Privacy compliance on Indian government portals

Raksha HR

Penultimate year law student, School of Law, CHRIST(Deemed to be University), Bengaluru

Introduction 

The right to privacy and government surveillance for security are contradictory. The seed of the right to privacy as a constitutional right vis-à-vis surveillance by the government was planted by the minority judgement given by Justice Subba Rao in the Kharak Singh case, wherein it was stated that privacy was within the purview of Article 21, which is the right to life and personal liberty. The government seeks to collect personal information of its citizens for the purposes of preserving the integrity and safety of the nation. This compromises the data protection of citizens, which is a constitutionally guaranteed right post the Puttaswamy judgement in 2017. From the Indian judicial perspective, this right has been derived from the constitutional provisions of the right to be left alone as implicit under Article 21 and the tortious right to seek damages for wrongful violation of one’s privacy.

There is a lack of legislative clarity on the manner in which the government may collect data, the reasonableness of the cause and the procedure to be followed. The balance between these conflicting issues has been derived from the judiciary through precedents, since the courts have been forthcoming in recognizing privacy as a constitutional right.

With the development of technology, devices can collect personal information with minimal human intervention, and that information can be processed and used by the people in control of the software or device. Most government departments have their own websites that provide information to the public about the services they provide, notifications and the procedure for compliance. This article examines the current developments in the policy requirements of prominent government websites regarding data protection and whether they have been incorporated into the portals.

Privacy guidelines for government websites in India  

The National Informatics Centre (NIC), which is a part of the Ministry of Electronics and Information Technology (MeitY), has drafted the “Guidelines for Indian Government Websites”, which were revised in 2018. The scope and objectives of these guidelines are to recommend changes and standards for both state and central government websites to make them more citizen centric and uniform, and to overcome practical challenges. The guidelines use the term “visitors” to comprehensively define all the persons who visit a portal for its services. The privacy policy is included under chapter 3, which is about ‘building confidence.’ It states that government websites ‘should’ follow an ‘extremely cautious approach’ when dealing with the personal information of visitors and that only necessary information must be solicited. The word used is ‘should’, which is defined as denoting requirements that are advisory and expected to be complied with. Further, it states that if any government website collects personal information, it ‘must’ display a privacy statement that lays down the procedure and purpose for which it is collected. The use of the word ‘must’ indicates that this is mandatory. It also provides a sample privacy policy that can be incorporated by the websites.

The Personal Data Protection Bill, 2019, which is in the process of being enacted into law, provides some clarity about the collection of personal information by the government. Chapter 3 states the grounds for processing data without consent. It clearly states that the state can collect data if any service is being provided by the government to a person. This includes providing certification or licenses, enforcement of any law or decision by a court or tribunal, or providing medical services during an epidemic. Furthermore, chapter 8 of the bill, regarding exemptions, states that the central government can direct that the provisions of this act are inapplicable if it is required in the sovereign interests of the nation and to prevent the occurrence of a cognizable offence, by recording the reasons in writing. The exemption is also provided if the data is necessary for research or statistical purposes and anonymizing the data does not fulfil the objective of the research. Hence, the bill has provided ambiguous indemnity to the government for processing data in the national interest or even if services are provided, which is invariably the purpose of every portal. It is questionable whether this is in consonance with the constitutional right to privacy and the developing international consensus on data protection. It is also pertinent to note that the approach of the bill towards data protection has provided exemptions and leeway for the government when compared with the guidelines.

The status of privacy compliance in prominent government websites  

Some of the prominent Indian government websites have been explored to check whether they adhere to data protection norms. These portals are chosen based on the amount of traffic they attract and importance of the services in terms of targeting a large chunk of the population.  

The National Portal of India was established by the MeitY under the National E-Governance Plan with the objective of providing single-window access to information about India and serving as a channel to access other government portals for various services. It acts as a gateway to most of the services provided. There is no privacy policy displayed upon entering the website. The policy is provided under the website policy, and it briefly states that the portal does not automatically collect any personal information such as name, contact details or email and associate it with an individual person. If any personal information is solicited, the purpose for which it is collected is informed and no data is shared with third parties. Further, the website stores information about the IP address, domain name, browser type, operating system, date and time of visit and pages visited.

