Does Lakshman have a right to know?

Earlier this week, I decided to scratch an itch that had been bothering me for a while. I took out some time in my calendar after work, dimmed the lights in my room, opened Netflix and started playing Main Hoon Na. I was halfway through the movie; at the point where Lakshman (Zayed Khan) is hanging from a ledge, all my knowledge about data protection came rushing at me.

For those who don’t remember, at around this point in the movie, Major Ram (Shahrukh Khan) finds out that his brother, Lakshman, studies in the same college where he is also ostensibly studying (but actually working as an undercover agent). So, Ram goes to the student services department with nothing but a name, ‘Lakshman Prasad Sharma’, to find out who his brother is.

What about privacy?

While the student department says it is not its policy to freely give away students’ information to anyone who asks for it, Percy, one of Ram’s friends, says he might know of a better way. While Percy is helping Ram hack into the student database to find out who Lakshman is, Lakshman is very publicly hanging from a ledge and is about to fall and die. Of course, he is saved by Major Ram eventually, but his privacy is not as fortunate.

Lakshman has been the subject of a personal data breach, as defined in the Data Protection Bill. Ram’s activities lead to an unauthorised disclosure of Lakshman’s personal data (his photo). Had the bill been a law, a chain of events would have been set in motion.

Firstly, the body managing the student database containing Lakshman’s details would need to reach out to the Indian Data Protection Authority (DPA) with a notice involving the following details:

Nature of personal data, which is the subject-matter of the breach

Number of data principals affected by the breach

Possible consequences of the breach

Action being taken by the data fiduciary to remedy the breach.

The DPA would have then taken a call on whether or not this breach should have been made public. So in essence, while all of this is happening, Lakshman does not know that his data has been compromised.

That is problematic on two levels. For someone who has built his own identity around the name Lucky, there is a personal loss that he incurs when his real name is made public.

Secondly, Lakshman was lucky that the person behind the breach was his brother. Had it been Raghavan (the villain, played by Sunil Shetty) accessing these details, Lakshman would have been in physical danger as well.

This brings me to my question. Does Lakshman have a right to know that his data has been part of a breach? We are all Lakshman in a sense.

Our data, including our photos, finger prints, shopping histories, locations, addresses, passwords and chats are being stored in different databases. It is rare that these databases are compromised by benevolent actors and certainly not so rare for the unkind of this world to get hold of them instead.

We often get news of data breaches, but how frequently are we informed of it as regular users? Facebook has been subject to them, as have been Twitter and Google. One of the goals of the Personal Data Protection Bill has to be to give some power back to the user.

The first step in doing that has to be for the bill to provide more information in the hands of the user. Considering that a breach is possibly one of the worst things that can happen to your personal data, that step has to begin with notifying users when their data has been compromised. It is not just Lakshman who has a right to know, it is all of us.

The writer is a policy analyst working on emerging technologies.

Tech-Tonic is a monthly look-in at all the happenings around the digital world, both big and small.