Privacy-Policy

This chapter will look at the different pieces of legislation, projects, and policies pertaining to identity that India has put in place, and examine both their strengths and their weaknesses through the lens of privacy.

Identity

In India, there are currently at least eighteen documents that are recognized as acceptable proofs of identity. 1 These range from the passport, to the ration card, to the voting card. Each of these identities serves a specific function, and none acts as one comprehensive national identifier. Government-issued identification is essential to the effective functioning of a State, and to the mobility of individuals in the formal structures of a country. Governments use identification to assess populations for the delivery of services, and to monitor populations within their borders. Though on one hand identification provides governments with the ability to assess populations, the expansive nature of identification technologies provides governments with the ability to gather, track, retain, combine, and share personal information with ease. Thus, in recent years there has been an increase in privacy concerns surrounding identification schemes, as citizens worry that governments are reaching too deeply into their personal lives, and using identification for invasive purposes. Though technology is most readily pointed to as the root cause of privacy concerns in identity schemes, privacy violations also arise from poorly crafted legislation and project design.

Penalty for Identity Theft & Fraud: Any person who fraudulently or dishonestly makes use of an electronic signature, password, or unique identification feature, or uses a communication device or computer resource to impersonate another individual is held criminally and civilly liable. Any person who uses a communication device or computer resource to cheat by impersonation is also held criminally and civilly liable.

The Indian Citizenship Act53 establishes the legal basis for citizenship in India. The issuing of National Identity Cards is legalized under the Citizenship Act. To implement the issuance of identity cards the Act creates the National Registration Authority, which is filled by the Registrar General (the Registration of Births and Deaths Act, 1969).54 The National Register of Indian Citizens is a collated database containing information of citizens residing in and outside of India. Information from five smaller databases is inputted into the database. The five databases include: the sub-district Registrar of Indian Citizens, State Registrar of Indian Citizens, the population registrar, Local Registrar of Citizen Registration, and the District Registrar of Indian Citizens. The Act requires that each register contain an individual's name, father's name, mother's name, sex, date of birth, place of birth, residential address, marital status, visible identification mark, date of registration of citizen, serial number of registration, and national identity number.55 The Citizenship Act and Rules establish a Tribunal for hearing complaints and answering questions asked by individuals.56 The Act prescribes criminal and civil penalties for contravention of its provisions. Aspects of the Act which pertain to privacy include:

• Identity: The Central Government will register every citizen of India and subsequently issue national identity cards. In doing so the government may maintain a National Register.57 This provision does not directly protect or violate privacy, but allows for the issuance of a card that contains information requiring privacy protection.

• Collection: For the purpose of an identity card, the relevant data is meant to be collected through house-to-house enumeration. Further procedures for preparing the National Register will be determined by the Registrar General.58 This provision establishes how information will be collected, but does not fully protect privacy as it does not guard against the over-collection of information by officials conducting the house-to-house enumeration.

• Reactive Disclosure: Every Citizen is held legally responsible for registering himself/herself with the Local Registrar of Citizen Registration and for providing accurate information.59 It is also the duty of every individual to inform the District Registrar within a period of thirty days if they have ceased to be citizens of the country.60 This provision impacts privacy by placing the burden of registration and accuracy on the individual.

• Proactive Discovery: All persons must furnish to the appropriate authority information within their knowledge pertaining to the status of an individual's citizenship. The District Registrar, Sub-district or Taluk Registrar or the Local Registrar of Citizen Registration is given the authority under the Act to require that individuals furnish this information.61 This provision establishes the circumstances in which individuals are required to disclose sensitive information to officials. Though the Act establishes who has the authority to require disclosure from individuals, it does not require any further safeguards such as an order or a request in writing. This lack of safeguards could potentially violate the privacy of individuals.

