Andhra Pradesh Core Digital Data Authority (Effective Delivery of e-Services) Act, 2017

(Act No. 15 of 2017)

ap255

[Date 29.5.2017.]

An Act to Provide for Collection of Core Data For the Purposes of Providing an Efficient, Transparent, and Convenient Digital Services to the Citizens and Business Community of the State and for Providing Good Governance, and For Matters Connected Therewith or Incidental Thereto.

Be it enacted by the Legislature of Andhra Pradesh in the Sixty-eighth Year of the Republic of India as follows:-

CHAPTER I

Preliminary

Short title, extent, application and commencement.- (1) This Act may be called The Andhra Pradesh Core Digital Data Authority (Effective Delivery of e-Services) Act, 2017.

(2) It shall extend to the whole of the State of Andhra Pradesh and save as otherwise provided in this Act, it shall also apply to any offence or contravention thereunder committed outside Andhra Pradesh by any person.

(3) It shall come into force on such date as the State Government may, by notification in the Andhra Pradesh Gazette, appoint.

Definition.- In this Act, unless the context otherwise requires,-

(a) "Authentication" means the process by which the core data of a core entity is submitted to the Core Data Repository for its verification and such Repository verifies the correctness, or the lack thereof, on the basis of information available with it;

(b) "Authentication Record" means the record of the time of authentication and identity of the requesting entity and the response provided by the Authority thereto;

(d) "Chairperson" means the Chairperson of the Authority appointed under section 1 1;

(e) "Core Data Collection" means the process, as may be specified by regulations, to collect core data from individuals and organizations as may be the case, by the core data agencies for the purpose of providing services;

(f) "Core Data Collection Agency (CDCA)" means an agency appointed by the Authority or by the "Owner of Core Digital Data (OCDD)", as the case may be, for collecting core digital data under this Act, and transmitting it automatically and securely to the Core Digital Data Repository ;

(g) "Core Digital Data" means the essential and minimal data about core entities and collected, transmitted, stored, maintained secured and processed in a digital form, in the course of or for the purpose of providing efficient, transparent and convenient digital services to the citizens and the business community of the State and for providing good governance

(h) "Core Digital Data Repository (CDDR)" means a centralised database in one or more locations containing the core digital data and other information related thereto;

(i) "Core Data Service Agency (CDSA)" means the organisation authorized by the owner to access the core data for the purposes of processing the same in a manner defined by the owner and providing services specified or approved by the owner;

(j) "Core Entity" means a physical or artificial juridical person, property or thing, namely,

(i) the households in the State,

(ii) the land parcels and immoveable properties attached thereto,

(iii) the artificial juridical persons or establishments registered or operating in the State, and

(iv) the sensors and intelligent devices deployed for capturing and communicating information to central servers.

(k) "Custodian of Core Digital Data (CCDD)" means the legal entity with the rights to hold and manage the Core Digital Data on behalf of the owners of such Core Digital Data, and includes the agencies notified by the custodian for holding and managing the Core Digital Data;

(I) "Member" includes the Chairperson and Member of the Authority appointed under section 11;

(m) "Notification" means a notification published in the Andhra Pradesh Gazette and the expression "notified" with its cognate meanings and grammatical variations shall be construed accordingly;

(n) "Owner of Core Digital Data (OCDD)" or "owner" means the entity, which is notified through a regulation, to have the full legal rights of ownership and control of the Core Digital Data and obliged by such notification to be responsible for the manner in which such a data is used;

(o) "Prescribed" means prescribed by rules made by the State Government or Authority under this Act;

(P) "Regulations" means the regulations made by the Authority under this Act;

(q) "Requester" means an agency or person that submits the UNICORE of a core entity, and such other information as may be required by regulation, to the Core Digital Data Repository for authentication;

(r) "Service" means any provision, facility, utility or any other assistance provided in any form to an individual or a group of individuals and includes such other services as may be notified by the State Government;

(s) "Steward of Core Digital Data" means a person designated by name and position by the owner to be responsible for the security, privacy and appropriate use of the Core Digital Data;

(t) "Unique Number for Identification of Core Entity (UNICORE)" means the number assigned to a core entity in such method as may be notified by regulation, and different methods may be prescribed for assigning UNICOREs to different types of core entities.

