Privacy prick-point: IRCTC bid to monetise passenger information

In what raises questions of privateness over industrial use of railway passenger information, the Indian Railways Catering and Tourism Corporation (IRCTC) has chalked up plans to monetise its financial institution of passenger information for doing enterprise with authorities and personal entities.

IRCTC, the ticket reserving arm of the Indian Railways, has floated a young to empanel a consulting agency to arrange a highway map to monetise the info. As per a PTI report, the tender could also be withdrawn over privateness considerations given {that a} information safety Bill has not been finalised. However, on the time of publishing, the tender was nonetheless stay on IRCTC’s web site.

According to the tender, buyer information that might doubtlessly be monetised contains passengers’ title, age, cellular quantity, gender, e-mail tackle, fee mode, “login/password”, amongst different issues. The chosen guide will even must segregate monetisable information, establish its market potential and put together a remaining roadmap for the monetisation of this information. The Economic Survey 2021-22 famous that in FY21, Indian Railways carried 1.23 billion tonnes of freight and 1.25 billion passengers.

“IRCTC is a reservoir of huge amounts of digital data which opens several opportunities for IRCTC for monetisation. IRCTC wishes to leverage its data assets and market position to drive strong growth in revenues,” the Corporation mentioned within the tender. “IRCTC envisages a revenue generation potential of Rs 1,000 crore through monetisation of its digital assets. IRCTC wishes to engage a consulting firm to help in identification, design, and development and roll-out of data monetisation opportunities.”

Incidentally, the tender doc says that the chosen guide ought to put together the monetisation roadmap retaining in thoughts the “current Personal Data Protection Bill, 2018” together with different legal guidelines just like the Information Technology Act, 2000 and EU’s General Data Protection Regulation (GDPR).

It is to be famous that India presently has no information safety guidelines and a draft Bill was lately withdrawn by the federal government from Parliament.

The information safety Bill that IRCTC has talked about within the tender doc is just not even the newest model of the Bill that was withdrawn. The Ministry of Electronics and IT (MeitY) didn’t reply to a question asking the potential privateness dangers of IRCTC’s proposal.

The proposal has drawn the ire of privateness activists who’ve complained that IRCTC is trying to monetise passengers’ information within the absence of a privateness framework within the nation. In a press release, Delhi-based digital rights group Internet Freedom Foundation mentioned, “IRCTC, a government-controlled monopoly, must not prioritise perverse commercial interests over the rights and interests of citizens. And given the recent withdrawal of the Data Protection Bill, 2021, such monetisation becomes even more concerning”. It added {that a} “profit maximisation goal” will end in “greater incentives for data collection, violating principles of data minimisation and purpose limitation”.

Alerting the inventory exchanges of its monetisation plan, IRCTC mentioned that as a industrial entity, it explores enterprise alternatives for brand spanking new areas. “As other business tenders, this tender has also been floated merely to appoint a consultant,” it mentioned, including that “The consultant will guide IRCTC and the Indian Railways on monetisation activities and advise on monetisation value of digital assets … Further, being a government company, it is a regular practice to float tenders.”

The Indian Railways has beforehand explored monetising the huge quantity of information it collects. In 2016, then Railways Minister Suresh Prabhu had mentioned that the organisation was exploring the potential of monetising its information, software program and a few of the free providers offered by Indian Railways, resembling PNR enquiry.

In the previous, there have been efforts to monetise authorities information, a minimum of two of which have been scrapped over privateness points. In 2020, the Ministry of Road Transport and Highways scrapped its Bulk Data Sharing Policy, beneath which it used to promote automobile registration information (Vahan) and driving licence information (Sarathi) to personal and public entities. The coverage was scrapped over potential misuse of private data and privateness points.

More lately, the MeitY had floated a draft India Data Accessibility and Use Policy that proposed that information collected by the Centre that has “undergone value addition” may be bought within the open marketplace for an “appropriate price”. This draft was withdrawn after it confronted extreme criticism over its proposal to monetise authorities information.