As the digital personal data protection bill reaches parliament, majority citizens allege their data has been compromised by Government departments, telcos and banks

August 3, 2022, New Delhi: A data breach occurs when unauthorized individuals are allowed to read data they are not permitted to access. The stolen data can lead to identity theft, which can have several repercussions including financial fraud. Depending on the type of data involved, the consequences can include destruction or corruption of databases, the leaking of confidential information, the theft of intellectual property and regulatory requirements to notify and possibly compensate those affected.

The latest data breach to create ripples has been the breach of COVID vaccination data of the government, which the Ministry of Health and Family Welfare has tried to downplay while directing the Indian Computer Emergency Response Team (CERT-In), the cyber security arm of central government, to probe how data of people registered on the CoWIN portal were​​ freely available on the Telegram app. Given the lack of action following various instances of data leak from various Central and State governments and organisations associated with them, many citizens are talking about penalties and disincentives as the personal digital data protection bill gets presented in the parliament. The breach of data is not just confined to personal information. In August 2022, the government told the Parliament that Indian banks (both public and private) reported the most data breaches between June 2018 and March 2022 in attacks that stole business and personal information leading to frauds amounting to ₹6,861 crore in the first quarter of the 2022-23 financial year. All this shows India urgently needs an improved and strong data protection legislation that can ensure better privacy of personal information.

The central government’s promised legislation to replace the draft Personal Data Protection (PDP) Bill, 2019, which was withdrawn from Parliament in August 2022, is in fact creating more ripples than a sense of security as the draft Digital Personal Data Protection Bill is likely to be placed in parliament with no changes despite a dissent note by member of the Standing Committee on Communications and IT. What is upsetting the opposition members of parliament and activists is that the draft bill expands the scope of information that can be denied on privacy grounds but is vital in the public interest. This denial can range from trying to find out the true beneficiaries of a government supported scheme like PDS or healthcare, children benefiting through scholarship scheme or even information about big loan defaulters.

However, given the citizens’ concern over the breach of personal data in the last several years through various Government and private organisations, LocalCircles through a survey has strived to find out what all information of citizens is easily available in the public domain and whom do they blame for this information being put in the public domain. The survey received over 23,000 responses from citizens located in 309 districts of India. 67% respondents were men while 33% respondents were women. 45% respondents were from tier 1, 34% from tier 2 and 21% respondents were from tier 3, 4 and rural districts.

7 in 10 citizens surveyed believe one or more of their personal data elements are already in public domain or in databases that have been compromised

The survey first sought to know from respondents if their personal details are in the public domain and what all has been compromised. It asked “What all personal details of yours are already in the public domain or in databases from where it has been leaked?” The query received 11,839 responses with hardly 9% of respondents indicating that “no personal details have been leaked or are in public domain”. However, 72% of respondents indicated that “personal details were leaked or are in public domain”, while 19% of those surveyed did not give a clear response, opting for “can’t say”. In effect, 7 in 10 citizens surveyed believe one or more of their personal data elements are already in the public domain or in databases that have been compromised.

Private information that has been leaked: 72% indicated mobile number; 63% indicated email address; 53% indicated Aadhaar number

Among the 8,524 respondents who shared that their personal information has been leaked, the largest group of 72% indicated mobile number; 63% indicated email address; 53% indicated Aadhaar number; 50% stated PAN card number; 25% indicated Voter ID number; 22% indicated credit/ debit card number; 9% stated annual income/salary; and 19% other details not mentioned above. For some respondents, multiple pieces of their personal information have been leaked as evident in the survey result.

Most citizens shared the view that various arms of the government, telcos and banks are responsible for leak of their personal data

The next question sought citizens’ view on which entities do they hold responsible for their data leaks. It asked them, “What all entities do you hold responsible for leaking or bringing your personal details in the public domain?” Some among the 11,365 citizens who responded to this query indicated more than one option, but most shared the view that various arms of the government, telcos and banks are responsible for leak of their personal data, some of which is in public domain. Among those surveyed, 81% blamed State/Local Government Offices, Databases, Staff (RTO, Municipality, Hospitals, Public Distribution System, Property Registration Office, etc.); 75% Telecom Service Providers; 69% Banks and Financial Service Providers; 56% Central Government Offices, Databases, Staff (EPF, Passport, CoWIN, Aarogya Setu, Aadhaar, Income Tax, Vehicle Ownership, Voter ID, etc.); 44% eCommerce apps/sites; 31% Payment apps/sites; 25% Education institutes/apps; and 25% other businesses/entities.

This survey throws up a worrying scenario where citizens believe that their personal data is getting compromised through a variety of channels. The survey shows that 72% of those surveyed believe that their personal information including ID has been compromised, stolen, or put in public domain. Among such people 72% believe that their mobile number is in public domain or leaked; 63% indicated email address; 53% indicated Aadhaar number; 50% stated PAN card number; 25% indicated Voter ID number; 22% indicated credit/ debit card number; 9% stated even their annual income/salary. Such data leaks leave citizens vulnerable to identity thefts and financial fraud which have significantly risen in the last 5 years. Another key aspect that the survey brings to light is that majority of the people hold various arms of the Governments (both Central and State), banks, telcos and other private organizations responsible for their data breach. One of the asks that was evident in the community discussions on LocalCircles was the need for some very strong disincentives and penalties for both private entities as well as Government entities if they compromise private information of citizens. People want that such clauses must flow down to every member of the staff employed at these organisations as that is where most breaches happen. As the Minister for MEITY presents the Digital Data Protection Bill in the parliament, people want their parliamentarians to ensure that this vital issue is addressed.