You are reading it here first: The Maharashtra government is planning to introduce a unique, unified ID for its residents that would provide a “360-degree view of its citizens” by merging databases managed by various departments under several government bodies.
Over 56 databases, across 377 government bodies, including Maharashtra Aadhaar, Maharashtra State Police, Health, Education, and Finance departments, will be ‘participating’ in the creation of this unified database providing 360-degree profiles of the state’s residents. These profiles will also include a ‘golden record’ of each citizen consisting of details such as their names, caste, employment details, and more.
These details were revealed in a tender floated by the Maharashtra government for appointing a system integrator who will “design, deploy, and maintain a data integration and data exchange platform called the Maharashtra Unified Citizen Data Hub (MH-UCDH). It is through the MH-UCDH that the unique ID will be created for every citizen.”
“MH-UCDH shall host citizen’s demographic information and deliver a master record of the citizens through entity resolution and surviving record identification. It must also create a unique identification number for the master record and manage changes to citizen data received from departmental databases, keeping the master data record up to date. The unique identification should be available to all the departmental databases through API / Webservices. The unique identification number should also be augmented with a household identification number, which will be a unique record of all the households, with contributing citizen records for the household.” — State government tender
Although the Maharashtra government claimed that this would help in devising citizen-centric policies and targetted delivery of state benefits, MediaNama spoke to various experts who pointed out that there could be privacy concerns around such a database especially since India still does not have a data protection law in place. Supreme Court advocate Vrinda Bhandari said that 360-degree profiles would enable surveillance and could have a disproportionate impact on persons belonging to marginalised communities. MediaNama reached out to Shiv Sena MP Priyanka Chaturvedi with queries in this regard, but we are yet to receive any response.
Dear reader, we urgently need to build capacity to cover the fast-moving tech policy space. For that, our independent newsroom is counting on you. Subscribe to MediaNama today, and help us report on the policies that govern the internet.
What data will feature in a citizen’s Golden Record?
The tender defined Golden Record as “a unique record created for an individual which will facilitate as a unique identifier to identify, track, etc. an individual / entity across various databases available with the Government of Maharashtra and Government of India.”
This Golden Record will consist of (but won’t be limited to) the following attributes of a state resident:
- ID
- Name
- Village
- Taluka
- Address
- Date of birth
- Place of birth
- Educational Qualification Details
- Marital status
- Number of children
- Income
- Family income
- Father’s ID
- Mother’s ID
- Family Details
- Caste
- Bank Account Details
- Land Ownership Details
- Vehicle Ownership Details
- Tax status
- Employment Details
- Ration card number
- Ration card type
- Ration eligibility
- PAN Card Number
- Driving License Number
- Other Government ID Details
- Other personal attribute (social/medical/physical/economic)
- Asset Details
“This record, its attributes must serve as a single source of truth. This record will help information systems that support outreach, intake, registration, and determination of potential eligibility for one or more social programs also known as Social Registries,” the tender read.
Master database to be integrated with Vahaan, Census data
Through the unique ID, the Maharashtra government will maintain a master data repository of citizens in every household and maintain the changes. “This Master Data is also expected to host information related to citizen’s asset holding through integration not limited to IGRS, Vahaan, Census of India etc. and other association with the state,” the tender said. These third-party databases are to be integrated with each other using APIs, it added.
The following databases will also be up for integration with the master database, as per the tender:
- Aadhaar, Maharashtra
- General Administrative Department
- Directorate General of Information and Public Relations
- Maharashtra Public Service Commission
- Maharashtra State Police
- Maharashtra City and Industrial Development Corporation
- Industries Department
- Maharashtra State Mining Corporation
- Maharashtra Industrial Development Corporation
- Maharashtra State Khadi and Village Industries Board
- Maharashtra State Road Development Corporation
- Agriculture, Animal Husbandry, Dairy Development and Fisheries Department
- Rajiv Gandhi Science and Technology Commission
- Revenue Department
- Mahabhulekh
- Inspector General of Registration
- Pre-matric Scholarship for Minority Students
- Maharashtra State Secondary and Higher Secondary Education Board
- School Education and Sports Department
- Urban Development Department
- Finance Department
- Public Sector Undertaking Reporting System
- Nivruttivetanwahini
- Directorate of Local Fund Accounts Audit
- Medical Education and Drug Department
- Directorate of Aayush
- Rural Development and Panchayat Raj
- Directorate of Economics and Statistics
- MahaMudra Portal
- Social Justice and Special Assistance Department
- Mahatma Phule Backward Class Development Corporation
- Aam Aadmi Bima Yojna
- Maharashtra State Handicap Finance Development Corporation
- Other Backward Class Development Corporation
- Vasantrao Naik Vimukta Jatis and Nomadic Tribes Development Corporation Ltd
“Historical social benefit data is presently not expected to be integrated, however may be required to do so on request by State departments. Upon citizen consent the data will be shared through an API to approved departments for their social welfare purposes,” the tender stated. The Unique ID shall be used for internal consumption only and is not expected to be shared with citizens through a chip / biometric card presently, it added.
