Long overdue protection law still on the back-burner; meanwhile, depts put more of one's personal details online
Surabhi Agarwal & Somesh Jha | New Delhi October 29, 2013 Last Updated at 00:49 IST
It was in 2010 when the central government decided to institute a legal framework on privacy. This was in the wake of increasing data collection by both government and corporate agencies. Concerns had mounted in the wake of projects such as the National Population Register, Aadhaar and the National Intelligence Grid.
Over three years and hundreds of consultations later, several drafts of the proposed Bill were written and rejected, and at least two committees have given recommendations. However, the law has not seen the light of day. Meanwhile, citizen data digitisation is moving at a pace like never before in the country.
Business Standard had reported on October 28 about how an investigation revealed that several states and central departments might be, unwittingly, following a bare-it-all approach in posting citizen data online in order to push the government's agenda of greater transparency and accountability. While the Centre's National Rural Employment Guarantee Scheme puts out full bank account numbers of its beneficiaries, government website of Uttar Pradesh has put out full details of ration card holders, including annual income along with address and information about members of the family. By putting such sensitive information online, the government could be jeopardising the privacy of its 1.2 billion citizens, who stand exposed to a variety of risks, including those of 360-degree profiling and financial frauds. (INFORMATION DELUGE)
According to government officials, the department of personnel and training has finished compiling the final draft of the privacy legislation, now awaiting approval from the prime minister; the department is under him.
"In the absence of a privacy Bill, the only data protection, pseudo, is through Section 43A of the Information Technology (IT) Act. Unfortunately, that is not a data protection law; it is only a data security provision," said Sunil Abraham, executive director of the Centre for Internet and Society.
Pavan Duggal, a Supreme Court lawyer and cyber security expert, said India needs more security while collecting data and "currently a lot of these websites don't have these security layers". Take for instance, the website of the chief electoral officer of New Delhi. Type a person's first or last name and select the constituency - the website throws up the details of all people with this name, along with all the details such as address and voter identity number. According to officials of the Election Commission, the searchability feature helps in easy access of voter details by people themselves or by interested political parties. "There has been no evidence to prove its use otherwise," an official of the EC told Business Standard.
However, experts said otherwise. Abraham said the electronic version of the electoral roll has a unique identifier, the voter ID number. "And, if there are other databases with the same identifier, a comprehensive profile of a citizen can be created." He added, at the moment, we are saved from 360-degree profiling to some extent, since there is no common identifier.
Once a privacy law comes into being, the government or a private agency will have to adequately inform citizens before collecting data, stating the reasons and only collecting as much information as is necessary for the purpose. It will also have to clearly define the time period for which the data will be stored and the security measures taken to protect it from misuse. The law also lays down the penalties in case of a breach.
Though in a less detailed manner, the current IT Act also addresses some of these issues. It defines anything which reveals financial information, biometric, health and medical records, etc, as sensitive financial information which cannot be put in the public domain.
However, experts said the government is lax in even enforcing the existing laws. To be fair, some states and departments have started being prudent about the data they put online. For instance, the state government of Chhattisgarh, a trend setter in effectively implementing the Public Distribution System, doesn't reveal much in terms of citizen information that can identify a person or can be termed as a breach of privacy. Similarly, Odisha and some northeastern states have put in a layer of security which creates some deterrents while using common keywords to search the electoral roll and create a profile of residents in a particular locality.
However, for now, most departments stuck in the tradeoff between privacy and transparency find solace in pointing fingers at contemporaries who might have also put "more sensitive and dangerous" citizen details online. The blame game doesn't end.
PRIVACY PRINCIPLES
Recommendations of the A P Shah Committee*
ACCOUNTABILITY
* A data controller to give notice before collecting personal information, state its purposes, whether it would be disclosed to third parties and the security measures taken
CHOICE AND CONSENT
* Individuals to get choice as to what information can be shared, empowering them to approve and authorise collection and usage
DISCLOSURE OF INFORMATION
* Personal information would not be disclosed to third parties without notice
COLLECTION LIMITATION
* Only necessary data required for the purpose would be collected; reduces possibilities of misuse
PURPOSE LIMITATION
* Data collected should be adequate and relevant to the purposes for which these are processed
* Ensure personal information is retained only as long as it is necessary
SECURITY
* Reasonable security safeguards against any reasonably foreseeable risks, including unauthorised access
Over three years and hundreds of consultations later, several drafts of the proposed Bill were written and rejected, and at least two committees have given recommendations. However, the law has not seen the light of day. Meanwhile, citizen data digitisation is moving at a pace like never before in the country.