The Income Tax Department is one of the prominent departments that provide web services to the people: filing income tax returns through registration, important notifications from the Central Board of Direct Taxes, calculation of tax and verification of documents such as PAN and Aadhaar. The income-earning group accesses this website frequently to comply with the requirement of filing tax returns annually. Similar to the national portal, upon entering the portal there is no display of a privacy policy or a click-wrap seeking consent for the cookies that are being stored. However, the privacy policy of the portal is mentioned in a few lines under the website policy, and it states that the department does not sell or share the information shared by citizens through e-filing with any third party. The website collects data pertaining to the IP address, browser details, operating system and the like. The data is anonymized and not associated with any individual unless an attempt is made to cause damage to the website.

The website policy of the Ministry of Home Affairs also has the same clauses in its privacy policy. It also prescribes that the site does not use cookies. This similarity is also observed in the privacy policy of the Ministry of Corporate Affairs, which provides services related to the registration of corporate entities. But if a person is a registered user of the site, the personal information is collected and stored in a secured server and is not disclosed to any third party.

The IRCTC, a portal through which railway ticket reservations for passengers can be made, provides a slightly longer policy under the terms and conditions of the portal, which is not directly available on the homepage. The language of this policy is lucid. In addition to the components included by the previous portals, it provides that cookies will be stored for providing better services. The aggregate anonymized data is disclosed to know the frequency of an average visitor and the age group of the customer base. Further, it is a browse-wrap agreement, which means that by virtue of visiting the portal the user agrees to the changes in the privacy policy, which may be changed from time to time. The Passport Seva Kendra has a similar privacy policy, and it states that no personal information is collected unless it is voluntarily provided by the visitor. The information that is collected is not disclosed to any third party, unless it is required in exceptional circumstances to be shared with other government departments. The site does not use cookies.

The Unique Identification Authority of India (UIDAI), which provides the services for registration of Aadhaar, collects personal information of citizens to grant an identification number. The privacy policy of the site can be accessed through specifically searching for it. It states that the portal uses reasonable security practices and that no personal information is collected without informing the visitor of its purpose. In the FAQs, which are not a part of the policy, the UIDAI has stated that it has an obligation to protect the confidentiality of the information collected. It has further provided that sensitive personal information such as caste, religion, ethnicity and health is not collected, to prevent racial profiling. For the purposes of verification of identity, the questions are designed in a yes or no format to prevent any disclosure of personal information. The data is stored in an encrypted server and UIDAI has the obligation to protect the confidentiality and prevent any leaks.

The government has designed the CoWin portal to register for vaccination against the coronavirus. The process involves providing a mobile number and registering for a slot in the nearest hospital. An RTI was filed enquiring into the privacy policy of this site, considering that it collects information about all the citizens registering for the vaccine. The MeitY did not provide any conclusive reply, stating that no information was available. The app version of the website redirects the user to the privacy policy stated in the National Digital Health Mission, which provides guidelines for the management of health data.

A few months into the pandemic, the government also launched the Aarogya Setu application for the purpose of contact tracing the spread of the virus and containing it by uploading the details of the persons who have tested positive and the people who have come in contact with them. The privacy policy of the app has been revised twice in response to the concerns raised by experts about the collection and processing of sensitive personal information by the app. The policy states that when a person registers, the name, phone number, age, sex, profession, location details and countries visited in the last 30 days are registered in the government server. A unique digital ID is created for every user based on the interaction with the app, and this ID is exchanged through Bluetooth if there is proximity between two users of the app. The date and time of contact and the location of the people who are reported to have tested positive are uploaded to the app. It is stated that the information collected would be anonymized and stored on the server in aggregate to generate reports about the overall situation. The unique ID that is linked to the personal information is used for the purpose of calculating the probability of a person being infected by the virus. The information that is submitted during registration is retained until the account is active, and the status of being infected by the virus is retained up to 60 days, after which it is removed.

What are the issues? 

The websites that are observed above indicate common issues with respect to data protection. It is not easy for a common person with little knowledge about the importance of data protection to access the privacy policy. It can be obtained only by searching specifically for it within the website or on the browser. The policy of all the websites except the Aarogya Setu app is very brief with indistinguishable provisions even though the services provided are vastly different. All the portals have adopted the browse wrap method in which the consent to the privacy policy is presumed by entering and browsing the site. Hence, it is recommended that the government must consider the importance of data protection and equip the websites with privacy policies that are tailored to the type of services provided and the information that is collected. The policy must be easily accessible, prominently displayed on the website and it must provide an opportunity for the visitors to provide consent.  
