Thursday, March 3, 2011

99 - Not much on privacy safeguards in UID draft bill by SAMIR SACHDEVA

Not much on privacy safeguards in UID draft bill
Body will be renamed National Identification Authority of India (NIDAI), will circumvent privacy laws if retained in current form

Author Profile: SAMIR SACHDEVA
Samir has over ten years of experience with organizations like TCS, GOI, HCL, NISG , EY. He is working as assistant editor with Governance Now

The Unique Identification Authority of India (UIDAI) will soon be styled the National Identification Authority of India (NIDAI) - that is as soon as the UID Bill is passed by the Parliament.

The Bill, if passed in the current form, would however do precious little to safeguard privacy. The NIDAI may not directly give out personal information of those registered for the identification numbers, but would confirm such details if asked.

The section 5(2) of the proposed bill provides for the NIDAI confirming or refuting such data in response to queries. The Section 33 of the draft bill, however, empowers the authority to disclose the personal data on an order of a court or in case of national security on directions of an officer not below the rank of joint secretary.

This provision appears to be a watering down of spirit of the Supreme Court judgment in Peoples' Union for Civil Liberties (PUCL) vs Union of India, the privacy laws under the IT and Telgraph Acts - all three of which state that such orders can be passed only by the union or state home secretary. Further provisions have also evolved consequent to the Supreme  Court judgment and the proposed privacy provisions in the NIDAI Bill do not match up to the same.  There is also no mention of the penalties if an authorised person by NIDAI makes unauthorised use of the UID data.

The draft Bill also has no provision defining recruitment details of NIDAI employees apart from the chairman, members and the CEO. It is important that the authority must recruit individuals in its rolls rather than have a temporary staff available on deputation or outsourced from private agencies

It, however, has clauses for penalising various offences like giving wrong information, impersonation, disclosing identity information , tampering with Central Identities Data Repository (CIDR)  or manipulating information.  These invite a fine of upto Rs 10,000 or a two-year prison sentence. The fine can go upto Rs 1 Cr for unauthorized access to CIDR.  The bill also makes the directors, managers, secretaries of companies liable in case of offences by the company. The penalties / punishments under the Act are also applicable to offences committed from outside India, irrespective of nationality.

The Bill also prohibits provision of data pertaining to race, religion, caste, tribe, ethnicity, language, income or health.