Criteria for marking official records 'Top Secret', 'Secret' and 'Confidential' made public
In the past, the Ministry of Home Affairs had refused to disclose the criteria for marking official records 'Top Secret', 'Secret' and 'Confidential' in response to my application filed under the RTI Act as I had sought for publication of the secretive Manual of Departmental Security Instructions (MoDSI) which contains the classification criteria and procedures under the Right to Information Act, 2005 (RTI Act) a few years ago and failed in my efforts. The Central Information Commission refused to order its disclosure despite hearing strong arguments based on legal concepts and international practices in support of disclosure. However the Department of Defence Production (DDP) of the Ministry of Defence has laid down the criteria for and procedure for classifying records as 'Top Secret', 'Secret' and 'Confidential' in a manual publicised in June this year for- believe it or not - private sector companies and firms that obtain licenses for producing defence-related commodities. Readers may access the Security Manual for Licensed Defence Industries on the DDP website at: http://ddpmod.gov.in/showfile.php?lid=151. DDP is a department under the Ministry of Defence (MoD).
Why is this Manual Public Now?
Readers will remember that under the earlier tenure of the National Democratic Alliance, curbs on private sector participation including foreign direct investment (FDI) in defence production were lifted (in 2001). Ever since, the cap on foreign investment including FDI and foreign institutional investment, foreign portfolio investment etc. has been reduced bit by bit. So now, private companies can manufacture almost any kind of defence equipment in India ranging from battle tanks to aircrafts and their component parts as well as spare parts. So it is obvious that such companies will require to generate or hold a range of information whose public disclosure would be harmful to the defence and security interests of the country, Hence the creation of DDP's Manual containing instructions for classifying documents and also ensuring the safety of equipment and manufacturing or assembly premises. The wheel has turned a full circle since 2009 when the CIC bought the Central Government's argument that if the MODSI used in Government offices is disclosed under RTI, it will fall into the hands of terrorists- an argument that the CIC bought hook, line and s(t)inker and rejected my appeal for disclosure. Iwonder if the Union Home Ministry which was the party to my case still thinks that the Security Manual will also be used by terrorists as it is accessible online to any person sitting in any corner of the planet.
The Security Manual of the DDP contains almost all information that the MODSI contains (yes, I know what is written in that Home Ministry's Manual as a good samaritan permitted me to only 'read' its contents some time ago- name will not be revealed for obvious reasons).
What is unique about this Manual?
1) The criteria for classifying sensitive documents of private companies engaged in defence production according to the manual are given below:
“TOP SECRET” shall be applied to information and equipment, the unauthorized disclosure of which could be expected to cause exceptionally grave damage to the National Security or national Interest. This category is reserved for the nation’s closest SECRETs and is to be used with great reserve.
“SECRET” shall be applied to information and equipment, the unauthorized disclosure of which could be expected to cause serious damage to the National Security or National Interests or cause serious embarrassment to the Government in its functioning. This classification should be used for highly important matters and is the highest classification normally used.
“CONFIDENTIAL” shall be applied to information and equipment, the unauthorized disclosure of which could be expected to cause damage to National Security or could be prejudicial to the National Interests or would embarrass the Government in its functioning.
“RESTRICTED” shall be applied to information and equipment which is essentially meant for official use only and which should not be published or communicated, to anyone except for official purpose.
In other words, the age-old criteria for classifying official information will continue to apply to information created or held by private companies engaged in defence production without any reference whatsoever to the RTI Act, especially Sections 8 and 9. This is in complete violation of the Tshwane Principles of national Security and the Right to Information which we as a global coalition of transparency advocates put together (see: http://fas.org/sgp/library/tshwane.pdf)
2) The responsibility for ensuring that the Security Manual is strictly adhered to will lie with the private company's Chief Security Officer who must be an Indian citizen, and an ex-army/paramilitary force/Police officer.
3) All employees joining a private company engaged in defence production known as - Indian Licensed Defence Company (ILDC) will have to get security clearance from the police before joining the company.
