Five months after its announcement, the NDA government is in a quandary over compulsory submission of Aadhaar and PAN details of top corporate executives in the e-business register following the realisation that these would be freely accessible to the public under the Companies Act. Last April, the Ministry of Corporate Affairs (MoCA) had asked individual stakeholders to obtain Aadhaar to weed out bogus entities and identify shell companies suspected to be used for laundering illicit funds.
But in a communication to the Law Ministry, MoCA has raised concerns over making Aadhaar and PAN filing mandatory for managers and directors in “MCA21” — the public portal that serves as the registry for the Registrar of Companies — as Section 399 of the Companies Act stipulates that any person can inspect these documents and obtain their certified copies to submit as “evidence in Court of Law”.
“When such proofs of identity (Aadhaar) as well as their personal information such as address etc. and other person specific numbers such as Aadhaar, bank account, PAN…are given in the documents and if the members of public access such documents, the said information would get passed on to them,” the Ministry has said.
Since the Aadhaar Act and the Information Technology Act do not allow sharing such personal information of individuals with the public, the MCA has asked Law Ministry to advise if the Aadhaar and IT Acts were overarching and in case they were, “whether the personal information and documents captured in the MCA21 portal as per the Companies Act could continue to be disclosed on the public platform MCA21 in spite of the Aadhaar and IT Acts”.
The other option, MoCA suggested, was to term the Aadhaar number as sensitive personal data or information so as not to provide public access.
But that, it fears, would violate Rule 3 of IT (Reasonable Security Practices, Procedures and Sensitive Personal Data or Information) Rules of April 2011 which forbids “any information that is freely available or accessible in public domain or furnished under the Right to Information Act or any other law” to be regarded as sensitive personal data or information.
Moreover, any failure to protect data (as it happened in May 2017 when ransom malware WannaCry attacked MCA21) would mean payment of compensation of up to Rs 5 crore for the offence under Section 43A of the IT Amendment Act.
MCA21 is managed by IT major Infosys for electronic filing related to compliances under the Companies Act and Limited Liability Partnership Act. It was subjected to WannaCry attack, first noticed on May 7, when some documents related to front and back office services were affected. The servers were re-formatted and re-deployed without any loss by May 12.