West Bengal State Electronic Data Centre Storage Sharing and Electronic Data Retention Guidelines, 2020

Information Technology and Electronics

Phone: 2357-2533, Fax: 2357-2534, E-mail: secit@wb.gov.in

No. 588-Estt/ITE-20012/2/2020 Date: 28/12/2020

Subject: West Bengal State Electronic Data Centre Storage Sharing and Electronic Data Retention Guidelines, 2020.

Ref: This Office Notification vide No 584-Estt/ITE-20012/2/2020 dated 28.12.2020.

The State Government in the Department of Information Technology & Electronics has issued Notification under reference to formulate ‘West Bengal State Broadband Policy 2020’ wherein the instant ORDER features as Annexure D.


The Governor is pleased hereby to make the following guidelines in order to bring clarity, simplification and standardization in the process of electronic data storage, data sharing and data retention after the primary objective of electronic data processing has been achieved. West Bengal is poised to promote transparency in electronic Data Protection measures by bringing in a set of guidelines that ensures that electronic data storage, data sharing and data retention is undertaken in a legal, transparent and secure manner.

The Government of West Bengal is poised to promote transparency in allocation, augmentation & reclamation of storage space and implementation of proper Information Security Management System (ISMS) through a set of guidelines that ensures all data would be protected and applications to be hosted under safe & secure environment in State Data Centre.

Through these guidelines, the Government of West Bengal (GoWB) in the Department of Information Technology & Electronics, would be able to ensure that Government departments and organisations along with their parastatals, subsidiaries, corporations, statutory authorities including associated agencies – public and private organizations abide by laid down guidelines as enumerated below.

1. Short title, extent and commencement

a) The guidelines may be called the “West Bengal State Electronic Data Centre Storage Sharing and Electronic Data Retention Guidelines, 2020”.

b) It shall extend to the whole of the State of West Bengal.

c) It shall come into force with effect from the date of issue.

2. Definition

Data is the new oil to drive the economic growth. The state governments who are cognizant of the rise of data economy, will feature in the list of the successful states in terms of stability, investment, employment generation, smart public service delivery, overall growth and prosperity. Data is a set of values of subjects with respect to qualitative or quantitative variables. Data is raw, unorganized facts that need to be processed. Data can be something simple and seemingly random and useless until it is organized. When data is processed, organized, structured or presented in a given context so as to make it useful, it is called information. Information, necessary for research activities are achieved in different forms. The main forms of the information available are:

West Bengal State Data Centre (WBSDC) – WBSDC was established under National e-Governance Plan (NeGP) (presently known as Digital India) and to ensure shared, reliable and secure infrastructure services centre for hosting and managing the e-Governance Applications of State and its constituent departments. Several critical applications including citizen centric applications were hosted in the State Data Centre. With the increase in demand for hosting environment it is imperative to develop certain guidelines for effective utilization of storage space and implementation of Information Security Management System (ISMS) under WBSDC environment.

For Government application and processes, most of the data is being processed at various levels viz. National Informatics Centre, State Data Centre (SDC), Local Data centres (Department specific) for achieving better public service delivery and participative governance. In accordance to the MeitY guidelines, focussing on the State Data Centre (SDC) and its importance of data retention plan, the Government of West Bengal has decided to lay down through a set of state electronic data guidelines which are majorly categorised into six (7) verticals:

A. Electronic Data Storage
B. Electronic Data Classification
C. Electronic Data Sharing in anonymous format
D. Electronic Data Retention
E. Electronic Data Security
F. Electronic Data Disposal or archival
G. Electronic Data Allocation & reclamation of storage space at State Data Centre (SDC)

In terms of government services catering to public needs, huge amount of electronic data is being consumed and processed everyday by both Government organizations and private entities. In most of the instances, a substantial volume of data is being retained in form of electronic records even after the primary objective of data processing is fulfilled. While data retention is necessary for future business/ Departmental needs or statutory/ regulatory requirements, it is also important that the electronic form of data storage, data sharing and data retention are done in an authentic and secure way. A proper standard is required to be in place to avoid data breach and reduce unnecessary storage consumption.

