The Indian government has long propagated that centralisation of citizen data can simplify their lives and help in the rollout of welfare schemes. Recently, in the economic survey, which was released earlier this month, it made the case for citizen data being treated as a public good as opposed to a private good.
But just days later, Nitin Gadkari, the minister of road transport and highways, revealed that the government is selling vehicle registration and driving licence data of Indians and earning money from it.
The Indian government has made INR 65 Cr by selling in bulk the data of crores of vehicle-owners and driving license-holders, including data on insurance and tax paid, at specified rates for each data set. The government has also linked Vahan and Sarathi with stolen vehicles data from the National Crime Records Bureau.
The government on July 8 revealed that it has provided 87 private and 32 government entities access to the Vahan and Sarathi database. Vahan and Sarathi deal with data related to vehicle registration and driving licenses, respectively. The ministry maintains the Centralized National Registry through the National Informatics Centre and it has approximately 25 Cr vehicle registration records and 15 Cr driving license records.
How It Works
Under its ‘Bulk Data Sharing Policy & Procedure’, the government has said that all commercial organisations and individuals seeking bulk data will have to pay an amount of INR 3 Cr for FY 2019-20, while educational institutions can use this data for research purposes and internal use only, for INR 5 lakh for FY 2019-20. These charges shall come under an annual increase of 5% from FY 2020-21 onwards.
Organizations shall purchase the data for one calendar year at any time. For every year of purchase of data, they will receive the same in four data dumps.
Under the policy, the data in bulk will be released in an encrypted format and will be encrypted with the public key of the nodal person of the purchasing organisation who will manage the data.
The organisations acquiring this data are required to carry out security audits, and the second quarter of data will be provided to the companies only after receipt of the security audit compliance report for the past data.
Any misuse shall be liable for any action permissible under the IT Act or any other applicable law, besides debarring of such agency from access to this data for a period of three years.
Cause For Concern?
Last year, the Justice BN Srikrishna Committee report on the draft Personal Data Protection Bill 2018 was finally submitted to the minister of law and justice, Ravi Shankar Prasad, in July, and it was also made public to seek stakeholders' comments.
The bill gives new definitions of “personal data” and “sensitive personal data”. It defines personal data as any data of a natural person which allows direct or indirect identifiability. Sensitive personal data has been defined as financial data, biometric data, positive additions such as religious and political beliefs, caste, intersex/transgender status, and official government identifiers like PAN etc.
But the data protection bill is still at the draft stage, and in its absence it is unclear how efficient and stringent the IT Act would be in preventing and punishing misuse of the data. What is also alarming is that not enough awareness or information was passed on to the user when this service came into being, which also means there hasn’t been much consultation with consumers.
Another worry is data triangulation, which is adding the different data sets of an individual to get comprehensive information on him/her. The Transport Ministry’s policy clearly warns that the merging of disparate datasets is harmful to individual privacy and places the onus to refrain from doing so on the organisation purchasing the data, but it lists no active measures that the government will take to make sure this does not happen.
All in all, there is a case for further deliberations, especially when prima facie there is a for-profit transaction taking place between the government and private enterprises, with users, whose data is being traded, seemingly having no control or say in anything.