• Transparency: As a form of verification, the draft of the Local Register of Indian Citizens will be published with the invitation for objections or for inclusions of any name or particular information.62 If there is an objection against a particular entry or a need for the inclusion of an entry, this may be submitted to the Local Registrar for correction within 30 days of the publication.63 Though this provision works to bring transparency to the process of registration, it has the potential to violate the privacy of an individual as it takes away the right of anonymity surrounding an individual's citizen status.

• Inspection: Any Registrar or Officer who has been authorized by the Registrar General of Citizen Registration may examine any record, and issue directions regarding inclusion or exclusion of particulars from the population register or local register of Indian Citizens.64 This provision protects privacy by requiring that officials obtain authorization from a higher authority before accessing sensitive information.

• Breach Notification: There are three instances when the government is required to inform an individual that their records have been accessed, or give justification for the Government's actions. 1. If the government intends to withdraw Citizenship from an individual they are required, before making the order, to give notice in writing and give the individual the right to make an application for his case.65 2. With regards to information stored in the National Registrar, if an individual's record is examined, the individual should be informed of the reasons for such examination and the results. 3. If an individual's particulars are deleted from the National Registrar because of death, the relatives of the individual will be informed.66 This provision protects privacy by ensuring that individuals are notified when their data is examined, altered, or deleted.

• Fraud: If registration or a certificate was obtained by fraud, false representation, or concealment of any fact, the Central Government will withdraw citizenship.67 Any person who knowingly makes a false representation for procurement of anything under the Act will be held criminally liable.68 Any person who knowingly makes a false representation of any material will be punished with imprisonment for up to five years and a fine which can extend to Rs. 50,000.69 This provision protects privacy by penalizing the use of fraudulent information.

• No notification required: If the Central Government refuses a normal application for citizenship, the officer is not required to give reason for the denial.70 This provision does not protect privacy as it does not ensure that an individual is fully informed as to the reasons that they have been denied citizenship.

• Verification and Identity: The Local Registrar is required to verify and scrutinize the collected particulars of every family. If the Local Registrar finds any information provided doubtful, it will be noted, and the individual will be informed.71 This provision protects privacy as it verifies the accuracy of the information collected.

• Appeal: If an individual's particulars are found doubtful, they will be given the right to be heard by the Sub-district Registrar.72 Additionally, any person aggrieved by the order of the sub-district or Taluk Registrar may make an appeal within thirty days of a specific order.73 Any person who is harmed by an order made under the Act may, within 30 days of the order, apply for a review of the order by the Central Government. These provisions protect the privacy of individuals by giving them the right to appeal and seek revision of any decision made concerning personal information about their citizenship.

• Deletion: Individual details will be deleted from the National Register by an order from the Registrar General if an individual ceases to be a citizen, in the event of a death, if an individual's Citizenship is revoked, or the particulars provided are incorrect.74 This provision protects privacy by creating clear circumstances for when information can be deleted.

• Maintenance: The Registrar General will be responsible for maintaining the National Register of Indian Citizens in electronic or some other form, and for keeping it up to date on the basis of extracts from various Registers specified under the Births and Deaths Act.75 This provision protects privacy by creating an authority who is responsible for keeping the information that is collected and stored up to date.

• Modification: The sub-district or Taluk Registrar may, on application by the concerned person and after due verification, modify an entry in respect to the particulars of an Indian Citizen including: change of name, change of parent's name, change of address, change of marital status, change of sex.76 This provision protects privacy by clearly designating an official who is responsible for making changes to stored information.

This Act77 provides for the regulation of registration of births and deaths in India. The database of births and deaths is used both for the census and for the National Indian Database. Privacy is relevant to this Act when understanding how records are registered, maintained, and accessed. The Act creates the Registrar of India as the overseeing Authority in charge of implementing the provisions of the Act. Authorities under the Registrar General include the Chief General, the District Registrar, and Registrars.78 Civil penalties are prescribed by the Registrar General for offenses committed under the Act.79

• Access: Any individual may search any entry in a register of births and deaths or obtain an extract.80 Privacy is protected as no extract relating to any death may give detail of the particulars regarding the cause of the death entered into the register.

