The Government of India is committed to ensuring a safe and accountable internet for its citizens. Recently, the Ministry of Electronics and Information Technology (MeitY) discovered that certain websites were exposing sensitive personal information, including Aadhaar and PAN card details of Indian citizens. Recognizing the seriousness of this issue, the government has prioritised cybersecurity practices and the protection of personal data, leading to prompt action to block these websites, an official statement read.
In a phone conversation with Express Computer, Bhuvnesh Kumar, Additional Secretary at MeitY, noted that Section 46 empowers state secretaries to address complaints and compensation related to data privacy violations. Section 43 of the IT Act protects sensitive personal data. Since there was no DPDP Act previously, SPDI rules were established under the IT Act, which prohibit the exposure and sharing of sensitive personal data. According to Kumar, sensitive personal data must not be exposed or shared, and individuals can approach state IT secretaries if these violations occur.
While sharing his views on strengthening the security of Aadhaar, Kumar emphasised that UIDAI’s data vault is very secure and has never been breached. The Aadhaar database holds biometric data and personal details, and an authentication mechanism has been developed for KYC checks without exposing this data. “Many organisations, schools, colleges, private companies, and even government websites collect information from individuals, including their PAN and Aadhaar. Unfortunately, many of these organisations often do not understand the seriousness of protecting this data, leading to its exposure. This is exactly what happened with the websites that have been blocked; they made all the information publicly available. Similarly, many institutions, like schools, share such information publicly. If this information includes Aadhaar, it violates Section 29(4) of the Aadhaar Act, which states that no Aadhaar number, demographic information, or photograph can be published, displayed, or posted publicly except as specified by regulations.”
According to the release, the Unique Identification Authority of India (UIDAI) has filed a complaint with the relevant police authorities for violations of Section 29(4) of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, which prohibits the public display of Aadhaar information. In the case of the blocked websites, both SPDI and DPDI violations have occurred, Kumar said.
Commenting on the steps the government is taking to educate citizens about their rights under the Digital Personal Data Protection Act, Kumar explained that the Puttaswamy judgement unanimously confirmed that the right to privacy is a fundamental right under the Indian Constitution. The Court stated that this right is essential to the freedoms protected by various fundamental rights and is a core element of dignity, autonomy, and liberty. Following this judgement, the Digital Personal Data Protection Act has been passed, solidifying privacy as a fundamental right. However, as a country, we are not yet fully sensitised to the importance of privacy.
Regarding digital data, new rules are currently being developed, and the IT ecosystem will need to comply and implement significant changes. Once these rules take effect, key stakeholders will be responsible for securing data. While the rules are being finalised, the ministry has initiated a project to educate various stakeholders about the importance of privacy.
“We have consulted with many experts in the field, including IT companies from European countries. We have learned from their experiences, which will help us draft significant rules,” Kumar added.
The press note further states that an analysis conducted by the Indian Computer Emergency Response Team (CERT-In) revealed security vulnerabilities in the websites in question. The owners of these websites have been provided with guidance on necessary actions to enhance their ICT infrastructures and resolve these vulnerabilities. CERT-In has also issued “Guidelines for Secure Application Design, Development, Implementation & Operations” aimed at all entities utilising IT applications. Furthermore, CERT-In has provided directions under the Information Technology Act, 2000 (IT Act) regarding information security practices, procedures, and protocols for the prevention, response, and reporting of cyber incidents.