Nothing seems private anymore Strong data-protection laws should have preceded Aadhar
It is ironic that a technological solution, that could have plugged India’s porous welfare delivery system, is itself proving to be extremely leaky. On Sunday, thanks to a programming error, names, addresses, Aadhar numbers and bank account details – or digital identities – of a million beneficiaries of Jharkhand’s pension scheme surfaced on a government website. When HT reporters logged onto the site, they could drill down to get transaction-level data on pension paid into scores of pension accounts. This major privacy breach comes at a time when the Supreme Court, cyber-security experts and opposition politicians have questioned the Modi government’s policy to make Aadhar mandatory to get benefits of a variety of government schemes and services.
Aadhar, if implemented in the right way, could have lessened corruption and put each Indian on the official map when it come to rights and benefits. But, the breach reminds us that the security of our information is in the hands of authorities who don’t know how to secure it. In Jharkhand, for instance, cyber security experts had long warned that many websites maintained by the state government were insecure.
Despite such critical data privacy issues, there are no legal safeguards in case of a data breach. The Aadhaar Act and Rules don’t limit the information that can be gathered by the enrolling agency; it doesn’t limit how Aadhaar can be used by third parties if they haven’t gathered their data from UIDAI; it doesn’t require your consent before third parties use your Aadhaar number to collate records about you. But if identity theft is committed, individuals may never come to know as the law does not require the UDIAI to inform citizens about a data breach. What India requires today is a strong data-protection law. It should have preceded the Aaadhar roll-out but unfortunately it did not. Such a law can also ensure that data are not misused by private companies. Aaadhar, however, requires greater scrutiny because of its scale, because it is mandatory, and because so many who are registered have neither the knowledge nor the means to protect themselves, or get recourse in case something goes wrong.