• Copy of records: The Registrar will give to the person registering a birth or death a copy of the extract free of charge.81 This provision protects privacy as it allows individuals to freely access information.

• Correction, accuracy, and cancellation: Only the registrar, if satisfied that an entry in the register is incorrect or fraudulent, may correct, alter, or cancel the entry.82 This provision protects privacy by designating an official who is authorized to change or delete entries in the register.

• Collection: The Chief Registrar is responsible for compiling and standardizing the prescribed forms for registration.83 This provision protects privacy by designating an official responsible for creating a standardized procedure for the collection of information. To further protect privacy the procedure for compilation and collection should be laid out in Rules under the Act.

• Inspection: Registration offices and registers are to be inspected and examined by the District Registrar.84 This provision protects privacy by putting in place an accountability mechanism.

• Aggregation: The Chief Registrar will be responsible for compiling and publishing the collected information in a statistical report.85 This provision protects privacy by designating an official who is responsible for the aggregation of data. The Act could further protect privacy by establishing standards, such as anonymization, that must be followed when aggregating data.

• Proactive Discovery: The Registrar may orally or in writing require any person to furnish information that is in connection with a birth or death. The individual is required to comply with such a request. Failure to do so results in a fine.86 This provision impacts privacy by creating a standard for when information must be disclosed to officials.

• Maintenance of Records: The State and Central Government is enabled to:
o make rules concerning the manner in which records of births and deaths are to be given in,
o grant the search of the birth and death register,
o allow for extracts from the registers to be copied,
o determine the form in which the returns and statistical report will be published,
o determine the custody, production, and transfer of registers and other records,
o provide for the correction of errors and the cancellation of entries of births and deaths.87
This provision establishes that the Central Government has the authority to make rules that will impact the protection of the data.

In April 2011 the Electronic Service Delivery Rules to the Information Technology Act88 were notified. The Rules enable state governments to deliver public services through electronically enabled kiosks and other electronic service delivery mechanisms. In doing so the Rules maintain that state governments must create a system for the electronic delivery of services, and the appropriate authorities must create and maintain repositories of electronically signed records. Aspects of the Rules that pertain to privacy include:

• Encryption of sensitive records: The Rules allow the appropriate government to determine the manner of encryption and confidentiality for sensitive electronic records.89

• Data Retention: All authorities that issue a license, permit, certificate, etc. must create a repository of the signed records and retain these records. The manner in which these documents must be retained will be established by the appropriate government.90 Additionally, the appropriate government has the authority to direct any service provider to retain records of the transactions, receipts, and vouchers collected from payments.

• Reactive Disclosure: Records maintained by Service Providers must be disclosed to any agency or person nominated by the appropriate government for inspection and audit.

• Security Procedures: The appropriate government must specify the security, management, and storage procedures for maintenance of electronic data, information, applications etc. stored in the repository.

• Changes to records: All changes made to records in the repository, including updating or correcting the record, must be signed by the person authorized to make the changes along with time stamps of the original creation and modification.

• Confidentiality of Data: All service providers etc. must submit a declaration stating that the data of every individual transaction and citizen will be protected. If unauthorized disclosure without consent takes place, the service provider will be debarred from providing that service any further.

• Missing Safeguards:
o Interoperability
o Distinct categories of information
o Breach notification
o Anonymization/obfuscation and deletion policies
o Accountability for accuracy of data
o Appropriate uses of databases
o Individual access, updation and control of personal information.

The Unique Identification Bill 96 was proposed to Parliament in 2010. If passed, the Bill will legalize the issuance of a 12-digit unique number (Aadhaar number) based on an individual's biometric data. The Aadhaar number along with an individual's biometrics will become a form of authentication in transactions. Along with establishing the UID Authority, the Bill establishes enrolling agencies, registrars, and a review committee. Additionally, the Bill legalizes the creation of the Central Identities Data Repository, a centralized database that will contain both Aadhaar numbers and the corresponding biometric information of enrolled residents. Aspects of the Bill that are relevant to privacy include:

• Sharing: With consent, the Authority will be responsible for sharing the information of Aadhaar number holders with the relevant businesses engaged in delivery of public benefits and public services.