Citizen data portal to have analytics for fraud detection in schemes
Aadhaar authentication required: As part of the tender, the appointed system integrator will have to develop the MH-UCDH portal through which citizens can apply for various social welfare schemes like scholarships, loan waivers, disaster funds, and so on. “The citizens while applying to a social welfare scheme shall provide KYC details including Aadhaar authentication and other documents as required to determine their eligibility,” it read.
MH-UCDH portal should be capable of finding fraud: This portal should also have analytical capabilities, which would allow the department “to better understand entity demographic profile and overlay targetted rules to find fraud in sub-groups,” the tender said. Through analysis, the state expects to detect fraud by “finding suspicious activity before funds are lost” and also by “reducing operational costs by eliminating false positives”.
MH-UCDH portal should track mismatched DBT from bank accounts: “Any Direct benefit Transfer (hereinafter referred to as “DBT”) process may encounter multiple scenarios of internal leakages and financial abuse like siphoning of funds by employees in collusion with beneficiaries and other authorities. The Purchaser would like to curb losses due to such activities too. The solution should be able to track the DBT process for mismatches in debits and credits from and to bank accounts,” the tender read.
What else should the analytics-based portal do?
- Detect abnormality in registrations of the beneficiaries with respect to locations, agencies, and CSCs
- Expedite processes by reporting gaps in payments and disbursements to eligible beneficiaries
- Understand pendency in payments and alert the state departments about the level where payments are stuck
- Alert duplicity in registrations
Use of analytics to uncover ‘hidden relationships’
“Network Analysis should use demographic data to build links between entities and uncover the hidden relationships that exist within a dataset and should automatically generate networks (groups of entities linked based upon their relationships with each other),” the tender said.
Here are the other advanced analytics requirements sought by the Maharashtra government to identify relationships:
- Solution should help to visualise a complex network of relationships between entities – such as people, places / locations, things, and events over time and across other multiple dimensions.”
- “Solution should help to identify entity relationships that are not obvious, traverse and query complex relationships, and uncover patterns and communities interactively.”
- “Solution should support identification of associations (owner relationship to others, relatives/friends of owners etc.) across n- levels, through matching PAN, names, addresses etc
- Solution should allow identification of localities/ regions where high numbers of anomalies are detected
System must be secure from all unauthorised access
“The Project envisages a high degree of security control to ensure the data, which includes the entire state’s citizen Personally Identifiable Information (hereinafter referred to as “PII”) along with financial data is secure from all unauthorized access. The bidder should include the required security related services and solutions to secure the application and supporting infrastructure,” the tender said.
The Maharashtra government proposed a few services that would aid in securing the platform —
- Security Operation Center (SOC) services: The Maharashtra government said that the SOC Services center should provide IT security long monitoring service by leveraging AI/ML technologies.
- Detect information security threat and prevent breach: “The SOC should be able to detect advanced security threats, patterns, abnormalities targeting the Purchaser’s infrastructure and prevent breach. The service should have below capabilities but not limited to, Security Analytics, Monitoring and Feeds services, Threat Hunting, Incident Analysis and Response, Detect Unknown attacks, blind spots and deep detection,” the tender read.
- Incident response and management: The service should be able to automate incident response. IT should have capabilities to report, log security incidents and track them to closure, the tender read.
- Vulnerability Management Services: “The SI shall be required to perform complete security assessment of the Purchaser’s infrastructure using their own tool by deploying skilled resources remotely / onsite. Few mandatory assessments, but not limited to, Vulnerability Scan, Network Penetration Test, API / Application Penetration Test, Secure Code Review. The SI needs to perform the assessment once a year,” it read.
- Designing data governance and protection framework: The tender said that the system integrator should develop Data Classification Guideline/Procedure documentation for complete data lifecycle and reviewing existing IT policies and procedures.
