We met Sulekha (name changed) in a village in Uttarakhand. She was talking about the information she considered most important to her: Her ration card, Aadhaar card, NREGA [National Rural Employment Guarantee Act] job card and her phone number. When asked how much she would sell this information for, she visibly withdrew saying she did not want any money for it. What would she need to share this information? A guarantee that it would not be misused.

Sulekha was one of the 50 people–30 men and 20 women–surveyed as part of a qualitative study across Maharashtra, Uttarakhand, Tamil Nadu and Delhi to understand how Indian citizens think and act on their privacy and data protection. Equal number of respondents were chosen from urban and rural areas.

Contrary to common perception, people in India care deeply about their personal data and privacy, our conversations in the field revealed. Individuals asserted their right to have their personal information treated responsibly, and indicated clear and strong preferences for a system that provides them agency and control over their data.

The study–which used what is called “human-centred design (HCD), a method that gauges not just what people say but how they think, act and feel–was conducted by the Future of Finance Initiative at Chennai’s Dvara Research, in partnership with Dalberg Design, and the Consultative Group to Assist the Poor, a global partnership for financial inclusion.

The Methodology: HCD research uses in-context observation and in-depth interviews to gather diverse perspectives, often looking for ‘extreme users’ who amplify certain needs. These needs, we found, are also needs often experienced by the wider population, who however are not able to articulate it. For example, by interviewing an illiterate person, we arrive at the conclusion that consent needs to be more verbal, graphic- or video-based, and we found that even those who are literate favoured such solutions. To consolidate the views, we grouped similar ideas/quotes together under specific themes. These formed the basis of insight--what people said, how they responded to different activities etc. The insights are a synthesis of different quotes, observations, expert views, literature etc. We were also mindful to highlight the nuances. For example, while everyone valued it equally, and some were willing for it to be used for common good (such as de-duplication), others felt it could be a form of surveillance.

The Methodology: HCD research uses in-context observation and in-depth interviews to gather diverse perspectives, often looking for ‘extreme users’ who amplify certain needs. These needs, we found, are also needs often experienced by the wider population, who however are not able to articulate it. For example, by interviewing an illiterate person, we arrive at the conclusion that consent needs to be more verbal, graphic- or video-based, and we found that even those who are literate favoured such solutions. To consolidate the views, we grouped similar ideas/quotes together under specific themes. These formed the basis of insight--what people said, how they responded to different activities etc. The insights are a synthesis of different quotes, observations, expert views, literature etc. We were also mindful to highlight the nuances. For example, while everyone valued it equally, and some were willing for it to be used for common good (such as de-duplication), others felt it could be a form of surveillance.

The results:

Respondents were surprised that service providers could share their personal information with third parties, and wanted to be informed of such sharing.

People were also sensitive about sharing their personal data such as photos, messages and browsing histories—even with their family—and were unwilling to sell certain types of personal data like their telephone numbers.

Even data that they were willing to share in order to receive services came with conditions. People wanted to know how their data were handled. They also, much like Sulekha, wanted an assurance from providers that no harm would come to them through the use of their data.

Many interviewees recognised their inability to understand terms of data sharing by service providers and wanted more visual forms of consent that they could easily understand without relying on others.

Most interviewees had experienced fraud–especially via phone impersonators–and did not know how to protect themselves or seek redressal. Women, in particular, were highly vulnerable to reputational harm, and self-censored themselves (for example, by not sharing phone numbers or photos) to protect themselves.

Although most interviews trusted the government and its institutions, people working in government institutions were not trusted with personal data–unless the employees came from the same community group or geographic area. Agents of banks and mobile network providers were also recognised as common perpetrators of illicit disclosures of personal data.

In cases where harm was caused to them as a result of a data breach, the respondents wanted easy access to seek redressal, and wanted to be compensated fully.

A version of this story was first published here.

With inputs from Priti Rao, Dalberg India.

(Chugh, Aggarwal and Raghavan are part of the Future of Finance Team at Dvara Research.)

We welcome feedback. Please write to respond@indiaspend.org. We reserve the right to edit responses for language and grammar.