wordpress blog stats
Connect with us

Hi, what are you looking for?

Ministry of Road Transport and Highways’ Bulk Data sharing policy allows it to sell Drivers License and Vehicle registration data

The Ministry of Road Transport (MoRTH) and Highways has released a Bulk Data Sharing Policy & Procedure in which it states who can buy bulk vehicle data of Registration Certificates (RCs) and Driving Licenses (DLs), what it can do with it and how much the data will cost. MoRTH says that it shares data with enforcement agencies, automobile industries, banks, finance companies etc at specified rates for each data set.

Note that the ministry did not hold any public consultations before releasing this policy, neither does it go into specific details about the need for it, the demand, or how it will ensure that the privacy of individuals is conserved. 

On the need for the policy, MoRTH says that “It is recognized that sharing this data for other purposes, in a controlled manner, can support the transport and automobile industry… help in service improvements… benefit the country economy. (sic) There has been growing demand to share the data for wider benefits.” (Note: does not specify the ‘wider benefits’.)

However, it also adds that the ministry is not in a position to “ensure the sanctity of the data which would be made available on “as-is-where-is” basis” due to to the digital and analog divide of the available data.

“Free access to the vehicle’s basic data is available to all the registered users through mParivahan App or through the web portal of the Ministry…. The purpose of this information is to promote statutory compliances and also facilitate individual hiring/ renting or purchase/ sale of vehicles and hiring of drivers.”

Who is eligible to buy bulk data

  • The company should be India registered with at least 50% Indian resident or Indian company ownership
  • All bulk data it accesses should be processed, stored in data centres and servers in India, and cannot be transferred to servers outside India
  • The Analytics firm (unclear if MoRTH means the same “company” buying the bulk data or otherwise) “should submit a security pre-audit report from Cert-In empaneled security auditor. The report should ensure that:
    (i) Proper access control mechanism is in place. Information is maintained about any individuals accessing the data. (Note: The Ministry does not specify how this should be done.)
    (ii) Audit logging of all access of the data is maintained.
    (iii) All data is maintained in central location in a secure manner and is accessed through an application over LAN or WAN over secure channel.
    (iv) The application shall be free from top 10 OWASP vulnerability.
    (v) Data Loss prevention mechanism shall ensure the following:
  1. Monitor and block data transfers – Monitor, control and block any sensitive data being transferred from the data processing organization network. This includes e-mails, files, browser any application etc. This is to be achieved through content & context aware protection.
  2. Cross Platform security – Through policies to be ensured that sensitive data is not residing in desktops running over Windows, Linux or Mac OS. Discover any such information, which shall be deleted or encrypted.
  3. End Point Protection – Protection of data in all forms of end-points either desktops, laptops, mobile devices against loss and theft.
  4. Device Control – Through policies control and set rights for removable devices and ports at the endpoints.
  5. Audit trail & activity logger – Maintain activity report to ensure that data is not being leaked.
  6. The DLP shall be achieved through deployment of proper solution (software & hardware) in the organization while handling the data. All sensitive data to be in encrypted format while stored in disk and only to be decrypted while accessed through proper mechanism.

The price of bulk data

Companies can buy data for one calendar year at any time – this data will be provided in 4 data dumps on 1st January, 1st April, 1st July and 1st October of each calendar year. These dumps will have data up to last day of the previous month.

  • Bulk data will cost Rs 3 crore for FY 2019-20.
  • “Educational institutions can use this data only for research purposes for internal use only and would be provided the bulk data one time on payment of an amount of Rs 5 lakh only for the FY 2019-20.”
  • Educational & Research institutions using the data for any commercial purposes will pay Rs 3 crore for FY 2019-20.
  • “There shall be an annual increase of 5% from the FY 2020-21 onwards.”

How the data will be provided

  • Data in bulk will be released in encrypted format.. with the public key of the nodal person of the purchasing organization who will manage the data securely.
  • Data will be provided on as-is-where-is basis. No claims will be entertained in case some information/data is found to be missing.”
  • Companies wanting the data will have to provide a “security audit report”. The company has to “make sure the integrity of the data and security of data is protected. Correct use of data, including restrictions on de-anonymizing, is strictly enforced through proper access control.” “Any non-compliance of Data Loss prevention or handling of sensitive information will result in termination of the contract.
  • “The second quarter of data will be provided after receipt of security audit compliance report for the past data.
  • All Data provided will be non-transferable and cannot be re-sold on as-is or record basis. However, organization can sell analytics reports, forecasting, any other reports based on this data.

There is possibility of ‘Triangulation’ (matching different data-sets that together could enable individuals to be identified and their privacy compromised). It is the responsibility of the organization that any such activity, which result in identifying individuals using the RC data-set, shall not be undertaken.

  • MoRTH by itself or through its authorized agency reserve the right to carry out inspection/audit at any time on how data is stored and accessed and associated security controls built into the system. Intimation for any such inspection will be provided at least one week in advance.
  • All non-compliances raised in security audits or inspections shall be closed within a week of raising of such non-compliances.”

Consequences of misuse of data

The person, agency or company “shall be liable for any action permissible under the IT Act/ any other applicable law besides debarring of such agency from access to this data for a period of three years.”

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.

Views

News

By Rahul Rai and Shruti Aji Murali A little less than a year since their release, the Consumer Protection (E-commerce) Rules, 2020 is being amended....

News

By Anand Venkatanarayanan                         There has been enough commentary about the Indian IT...

News

By Rahul Rai and Shruti Aji Murali The Indian antitrust regulator, the Competition Commission of India (CCI) has a little more than a decade...

News

By Stella Joseph, Prakhil Mishra, and Surabhi Prabhudesai The recent difference of opinions between the Government and Twitter brings to fore the increasing scrutiny...

News

This article is being posted here courtesy of The Wire, where it was originally published on June 17.  By Saksham Singh The St Petersburg paradox,...

You May Also Like

News

While these steps by the social media platform could improve the safety of children online, some of the updates will only be rolled out...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Name:*
Your email address:*
*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