Wake-up call on data security

The alleged theft of personal information of over 810 million Indian citizens from the Covid testing database of the Indian Council of Medical Research (ICMR) is a matter of serious concern. It is claimed that personal details including names, addresses and phone numbers were accessed from Aadhaar cards provided by those who had taken vaccines or underwent tests during the pandemic. The attack happened last month. There was also an attempt to sell the data on the ‘dark web’. It is not the first time that mass violations of personal data have taken place in the country. There were reports of a breach of CoWin data in June, which the government could not satisfactorily explain. It said the CoWIN portal was not “directly breached”. Last year, five servers of the All-India Institute of Medical Sciences (AIIMS) were affected by a cyberattack which was considered to be a ransomware attack. There have been other incidents, too, of different scales.   

An American cybersecurity firm made the latest disclosure. The government has not confirmed or denied the report but has said that an investigation would be made. In the case of an individual, health data is most sensitive because leakage of it and unauthorised access to it can have serious consequences. Insurance firms or private health sector players can misuse it to the disadvantage of citizens. It can also lead to extortion and other criminal activities. While health data was involved in the ICMR case, other kinds of data are also often targeted for various illegal purposes. These may lead to identity theft, financial losses, and other troubles. Problems arising from data breaches can also make people distrustful of digital systems. They have many benefits like speed and efficacy, and the world cannot go back on the technological advances made in the areas of data collection, storage and use. But maintaining the integrity of data is crucial for public trust. 

India has a digital personal data protection law which seeks to collect, process and use digital personal data respecting the need of individuals to protect their data. While that is the declared purpose of the law, it is deficient because the government reserves the power to override individual rights in unjustifiable ways, rendering citizens’ right to privacy secondary to government’s purposes and surveillance. The reports of breach of data show that personal data that is entrusted to public agencies is also not safe. Data protection needs to be enhanced in the country and all systems, including the Indian Computer Emergency Response Team (CERT-In), should be strengthened. For that, the government’s sincerity of purpose should shine through, rather than the instinct to hush up and deny failures.