• Security: The Authority will be responsible for developing security protocols to be followed by registrars and enrolling agencies. The Authority will ensure the security and confidentiality of identity information and authentication records. This includes protection against unauthorized access, use, or disclosure.

• Redress: The Authority will be responsible for establishing facilitation centers and grievance redress mechanisms.

• Unlawful Disclosure: The Authority, officer, employee, or agency who maintains the Central Identities Data Repository will not reveal any information stored in the Central Identities Data Repository. This standard applies notwithstanding any other law in force, or as otherwise provided for under the Act.

• Lawful disclosure: Information is permitted to be disclosed under the Act through a court order or disclosed in the interests of national security upon an order made by any officer not below the rank of Joint Secretary.

• Proactive Discovery: The Authority will be responsible for calling for information and records, conducting inspections, and audit of information from the Central Identities Data Repository, Registrars, enrolling agencies, and other agencies appointed under the Act.

• Accuracy: The Aadhaar number holder will be responsible for ensuring that his/her demographic information is correct, and must request the Authority to make the necessary changes.

• Data Retention: The Authority will retain the details of every transaction (request for authentication and response) for a period of time and in a manner that will be specified by regulations. Every Aadhaar number holder will be entitled to obtain these details from the Authority.

• Penalties: The following are offenses under the Act. Individuals who commit these offenses are held criminally liable: impersonation at the time of enrollment, impersonation of an Aadhaar number holder, disclosure of identity information, unauthorized access to the Central Identities Data Repository, tampering of data in the Central Identities Data Repository, manipulation of biometric information.

• Investigation: A police officer not below the rank of Inspector of Police will have the power to investigate any offense committed under the Act.15

• Maintenance: The Central Identities Data Repository is permitted to be maintained by multiple entities.108 These entities will be appointed by the Authority.

• Collection: The Authority will be responsible for developing the procedure for the collection of demographic and biometric information.

• Authentication: The Authority will be responsible for developing the procedure for the authentication of Aadhaar numbers.

• Deletion: The Authority will be responsible for the deletion of an Aadhaar number.

• Use: The Authority will determine the use and applicability of the Aadhaar number for the delivery of benefits and services.

• Reactive Disclosure: All individuals who wish to obtain an Aadhaar number must provide their demographic and biometric information. Individuals will not be required to provide information pertaining to their race, religion, caste, tribe, ethnicity, language, income or health, but through regulation the Authority is enabled to specify demographic and biometric information for enrollment. Individuals who have enrolled for a UID number may be required by the Authority to update their demographic and biometric information.

There are many aspects of the project design that raise privacy and security concerns, including: inappropriate use of data for tracking, inadequate privacy safeguards, unwarranted data retention, lack of accountability to security of information for all actors, lack of rollback and ombudsman office, insecure project architecture, insecure use of biometrics, and the unnecessary storage of transactional data.

The Draft DNA Profiling Bill was piloted by the Center for DNA Fingerprinting and Diagnostics. The DNA Profiling Bill was first introduced in 2007. In 2012 a new version of the Bill was released to the public and is pending. Both the DNA Profiling Bill 2007 & 2012 look to legalize the collection and analysis of DNA samples for forensic purposes. The following aspects of the Bills pertain to privacy:

• Collection: The schedule of the Bill lists the offenses and situations for which the collection of DNA is permitted.

• Privacy Principles: The DNA Profiling Board is enabled to recommend privacy protection statutes, regulations, and practices concerning: use and dissemination, accuracy, security, and confidentiality, and destruction of DNA information.

