This blog post aims to compare and contrast the data policy for seven Indian states, namely, Punjab, Odisha, Karnataka, Tamil Nadu, Sikkim, Telangana and Chandigarh. While India still lacks a national-level data protection or governance framework, many states have come up with a state-level data policy which largely deals with accessibility, use, sharing and exchange of data. In this post, we attempt to analyse these policies through a lens of data protection and privacy.

This is good work, but here is my early reaction:
Have you looked into the current status and legal basis of State Resident Data Hubs (SRDH) in Tamil Nadu and other states? These typically use Aadhaar as the binding identifier to create a 360° view of each resident.

In TN, you need to use this :point_down: portal for many essential services (NOT subsidies) and it is mandatory to give your Aadhaar number and register first. Are you aware of any legislation (state or central) that provides the legal basis for this?

The State Aadhaar acts / “Good governance rules” provide questionable statutory backing for these “online eGov services” used by both State / Centre (Jeevan Pramaan for life certificate for instance).

The SRDH (obsoleted) / SRDH+ (some states use it - where data collection is manual) / SRDH++ (latest upgrades, where data is pulled across through cross-talking APIs) are a different beast altogether. I try and maintain a list of these along with available / stated statutory backing that is in place. https://docs.google.com/spreadsheets/d/e/2PACX-1vQVpFTeVy9E-zj8T7x_tJ0DZrwYVZjR5GefIgs3__wblDu6_-gsuF-5gpPUsL7jzK3jTCc1bA0z6G31/pubhtml?gid=999491917&single=true

The current study deals with policy-level distinctions / thinking of states towards data governance, and we need a separate implementation-level comparison study (state-wide special projects like SRDH as well as vertically linked projects such as health / education run by states and their approach to data governance) / policy - implementation reality check studies too.

Thanks @srikanthlogic for your detailed response. I agree that this is a thorough policy-level comparative study and that we need a separate implementation reality check.

Also of interest is how state governments deal with instances/allegations of data breaches. For example, after a flat denial, I don’t know if this alleged massive data breach of the TN PDS (a year ago) was ever properly and transparently investigated:

Thanks again to you and the good folks at IFF!

Thank you @v.visvanathan sir and @srikanthlogic for your valuable insights on the matter. I concur that further research and analysis on the implementation aspect of the policy will uncover the reality of data governance in these states. Additionally, as you suggested sir, it might be worthwhile to explore the state of cybersecurity posture as well as data security practices in the states. Moreover, your suggestion to look at the SRDH prompted me to research the use of Aadhaar as the common identifier to integrate departmental datasets. Not to my surprise, such state-level hubs (TSCOP in Telangana and SRDH in Gujarat) exist in many other states in the absence of a data privacy law and in non-compliance with internationally recognised principles of data minimisation. Furthermore, there is no transparency with respect to information regarding who has access to such sensitive information and for how long. Despite the SRDH Institutional Framework, published in 2012, restricting collection of data to demographic data, Gujarat SRDH is reportedly holding biometric resident data as well.

