CoWIN Data Leak & Data Protection Regime in India

Context: There was an alleged breach, from the CoWIN portal, of personal data of beneficiaries who received COVID vaccination, including Aadhaar and passport details, gender, date of birth, etc.

More on the news

  • The data was leaked through a bot on Telegram. The Telegram bot showed the name of the person, the government ID they used while getting the vaccination and where they got their vaccination.
  • After the alleged leak, the Union Health Ministry said such reports were “without any basis and mischievous in nature”. The CoWIN portal was completely safe with adequate safeguards for data privacy, it maintained.
  • The ministry said that the Indian Computer Emergency Response Team (CERT-In) had been asked to investigate the issue and submit a report.

About the CoWIN (Covid Vaccine Intelligence Network) portal

  • CoWIN is the Indian government’s cloud-based IT solution for planning, implementation, monitoring, and evaluation of Covid-19 vaccination in India.
  • It allows the system to monitor the utilization, wastage, and coverage of Covid-19 vaccination at the national, state, district and sub-district levels.
  • The platform is owned by the Ministry of Health and Family Welfare and was earlier the platform used for conducting Pulse Polio and other crucial immunization programmes across the country.
  • CoWIN is essentially an extension of eVIN (Electronic Vaccine Intelligence Network).

Biggest personal data breaches in India in the recent past

  • Card Data Breach (October 2022): Cybersecurity researchers discovered a threat actor advertising a database of 1.2 million cards, including State Bank of India (SBI) customers’ data.
  • Dominos India (May 2021): Cyberattack resulted in leakage of data from 180 million orders, including order details, email addresses, phone numbers, and credit card details.
  • Air India (May 2021): Cyberattack compromised personal details of approximately 4.5 million customers worldwide, including names, dates of birth, contact information, passport information, and credit card data.
  • Big Basket (November 2020): Online grocer suffered a data breach compromising personal details of over 20 million users, including email IDs, password hashes, PINs, phone numbers, addresses, dates of birth, and IP addresses.

About Data and Data Protection

  • Data is a collection of facts and figures to be used for a specific purpose such as a survey or analysis. When such data is arranged in an organized form, it can be called information.
  • Data protection is a set of strategies and processes to secure the privacy, availability, and integrity of data. Data protection regulations ensure the security of individuals’ personal data and regulate the collection, usage, transfer, and disclosure of the said data.
  • Key Elements of Data Protection:
    • Confidentiality: The data is retrieved only by authorized operators with appropriate credentials.
    • Integrity: All the data stored within an organization is reliable, precise, and not subject to any unjustified changes.
    • Availability: The data stored is safely and readily available whenever needed.

Need for Data Protection in India

  • India as a data-driven economy: As per a report by the Telecom Regulatory Authority of India (TRAI) in 2019, there were 665.31 million internet subscribers in India. This indicates that personal data is becoming available in the public domain due to high mobile internet usage.
  • Younger Generation and Data: Statistics show that 30.5% of Indians are below the age of 25 and extensively use mobile apps to access social media. Therefore, it becomes imperative for the government to protect the personal data of its citizens.
  • Risks to Individual Data: Loss of individual privacy, including the loss of individuals’ control over the usage of their personal data, is one of the most significant data risks at present.
  • Financial Losses: Data breaches have become a significant issue in India, resulting in financial losses to individuals. Hackers often target bank account details, credit card information, and other financial identifiers, leading to fraudulent activities and financial harm.
  • Discrimination and Marginalization: Profiling individuals or groups based on their personal data can lead to unfair exclusion, marginalization, or discrimination.

Data Protection Regime in India

  • Right to Privacy: In the Justice K.S. Puttaswamy Judgement, a nine-judge bench of the Supreme Court affirmed that the right to privacy is a fundamental right covered within the ambit of the right to life and personal liberty under Article 21.
  • Statutory Provisions on Data Protection in India:
    • Information Technology Act, 2000 (IT Act): The IT Act is the primary legislation governing electronic transactions and cybersecurity in India. It contains provisions related to the protection and security of electronic data, including sensitive personal data or information.

    • IT (Amendment) Act, 2008: This amendment to the IT Act introduced additional provisions related to data protection. It inserted Section 43A, which imposes liability on corporate bodies for negligence in protecting sensitive personal data, leading to wrongful loss or gain to individuals. It also introduced Section 72A, which deals with the punishment for the disclosure of information in breach of lawful contracts.
    • IT (Sensitive Personal Data or Information) Rules, 2011: These rules, issued under the IT Act, provide specific guidelines for the collection, storage, and transfer of sensitive personal data or information by body corporates. The rules apply to entities engaged in collecting and processing personal data electronically.
  • Draft Digital Personal Data Protection Bill, 2022: It aims to provide comprehensive data protection regulations in line with global standards. Highlights of the bill include:
    • The Bill will apply to the processing of digital personal data within India where such data is collected online, or collected offline and is digitised.
    • It will also apply to such processing outside India, if it is for offering goods or services or profiling individuals in India.
    • Personal data may be processed only for a lawful purpose for which an individual has given consent. Consent may be deemed in certain cases.
    • Data fiduciaries will be obligated to maintain the accuracy of data, keep data secure, and delete data once its purpose has been met.
    • The Bill grants certain rights to individuals including the right to obtain information, seek correction and erasure, and grievance redressal.
    • The central government may exempt government agencies from the application of provisions of the Bill in the interest of specified grounds such as security of the state, public order, and prevention of offences.
    • The central government will establish the Data Protection Board of India to adjudicate non-compliance with the provisions of the Bill.