“The framework should provision data masking of sensitive / PII data of the citizens. The framework at a minimum should be aligned to Data Protection in India, Aadhar Act 2016 including any forthcoming laws/guidelines (Personal Data Protection Bill 2019) from Central or State Government authorities and others,” it read. - Security audits requirement: The tender said that the SI should perform risk assessment and secure network architecture assessments as per CERT-IN guidelines.
Citizens should be able to revoke consent for sharing personal data
On the MH-UCDH portal, the Maharashtra government has sought the integration of various APIs for data capturing, validation, consent management, and data synchronisation. The tender said that a consent management API should:
- Allow citizens to provision and revoke consent of sharing personal data to departments.
- Record all user details, the device IP, and timestamp while saving consent for any of the services.
- Integrate with the MH-UCDH portal to save/retrieve all the citizen consent data.
Additionally, a data exchange API, will be used for exchanging data from the repository with departmental users, the tender said. “The data would be shared based on the authorisation and the consent given by citizens,” it added.
Why does the government need 360-degree profiles of residents?
“At present, the Maharashtra Direct benefit Transfer (hereinafter referred to as “MahaDBT”) Portal is used by the Government of Maharashtra to transfer benefits and subsidies of various social welfare schemes like scholarships, loan waiver, agricultural facility development support, etc., directly into the bank account of the beneficiary. However, there is no platform wherein data is readily available for purpose of scheme planning and beneficiary identification. Aadhaar seeding has ensured that nobody else can claim the share of benefits by impersonating a beneficiary,” the tender read.
The tender outlined the following challenges with the existing process used by the MahaDBT portal:
- Processes primarily cater to scholarship and farmer schemes.
- “360-degree view of the beneficiary is not available”
- “360-degree view of state social benefit system is not available”
- Lack of facility to analyse for planning / administering social benefit schemes effectively, the tender said.
- Historical data and analysis of payouts made before linking of Aadhaar data is not available.
- Household-based analysis of payouts made to members of the household is not available.
- “The portal has maintained records of only registered citizens – and not an exhaustive database of all eligible residents of the State.”
- The portal data primarily pertains to individuals and not organizations, said the tender.
- “There is a possibility of leakages on account of a unified data hub architecture being employed.”
360-degree profiles enable vast surveillance
Yet another system to facilitate surveillance: “The creation of a 360-degree profile of citizens is reminiscent of the State Data Resident Hubs that had been established in various states and were reportedly dismantled as per the government’s submissions to the Supreme Court during the Aadhaar hearings. Creating 360-degree profiles enables vast surveillance and can have a disproportionate impact on persons belonging to marginalised communities. According to the government, Aadhaar was the answer to the problem of fraud detection in benefit delivery. Where is the question then to establish another system that will facilitate surveillance and perform a similar function to Aadhaar? Concerns of surveillance in India are not hypothetical, particularly given the lack of transparency and accountability in the surveillance architecture and the fact that we still do not have a data protection law,” said Vrinda Bhandari, advocate at the Supreme Court.
The impact on citizens’ privacy: “MH-UCDH, is a unique number that helps tie together several different aspects of a Maharastra citizen’s life (the welfare/subsidies they require, their health, their financial records, educational qualifications, etc) without also providing them means to authenticate or prove their identity (as Aadhaar does). A policy measure such as this, that impacts a citizens’ privacy to this extent and serves no purpose other than surveillance, is clearly diluting the right to privacy granted to every Indian resident,” Shruti Trikanad, a Programme Officer working on digital identity projects at the Centre for Internet Society told MediaNama.
Golden Record data is excessive: “The data sought to be collected for the “golden record” is also excessive, has grave implications for discrimination (caste, medical attributes, etc) and would not meet any criteria required to pass the Puttaswamy test. Much of this information is also sensitive personal data, which requires additional protection,” Trikanad added.
Will the project stand the test(s) of the Puttaswamy judgement?
More details required from the government: “Much more details are needed about the project to make a definitive assessment vis a vis the Puttaswamy judgement but suffice it to say that per se linking databases within government would not amount to a breach of privacy. While misuse is always possible, it is hard to define what is misuse in the absence of a concrete data protection law. That said, it will still need much more clarification from the government as to what it intends to do with this data, who will have access to it and how that will be controlled,” Alok Prasanna Kumar, Co-founder and Lead of Vidhi Karnataka said.