Note: Electronic Data – Documents in electronic form comprising various types viz. *.doc, *.odt, *.txt, *.pdf et al; Emails, Multimedia and the likes are considered as Electronic Data. Individuals and the organization that create / process/ share/ store the electronic data are responsible to ensure that the data is stored in appropriate location, and in classified format.

3. Goals & Objectives

All state electronic data needs to be securely stored, backed-up, archived and disposed of in a consistent manner in regard to its criticality, sensitivity, present & future requirements in line with the industry best practices. Data classification is a key component for making consistent and appropriate decisions related to secure data storage and retention. Primary objectives revolve around electronic data storage, anonymous data sharing and data retention guidelines are listed below-

4. Applicability of the Guidelines

The guidelines are applicable to all the Government departments and organisations along with their parastatals, subsidiaries, corporations, statutory authorities including associated agencies – public and private organizations having server and storage location in West Bengal storing public data. All employees working in the above-mentioned organizations, will directly fall under the ambit of the electronic Data Retention Guidelines and hence abide by them. All electronic records that are created, handled, stored, processed, anonymously shared by any of the above organizations in form for business and operations shall also come under the ambit of West Bengal Electronic Data Sharing and Retention Guidelines, 2020.

The guidelines enlisted herein will also be applicable for those organisations who desire to avail the services from WBSDC. Any user may deploy their existing or new application except Top Secret & Secret applications (data or information that can cause serious threat/ damage to the security of the state/ country or compromising the National interest). All applications before hosting need to obtain Safe to Host certificate from CERT-In empanelled security auditor. The scope of these guidelines includes but is not limited to the ease of allocation, management and effective usage of resources as well as protection of assets and services delivered by WBSDC.

5. Implementation framework

Following Public Information Infrastructure will collaborate to achieve the end goals and objectives of these guidelines:

A. Electronic Data Storage: The electronic data is being stored at various levels:

a. National Informatics Centre (NIC): Under Ministry of Electronics and Information Technology (MeitY) in the Indian government, supports the national level initiatives and provides infrastructure to help support the delivery of government IT services and the delivery of some of the initiatives of Digital India. As per the drafted Personal Data Protection Act, the data principal (data owner), data fiduciary and data processor are strictly confined to the Central government. The electronic data is consumed, processed, stored and maintained by the central government.

b. State Data Centre: Under the state government, provides infrastructure support and electronic data management including electronic data generated in any form, stored, processed and maintained by the state government authorities. All employees both permanent and contractual are strictly not allowed to use the official system for their personal needs.

c. Local Data Centres (storing government/ public data): These includes the data centres which are facilitating respective state/s with a third-party engagement programs in delivering public benefits. The electronic data stored, processed and maintained by state or local authorised bodies. All employees both permanent and contractual are strictly not allowed to use the official system for their personal needs (storing of personal data).

d. Government Departments: They are inclusive of Directorates, Municipalities, District, Subdivision and Block level Government units, Gram Panchayats and other local self-government bodies in any form that are connected to activities of electronic data consumption, processing and maintenance for public benefits. All employees both permanent and contractual are strictly not allowed to use the official system for their personal needs.

e. End point systems existing in government (in any form): The system owner or data owner may be responsible for all the electronic data stored, processed and maintained in system or application. The administrator will be responsible for proper data management, network management and providing access control rights to restrict misuse of data. The onus also lies on the departmental heads for overall electronic data management. All employees both permanent and contractual are strictly not allowed to use the official systems for their personal needs (storing of personal data). The storing of unofficial or personal content (in any form) in public systems is strictly prohibited. The department or the system issuing authority will not be liable for any type of personal data loss in case personal data is kept in the system (issued by the governing body) but the authorised system owner will be liable for ensuring data privacy (of the official data) even if it is stored by the official in one’s personal system with or without prior approval of the Head of the Office. Government shall not be liable for safekeeping of data kept in personal system of any official.

