The National Testing Agency (NTA) which is introducing facial recognition for verification of candidates sitting for entrance examinations like Joint Entrance Examination (JEE), National Eligibility cum Entrance Test (NEET), and so on, did not seek a legal opinion before introducing the technology, the autonomous agency told MediaNama in response to a Right to Information request. It also did not provide a direct answer to whether it conducted a privacy impact assessment for the project.
Question: Please state whether any legal opinion was sought by the National Testing Agency prior to procurement of the said facial recognition system
NTA: No, there was no such requirement
The introduction of facial recognition technology at exam centres is going to affect millions of students since India does not have robust laws in place to regulate the use of such technologies which deal with sensitive data. The Personal Data Protection Bill, which would address such concerns, is yet to be introduced in the Lok Sabha.
We also asked the NTA whether it had undertaken a privacy impact assessment of the facial recognition project that potentially involves data of millions of students including minors.
MediaNama: Please provide information regarding any privacy impact assessment done before the proposed use of facial recognition system
NTA: Please refer to Tender Document (Clause 11.9) Appointment of Successful Bidders.
NTA’s response on privacy assessment does not hold ground
Before going any further, it is important to note that the NTA floated two tenders recently for the installation of facial recognition technology at the exam centres. While one of the tenders looked into verification of exam candidates, the other was for candidates who will give the exams offline. Apart from the technical specifications, many provisions including the “Appointment of Successful Bidders” section are the same in the two tenders.
Contrary to NTA’s response that Clause 11.9 is the section that talked about ‘Appointment of Successful Bidders’, the tender actually showed that it was Clause 10.9. Now let’s see what it exactly says (or whether it says anything) regarding conducting a privacy impact assessment.
The selected bidder will be responsible for providing secure systems. The selected bidder is expected to adhere to Information Security Management procedures as per acceptable standards with best practices. The selected bidder shall be responsible for guarding the Systems against virus, malware, spyware and spam infections using the latest Antivirus corporate/Enterprise edition suites which include anti-malware, anti spyware and anti-spam solution for the entire system. The vendor shall have to maintain strict privacy and confidentiality of all the data it gets access to – National Testing Agency in both tenders (emphasis supplied)
This essentially shifts the entire responsibility of protection of data to the vendor and does not talk about conducting a privacy impact assessment.
What does the draft PDP Bill say about privacy assessment?
According to the draft Personal Data Protection Bill, a data protection impact assessment should contain—
- Description of the proposed processing operation; the purpose of processing and nature of personal data being processed
- Assessment of potential harm that may cause the subjects
- Measures of removing, minimising, managing risk of harm
When the NTA’s clause and the PDP Bill provision on privacy assessment are juxtaposed, it implies that the NTA failed to take up a privacy/data protection assessment.
‘Confidential information, cannot be disclosed’
MediaNama also asked NTA to provide details of persons or organisations authorised to operate and use facial recognition technology; to which it replied, “The details of the persons or organizations authorized to operate and use facial recognition technology cannot be made public by the National Testing Agency.” The tender does not specify how the data is going to be stored, whether it is going to be used by third parties, and if so, how the data is going to be used.
The NTA also declined to provide information regarding databases that the NTA is using for matching the photographs/videos obtained through the facial recognition system. “Information sought is confidential in nature, cannot be provided,” the agency said.
Facial recognition being brought in for fighting impersonation: NTA
In the two tenders that were floated, the NTA claimed that facial recognition systems and other biometric verification processes were being introduced to thwart impersonation problems. Impersonation in entrance tests such as JEE is not something new and continues to this day.
In 2020, the Assam topper of JEE Main 2020 was arrested for allegedly using an impersonator to sit for the exam. Additionally, the NTA had recently deployed an AI algorithm to detect impersonation and had identified 56 such candidates from the February cycle of JEE Main 2021. Their images matched with some of the 20,000 top-ranked candidates for the exams in 2019 and 2020, a report by the Times of India said.
This proposal coupled with the recent tender floated by the Ministry of Health and Family Welfare (MoHFW) for the introduction of FRT for online examinations conducted by the All India Institute of Medical Sciences (AIIMS), brings a majority of Indian entrance examinations under the ambit of facial recognition.
- Defence Ministry looking to install facial recognition-based attendance at its PSUs
- The COVID-19 Pandemic requires us to reconsider the Internet as infrastructure
- Facial authentication for vaccination not the same as facial recognition: Nandan Nilekani
Have something to add? Post your comment and gift someone a MediaNama subscription.