CHAPTER II

Collection of Core Digital Data

Unicore number.- (1) Every core entity in the State shall be assigned a Unique Number called UNICORE number by collecting the core data and following such processes as may be notified in a regulation.

(2) The Core Data Collection Agency (CDCA) shall, at the time of collecting the core data, inform the core entity or the owner thereof,as the case may be, of the following details in such manner as may be specified by regulations, namely:-

(a) the manner in which the data shall be used;

(b) the nature of recipients with whom the data is intended to be shared;and

(c) the existence of a right to access the data, the procedure for making requests for such access, and details of the person or department in-charge to whom such requests can be made.

(3) On receipt of the core data under sub-section (1), the Authority shall, after verifying the data, in such manner as may be specified by regulations, issue a UNICORE number to such core entity.

Properties of Unicore number.- (1) A UNICORE number, issued to a core entity shall not be reassigned to any other entity.

(2) The UNICORE number shall be in such a format and have such attributes as the Authority may notify, and shall enable identification of the core entity to which it relates. The Authority may notify different formats and attributes for different types of core entities. The Authority may also assign appropriate distinct names to different categories of UNICORE numbers.

(3) A UNICORE number, in physical or electronic form subject to authentication and other conditions, as may be specified by regulations, may be accepted as proof of the existence of a distinct core entity and, as may be the case, its location.

Explanation. - For the purposes of this sub-section, the expression "electronic form" shall have the same meaning as assigned to it in clause (r) of sub-section (1) of section 2 of the Information Technology Act, 2000.

Special measures for issuance of Unicore number to certain category of persons.- (1) The Authority may require the core entities or the owners thereof to update the core data, from time to time, in such manner as may be specified by regulations, so as to ensure continued accuracy of their information in the Core Digital Data Repository.

(2) The Authority may also take such steps as may be specified in appropriate regulations so as to ensure that the core data remains accurate and current.

CHAPTER III

Authentication of Core Entity

Proof of Unicore necessary or receipt of services.- The State Government may, for the purpose of establishing the identity and the attributes of a core entity as a condition for receipt of a service for which the core data is required, require that such core entity to undergo authentication, or furnish proof of possession of a UNICORE number or in the case of an entity for which no UNICORE number has been assigned, such entity or its owner, as the case may be,makes an application for issuance of a UNICORE number:

Provided that if a UNICORE number is not assigned to an entity, the entity or the owner thereof as the case may be, shall be offered alternate and viable means of identification for delivery of the service.

Authentication of Unicore number.- (1) The Authority shall perform authentication of the UNICORE number of a core entity submitted by any requester, in relation to its core data, subject to such conditions and on payment of such fees and in such manner as may be specified by regulations.

(2) A requester shall-

(a) unless otherwise provided in this Act, obtain the consent of the entity before collecting core data for the purposes of authentication in such manner as may be specified by regulations; and

(b) ensure that the core data of an entity is only used for submission to the Core Digital Data Repository for authentication.

(3) A requester shall inform, in such manner as may be specified by regulations, the core entity submitting its core data for authentication, the following details with respect to authentication, namely:-

(a) the nature of information that may be shared upon authentication;

(b) the uses to which the information received during authentication may be put by the requester; and

(4) The Authority shall respond to an authentication query with a positive, negative or any other appropriate response sharing, such core data.

Unicore number not evidence of ownership or rights.- The UNICORE number or the authentication thereof shall not, by itself, confer any right of, or be proof of, ownership or rights in respect of the core entity.
Core Digital Date Repository.- The Authority may engage one or more entities to establish and maintain the Core Digital Data Repository and to perform in any other functions as may be specified by regulations.

CHAPTER IV

Core Digital Data Authority

Establishment of Authority.- (1) The State Government shall, by notification, establish an Authority to be called as the Andhra Pradesh Core Digital Data Authority to be responsible for prescribing the processes of collection, transmission, storage and archival of core data and authentication thereof on a request and for performing such other functions assigned to it under this Act.

(2) The Authority shall be a body corporate by the name aforesaid, having perpetual succession and a common seal, with power, subject to the provisions of this Act, to acquire, hold and dispose of property, both movable and immovable, and to contract, and shall, by the said name, sue or be sued.