B. Electronic Data Classification: Data can be classified in two ways – (a) mode or format of data & (b) criticality of data

a. Based on the mode or format of data, the data which comes under the ambit of the retention guidelines can further be classified as follows –

i. Electronic Data – Documents, Emails, Multimedia are considered as Electronic Data. Individuals and the organization that create/ process/ share the electronic data are responsible to ensure that the data is stored in appropriate location, format, classified format.

ii. Electronic Data for Business Applications – Other type of electronic data includes the business application records which are generally required for business analysis purpose and can be required to be temporarily stored. These type of data needs special attention and must be erased after primary objective is fulfilled and data retention period is over.

iii. Physical Records converted into Digital format – The Government of West Bengal is the front runner in adopting and promoting digitization through various single window systems. The government is encouraging all the state departments and their respective subsidiaries to migrate from the paper-based work culture to digital impressions. There are still a few physical/ printed copies of documents that are created out of day to day operations and business obligations. These documents are very critical to the security of respective departments and its subsidiaries or entities and must be handled with utmost care. The Department has taken measures to convert the physical files into digital ones.

Note: The West Bengal State Data Centre Storage Sharing and Electronic Data Retention Guidelines, 2020 is strictly targeted towards the electronic medium of data (for Government use) which is stored, processed, retained or archived within the geographical boundaries of the state.

b. Based on the criticality of data, Electronic Data can be classified in the following manner. Data retention period primarily depends upon the critical nature of the data.

i. Confidential Data: This classification applies to all information generated and shared within and/ or across various state departments, its subsidiaries or entities. Its unauthorized disclosure could adversely impact its business, its stakeholders, its business partners, its employees and/or its customers.

ii. Internal Data: This classification applies to information that is specifically meant for employees of a department, its subsidiaries or entities. While its unauthorized or unintended disclosure is against the prescribed guidelines, it is not expected to seriously or adversely impact the governmental processes, business, employees, customers, stakeholders and/ or business partners.

iii. Public Data: This classification applies to information, which has been explicitly approved by the government/ Department/ management for release to the public.

iv. Restricted Data: Highly confidential, there should be a separate provision of restricted data:

Data classified as Restricted and Protected or Confidential will be stored only in approved locations; viz. State Data Centre and/or on approved equipment or storage facilities notified by the Government as and when applicable.

Nodal officers, to be duly notified by the Government, shall have the authorisation to make duplicate copies or shadow files of such classified data.

Standards for storing electronic data containing sensitive data shall be formulated, notified and periodically reviewed.

Standards for copying/ printing of hardcopy containing sensitive data shall be formulated, notified and periodically reviewed.

Periodic reviews shall be performed by Third Party Security Assurance Agency to ensure compliance with data management policies, standards and procedures.

C. Electronic Data Sharing in anonymous format

Data collaboratives, an emerging form of partnership in which participants exchange data for the public good, have huge potential to benefit society and improve decision making. But they must be designed responsibly and take data-privacy concerns into account. The state departments generate tons of cross sectoral data which may reap direct benefits for the State-level Start-ups, MSMEs, public service delivery organisation, state departments, its subsidiaries or entities, data collaboratives et al. These data-sets, when utilised properly, can drive decision making, improve situational and causal analysis. The unique collections of data will help government decision makers to better understand issues such as traffic problems, healthcare, transportation or financial inequality and design more agile and focused evidence-based policies to address them. AI will be at the centre of twenty-first-century governance, but its output is only as good as the underlying models. And the sophistication and accuracy of the models generally depend on the quality, depth, complexity, and diversity of data underpinning them. Data collaboratives can thus play a vital role in building better AI models by breaking down silos and aggregating data from new and alternative sources. Moreover, such data exchanges enhance decision-makers’ predictive capacity. The anonymised data sharing will deliver benefit to Public service delivery providers by:

a. Reduce duplication and wastage
b. Better target front service delivery
c. Monitoring demand and delivery pattern
d. Improving level of customer satisfaction
e. Facilitating evidence-based policy and decision making
f. Identifying root cause of the problems/ challenges
g. Predicting user service needs
h. Increasing public trust in government and Public functions
i. Enabling research

To seek the above listed benefits, the shared data (anonymised format- to add data protection and prevent data breaches) should reach the right recipients viz. Start-up or Developer community, MSMEs, state decision makers, public service delivery organisation and NGOs; State Government in the Dept of IT&E has laid down West Bengal Transactional Data Sharing Guidelines, 2020.

The data sharing system is designed based on the below parameters; the details will be communicated as and when required:

  1. Selection Criteria
  2. Project Agreement
  3. Application procedure
  4. Training on data Protection
  5. Data and Meta Data description
  6. Financial and Benefit Model
  7. Support and Research services

Special emphasis has to be made so that all security pre-requisites are adhered to by those Start-Ups before they are offered, counselled and allowed to host their applications on this C-IaaS.

