Update on January 7/1/23 : Lok Sabha member Karti P Chidambaram has written a letter to the Chief Minister of Tamil Nadu M.K Stalin raising concerns over the absence of a legal contract or a tender under which Impact Technologies and the Greater Chennai Corporation have collaborated to collect people’s biometric data. The letter also questions whether data security safeguards have been put in place by the private company to deal with people’s sensitive personal data and to prevent data breaches and identity theft.
The lawmaker highlighted that in the absence of a data protection law, citizens’ data can be potentially misused and this can lead to a violation of their fundamental right to privacy.
Original story published on 2/1/23: Tender rules flouted, citizens’ biometric data in possession of a private firm with no legal framework in place, little to no risk assessment done, and the civic body’s denial of such a data collection exercise in Chennai—these highlights from a report by The News Minute raise concerns about the government’s approach towards people’s data security.
What’s the news?
A private firm in Chennai had been collecting sensitive biometric data of thousands of people to authenticate beneficiaries of a welfare scheme for the Greater Chennai Corporation, but the civic body had no knowledge of such data collection since 2015, The News Minute reported.
The firm Impact Technologies is in possession of personal data such as fingerprints and iris scans of people from socio-economically backward communities, many of whom are also potential beneficiaries of the Resettlement and Rehabilitation scheme of the Tamil Nadu Urban Habitat Development Board (TNUHDB). The News Minute has found that the company was first hired in 2011 for data enumeration under the city’s urban development project and has since then been engaged for the same under several other schemes without any formal contract in place.
The last formal agreement signed with the contractor was in 2015. The report states that the parties involved had not followed the tender process, a usual procedure for governments to engage with private contractors. This, reportedly, violates the Tamil Nadu Transparency in Tenders Act 1998 and The Tamil Nadu Transparency in Tenders Rules 2000.
FREE READ of the day by MediaNama: Click here to sign-up for our free-read of the day newsletter delivered daily before 9 AM in your inbox.
Why is this worrisome?
The data collection activity carried out by the private entity raises concerns of data breach and theft amidst no legal framework laying out the terms and conditions for collaborating with the government. MediaNama spoke to Srikanth L, a data privacy activist from the Cashless Consumer collective, who states that this primarily opens up avenues for misuse of biometric data, particularly identity theft, which is not merely restricted to stealing money from accounts as we have seen in the past.
“Using this raw biometric data, somebody can open a bank account, which can be further used to launder money and engage in other financial crime,” he explains. Additionally, with the Election Commission planning to launch a programme for remote voting, Srikanth says such cases of identity theft can, in future, also result in affected people losing the ability to vote.
In the absence of a formal contract, it is unclear who is to be held accountable in cases wherein the data can be misused. Speaking to The News Minute, Anushka Jain, policy counsel at Internet Freedom Foundation, said, “The entire exercise (of biometric data collection) is happening outside legal constraints that the government could put on the private actor. The private actor has no liability against the government because there is no contract.”
Biometric data is not absolutely safe
While biometric authentication is increasingly being used for purposes other than those including government schemes, the security of such data, including Aadhaar, has been in question for years now. Instances of data leaks and financial frauds including Aadhaar Enabled Payment Systems have exposed the vulnerability of biometric data. However, the government has been denying such data breaches.
At a time when India does not have a data protection law, the conditions for data collection and processing by private and government firms remain unclear, thereby exposing people’s personal data to privacy issues and threats of surveillance without a set remedial recourse.
(This story was updated on 7/1/2023 at 11.40 to include the latest development.)
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
Also Read:
- Aadhaar Now Mandatory For Pension And All Government Schemes In Tamil Nadu
- Chennai Corporation Leaks More Than 30k People’s Personal Data, Including Aadhaar; Patches Issue
- CCE-Andhra Pradesh Leaks Students’ Gender, Caste, Quota, Aadhaar Data On Website
- Haryana Police Bust Gang Stealing Money From Bank Accounts Using Aadhaar Enabled Payment System
- Gujarat Bleeds Biometrics, UIDAI Says Aadhaar Biometrics Secure