(3) The head office of the Authority shall be in Amaravati.

(4) The Authority may, with the prior approval of the State Government, establish its offices at other places in the State.

Composition of Authority.- The Authority shall consist of a Chairperson, appointed on part-time or full- time basis, three part-time Members, and the Chief Executive Officer, who shall be Member-Secretary of the Authority, to be appointed by the Government.
Qualifications for appointment of Chairperson and Members of Authority.- Term of office and other condition of service of Chairperson and members. The Chairperson and Members of the Authority shall be persons of ability and integrity having experience and knowledge of at least ten years in matters relating to technology, governance, law, development, economics, finance, management, public affairs or administration.
Term of office and other conditions of service of Chairperson and members.- (1) The Chairperson and the Members appointed under this Act shall hold office for a term of three years from the date on which they assume office and shall be eligible for re-appointment:

Provided that no person shall hold office as the Chairperson or Member after he has attained the age of sixty-five years.

(2) The Chairperson and every Member shall, before entering office, make and subscribe to, an oath of office and of secrecy, in such form and in such manner and before such Authority as may be prescribed.

(3) Notwithstanding anything contained in sub-section (1), the Chairperson or Member may,-

(a) relinquish his office, by giving in writing to the State Government, a notice of not less than thirty days; or

(b) be removed from his office in accordance with the provisions of section 14.

(4) The salaries and allowances payable to, and the other terms and conditions of service of, the Chairperson and allowances or remuneration payable to part-time Members shall be such as may be prescribed.

Removal of Chairperson and Members.- (1) The State Government may remove from office, the Chairperson, or a Member, who,-

(a) is, or at any time has been adjudged as insolvent;

(b) has become physically or mentally incapable of acting as the Chairperson or, as the case may be, a Member;

(d) has acquired such financial or other interest as is likely to affect pre-judicially his functions as the Chairperson or, as the case may be, a Member; or

(e) has, in the opinion of the Government, so abused his position as to render his continuance in office detrimental to the public interest.

(2) The Chairperson or a Member shall not be removed under clause (b), clause (d) or clause (e) of sub-section (1) unless he has been given a reasonable opportunity of being heard.

Restriction as Chairperson or members on employment after cessation of office.- The Chairperson or a Member on ceasing to hold office for any reason, shall not, without previous approval of the State Government,-

(a) accept any employment in, or be connected with the management of any organisation, company or any other entity which has been associated with any work done or contracted out by the Authority, whether directly or indirectly, during his tenure as Chairperson or Member, as the case may be, for a period of three years from the date on which he ceases to hold office:

Provided that nothing contained in this clause shall apply to any employment under the State Government or the Central Government or local authority or in any statutory authority or any corporation established by or under any Central, State or provincial Act or a Government Company, as defined in clause (45) of section 2 of the Companies Act, 2013;

(b) act, for or on behalf of any person or organisation in connection with any specific proceeding or transaction or negotiation or a case to which the Authority is a party and with respect to which the Chairperson or such Member had, before cessation of office, acted for or provided advice to, the Authority;

(c) give advice to any person using information which was obtained in his capacity as the Chairperson or a Member and being unavailable to or not being able to be made available to the public; or

(d) enter, for a period of three years from his last day in office, into a contract of service with, accept an appointment to a board of directors of, or accept an offer of employment with, an entity with which he had direct and significant official dealings during his term of office.

Functions of Chairperson.- The Chairperson shall preside over the meetings of the Authority, and without prejudice to any provision of this Act, exercise and discharge such other powers and functions of the Authority as may be prescribed.
Chief Executive Officer.- (1) There shall be a Chief Executive Officer of the Authority, not below the rank of a Joint Secretary to a State Government, to be appointed by the State Government.

(2) The Chief Executive Officer shall be the legal representative of the Authority and shall be responsible for,-

(a) the day-to-day administration of the Authority;

(b) implementing the work programmes and decisions adopted by the Authority;

(d) the preparation of the statement of revenue and expenditure and the execution of the budget of the Authority; and

(e) performing such other functions, or exercising such other powers, as may be specified by regulations.