D. Electronic Data Retention: RTI Act does not require the public authority to retain records for indefinite period; Information needs to be retained as per the record retention schedule. Various types of data viz. business/ personal/ public data are processed for different purposes and are of different critical level – hence, retention periods also vary on case to case basis. Retention of electronic data has to be reviewed periodically to check the status of objective of retaining the data. While finalizing a retention period, the following factors are to be kept in mind-

a. Type of electronic data in consideration
b. Purpose of electronic data retention
c. Legality of the department/ organizations for collecting, processing and retaining the data under consideration

In certain instances, criteria shall be established by which the retention period of the data can be determined, thereby ensuring that the data storage and retention can be regularly reviewed against those criteria. Data must be deleted/ destroyed after pre-defined retention period is over.

In limited exceptional circumstances, Data (business/ personal) can be retained for a longer period where such retention is for archiving purposes and are in the public interest, for scientific or historical research purposes, or for statistical purposes. All such retention will be subject to the proper data security measures at technical and organisational level and the Secretary of the concerned administrative department shall expressly notify such extension stating clearly the need for exceptional retention.

Beyond the identified time period for normal retention, the owner of the data shall have to take a copy of the said data from the ‘in-system – the application/ location that includes Data Centre & Disaster Recovery (DR) site’ into a physical tape or otherwise, as to be decided by the owner under notification, and preserve it for archival period of retention.

Note: Before any transactional data is archived into the physical tapes or drives, data must be anonymised and shared with the state public data sharing system for facilitating the state government, start-ups, MSMEs for helping state to grow based on analysis in form of measuring trends, training data for their application or systems, research and development.

Based on international standard practices, Data Retention period for different types of data will be as follows:

| CATEGORY | RETENTION PERIOD (in system – the application/ location where primary use of the data was held i.e. Data Centre & DR site) | TOTAL RETENTION PERIOD (including archival) |
| --- | --- | --- |
| Medical Records | 3 years | 25 years (inclusive of the 3 years) or based on applicable regulations |
| HR Records | 3 years | 25 years (inclusive of the 3 years) or based on applicable regulations |
| Medical & Security Assistance Case Record | 2 years | 3 years (inclusive of the 2 years) |
| Call Recordings | 1 year | 2 years |
| Audit logs | 3 months | 2 years |
| Corporate Secretariat Record | Life of the entity | Life of the entity + 50 years |
| Accounting & Financial Records | 2 years | 7 years or based on applicable regulations |
| Procurement & Contract Record | Contract Duration | Contract Duration + 7 years or based on applicable regulations |
| Travel Tracker Records | 2 years or based on contractual commitments | 3 years or based on contractual commitments |
| Other Records | 2 years or based on applicable regulations | 2 years or based on applicable regulations |

Explanation: In order to check whether a candidate has attempted before in an entrance examination, the data of that candidate after his first attempt, is required to be kept only until his age crosses the upper limit or the maximum number of attempts that one is allowed. Later, the electronic data is securely encrypted and transferred to a physical tape to optimise data centre storage cost.

E. Electronic Data Security: After the primary objective is fulfilled, data can be retained for a longer period for business/ regulatory purpose as per pre-approved retention period. In many instances, during this period, data is archived to save storage cost. Be it in-system retention or data archival, it is important to secure the data under consideration.

a. All data during retention/ archival must be encrypted/ locked by using proper encryption methods

b. All electronic data records shall be archived in secure labelled storage onsite or secure offsite location

c. All the electronic data must be reviewed (after a defined interval) to check the status of the purpose of data retention

d. In case electronic data archival is outsourced, the selected vendor shall also come under state Data Retention guidelines and must comply with the existing data protection guidelines and state prescribed Information security standards.

e. Data stored in the physical tape/s (both in SDC Production site and DR site) by the data owner must be checked/ validated by structured walkthrough or sample testing at a defined time frame based on the historic and economic importance.

