Passenger data will be encrypted before being shared with consultant: IRCTC officials – Moneycontrol

IRCTC | CMP: Rs 735.15 | The stock price added over 9 percent last week. The Railways' catering and ticketing arm IRCTC floated a tender to engage a consultant for monetisation of its "digital data", including the bank of passenger data, the railway ministry is now reviewing the revenue generation plan. The IRCTC's plan to generate Rs 1,000 crore revenue from two sets of monetisation of data came under criticism amid concerns over data privacy, according to media reports. Sources in the ministry said the government would prefer to wait for the passage of the Data Protection Bill in Parliament before going ahead with this plan.

Days after privacy concerns were raised regarding the Indian Railways Catering and Tourism Corporation's tender to monetise its digital data, IRCTC officials told Moneycontrol that the company would encrypt data before sharing it with consultants.

"A unique identification code with travel patterns will be shared with a consultant," a senior company official said.

The official added that the unique identification code will not let consultants identify customers or have access to any sensitive customer information.

"Only IRCTC will have access to customers' sensitive information and the company will not let consultants have access to our encryption software," the official added.

Another source said that many data points in the tender such as name, login and password will be removed from the list of data points that may be used for studying and coming up with monetisation plans.

"There is no need for name. Data such as how many have travelled to a certain place; how many people between a certain age group travel in trains can be shared with the consultant, who will then provide products based on this data," another source said.

At the time of publishing, queries over email and texts sent to IRCTC remained unanswered.

A rethink?

The second official also clarified that IRCTC is bound to follow laws such as the IT Act 2000, European Union's General Data Protection Rules (GDPR) and other regulations as required. The consultant will be guiding IRCTC in this regard.

On its portal, IRCTC also offers options to book hotels, buses and so on.

"For offerings such as this, data is shared with service providers after signing an NDA that the shared data will not be reshared anywhere else," the second source added.

Moneycontrol has also learnt that IRCTC will rework the tender based on responses received in the pre-bid meeting.

As of now, further action on the tender (in its present form) has been postponed. A pre-bid meeting planned for August 24 has been delayed "till further advice" from IRCTC.

Privacy worries

In July, IRCTC floated an expression of interest for appointing a consultant who will study customer data including "name, age, mobile number, gender, address, email-id, no. of passenger, class of journey, payment mode, login/password" and identify a business model for monetisation of railways data.

This move raised concerns of privacy, with digital advocacy groups decrying the move. Recently, the Parliamentary Standing Committee on IT also summoned the IRCTC in this regard.

A notice issued by the Lok Sabha Secretariat saidIRCTC officials would brief members of the Standing Committee on Communications and Information Technology on August 26.

The call for the briefing comes days after the Indian railway's ticketing arm floated a tender to generate Rs 1,000 crore from the monetisation ofits data assets.

The plan tomonetise customer data led to outcry and invited criticism from expertsgiven theabsence of rules regarding personal data protection.

Lawyers also pointed out that the personal data provided by customers to IRCTC at the time of booking their rail tickets "was not explicitly for the purpose of monetisation".

Since then, it has been reported that IRCTC will allow passengers to opt out of the data monetisation plan, with The Economic Times reporting on August 23 that the process was only at a preliminary stage and any decision would bestrictly within "the confines of the law".

It is to be noted that India has no data protection rules and a draft Bill was recently withdrawn by the government from Parliament.

The data protection Bill that IRCTC has mentioned in the tender document is not even the latest version of the Bill that was withdrawn. The Ministry of Electronics and IT (MeitY) did not respond to a query on the potential privacy risks of IRCTCs proposal.

In a statement, digital rights group Internet Freedom Foundation last week had said that IRCTC, a government-controlled monopoly, must not prioritise perverse commercial interests over the rights and interests of citizens. And given the recent withdrawal of the Data Protection Bill, 2021, such monetisation becomes even more concerning.

Originally posted here:
Passenger data will be encrypted before being shared with consultant: IRCTC officials - Moneycontrol