• Storage and retention: The Bill provides for the complete storage of DNA samples of: volunteers, suspects, victims, offenders, children (with parental consent), and convicted persons.

• Access: The Data Bank Manager is given sole discretion as to who may have access to the DNA database, including persons given access for training purposes.

• Offenses: Unauthorized access, disclosure, destruction, alteration, and tampering are penalized under the Bill.

• Redress: The Bill provides no redress mechanism to an individual whose DNA was illegally used or collected. Furthermore, only the Central Government or DNA Profiling Board are enabled to bring complaints to the courts.

• Access by law enforcement agencies: The Bill currently allows for the DNA Profiling Board to grant law enforcement agencies access to DNA profiles.

• Contamination of DNA samples: Laboratories are held responsible for minimizing the contamination of DNA.

• Indices held by DNA Banks: The DNA data bank sets up indices that hold DNA identification records and DNA analysis from: crime scenes, suspects, offenders, missing persons, unknown deceased persons, volunteers and such other indexes as specified by regulations.

• Communicating of DNA Profile with Foreign States: With the approval of the Central Government, the sharing of DNA profiles with Foreign States.

• Definition of DNA: The introduction of the Bill states that with DNA it is possible to determine if the source of origin of one body substance is identical, and establish the relationship between the two without any doubt. This is an incorrect statement as more than one individual can have the same DNA profile as another individual, and system errors when analyzing and identifying DNA can take place.

• Comparison of Profiles: Individual DNA profiles that have been collected will be compared with the stored profiles on the database in order to check if an individual is already on the database. The Bill also requires identifying information to be stored with the DNA profile collected from an individual.131 This increases the chance for false matches to occur between newly added individuals' DNA profiles and stored individuals' DNA profiles. Furthermore, if the DNA database is going to be useful in solving crimes, identifying information beyond a DNA profile will need to be stored to allow for criminals to be traced and identified. The amount of information that will actually need to be stored for the database to be useful poses a threat to privacy.

• DNA to be used in Civil Disputes: The Schedule holds that the DNA data bank can store profiles used in Civil Disputes and other Civil Matters. Including DNA profiles collected for civil purposes on the DNA database will create privacy concerns and add to the number of profiles on the database, thus increasing the possibility of false matches.

• Establishment of identity: The Schedule includes "Issues relating to establishment of individual identity". Allowing the database to be used to establish identity (rather than being restricted to searching for matches with crime scene DNA) allows for potential abuses.

• Removal of profiles: The DNA profiles of persons who are acquitted of an offense. This is a positive step to protecting privacy.

• Individual Access: Individuals should have the right to ask the police for any of their own details held on police databases. This will allow an individual to know if their data is being held against the law.

• Identity: "Identity" and how "identifying information" can be used should be clearly defined. Furthermore, it is important to ensure that no other information (like an identity number) that would allow for function creep is included in the DNA database.

• Restricted Access: The DNA database should be restricted to the identification of a perpetrator of a specified criminal offense, and consent or a court order must be sought for any other use of the database for identification purposes.

• Destruction of profiles: A requirement for the destruction of individuals' DNA samples (usually mouth swabs) stored in laboratories should be provided for in the Bill.

• Probability of error published: With a population the size of India, the number of these false matches could be very high. The DNA board should take this probability for error into consideration and publish researched statistics on how many false matches they expect to occur purely by chance, based on the numbers of profiles they expect to store under the proposed criteria for entry and removal of profiles.

• Restricted Use: The proposed DNA database should be restricted to use for criminal investigations and the identification of body parts only: civil uses should be excluded from the Bill. Any missing persons' or elimination databases should be entirely separate from the proposed criminal DNA database.

• Transparency: The DNA board should be transparent about
(i) what identifying information will be stored from individuals to enable them to be tracked in the event of a 'cold hit' between their DNA profile and a crime scene DNA profile;
(ii) the proposed process for removals of innocent persons' records;
(iii) the proposed rules for elimination databases, including police officers and laboratory personnel.