Days after privacy concerns were raised regarding the Indian Railways Catering and Tourism Corporation's tender to monetise its digital data, IRCTC officials told Moneycontrol that the company would encrypt data before sharing it with consultants.
"A unique identification code with travel patterns will be shared with a consultant," a senior company official said.
The official added that the unique identification code will not let consultants identify customers or have access to any sensitive customer information.
"Only IRCTC will have access to customers' sensitive information and the company will not let consultants have access to our encryption software," the official added.
Another source said that many data points in the tender, such as name, login and password, will be removed from the list of data points that may be used for studying and coming up with monetisation plans.
"There is no need for name. Data such as how many have travelled to a certain place; how many people between a certain age group travel in trains can be shared with the consultant, who will then provide products based on this data," another source said.
At the time of publishing, queries over email and texts sent to IRCTC remained unanswered.
A rethink?
The second official also clarified that IRCTC is bound to follow laws such as the IT Act 2000, European Union's General Data Protection Rules (GDPR) and other regulations as required. The consultant will be guiding IRCTC in this regard.
On its portal, IRCTC also offers options to book hotels, buses and so on.
"For offerings such as this, data is shared with service providers after signing an NDA that the shared data will not be reshared anywhere else," the second source added.
Moneycontrol has also learnt that IRCTC will rework the tender based on responses received in the pre-bid meeting.
As of now, further action on the tender (in its present form) has been postponed. A pre-bid meeting planned for August 24 has been delayed "till further advice" from IRCTC.
Privacy worries
In July, IRCTC floated an expression of interest for appointing a consultant who will study customer data including "name, age, mobile number, gender, address, email-id, no. of passenger, class of journey, payment mode, login/password" and identify a business model for monetisation of railways data.
The move raised privacy concerns, with digital advocacy groups decrying it. Recently, the Parliamentary Standing Committee on IT also summoned the IRCTC in this regard.
A notice issued by the Lok Sabha Secretariat said IRCTC officials would brief members of the Standing Committee on Communications and Information Technology on August 26.
The call for the briefing comes days after Indian Railways' ticketing arm floated a tender to generate Rs 1,000 crore from the monetisation of its data assets.
The plan to monetise customer data led to outcry and invited criticism from experts given the absence of rules regarding personal data protection.
Lawyers also pointed out that the personal data provided by customers to IRCTC at the time of booking their rail tickets "was not explicitly for the purpose of monetisation".
Since then, it has been reported that IRCTC will allow passengers to opt out of the data monetisation plan, with The Economic Times reporting on August 23 that the process was only at a preliminary stage and any decision would be strictly within "the confines of the law".
It is to be noted that India has no data protection rules and a draft Bill was recently withdrawn by the government from Parliament.
The data protection Bill that IRCTC has mentioned in the tender document is not even the latest version of the Bill that was withdrawn. The Ministry of Electronics and IT (MeitY) did not respond to a query on the potential privacy risks of IRCTC’s proposal.
In a statement last week, digital rights group Internet Freedom Foundation said that IRCTC, a government-controlled monopoly, must not prioritise perverse commercial interests over the rights and interests of citizens. “And given the recent withdrawal of the Data Protection Bill, 2021, such monetisation becomes even more concerning”.
It added that a “profit maximisation goal” will result in “greater incentives for data collection, violating principles of data minimisation and purpose limitation”.