(3) Every year, the Chief Executive Officer shall submit to the Authority for approval-

(a) a general report covering all the activities of the Authority in the previous year;

(b) programmes of work;

(d) the budget for the coming year.

Meetings of Authority.- (1) The Authority shall meet at such times and places and shall observe such rules of procedure in regard to the transaction of business at its meetings, including quorum at such meetings, as may be specified by regulations.

(2) The Chairperson, or, if for any reason, he is unable to attend a meeting of the Authority, the senior most Member shall preside over the meetings of the Authority.

(3) All questions which come up before any meeting of the Authority shall be decided by a majority of votes by the Members present and voting and in the event of an equality of votes, the Chairperson or in his absence the presiding Member shall have a casting vote.

(4) If any Member, who is a director of a company and who as such director, has any direct or indirect pecuniary interest in any manner coming up for consideration at a meeting of the Authority, he shall, as soon as possible after relevant circumstances have come to his knowledge, disclose the nature of his interest at such meeting and such disclosure shall be recorded in the proceedings of the Authority, and the Member shall not take part in any deliberation or decision of the Authority with respect to that matter.

Officers and other employees of Authority.- (1) The Authority may, with the approval of the Government, determine the number, nature and categories of other officers and employees required by the Authority in the discharge of its functions.

(2) The salaries and allowances payable to, and the other terms and conditions of service of, the Chief Executive Officer and other officers and other employees of the Authority shall be such as may be specified by regulations with the approval of the Government.

Powers and Functions of Authority.- (1) The Authority shall develop the policy, procedure and systems for issuing UNICORE numbers to core entities and perform authentication thereof under this Act.

(2) Without prejudice to sub-section (1), the powers and functions of the Authority, inter alia, include,-

(a) specifying, by regulations, core data required for issuing a UNICORE number and the processes for collection and verification thereof;

(b) collecting core data in such manner as may be specified by regulations;

(d) generating and assigning UNICORE numbers to core entities;

(e) performing authentication of UNICORE numbers;

(f) maintaining and updating the core data in the Core Digital Data Repository in such manner as may be specified by regulations;

(g) omitting and deactivating of a UNICORE number and information relating thereto in such manner as may be specified by regulations;

(h) specifying the manner of use of core data for the purposes of providing or availing of various services and other purposes for which it may be used;

(i) specifying, by regulations, the terms and conditions for appointment of core data collection agencies and service providers and revocation of appointments thereof;

(j) sharing, in such manner as may be specified by regulations, the core data, subject to the provisions of this Act;

(k) calling for information and records, conducting inspections, inquiries and audit of the operations for the purposes of this Act of the Core Digital Data Repository, core data collection agencies and other agencies appointed under this Act;

(l) specifying, by regulations, various processes relating to data management, security protocols and other technology safeguards under this Act;

(m) levying and collecting the fees or authorising the owners, core data collection agencies or other service providers to collect such fees for the services provided by them under this Act in such manner as may be specified by regulations;

(n) promoting research and development for advancement in data management and related areas, including usage of UNICORE numbers through appropriate mechanisms;

(o) such other powers and functions as may be prescribed.

CHAPTER V

Grants, Accounts and Audit and Annual Report

Grants by State Government.- The State Government may, make to the Authority, grants of such sums of money as it may think fit for being utilised for the purposes of this Act.
Accounts and Audit.- (1) The Authority shall maintain proper accounts and other relevant records and prepare an annual statement of accounts in such form as may be prescribed by the Government

(2) The accounts of the Authority shall be audited annually by the Comptroller and Auditor-General of India at such intervals as may be specified by him and any expenditure incurred in connection with such audit shall be payable by the Authority to the Comptroller and Auditor-General.

(3) The Authority shall prepare, once in every year, and in such form and manner and at such time as may be prescribed, an annual report giving,-

(a) a description of all the activities of the Authority for the previous years;

(b) the annual accounts for the previous year; and

(4) A copy of the report received under sub-section (2) shall be laid by the State Government, as soon as may be after it is received, before each House of Legislature.

CHAPTER VI

Protection and Maintenance of Core Digital Data

Security and Confidentiality of information.- (1) The Authority shall ensure the security of core digital data Security and and authentication records of the same. Confidentiality of information.