F. Electronic Data Disposal or archival

The first step is to review all electronic data requirements in regard to the electronic data retention need, usage frequency (last time used) and to decide whether to destroy or delete or archive any data once the purpose of those data is fulfilled or no longer required. Overall responsibility and ownership for the destruction or deletion or archival of the electronic data falls to the Nodal Officer of the owner organisation, notified duly for the said purpose.

Once the decision is made to dispose of the data according to the state electronic data retention guidelines 2020, the data should be deleted, shredded, archived or otherwise destroyed completely. The method of disposal varies and is dependent upon the nature of the document. The specific deletion or destruction process may be carried out either by an employee or by an internal or external service provider that the duly notified Nodal Officer either delegates or subcontracts for this purpose. The data disposal process must be controlled in order to avoid loss of important data. The disposal process must be documented and approved by the duly notified Nodal Officer.

Prior to (a) transferring data into physical tape for archival beyond the primary retention period prescribed and (b) destroying the data permanently after completion of the total retention period including archival, the Nodal Officer with explicit written permission from the Head of the Department shall upload the said data on Public Transactional Data Sharing System after due anonymisation so that the said public data can be used by MSMEs and Start-ups in the greater interest of public service.

Disposal method shall vary depending upon the critical nature and type of the Data. This is briefed below-

G. Sharing of Public Transactional Data with West Bengal Public Transactional Data Sharing System:

In compliance with the provisions of the West Bengal Public Transactional Data Sharing Guidelines, 2020; any public transactional data, if not already shared on the above-mentioned system after duly anonymising the same, should be first anonymised and shared on this system for ensuring their full utilisation by Start-ups, MSMEs, Govt organisations, NGOs of the State for promoting research and development, analysis and decision making including promotion of industry based upon such anonymised public transactional data.

H. State Data Center Storage Space Requisition guidelines

The State Government departments, associated Government organisations, parastatals etc. who desire to host any type of the application and/ or avail any form of the services from WBSDC should apply online for seeking storage space for hosting their required application/s. A Self-Supporting Portal (SSP) of WBSDC should be in place for requisition of storage space, augmentation & reclamation of storage space, monitoring and other remote service management under WBSDC operations. In case of rejection of requisition, applicant should receive an email notification from WBSDC authority containing the reason of rejection. Some criteria need to be followed before hosting of an application, which are as follows:

a) Before hosting, each website must contain proper domain name and must be security audited by the CERT-In empanelled Security Auditor. In case of non-availability of the same, WBSDC authority will aid the applicant in meeting pre-requisites and ensuring compliance

b) Safe-to-Host certificate must be issued by the concerned CERT-In empanelled Security Auditor on latest version of their respective website/ web portal and furnished at the time of hosting at WBSDC.

c) The resources required for hosting of web application (application space & database space) would be provided by WBSDC authority

d) To host any application in WBSDC Cloud, the applicant initially needs to furnish the specification details in brief viz. number of VMs, storage space etc.

e) The allocation of storage space for the application will depend on the application Size (KLOC – Thousands (Kilo) of Lines of Code), Transactions/ Day and number of Concurrent Users.

f) For large application the initial storage size will be maximum up to 2 TB and small application the initial storage size will be maximum up to 500 GB. The average size of storage space required for a single transaction will be considered as 10 MB (including data & supporting like image, pdf etc.)

An indicative process flow for hosting of an application at WBSDC environment are mentioned below:

Once the initial space is exhausted, the owner of the hosted application has to re-apply through online portal for space augmentation along with the certain mandatory documents/ reports viz. Load/Stress testing report, Profiler statistics, System and Application Logs etc. for validation purposes. The size of allocable space will be decided based on the sizing of the hosted application and the usability. The WBSDC authority has the mandate to withdraw unutilized allotted space, if the initial allocated space is underutilized. In that case the free space will be reclaimed in the free storage pool. These guidelines will be applicable for space reclamation of existing application in WBSDC if after 6 months from the date of space allocation, less than 75% of the storage space was utilized.

Once in every three years, for any hosted application, when more than 80% of the presently allocated storage space is exhausted then the owner of the application needs to ensure that the existing data is archived on a year on year basis in a dedicated archive storage space as designated/ provided by the SDC authorities and accordingly the existing storage is cleaned up to bring down the occupancy of storage space to at least 10%.

The data to be cleaned will be primarily transactional in nature. The master data related to any hosted application do not require any clean up or archival activities.

