Every financial institution, including the thousands of NBFCs, (you can also consider that they have thousands of employees each), can effectively access it.
I am sure XYZ small NBFC with <20 employees is having rigourous access controls that prevent an employee from accessing the DB. As you are well aware the cyber security infrastructure in our country is one of the best. /S
With such a large and ineffective access control, I consider it an open database.
Also not like restricting it to financial institutions matters because they don’t bother securing it anyway.
And like the original poster mentioned, if reliance is accessing it without his permission, why not someone else? What makes you consider it not open?
Even if he has used reliance, he cannot control the access to his data. They fetched it once without asking. What’s stopping them from fetching it again?
Yes, all the reporting entities registered with Central KYC Records Registry are required to obtain the consent from the customer for downloading their CKYC record from Central KYC Records Registry.
"
This is a loose requirement… The consent is not enforced using OTPs or any PINs or tokens.
They just trust the entity to obtain the consent but they don’t check whether that was done.
a) Reporting entity shall search for the record by entering CKYC identifier or by
entering a valid ID type and number.
b) Reporting entity can download single / bulk records by entering CKYC identifier
and an authentication factor (viz. date of birth (incorporation)/ Mobile
number/pincode + year of birth).
c) Reporting entity shall obtain download consent from the customer every time
the CKYC record is being downloaded from Central KYC Records Registry. This
consent form shall be retained with the reporting entity.
What if it is a woman living solo & has had stalker issues? This is truly dangerous.
I mean consent needs to be strictly enforced via an OTP etc… wtf is this nonsense… Btw wasn’t Reliance Gen Insurance acquired by Hinduja Group? wondering if my recent Hinduja hospital visit had anything to do with it… very long shot of course…
I shifted my residence because of redev but I have not changed my address on ckyc or anywhere … it causes me a lot of problems but I still don’t want to share my communication address because of this data privacy issue. I have literally not shared my new address with anyone … not even the local post office… i must say this peace is another level.
pls read again. i didn’t say that i have stalker issues. i am just trying to understand why they fetched my details without my consent when I have nothing to do with them…
I also didn’t say that you’re being stalked. I said that the hypothetical stalker that you mentioned needs to be working at an FI to fetch this record.
And what use is a complaint when they already have the data? It’s not like it’s money to get back. Nothing stopping them from keeping it after complaint too
Intention should be to prevent them from getting the data. Not to ask you to file a complaint if someone fetches it
Retarded logic. If someone deliberately bangs your car and causes a dent, you don’t file a complaint? You let go because not like you’re going to get the dent fixed?
DPDP act 2023 is yet to be notified. When that happens they’ll give 6 more months to companies for compliance. Only after that you’ll be able to get someone penalized for unauthorized data access.
until then your best hope is using right to privacy.
CERSAI probably will not introduce any token based or OTP based consent permission like aadhaar because it will slow down the adoption of using CKYCR. Even now banks don’t use it/ or use it properly. With aadhaar CERSAI CKYC is redundant so banks don’t want to put in the work. Only those data hungry or public sector ones do it.
“After the Supreme Court judgement on Aadhaar, the rules around database access became more formalised. The government is now extending this to all government databases”…