Data leak: Govt must stop living in denial

The leakage of personal information, seemingly from the CoWin database, may be yet another proof of the weakness of the country’s data protection system and another reminder of the need to tighten it up. According to reports, personal data stored on the CoWin portal, including the name, gender and birth details, Aadhaar numbers, PAN cards, passport numbers, voter IDs, and vaccination details, were all leaked by a Telegram bot on Monday.

The government has, as usual, denied any leak, before ordering an enquiry. The denial by junior IT minister Rajeev Chandrasekhar has only added to the concern. The minister said that the details that are public are from some other source and not from the CoWin portal, and that at least some of the personal details revealed are fake. If that’s the case, it must be answered as to how the breach also contained people’s Covid vaccination details, which can only have been on the CoWin database.

Read | MPs call for better cyber security amid multiple data breaches

There have been many cases of leakage of confidential data of both personal and public importance from many e-platforms. These have commercial, security-related, and other implications. When the leakage happens from public platforms, public authorities like the government are answerable for it. The Employees’ Provident Fund (EPFO) suffered a serious data breach last November. There was a serious cyberattack on the AIIMS last year. Railway ticketing and credit card data have also been leaked. The whole gamut of personal data allegedly leaked from the CoWin portal can be misused in many ways. It is only for a specific purpose that the data was shared with the authorities, who had the responsibility to ensure that it is safe. The results of the investigations into past incidents have not been made public.

Six years after the Supreme Court declared that the right to privacy is a fundamental right, the idea has not been recognised and accepted by the authorities. The government has itself been criticised for violating the right to privacy of citizens by surveillance of their words and activities in many ways. There is still no legal framework for data protection, five years after the Srikrishna Committee prepared a draft data protection legislation. This becomes particularly important with increasing digitalisation of all aspects of life. Digitalisation is necessary for reasons of efficiency and convenience. But the government, which is driving the Digital India programme, has the responsibility to ensure that the personal data of citizens is not compromised and misused. The National Cyber Security Stra­tegy, proposed in 2019, has not yet been finalised. Incidents of data breach should be probed thoroughly and action taken to fill all gaps and loopholes. But for all that, first, the government must accept that there is a problem.