Regulations 30. Other duties.—

• (1) An information utility shall-

• (a) provide services to a user based on its explicit consent;
• (b) guarantee protection of the rights of users;
• (c) establish adequate procedures and facilities to ensure that its records are protected against loss or destruction;
• (d) adopt secure systems for information flows;
• (e) protect its data processing systems against unauthorised access, alteration, destruction, disclosure or dissemination of information; and
• (f) transfer all the information submitted by a user, and stored with it to another information utility on the request of the user.

• (2) An information utility shall not-

• (a) outsource the provision of core services to a third-party service provider;
• (b) use the information stored with it for any purpose other than providing services under these Regulations, without the prior approval of the Board;
• (c) seek data or details of users except as required for the provision of the services under these Regulations.