CBDT issues Information Security Guidelines to stop disclosure of taxpayer’s information

Dated: July 10, 2015

Confidentiality of taxpayer information has always been a fundamental cornerstone of tax systems. The tax administration is obliged to keep the information submitted by taxpayers, including their sensitive financial and personal information, confidential and is required to take steps to ensure that it is not disclosed inappropriately, either intentionally or by accident. Maintaining the confidentiality of taxpayers' information has assumed greater significance in view of the increased availability of information regarding offshore tax evasion and tax avoidance and the stashing of unaccounted money abroad. The information and/or evidence of such tax avoidance/evasion and the underlying criminal activity is often located outside the territorial jurisdiction and is obtained only through bilateral and multilateral cooperation amongst countries/jurisdictions.

2. The Government of India has played an important role on international forums in developing international consensus for such cooperation as per globally accepted norms. The Government of a country/jurisdiction will, however, agree to exchange information with another country only if the information exchanged is kept confidential, used only for the specified purposes and disclosed only to authorized person(s) in accordance with the agreement on the basis of which it is exchanged. It is therefore essential, for continued assistance by the treaty partners of India, that the information received is kept confidential and is used and disclosed strictly as per the terms of the Agreement.

3. An Information Security Committee (ISC) has been constituted in the Central Board of Direct Taxes (CBDT) under the chairmanship of Member (IT) through orders F. No. 500/137/2011-FTTR-III dated 7th April, 2015 and 19th June, 2015 with a view to putting in place a robust Information Security Mechanism in the Department. The ISC shall consist of a Chief Information Security Officer (CISO) and six other members. The responsibilities of the ISC and CISO are enclosed at Annexure A.

4. It has now been decided that all Cadre Controlling Pr. CCsIT should set up a Local Information Security Committee (LISC) headed by a Pr. CIT level officer and comprising CIT (Administration), two CIT level officers and two Addl./Jt. CIT level officers. Additional Commissioner (HQ) (Administration) will be the Member Secretary of the LISC. The LISC will be responsible for:

(a) Ensuring implementation of the Information Security Policies and Procedures (ISPP) issued by the CISO.

(b) Ensuring that ongoing information security awareness education and training is provided to all employees.

(c) Conducting security reviews and ensuring that action is taken to plug any identified/potential gaps.

(d) Providing monthly reports to the CISO on the status of information security, policy violations and information security incidents.

5. If an unauthorized disclosure takes place, the LISC should undertake an investigation and prepare a complete report, fixing responsibility and recommending actions to be taken against the person(s) concerned for the breach. The report should also suggest measures to be taken to avoid similar incidents in the future. Action for breach of confidentiality, including under the conduct rules and initiation of proceedings under section 280 of the Income-tax Act, 1961, may be taken in appropriate cases by the Pr. CCIT/Pr. DGIT/CCIT/DGIT concerned.

6. The information classification guidelines (based on the existing classification as per the Manual of Departmental Security Instructions issued by the Ministry of Home Affairs in 1994) are enclosed at Annexure B. All information should be classified into one of the specified categories.

7. Files/documents classified as top secret/secret/confidential/restricted need to be safeguarded since their unauthorized access or disclosure may cause embarrassment to the Government and result in breach of treaty commitments. Broad guidelines for handling such documents have been provided in the Manual on Exchange of Information issued by the CBDT in May, 2015. Detailed instructions in this regard, as incorporated in the Manual of Departmental Security Instructions issued by the Ministry of Home Affairs in 1994, must be followed while dealing with such files/documents.

8. Information security guidelines in respect of the following domains are enclosed at Annexure C.

(a) Physical and environmental security

(b) Personnel security

(c) Identity, access and privilege management

(d) Security monitoring and incident management

9. The information security guidelines consist of the following sections:

(a) Background – Provides an overview and the coverage of each domain and states the important evolutions and developments in each area.

(b) Relevance of domain to information security – Establishes the role and scope of a domain in the context of information security.

(c) Management guidelines – Provides domain-specific recommendations in the form of guidelines and objectives. These are denoted by the nomenclature "XX.G" followed by the guideline number, where XX is the code for the domain. For example, PH.G1, PH.G2, PH.G3 ...

(d) Security controls – Provides control statements which are administrative, technical, operational or procedural and need to be diligently followed. Security controls provide insight into multiple areas which need to be implemented/addressed in order to achieve the objectives laid out in the management guidelines section. These are denoted by the nomenclature "XX.C" followed by the control number, where XX is the code for the domain. For example, PH.C1, PH.C2, PH.C3 ...

(e) Implementation guidelines – Provides specific recommendations to aid implementation of the management guidelines and security controls. These are denoted by the nomenclature "XX.IG" followed by the implementation guideline number, where XX is the code for the domain. For example, PH.IG1, PH.IG2, PH.IG3 ...

(f) Adoption matrix based on information classification – Provides general guidance on the depth of implementation of the various controls, while considering the value of the information based on its classification.

10. All Cadre Controlling Pr. CCIT/Pr. DGIT (Systems)/DGsIT should take necessary steps for implementation of the above information security related guidelines. The buildings should be categorised as follows to enable implementation of the guidelines in a phased manner:

Building Category | Building Description
A | Buildings having offices of Investigation Directorate, Central Charges, I&CI, FT&TR, Systems Directorate
B | Buildings having offices of Range Heads (other than those covered under Category A)
C | Remaining buildings

11. The due dates for taking action are as under:

S. No. | Action to be taken | Action by | Due Date
1 | Setting up of Local Information Security Committee (LISC) headed by a Pr. CIT level officer | All Pr. CCIT | 31st July
2 | Submission of list of buildings under Category A and B to CISO | LISC/Pr. CCIT | 31st August 2015
3 | Implementation of Information Security Policy and Procedures (ISPP) | LISC/Pr. CCIT | Ongoing

(Rekha Shukla)
Chief Information Security Officer, CBDT
CIT (International Taxation-3), New Delhi
