The Ministry of Road Transport (MoRTH) and Highways has released a Bulk Data Sharing Policy & Procedure in which it states who can buy bulk vehicle data of Registration Certificates (RCs) and Driving Licenses (DLs), what it can do with it and how much the data will cost. MoRTH says that it shares data with enforcement agencies, automobile industries, banks, finance companies etc at specified rates for each data set.
Note that the ministry did not hold any public consultations before releasing this policy, neither does it go into specific details about the need for it, the demand, or how it will ensure that the privacy of individuals is conserved.
On the need for the policy, MoRTH says that “It is recognized that sharing this data for other purposes, in a controlled manner, can support the transport and automobile industry… help in service improvements… benefit the country economy. (sic) There has been growing demand to share the data for wider benefits.” (Note: does not specify the ‘wider benefits’.)
However, it also adds that the ministry is not in a position to “ensure the sanctity of the data which would be made available on “as-is-where-is” basis” due to to the digital and analog divide of the available data.
“Free access to the vehicle’s basic data is available to all the registered users through mParivahan App or through the web portal of the Ministry…. The purpose of this information is to promote statutory compliances and also facilitate individual hiring/ renting or purchase/ sale of vehicles and hiring of drivers.”
Who is eligible to buy bulk data
- The company should be India registered with at least 50% Indian resident or Indian company ownership
- All bulk data it accesses should be processed, stored in data centres and servers in India, and cannot be transferred to servers outside India
- The Analytics firm (unclear if MoRTH means the same “company” buying the bulk data or otherwise) “should submit a security pre-audit report from Cert-In empaneled security auditor. The report should ensure that:
(i) Proper access control mechanism is in place. Information is maintained about any individuals accessing the data. (Note: The Ministry does not specify how this should be done.)
(ii) Audit logging of all access of the data is maintained.
(iii) All data is maintained in central location in a secure manner and is accessed through an application over LAN or WAN over secure channel.
(iv) The application shall be free from top 10 OWASP vulnerability.
(v) Data Loss prevention mechanism shall ensure the following:
- Monitor and block data transfers – Monitor, control and block any sensitive data being transferred from the data processing organization network. This includes e-mails, files, browser any application etc. This is to be achieved through content & context aware protection.
- Cross Platform security – Through policies to be ensured that sensitive data is not residing in desktops running over Windows, Linux or Mac OS. Discover any such information, which shall be deleted or encrypted.
- End Point Protection – Protection of data in all forms of end-points either desktops, laptops, mobile devices against loss and theft.
- Device Control – Through policies control and set rights for removable devices and ports at the endpoints.
- Audit trail & activity logger – Maintain activity report to ensure that data is not being leaked.
- The DLP shall be achieved through deployment of proper solution (software & hardware) in the organization while handling the data. All sensitive data to be in encrypted format while stored in disk and only to be decrypted while accessed through proper mechanism.”
The price of bulk data
Companies can buy data for one calendar year at any time – this data will be provided in 4 data dumps on 1st January, 1st April, 1st July and 1st October of each calendar year. These dumps will have data up to last day of the previous month.
- Bulk data will cost Rs 3 crore for FY 2019-20.
- “Educational institutions can use this data only for research purposes for internal use only and would be provided the bulk data one time on payment of an amount of Rs 5 lakh only for the FY 2019-20.”
- Educational & Research institutions using the data for any commercial purposes will pay Rs 3 crore for FY 2019-20.
- “There shall be an annual increase of 5% from the FY 2020-21 onwards.”
How the data will be provided
- “Data in bulk will be released in encrypted format.. with the public key of the nodal person of the purchasing organization who will manage the data securely.
- Data will be provided on as-is-where-is basis. No claims will be entertained in case some information/data is found to be missing.”
- Companies wanting the data will have to provide a “security audit report”. The company has to “make sure the integrity of the data and security of data is protected. Correct use of data, including restrictions on de-anonymizing, is strictly enforced through proper access control.” “Any non-compliance of Data Loss prevention or handling of sensitive information will result in termination of the contract.”
- “The second quarter of data will be provided after receipt of security audit compliance report for the past data.
- All Data provided will be non-transferable and cannot be re-sold on as-is or record basis. However, organization can sell analytics reports, forecasting, any other reports based on this data.
There is possibility of ‘Triangulation’ (matching different data-sets that together could enable individuals to be identified and their privacy compromised). It is the responsibility of the organization that any such activity, which result in identifying individuals using the RC data-set, shall not be undertaken.
- MoRTH by itself or through its authorized agency reserve the right to carry out inspection/audit at any time on how data is stored and accessed and associated security controls built into the system. Intimation for any such inspection will be provided at least one week in advance.
- All non-compliances raised in security audits or inspections shall be closed within a week of raising of such non-compliances.”
Consequences of misuse of data
The person, agency or company “shall be liable for any action permissible under the IT Act/ any other applicable law besides debarring of such agency from access to this data for a period of three years.”