(2) Subject to the provisions of this Act, the Authority shall ensure confidentiality of core data and authentication records of core entities, unless such information has been declared as public record by the law for the time being in force.

(3) The Authority shall take all necessary measures to ensure that the information in the possession or control of the Authority, including information stored in the Core Digital Data Repository, is secured and protected against access, use or disclosure not permitted under this Act or regulations made thereunder, and against accidental or intentional destruction, loss or damage.

(4) Without prejudice to sub-sections (1) and (2), the Authority shall,-

(a) adopt and implement appropriate technical and organisational security measures;

(b) ensure that the agencies, consultants, advisors or other persons appointed or engaged for performing any function of the Authority under this Act, have in place appropriate technical and organisational security measures for the information; and

(c) ensure that the agreements or arrangements entered into with such agencies, consultants, advisors or other persons, it-lipase obligations equivalent to those imposed on the Authority under this Act, and require such agencies, consultants, advisors and other persons to act only on instructions from the Authority.

(5) Notwithstanding anything contained in any other law for the time being in force, and save as otherwise provided in this Act, the Authority or any of its officers or other employees or any agency that maintains the Core Digital Data Repository shall not, whether during his service or thereafter, reveal any information stored in the Core Digital Data Repository or authentication record to anyone:

Restriction on sharing Core Data.- The core data, collected or created under this Act may be shared only in accordance with the provisions of this Act and in such manner as may be specified by regulations.
Alteration of Core Data.- (1) In case any core data is found incorrect or changes subsequently, the UNICORE number holder shall request the Authority to alter such data in the Core Digital Data Repository in such manner as may be specified by regulations.

(2) On receipt of any request under sub-section (1), the Authority may, if it is satisfied, make such alteration as may be required in the record relating to such entity and intimate such alteration to the concerned UNICORE number holder.

(3) The Authority may, by regulation, permit a change in the core digital data, as a consequence of or incidental to a transaction or event that necessitates or has the effect of changing any element of a core digital data, and in all such cases, the Authority shall ensure that the aforesaid transaction shall be completed only after the aforesaid change has been committed simultaneously and in an automated manner in the databases of the Authority and of the owner of such core digital data, so as to ensure that the core digital data maintained by the Authority remains current and is always held to be the single source of truth in respect of such data.

(4) The Authority may prescribe, by regulations, the appropriate procedures, application programming interfaces and standards for the purposes of giving effect to the requirements of sub-section (3).

Disclosure of information in certain cases.- (1) Nothing contained in section 23 or 24 shall apply in respect of any disclosure of information, including identity information or authentication records, made pursuant to an order of a court not inferior to that of a District Judge:

Provided that no order by the court under this sub-section shall be made without giving an opportunity of hearing to the Authority.

(2) Nothing contained in section 23 or section 24 shall apply in respect of any disclosure of information, including identity information or authentication records, made in the interest of national security in pursuance of a direction of an officer not below the rank of Joint Secretary to the State Government specially authorised in this behalf by an order of the Government

CHAPTER VII

Offences and Penalties

Penalty for impersonation at the time of enrolment.- Whoever, with the intention of causing harm or mischief to the holder of a UNICORE number, or changes or attempts to change any core data shall be punishable with imprisonment for a term which may extend to one year and shall also be liable to a fine which may extend to ten thousand rupees.
Penalty for impersonation.- Whoever, not being authorised to collect core data under the provisions of this Act, by words, conduct or demeanour pretends that he is authorised to do so, shall be punishable with imprisonment for a term which may extend to one year or with a fine which may extend to ten thousand rupees or, in the case of a company, with a fine which may extend to one lakh rupees or with both.
Penalty for unauthorised access to the Core Digital Data Repository.- Whoever, not being authorised by the Authority, intentionally,-

(a) accesses or secures access to the Core Digital Data Repository;

(b) downloads, copies or extracts any data from the Repository or stored in any removable storage medium;

(d) damages or causes to be damaged the data in the Repository;

(e) disrupts or causes disruption of the access to the Repository;

(f) denies or causes a denial of access to any person who is authorised to access the Repository;

(g) reveals, shares, uses any core data in contravention of the Act, or

(h) steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used by the Authority with an intention to cause damage, shall be punishable with imprisonment for a term which may extend to one year and shall also be liable to a fine which shall not be less than one lakh rupees.

