Data Security cannot be an afterthought
CoWIN data breach raises serious security concerns, which may be addressed through regulatory frameworks and technological interventions. Even when collected in times of emergency, data must be secure for it to build trust and provide effective solutions.
In June this year, there were reports of a major data breach from the Ministry of Health and Family Welfare’s portal — CoWIN. The national government portal was launched in January 2021 to facilitate the vaccination for COVID-19 for the country’s 1.2 billion people. The personal information collected through this portal was reported to be “leaked” on June 12. Media reports and posts on various online platforms revealed that this information, which was intended to be protected, was now available to all. It is a very large-scale breach and has put into question the whole reliability of such portals that are intended for the public good and promise security to their users.
Over the last two decades, we have seen an increasing amount of personal information fed into private and government-owned platforms to enable digital ease. However, this has always been a point of concern for users, as most individuals would not like all their information to be available online. It can lead to physical, financial and other threats to individuals.
Here, it is important to point out what exactly is personal data. It is data that pertains to information about or relating to a natural person, which can directly or indirectly, or in combination with other information, identify the said individual. It could be the name, location, identification number, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The data collected through the CoWIN portal was personal in nature, more specifically it was collected in a crisis situation and included health-related information about the citizens of India. This made the information even more critical and necessary to secure.
Since the breach the authorities, specifically the Minister for Electronics and Technology (MeitY), have assured us that the cause of the CoWIN breach has been identified and some people have been arrested for the same. But there continue to be some glaring gaps in ensuring data security in the country.
How can one ensure data security?
A policy and regulatory framework needs to be in place to ensure that data security is paramount when developing digital platforms. The recognition of both governance and penalty in case of a breach of personal data is needed. India has a draft bill, titled ‘Digital Personal Data Protection Bill, 2022’, pending in the parliament for over a year. The bill mandates that the data fiduciaries (any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data) do not retain any information once the purpose of that information is served. However, it is not applicable to government agencies.
An extremely effective framework for personal data security is that of the European Union — the General Data Protection Regulation (GDPR). These guidelines are globally considered the strongest and most robust data privacy laws because they strengthen the rights of the individual over their data. Many countries are formulating their data security policies and regulations along the lines of GDPR. It not only provides the definition of personal data but also provides details on how to process and handle personal data.
To secure personal data it is also essential that the potential harm of breaches is assessed even before such information is collected. A working example of this would be how universities have a Research Ethics Review Committee, which thoroughly assesses the ethics of the proposed research activity and its potential negative impact on the research participants. There can be a similar institutionalised mechanism to assess the potential impact of personal data before the data is even collected.
There is an urgent need for a governance and regulatory framework for content published on different digital media platforms. In the instance of CoWIN, allegedly the personal details were made public on Telegram. And currently, Telegram does not have any policy for content regulation, but they might terminate the user or the bot if someone raises a concern. Therefore a media platform policy becomes critical in regulating the content that is being shared and exchanged.
Another way to safeguard against data breaches is to build and design the technical architecture of the platform in a way where if personal data is collected, and/or stored, different functionalities are organised in different layers, these layers would be given very specific permissions based on their use-case to interact with the database, which can restrict the access to information.
These guidelines, legislations and governance models may appear tedious or expensive to implement universal digital platforms that use citizen information for public good, especially in a densely populated country like India. But that is not the case. We, at CivicDataLab (CDL), have been developing, updating and maintaining PetaBencana.id, a citizen-centric platform for reporting disasters and enabling relief and rescue in equally densely populated nations of Indonesia and the Philippines. The platform is developed based on privacy-by-design principles, which means that data privacy is holistically embedded in the system right from the development stage. Individuals feed personal data like the location but are secure from this data becoming public — as the design of the platform is just to store the location data and nothing apart from it.
The platform is developed using open-source software which allows only specific data points to be accessed through a number of public and private endpoints (APIs). We believe that ensuring the security of personal data is key to enabling the impactful use of digital platforms.
