. The rapid reporting brought with it itself software attacks and other critical messes. CERT-in justified the rules as necessary to defend the nation's cyberspace. The plan gathered international criticism as it didn't meet the set deadline of notifying authorities of data breaches.
The RTI Act enacted in 2005 said that the Act shall not apply to intelligence and security organizations provided that the information concerning allegations of human rights violations shall not be excluded. There are 26 other intelligence and security organizations established by the Central Government such as the Intelligence Bureau and Analysis Wing, Directorate of Enforcement.
The CERT-In has been probing major cyber attacks in the recent past. It was the first to respond when a cyber attack had crippled the All India Institute of Medical Sciences
The exemption of CERT-In from RTI purview, aligning it with intelligence agencies, raises concerns about transparency. The move, possibly linked to the mandatory reporting of infosec incidents, garnered international criticism for not meeting data breach notification deadlines. The RTI Act's provisions exempt intelligence organizations, but scrutiny remains essential for a balanced approach.
. . .
Reference:
- theregister.com
- m.thewire.in
- m.slashdot.org