Business Standard had reported on October 28 about how an investigation revealed that several states and central departments might be, unwittingly, following a bare-it-all approach in posting citizen data online in order to push the government's agenda of greater transparency and accountability. While the Centre's National Rural Employment Guarantee Scheme puts out full bank account numbers of its beneficiaries, government website of Uttar Pradesh has put out full details of ration card holders, including annual income along with address and information about members of the family. By putting such sensitive information online, the government could be jeopardising the privacy of its 1.2 billion citizens, who stand exposed to a variety of risks, including those of 360-degree profiling and financial frauds. (INFORMATION DELUGE)
According to government officials, the department of personnel and training has finished compiling the final draft of the privacy legislation, now awaiting approval from the prime minister; the department is under him.
"In the absence of a privacy Bill, the only data protection, pseudo, is through Section 43A of the Information Technology (IT) Act. Unfortunately, that is not a data protection law; it is only a data security provision," said Sunil Abraham, executive director of the Centre for Internet and Society.
Pavan Duggal, a Supreme Court lawyer and cyber security expert, said India needs more security while collecting data and "currently a lot of these websites don't have these security layers". Take for instance, the website of the chief electoral officer of New Delhi. Type a person's first or last name and select the constituency - the website throws up the details of all people with this name, along with all the details such as address and voter identity number. According to officials of the Election Commission, the searchability feature helps in easy access of voter details by people themselves or by interested political parties. "There has been no evidence to prove its use otherwise," an official of the EC told Business Standard.
However, experts said otherwise. Abraham said the electronic version of the electoral roll has a unique identifier, the voter ID number. "And, if there are other databases with the same identifier, a comprehensive profile of a citizen can be created." He added, at the moment, we are saved from 360-degree profiling to some extent, since there is no common identifier.
Once a privacy law comes into being, the government or a private agency will have to adequately inform citizens before collecting data, stating the reasons and only collecting as much information as is necessary for the purpose. It will also have to clearly define the time period for which the data will be stored and the security measures taken to protect it from misuse. The law also lays down the penalties in case of a breach.
Though in a less detailed manner, the current IT Act also addresses some of these issues. It defines anything which reveals financial information, biometric, health and medical records, etc, as sensitive financial information which cannot be put in the public domain.
However, experts said the government is lax in even enforcing the existing laws. To be fair, some states and departments have started being prudent about the data they put online. For instance, the state government of Chhattisgarh, a trend setter in effectively implementing the Public Distribution System, doesn't reveal much in terms of citizen information that can identify a person or can be termed as a breach of privacy. Similarly, Odisha and some northeastern states have put in a layer of security which creates some deterrents while using common keywords to search the electoral roll and create a profile of residents in a particular locality.
However, for now, most departments stuck in the tradeoff between privacy and transparency find solace in pointing fingers at contemporaries who might have also put "more sensitive and dangerous" citizen details online. The blame game doesn't end.
PRIVACY PRINCIPLES
Recommendations of the A P Shah Committee*
ACCOUNTABILITY
* A data controller to give notice before collecting personal information, state its purposes, whether it would be disclosed to third parties and the security measures taken
CHOICE AND CONSENT
* Individuals to get choice as to what information can be shared, empowering them to approve and authorise collection and usage
DISCLOSURE OF INFORMATION
* Personal information would not be disclosed to third parties without notice
COLLECTION LIMITATION
* Only necessary data required for the purpose would be collected; reduces possibilities of misuse
PURPOSE LIMITATION
* Data collected should be adequate and relevant to the purposes for which these are processed
* Ensure personal information is retained only as long as it is necessary
SECURITY
* Reasonable security safeguards against any reasonably foreseeable risks, including unauthorised access