“Obviously tracking your daily movements would be surveillance if you haven’t consented to it but simply collecting an individual’s phone number and address would not be. Whether one finds this database problematic depends on one’s situation. If, like me, one is privileged enough not to need the state for most things in life, I would find this very problematic and worrisome. If on the other hand, you’re someone who depends on the state for basic needs of life, realising that the state knows you exist can be a huge relief because it means you don’t have to prove your existence to avail every new scheme that comes up. Personally, I would like to see much about this plan, including the legal framework around this before I conclude anything definitively about its legality.” – Alok Prasanna Kumar
Data collected would be disproportionate: “In this case, if the goal is to have a “360-degree profile” of citizens, then it would most likely fail this part of the test, since that is not a legitimate aim. The other aim mentioned of reducing “fraud, corruption, waste, or abuse of the benefit delivery system” is not sufficient to prove an aim, unless it is also shown that there was prevalent fraud/corruption in the welfare delivery system that will now be addressed by unifying the databases, and could not be addressed in any other way,” Trikanad said.
“For instance, when evaluating the Aadhaar program, the Govt. had claimed that identity fraud by beneficiaries was leading to supplies leaking out of welfare programs, and therefore the Aadhaar “unique” ID system was implemented to ensure that subsidies/benefits reach only the beneficiaries (this was widely disputed by petitioners in the case, but this is what the court ultimately accepted so the example is still relevant). In this case, even if the Maharashtra State was able to show a pressing need for this unified system, it will likely fail the very last tests, since this “360- degree profile” created of citizens, along with the excessive data collected, is severely disproportionate to such a goal.” — Shruti Trikanad of CIS
“In absence of a data protection law, such policies can be a recipe for disaster. Citizen’s data is crucial and it needs proper safeguards even against the government that has to be implemented before we start thinking about digital ids,” Radhika Jhalani, Volunteer Legal Counsel, SFLC.in told MediaNama.
How would a data protection law help?
Trikanad explained that a data protection law would have many applications over and above the law that implements the MH-UCDH portal. She said that it would:
- Create rights for citizens with respect to accessing, correcting, and deleting their data
- Require the government body to clearly define what use the data will be put to, who will access it, etc.
- Require relevant notifications to citizens about their data
- Require data impact assessments to be done before implementing such a system
- Have in place recourse systems in case of any unauthorised use of data
“But perhaps most importantly it would set up a layer of accountability for the administrator of the MH-UCDH, through the establishment of a data protection authority,” Trikanad said. “This authority would have the jurisdiction to hold the administrator of the MH-UCDH for any unauthorised use of data or any other violation of the data protection standards set. In the absence of a data protection law, citizens only have a fundamental right to privacy that they can take resort to, in case of any violations (and the grievance redressal system set up by the MH-UCDH law, if any),” she added.
The similarities with Telangana’s Samagra Vedika: In 2014, the Telangana government conducted the Samagra Kutumba Survey, an integrated household survey. Based on the data collected through this exercise, the Telangana government created Samagra Vedika, a project under which the state collected data and integrated it across various departments.
IT and Industries Principal Secretary Jayesh Ranjan had told MediaNama that Samagra Vedika, was an algorithm to obtain information from several databases, rather than being one master database itself. Ranjan said that Samagra Vedika has the power to query from more than 30 department databases (like the treasury, tax, GST, RTA and more) to create a “360 degree view” of virtually any citizen. He also assured us that Samagra Vedika was accessible only to employees of his department, and that there were “checks and balances” that govern this access.
Tamil Nadu too has a similar database: The State Family Database (SFDB), a mammoth e-governance project was announced by the state government in January 2019. SFDB is a data integration and exchange platform that is envisioned to be an all-in-one database used across different departments of the state government to maintain records of various kinds. For example, SFDB can be used by the Department of Revenue to maintain land records pertaining to a citizen and by the Department of Higher Education to maintain education records of the same citizen. Currently, fifteen state departments are expected to participate in this project and each can have its own application and associated database.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
Also Read:
- Tamil Nadu’s all-in-one database for e-governance: State Family Database
- Haryana’s Family ID Is An Aadhaar Redux, And A Massive Data Collection Exercise
- Health Ministry Permits ‘Voluntary’ Aadhaar Authentication For Creation Of Unique Health ID
- Supreme Court Dismisses Aadhaar Review Petitions, With Justice Chandrachud Dissenting
- Election Commission To Start E-KYC For Voter IDs, As Government Considers Linking Aadhaar To EPIC
Have something to add? Subscribe to MediaNama here and post your comment.
