delhi

Updated: Mar 13, 2019 10:36 IST

On March 8, the government approved a Bulk Data Sharing policy, enabling it to monetise a database of vehicle registration certificates, citing benefits to the “transport and automobile industry”, even as the issue of privacy and data protection looms large over such sharing.

The policy was cleared along with several other decisions as the government sought to finish a lot of business before the parliamentary elections were announced.

The ministry of road transport and highways collects and holds data as part of issuance of vehicle registration certificates (RC) and driver licenses (DL). According to the ministry, at present, the data is shared with specified law enforcement agencies and in addition, data is also shared with automobile industries, banks, finance companies etc., at specified rates for each data set.

According to the policy cleared, organisations requesting the data should be registered in India and be majority (at least 50%) owned by an Indian resident or company. HT has reviewed a copy of the policy.

“It is recognized that sharing data for other purposes, in a controlled manner, can support the transport and automobile industry. The sharing of data will also help in service improvements and wider benefits to citizens and government. In addition, it will also benefit the country’s economy. The prime focus is on delivering simpler, better and safer services to the citizens...,” the policy states.

The data shared will be the vehicle’s registration number and other details (including financing and insurance), and will not have the owner’s name. In all, 28 fields of data for each vehicle will be shared.

However, the policy itself admits that “there is a possibility of triangulation” or matching the data with other publicly available databases to identify. That’s because the Vahan app, also run by the ministry, maps registration details against names.

And names, in some cases, can help track other details, including addresses, e-mails, and phone numbers.

“It is concerning that without firm, legal binding rules through movement of a data protection law more personal information of millions of Indians will be sold. Even basic details of vehicular registration when matched against names of people have immense amounts of information. For instance what is the financial capacity of a person. This measure has not been properly thought out,” said Apar Gupta, executive director, Internet Freedom Foundation.

The transport ministry currently stores data related to licences and registrations in Sarathi and Vahan — the government’s web-based databases of all driving licences and vehicle registrations. The applications are aimed at creating a national repository. The two databases are currently operational in 28 states and UTs across the country.

The transport ministry last Thursday issued a notification mandating universal specifications for driving licences and registration certificates, a move also aimed at making it easier to link the two with the government’s online database.

In addition to the data for sale, “free access to the vehicle’s basic data is available to all the registered users through mParivahan App or through the web portal of the Ministry. The information available shall be restricted to the basic details regarding statutory compliances and the owner’s name. The purpose of this information is to promote statutory compliances and also facilitate individual hiring/ renting or purchase/ sale of vehicles and hiring of drivers,” the policy notes.

According to the policy, all bulk data accessed by the organisation shall be processed/ stored in servers/ data centers residing in India. “The data at any point shall not be transferred/ processed/ stored in a server outside India.”

The policy states that organisations can purchase the data for one calendar year at any time. They will receive the same in four data dumps for each year of the purchase of data.

“The data dump will be provided in respect of the data as on 1st January, 1st April, 1st July and 1st October of each calendar year, which will have data up to last day of the previous month,” it says.

Commercial organisations and individuals seeking bulk data will have to pay an amount of ₹3 core for 2019-20 while educational institutions can use this data for “research purposes” for “internal use only” and pay a one-time payment of Rs 5 lakh for the current financial year.

There will be an annual increase of 5% from FY 2020-21 onwards, as per the policy.

In terms of data protection, the policy states that data in bulk will be released in encrypted format. “The data will be encrypted with the public key of the nodal person of the purchasing organization who will manage the data securely,” the policy states adding that data will be provided on an as-is-where-is basis.

“It is not entirely clear from their policy as to whether personal information of individuals will be shared or not. If it is essentially a data set in bulk which does not have any personal information of individuals and cannot be identified then there are prima facie no significant privacy concerns. They have also shown some cognizance of a possibility of triangulation by which they can combine data sets in order to identify personal details of the individual. As long as there is no possibility of identifying individuals and getting personal information there should not be any issues ,” said Arghya Sengupta, research director, Vidhi Centre for Legal Policy.

Organisations desiring to access data will be required to provide security audit reports and any non-compliance of data loss prevention or handling of sensitive information will result in termination of the contract, the policy to share RC and DL details says.

“Wherever it comes to the notice of the ministry through audit or any other source that the protocol of use of data as prescribed herein has not been followed or has been violated, the person/ agency concerned shall be liable for any action permissible under the IT Act/ any other applicable law besides debarring of such agency from access to this data for a period of three years,” the policy notes.

Some of this data is already shared with some companies.

“At present we share this data with banks, insurance companies, manufacturers and transport companies. There are rates on the bases of each record (individual data). For eg., banks and insurance companies purchase data at ₹50 per record and transport companies and Original Equipment Manufacturers (OEMs) take it at ₹100 per record. We don’t give personalized data to transport companies and OEMs but we do give some personalized information to banks and insurance companies because they use it for authentication. Under the bulk sharing policy we aim to provide anonymized data in bulk to companies, “a senior government official said on condition of anonymity.

The National Democratic Alliance (NDA) government in the railway budget for financial year 206-17 had also announced its plans of monetising the huge pool of passenger data available with the Indian Railways. In October, 2018, IRCTC, railways’ ticketing arm, had issued an Expression of Interest (EOI) seeking offers on its data from private players.

“IRCTC is interested in exploring the revenue potential from its digital assets that are spread across all possible modes by way of advertisement/ marketing/cross selling, promotional mailers/SMS, etc., using modern day techniques. At present, IRCTC with its secured technical and commercial skills, in partnership with service providers has been monetizing its website and mobile app with advertisements through Image captcha, banners and ‘chatbot’ and also by way of Push Notifications, promotional SMS, etc.,” IRCTC had said.