Data breach and masking
Monikangkan Barooah
The faux pas of issuing a notification to use masked Aadhaar for identification and then withdrawing it has drawn a lot of flak from users.
When the authority concerned itself fears that its notice may be misinterpreted, the condition of the people at large can well be imagined.
Citizens in India are required to share their personal data, along with documents such as PAN and Aadhaar cards and even banking details, for a myriad of activities: applying for a debit or credit card, getting a SIM card, purchasing loans and policies, filing insurance claims, getting admitted to hospital, travelling, using a wallet service or availing Government services.
Data hunters try to extract information at every opportunity, whether one is taking admission in a school, availing promotional benefits such as ‘cash back’ and discounts, or using certain preferred bank debit or credit cards, and so on. The freebies and discounts come in many versions, such as coupons to enjoy a movie or to eat at selected restaurants.
Data breaches happen and will continue to happen until the much-debated data protection laws are in place. Till then we all remain subject to the pugmark of well-evolved data managers and their command line. I often come across people’s ire at being made aware of personal data breaches. Many of them have taken it very lightly while using apps to make payments.
Apps in general take all your personal information, as one agreed to while installing them. When one uses an app, a debit card or a credit card, one is sold twice: once for the value transferred, and a second time for the information that was part and parcel of that transaction. Citizens in India are often asked to pay by debit card, net banking or credit card, depending on the seller’s choice.
On one such occasion, I was asked by a company to make payment only through credit card, and I wondered why. In any case, whether by debit or credit card, the transaction would take place instantly. To address my inquisitiveness, I enquired further and found that they wanted to find my ‘credit limit’ and to use that information as a lead.
Likewise, PAN details of individuals pasted on reservation lists were sold by collectors, to be used for cash transactions by individuals who prefer not to quote their PAN. Thus the information ecosystem prevailing here is in a mess.
Students intending to take admission in degree colleges have been asked by certain universities to give details of two IDs, such as Aadhaar and PAN or any other authentic ID card.
Now seventeen- and eighteen-year-old wards are after their parents to get two government ID cards. These universities also collect information such as the parents’ annual income while processing the candidates’ applications along with the fees. Thus, in the absence of a data protection law, institutions, organisations and MNCs are going haywire collecting as much precise personal data as possible.
As the saying goes, “Data is the new oil”. To get at the genesis of this statement, we need to go back to a time when mineral oil was the most lucrative commodity and almost every nation was running after it. Data has replaced oil to become the most valuable commodity of the 21st century.
This is apparent from the fact that five of the most valuable companies in the world, namely Amazon, Google, Apple, Microsoft and Facebook, belong to the data economy. When we observe the two commodities closely, we understand that data and oil are very similar.
Just as crude oil is unusable in its raw form and needs to be refined and filtered through different processes to produce petroleum, diesel, kerosene, gasoline and the like, raw information needs to be processed and analyzed to convert it into different kinds of usable data, namely health information, geo-location information, financial information, browsing information and the like.
It is in the above context that the masking of personal data becomes inevitable. The Unique Identification Authority of India (UIDAI) notified masking of the Aadhaar number, only to withdraw the notice later. The UIDAI has spoken only about masking the Aadhaar number, but for the public at large the concept of data itself has to be elaborated.
Data can be broadly classified into public data and personal data. Public data is that which is accessible to the public at large, such as court records, birth records, death records and basic company details. On the other hand, private data is personal to an individual, organisation or institution and cannot be freely disseminated by anybody without the prior permission of the subject.
It includes financial details, family details, browsing details, preferences, psychological characteristics, locations and travel history, behaviour, abilities, photographs, aptitudes, and the like. It could also be a combination of these features or even inferences drawn from the processed data.
At the moment, India does not have a specific legislation enacted primarily for data protection. India’s regulatory mechanism for data protection and privacy is the Information Technology Act, 2000 (“the IT Act”) and its corresponding Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“the IT Rules”).
Sections 43A and 72A of the IT Act offer some protection by creating liability and providing for punishment of a body corporate for a data breach, but this is not enough to make an impact on data protection concerns. This is because the IT Act was not enacted with the primary intent of providing data protection. The proposed Personal Data Protection (PDP) Bill is under consideration, and till then people have to cope by masking their personal data to the extent possible.
A masked Aadhaar number is a form of the 12-digit ID number that can be shared with others without any risk of being duped. The masked Aadhaar number replaces the first eight digits of a user’s original number with characters like ‘XXXX-XXXX’. When users share a masked Aadhaar number with others, the receivers can view only the last four digits of the actual Aadhaar number.
Like the masked Aadhaar number, every piece of one’s personal data can be masked.
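The masking described above, applied to free text such as logs or form exports, as an added example that is not from the article or from UIDAI. It goes beyond the article by using the Verhoeff check digit that Aadhaar numbers carry, so that unrelated 12-digit values are left alone; the function names, the assumed 2-9 leading digit and the sample number are constructed for illustration.

```python
import re

# Verhoeff tables (multiplication D, permutation P, inverse INV), one row per string.
D = ("0123456789 1234067895 2340178956 3401289567 4012395678 "
     "5987604321 6598710432 7659821043 8765932104 9876543210").split()
P = ("0123456789 1576283094 5803796142 8916043527 "
     "9453126870 4286573901 2793806415 7046913258").split()
INV = "0432156789"

def _fold(digits: str, offset: int) -> int:
    """Run the Verhoeff recurrence over the digits, right to left."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = int(D[c][int(P[(i + offset) % 8][int(ch)])])
    return c

def verhoeff_ok(number: str) -> bool:
    """True if the last digit is a valid Verhoeff check digit for the rest."""
    return _fold(number, 0) == 0

def check_digit(payload: str) -> str:
    """Check digit to append to payload (used here only to build sample data)."""
    return INV[_fold(payload, 1)]

# 12 digits in groups of four, optional space/hyphen between groups, first
# digit 2-9 (assumption: numbers starting with 0 or 1 are not issued), and not
# part of a longer digit run such as a 16-digit card number.
CANDIDATE = re.compile(
    r"(?<!\d)(?<!\d[ -])([2-9]\d{3})[ -]?(\d{4})[ -]?(\d{4})(?![ -]?\d)")

def mask_aadhaar(text: str) -> str:
    """Replace the first eight digits of each valid number with XXXX-XXXX."""
    def repl(m: re.Match) -> str:
        digits = "".join(m.groups())
        if not verhoeff_ok(digits):
            return m.group(0)  # checksum fails: some other 12-digit value
        return "XXXX-XXXX-" + digits[8:]
    return CANDIDATE.sub(repl, text)

# Constructed sample: an arbitrary 11-digit payload plus its computed check digit.
SAMPLE = "23456789012" + check_digit("23456789012")

if __name__ == "__main__":
    line = f"KYC upload: name=A. Kumar uid={SAMPLE[:4]} {SAMPLE[4:8]} {SAMPLE[8:]}"
    print(mask_aadhaar(line))
```

Masking at the point where text is written to a log or export keeps the full number out of every downstream copy, which is where most incidental exposure happens.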
Once I was asked over the phone by an insurance company’s background verification agent to verify my credentials, such as date of birth. I responded by saying that since you have all my information in front of you, let me know my MM-YYYY or DD-MM, and then match it with my response of DD in the first case or YYYY in the second case. It took a lot of time for the agent to face masked re-verification!