4) The Intelligence Bureau (IB) - an organisation exempt form the ordinary obligations of transparency under the RTI Act as it is notified under Schedule 2, will conduct a security audit of the ILDC soon after the license is issued and along with the Home Ministry will be responsible for the enforcement of this Security Manual for ILDCs. The Manual may be revised by the Home Ministry based on the audit findings. The Industrial Security Branch of the IB will be the nodal agency for these matters- so we know something about IB's structuring from DDP's website even though IB does not have a website of its own. But, the audit report may not be made public ordinarily unless one alleges human rights violation or corruption.
5) All ILDCs must carry out a self-certification audit and give a report to IB soon after license is granted and then IB conducts a security audit every two years to ensure that all systems to keep information and equipment secret are working fine.
6) The Security Manual prohibits ILDCs from disclosing both 'classified' and 'unclassified' information pertaining to a classified contract to the general public without clearance according to -believe it or not- the specification for contract security classification contained in the very same contract! However, if information is to be shared with any outsider, then a non-disclosure agreement may be put in place prior to disclosure.
6) ILDCs are prevented from disclosing classified information to any legal advisor or consultant or any person acting in legal capacity without authorisation by the agency that has jurisdiction over the classified information. So does 'any person acting in legal capacity' include a judge? The Government must clarify this matter urgently as not doing so would amount to trampling upon the independence of the judiciary.
7) All ILDCs are required to destroy their records where necessary once a year in order to avoid accumulation and consequent problems of accounting and security. A Board of Officers selected by the Department Head will screen documents for destruction. If no longer required, classified records may be returned to the Department. There is no mention of archiving records of ILDCs after declassification. So the public will never get to see even such documents that are fit enough to be declassified or destroyed.
8) The Security Manual prohibits employees of ILDCs from becoming a member of any official or unofficial chat club on 'official Internet'. They are also prohibited from using mobile phones in areas that are classified 'top secret' or 'secret'. Such employees are prohibited from using private email addresses for any kind of official communication.
9) Cyber security and computer security are to be guided by the ISO 27001 standard (See details at: http://www.iso.org/iso/home/standards/management-standards/iso27001.htm)
Who all are covered by this Manual?
According to the DDP's website, the Department of Industrial Policy and Promotion (DIPP) has issued 222 Letters of Intent or Industrial licenses to private companies. Of these 46 companies are reported to have commenced production as of August 2014 (see details on DDP's website: http://ddpmod.gov.in/index1.php?lang=1&level=0&linkid=12&lid=17). The DIPP has disclosed names and contact details of a range of companies that have been licensed to start production in various sectors of the economy including the defence sector. A list of some companies that have been issued licenses in 2014 is attached. Some of them have been issued licenses as recently as in July. Although DIPP has made this disclosure to comply with its proactive disclosure obligation under Section 4(1)(b)(xiii) of the RTI Act the extent and quality of disclosure leaves much to be desired. In some cases the total amount of investment approved is not known, in others the number of persons employed is not known. Perhaps readers might like to hunt for these details on MCA21 website if the private entity is registered as a company in India. All companies bringing in FDI must be registered in India according to the FDI policy relating to defence production. The DIPP must disclose similar details of all licensee companies immediately, to comply with the promise of increased transparency made by the NDA Government.
While arguing my case, before the CIC in 2009 I had pointed out that rules and regulations themselves cannot be kept secret. The CIC in its wisdom did not buy that argument. However, the MoD thinks differently and that should be welcomed. I had also pointed out last year that a chapter on classification procedures and criteria is published online in the Manual of Office Procedure of the Andaman and Nicobar Administration which is a division in the Home Ministry. This was the first instance of making the criteria for classifying official documents public. The DDP's disclosure is the second in this line of proactive disclosure. The Home Ministry has little reason to keep the original Manual secret.
Given the stringent requirements that ILDCs must follow in relation to both sensitive and non-sensitive information they generate or hold, it would be worthwhile testing out if information about them can be accessed from the DDP or even get them declared as public authorities where possible. Readers might like to try this out as a test case by using the names of companies mentioned in the third attachment to this email as a reference point. However, there is the larger issue that we must debate- with increasing privatisation of even sensitive sectors like defence production, how much of the scope of the transparency regime gets curtailed day by day? This topic could have been discussed at the Annual RTI Convention of the CIC. Strangely, the champions of transparency have elected to hold a closed-door meeting later this month by keeping the most important of stakeholders out- namely, the citizens who have their fundamental right to information guaranteed by the Constitution.