Penalty for unauthorised use by request entity.- Whoever, being a requester, uses the core data in contravention of the Act, shall be punishable with imprisonment which may extend to one year or with a fine which may extend to ten thousand rupees or, in the case of a company, with a fine which may extend to one lakh rupees or with both.
Penalty for non-compliance with intimation requirements.- Whoever, being a Core Data Collection Agency or a requester, fails to comply with the requirements of the Act, shall be punishable with imprisonment which may extend to one year or with a fine which may extend to ten thousand rupees or, in the case of a company, with a fine which may extend to one lakh rupees or with both.
General Penalty.- Whoever commits an offence under this Act or any rules or regulations made thereunder for which no specific penalty is provided elsewhere than this section, shall be punishable with imprisonment for a term which may extend to one year or with a fine which may extend to twenty-five thousand rupees or, in the case of a company, with a fine which may extend to one lakh rupees, or with both.
Act to apply for offence or contravention committed outside India.- (1) Subject to the provisions of sub-section (2), the provisions of this Act shall apply also to any offence or contravention committed outside India by any person, irrespective of his nationality.

(2) For the purposes of sub-section (1), the provisions of this Act shall apply to any offence or contravention committed outside India by any person, if the act or conduct constituting the offence or contravention involves any data in the Repository.

Cognizance of offences.- (1) No court shall take cognizance of any offence punishable under this Act, save on a complaint made by the Authority or any officer or person authorised by it.

(2) No court inferior to that of a Chief Metropolitan Magistrate or a Chief Judicial Magistrate shall try any offence punishable under this Act.

CHAPTER VIII

Miscellaneous

Power of State Government to issue directions.- (1) Without prejudice to the foregoing provisions of this Act, the Authority shall, in exercise of its powers or the performance of its functions under this Act be bound by such directions, as the State Government may give, in writing to it, from time to time:

Provided that the Authority shall, as far as practicable, be given an opportunity to express its views before any direction is given under this sub-section:

Provided further that nothing in this section shall empower the State Government to issue directions pertaining to technical or administrative matters undertaken by the Authority.

(2) The decision of the State Government shall be final.

Delegation.- The Authority may, by general or special order in writing, delegate to any Member, officer of the Authority or any other person, subject to such conditions, if any, as may be specified in the order, such of its powers and functions under this Act as it may deem necessary.
Protection of action taken in good faith.- No suit, prosecution or other legal proceeding shall lie against the State Government or the Authority or the Chairperson or any Member or any officer, or other employees of the Authority for anything which is in good faith done or intended to be done under this Act or the rule or: regulation made thereunder.
Power of State Government to make rules.- (1) The State Government may, by notification, make rules to carry out the provisions of this Act.

(2) Every rule made by the State Government, under this Act shall be laid, as soon as may be after it is made, before each House of State Legislature, while it is in session, for a total period of fourteen days which may be comprised in one session or in two or more successive sessions, and if, before the expiry of the session immediately following the session or the successive sessions aforesaid, both Houses agree in making any modification in the rule or both Houses agree that the rule should not be made, the rule, shall thereafter have effect only in such modified form or be of no effect, as the case may be; so, however, that any such modification or annulment shall be without prejudice to the validity of anything previously done under that rule.

Power of Authority to make regulations.- The Authority may, by notification, make regulations consistent with this Act and the rules made thereunder, for carrying out the provisions of this Act.
Application other laws not barred.- The provisions of this Act shall be in addition to, and not in derogation of, any other law for the time being in force.
Power to remove difficulties.- (1) If any difficulty arises in giving effect to the provisions of this Act, the State Government may, by order, published in the Andhra Pradesh Gazette, make such provisions not inconsistent with the provisions of this Act as may appear to be necessary for removing the difficulty:

Provided that no such order shall be made under this section after the expiry of three years from the commencement of this Act.

(2) Every order made under this section shall be laid, as soon as may be after it is made, before each House of Legislature.