J. Application Architecture guidelines

The web application to be hosted at WBSDC must comply with predefined standards in their design for better performance and easy maintainability so that it can deliver better user experience, ease of monitoring and improved service quality. The guidelines to be followed are:

K. User Access Management guidelines

These guidelines will ensure that access to the information assets is allowed based on the requirements of the business applications, information asset classification, legal and contractual requirements.

The application/ data owner/s should define security requirements of their respective web application/s

Proper Access control should be deployed as per the defined role/s and comply with Contract terms.

Minimum or baseline level of access control should be defined and implemented on all information types and data levels

Every WBSDC information system user must have a unique user ID and password for system access.

WBSDC documents, software and any form of information should never be sold or transferred to any third party (Non WBSDC user) for any purpose. In case of any exception, an exception request needs to be raised and formal approval and authorization sought from the appropriate WBSDC authorities.

In case of any data leak or data loss of sensitive information or any form of data disclosure to unauthorized parties, the data/ application owner and department heads should be notified immediately.

WBSDC information systems users are prohibited from gaining unauthorized access to any other information systems to prevent any form of damage, alteration, disruption to the operation or services.

In case of separation from WBSDC, all user access privileges, and login access must be revoked immediately as on date of separation.

L. Information Security Management guidelines

To ensure Confidentiality, Integrity, Availability and Privacy (CIAP) of information stored in the WBSDC environment, certain security guidelines need to be followed by every user of WBSDC. All important Information Security Controls need to be followed by the WBSDC management and operation team, namely ISO 27001:2013 controls for data centre physical security & environmental controls, supply chain security, personnel security and network security; ISO 27017 controls for use of cloud services; and ISO 27018 controls for protecting Personally Identifiable Information (PII) in public clouds, which will also be in line with the ISO/IEC 29100:2011 controls that provide privacy framework where privacy controls are required for the processing of PII. Certain mandatory guidelines under Information Security Management Systems that are mandated are mentioned below:

i. Password Guidelines:

ii. Backup as a Service Guidelines:

iii. Cryptography Guidelines

iv. Patch Management Guidelines

v. Remote Access Security Guidelines

vi. Information access guidelines

vii. Security incident management guidelines

M. Removable Media Usage Guidelines

N. Software Usage Guidelines

O. Start-Up Support Guidelines:

The West Bengal State Government has accepted in principle and allocated a portion of the cloud infrastructure of the WBSDC for the state start-up community to utilise the best available sectoral data for their robust system development, live data testing and better tracking of the user lifecycle in terms of public service delivery.

In order to maximise reach and ensuring more Start-Ups receiving support, the Dept of IT&E being the Nodal Dept will decide the standard configuration to be offered to each of the Start-ups.

Considering the above and/or prevailing comparative rates of various cloud-service providers, the State Government in the Department of IT&E will finalise the pricing model for providing web space to Start-Ups and state MSMEs.

The rate for such service, to be collected by the State Implementation Agency (SIA) as to be decided and under the aegis of the Dept of IT&E, shall duly be notified with concurrence from the State Finance Dept.

The proposed cost for such facility includes all licenses, tools and OS in various stages of deployment, to be charged monthly by the State Implementation Agency (SIA) notified by the Nodal Department i.e., Department of Information Technology & Electronics. Facility for availing rebate (of 15% or such amount as to be duly notified) will be extended to such Start-ups and MSMEs who will pay the charges on a yearly basis, in advance. This minimal revenue will augment Government funds in maintaining and providing a benchmarked service delivery to these Start-ups and MSMEs, which is first of its kind in the country.

A Selection Committee to be notified by the State Government in the Dept of IT&E, being the Nodal Department shall call for application through Departmental Portal with adequate publicity in digital as well as print media and select fifty (50) deserving Start-Ups to be offered the above Cloud Infrastructure as a Service (C-IaaS) at the WBSDC.

P. Grievance Redressal Guidelines

Any grievances related to the operations & maintenance of WBSDC should be raised online through Self-Supporting Portal (SSP) of WBSDC. There will be a specific time frame in solving the problems and feedback to be captured online for further improvement.

By order of the Governor,

Principal Secretary to the
Government of West Bengal

No. 588-ITE dated 28.12.2020
