As IRCTC Mulls Data Monetisation, There Is an Urgent Need for Data Privacy Rules

IRCTC has a huge tranche of data and monetising it raises questions about what the data would be used for.


The Indian Railway Catering and Tourism Corporation (IRCTC), the online ticketing agency under the Ministry of Railways in which the Union government has a 76 percent stake, recently issued a tender to recruit a consultant who could advise it on data monetisation and suggest what type of data could be monetised, keeping in mind the data privacy factors and the concomitant laws and regulations.

It has been indicated that IRCTC plans to raise an estimated Rs 1,000 crore through this effort.

IRCTC has further indicated that, through the consultant, it plans to analyse and review all data related to public-facing and vendor applications, websites of all Indian Railways, PSUs, and other units to provide a road map and effective business strategies for monetisation of digital data.

What Are the 3 Data Monetisation Strategies?

IRCTC has a huge tranche of valuable data, and as the saying goes – ‘data is the new oil’ – it raises basic questions about what the data would be used for.

Generally, three data monetisation strategies are witnessed globally:

a) selling data

b) performing analytics around products and services and

c) improving business processes.

Clearly, IRCTC cannot venture into the first domain of selling data, but it would definitely want to take advantage of the latter two strategies. The question thus arises: is there enough public confidence in the country today for a transparent approach where data is handled and analytics performed, and a consumer-friendly, legally binding end result is ensured?

Also, data security standards and practices remain skewed across sectors.

Just a week back, the Central Board of Indirect Taxes and Customs (CBIC) made it compulsory for all the airlines operating international flights to share the PNR details of passengers with the respective authorities along with names of the passengers, date of intended travel, contact details, payment and billing information, confirmation and check-in status, baggage information, seat information, and travel agent details from where the tickets were purchased.

Data Privacy Issues

Both these moves have sparked a new line of debate about data privacy issues. The recent withdrawal of the Personal Data Protection Bill by the government, citing more comprehensive legislation, has also triggered concerns, as data privacy remains guided by the provisions of the Information Technology Amendment Act 2008 and the related rules of 2011, which are found to be wanting in many places due to the progress in data capture technology and the susceptibility to misuse.

Incidents of data theft from various organisations despite the security measures also create a sense of fear among consumers.

Ever since the judgment in the Justice KS Puttaswamy vs Government of India case, delivered in August 2017, where privacy was enshrined as a fundamental right under Articles 14, 19, and 21 of the Constitution of India, citizens have realised the need to seek a clear definition of how data would be collected and handled.

Further, data security concerns within the establishment have also prompted the government to push for data localisation provisions, which are already being implemented as far as financial data is concerned.

This is not the first time Indian Railways has wanted to embark on the route to data monetisation.

Back in May 2017, under the leadership of the then Railway Minister Suresh Prabhu, Indian Railways announced that it would use analytics to find ways to monetise the data available with it. But this plan was eventually dropped because of issues related to data privacy and data violation, even after the government's repeated assurance that it would comply with the laws and regulations.

Suresh Prabhu had said at the time that the large volume of data which is with Indian Railways needs to be used wisely and data analytics is a way forward.

Closely following that move, there were also reports about the Union government planning to privatise IRCTC in 2018, but that too was stopped due to data privacy concerns, although the government had very clear thoughts on using analytics for optimal management of data.

Clearly, IRCTC holds a huge amount of personal data which will prove to be a gold mine for anyone who takes control of it, and the propensity for misuse of the data has to be controlled with technology and regulations.

In 2019, there were reports of more than 9 lakh users' information from the IRCTC database being available on the dark web.

Many types of data are available with the railways, including reservation data of trains, passengers, earnings, utilisation of trains, class-wise occupancy, waiting lists and RAC lists, and passenger profiles, and they have to be managed with the most stringent data privacy standards.


Digital Privacy Laws Must Ensure Full Privacy

Clearly, the most prudent steps would be for all ministries and agencies to wait for the government to announce the new bill with a ‘comprehensive framework’ and ‘contemporary digital privacy laws’ as claimed by the Union IT minister.

The new legislation has to ensure that like corporates, government agencies also have to follow prudent measures while handling personal data. These include taking consent before any personal data is shared and using the data only for the particular purpose for which it seeks the consumer’s approval.

In the run-up to the Personal Data Protection Bill, it was witnessed how many provisions from the draft bill proposed by the Justice Srikrishna committee on data protection norms had been diluted in what was brought before the Parliament. In the face of growing concerns around privacy, the new bill has to be very deftly drafted to ensure full privacy.

Definitely, the huge tranche of data available with IRCTC, other agencies, or even body corporates cannot be perpetually kept away from analytics for better business and management gains.

However, having the laws and the regulatory framework would be very crucial for public confidence to be strong in allowing such data usage.

As Artificial Intelligence tools, along with predictive analysis and recommendation systems, gain more traction across disciplines to provide better management potential, one has to be careful that the data here is protected from misuse and manipulation.

After all, privacy is the most important asset today in a world led by ever-increasing digital footprints.

(Subimal Bhattacharjee is a commentator on cyber and security issues around Northeast India. He can be reached @subimal on Twitter. This is an opinion piece and the views expressed are the author’s own. The Quint neither endorses nor is responsible for them.)
