More than a year after the Road Transport Ministry enacted the Bulk Data Sharing policy, it has now decided to scrap it altogether, citing privacy concerns, according to the Economic Times. The policy, released in March 2019, allowed the Ministry to sell Vahan (vehicles registration) and Sarthi (drivers licence) databases to companies, and educational institutions. Banks, insurance companies, and other financial service providers are among the companies that have purchased this database from the government (more on that below). Vahan contains data of 25 crore vehicle registrations, while Sarthi is a 15 crore strong database of drivers’ licenses.
“There is a shift in the policy of this Ministry to publish reports specific to industry or stakeholders requirements, and further that there are issues in sharing of the personal information, it was unanimously decided that the ‘Bulk Data Sharing Policy & procedure’ should be scrapped,” the Ministry reportedly decided during a meeting with NIC and Home Ministry officials. The Ministry has also reportedly decided that it will now share reports generated on analysis of the data present with it, and on the basis of the Personal Data Protection Bill, 2019.
Why the Bulk Data Sharing policy was problematic: Apart from selling the massive database to companies and educational institutions, the policy also allowed the Ministry to share it with law enforcement agencies. The Vahan database includes things like, registration number of vehicle, engine number, model name, dealer’s name, and financer’s name, among other things. The price of the bulk data for FY 2019-20 was decided to be Rs 3 crore for companies, and Rs 5 lakh for educational institutions. Again, as we had earlier pointed out, the ministry had not held any public consultations before releasing this policy, neither did it go into specific details about the need for it, the demand, nor how it will ensure that the privacy of individuals is conserved.
- More so problematically, the ministry had admitted in the policy that there is a chance of “triangulation” (matching different data-sets that together could enable individuals to be identified and their privacy compromised) of this database to identify a person.
Both public and private entities had bought the data: The Ministry had sold vehicle registration and drivers’ license data to several public and private entities. Through an RTI, we found out that as of September 2019, the ministry had sold these databases to 142 entities which include 30 public and private sector banks, 20 logistics solution providers, 19 finance organisations, 18 insurance organisations and 5 automobile manufacturers, and had earned more than Rs 68 crore. Entities such as State Bank of India, Mercedes, ICICI Lombard and Ola had purchased this database.
Scrubbing already sold data can potentially be a big problem: While scrapping the policy altogether is a good move, it isn’t clear how the Ministry will ensure that the data it has already sold to companies will not be misused. As we established earlier, there were 142 entities that had bought this database as of September last year, and there can be more companies who bought it since then.
What about the Parihavan app? The Ministry also has an Android and iOS app, called Parihavan, using which it is possible to know the name of a person, just based on their vehicle registration number. Also, the app allows to see the number of violation tickets a particular vehicle has been charged, again, on the basis of their registration plate alone. The Ministry had said that it will cross out some letters from a person’s name within the app, but that hasn’t been done yet.