19. Accuracy and security of credit information.—A credit information company or credit
institution or specified user, as the case may be, in possession or control of credit information, shall take
such steps (including security safeguards) as may be prescribed, to ensure that the data relating to the
12
credit information maintained by them is accurate, complete, duly protected against any loss or
unauthorised access or use or unauthorised disclosure thereof.
20. Privacy principles.—Every credit information company, credit institution and specified user,
shall adopt the following privacy principles in relation to collection, processing, collating, recording,
preservation, secrecy, sharing and usage of credit information, namely:—
(a) the principles—
(i) which may be followed by every credit institution for collection of information from its
borrowers and clients and by every credit information company, for collection of information
from its member credit institutions or credit information companies, for processing, recording,
protecting the data relating to credit information furnished by, or obtained from, their member
credit institutions or credit information companies, as the case may be, and sharing of such data
with specified users;
(ii) which may be adopted by every specified user for processing, recording, preserving and
protecting the data relating to credit information furnished, or received, as the case may be, by it;
(iii) which may be adopted by every credit information company for allowing access to
records containing credit information of borrowers and clients and alteration of such records in
case of need to do so;
(b) the purpose for which the credit information may be used, restriction on such use and
disclosure thereof;
(c) the extent of obligation to check accuracy of credit information before furnishing of such
information to credit information companies or credit institutions or specified users, as the case may
be;
(d) preservation of credit information maintained by every credit information company, credit
institution, and specified user as the case may be (including the period for which such information
may be maintained, manner of deletion of such information and maintenance of records of credit
information);
(e) networking of credit information companies, credit institutions and specified users through
electronic mode;
(f) any other principles and procedures relating to credit information which the Reserve Bank may
consider necessary and appropriate and may be specified by regulations.
21. Alteration of credit information files and credit reports.—(1) Any person, who applies for
grant or sanction of credit facility, from any credit institution, may request to such institution to furnish
him a copy of the credit information obtained by such institution from the credit information company.
(2) Every credit institution shall, on receipt of request under sub-section (1), furnish to the person
referred to in that sub-section a copy of the credit information subject to payment of such charges, as may
be specified by regulations, by the Reserve Bank in this regard.
(3) If a credit information company or specified user or credit institution in possession or control of
the credit information, has not updated the information maintained by it, a borrower or client may request
all or any of them to update the information; whether by making an appropriate correction, or addition or
otherwise, and on such request the credit information company or the specified user or the credit
institution, as the case may be, shall take appropriate steps to update the credit information within thirty
days after being requested to do so:
Provided that the credit information company and the specified user shall make the correction,
deletion or addition in the credit information only after such correction, deletion or addition has been
certified as correct by the concerned credit institution:
Provided further that no such correction, deletion or addition shall be made in the credit information if
any dispute relating to such correction, deletion or addition is pending before any arbitrator or tribunal or
court and in cases where such dispute is pending, the entries in the books of the concerned credit
institution shall be taken into account for the purpose of credit information.
13
22. Unauthorised access to credit information.—(1) No person shall have access to credit
information in the possession or control of a credit information company or a credit institution or a
specified user unless the access is authorised by this Act or any other law for the time being in force or
directed to do so by any court or tribunal and any such access to credit information without such
authorisation or direction shall be considered as an unauthorised access to credit information.
(2) Any person who obtains unauthorised access to credit information as referred to in sub-section (1)
shall be punishable with fine which may extend to one lakh rupees in respect of each offence and if he
continues to have such unauthorised access, with further fine which may extend to ten thousand rupees
for every day on which the default continues and such unauthorised credit information shall not be taken
into account for any purpose.