Securing Examination Data: No Child’s Play
The e-commerce giant Amazon, a vendor on the platform named ‘Shastri Nagar Charkya Puri’, two websites, namely, “Students Database India” & “Students Database”, and shockingly a few government and school management officials have reportedly compromised the personal information of Class X and Class XII students across the country. Concerned about the threat to children's privacy and safety caused by such data breaches, in July 2021, IFF sent thirty-two representations to the State and Union Territory Commissions for the Protection of Child Rights in India and filed three Right to Information (RTI) requests with the Central Board of School Education (CBSE), National Commission for the Protection of Child Rights (NCPCR) and the Ministry of Education’s Department of School Education and Literacy.
In June 2021, Ukhrul Times, Nagaland Express, and India Times broke the news of a pan-India personal data breach of Class X and Class XII students. Alarmingly, their names, father’s names, physical addresses, institution names, and even contact details including phone numbers and email addresses were revealed in these databases. The main individuals/entities involved in facilitating the sale of such information are:
A. Shastri Nagar Charkya Puri and Amazon
According to Ukhrul Times, a trader named ‘Shastri Nagar Charkya Puri’ collated the personal data of students to create the ‘Bihar Student Database’, ‘Haryana Student Database’, and ‘Nagaland Student Database’. What’s more concerning is that the e-commerce giant Amazon, which has over 100 million Indian users registered, facilitated ‘Shastri Nagar Charkya Puri’ in selling the databases priced at Rs. 299. The Nagaland Express has also reported that Shastri Nagar Charkya Puri claims that the data is “latest and verified”. In addition, the report suggests that Shastri Nagar Charkya Puri and Amazon have not made any effort to inform the students whose privacy has been compromised. Only after several parents raised concerns and reported the item to Amazon, was the link to purchase the student database taken down.
B. Database and Students Database India
In addition to ‘Shastri Nagar Charkya Puri’, two websites, namely, “Students Database” and “Students Database India” are also selling the personal data of Indian children. The “Student Database” website presents a “record count” of the number of students whose data has been collated to prepare the database. On calculating the All India Class XII CBSE 2020-21 batch’s record count presented by the website, IFF learned that 13,14,756 children’s personal information has been compromised. In addition to the All India databases, this website has also put up region-specific databases for sale, each of which provides “free samples” of the student data. Further, the website also provides sixteen student databases at no cost. This leaves a whopping 9,04,963 students’ personal data freely available.
The database gives purchasers access to extremely sensitive information such as the student’s name, mobile number, gender, email address, and age. While Amazon had taken down the page to purchase the student databases sold by ‘Shastri Nagar Charkya Puri’, the two aforementioned websites are still operating.
C. Government Departments and School Managements
The institutions created to safeguard the data of students are now reported to have partaken in the non-consensual disclosure of personal information themselves. A report published by The New Indian Express on July 21, 2021, claims that the staff and officers in the Tamil Nadu Education Department headquarters and in education departments across the state have been selling the personal information of Class X and Class XII students to colleges. Allegedly, a district education department official charged 2 rupees for each student’s mobile number. Similarly, The Times of India has reported that the administrative staff of schools in Nagpur are now charging anywhere between 2 rupees to 5 rupees per student’s personal data disclosure.
Concerns on the Data Breach
October 25, 2015, FirstPost, in a report, highlighted how sexual predators, on procuring children’s sensitive information such as their names and contact details - which was freely available on a university’s website - began to contact and lure them under the guise of offering career advice. In the current situation, similar possibilities of the critical misuse of examination data to commit such heinous acts cannot be ruled out, as students' personal information has been compromised by the aforementioned websites, vendors and officials. Similarly, in an interview conducted by The New Indian Express, a technology expert highlighted that in instances of such data breaches, there is a possibility of students’ contact numbers being uploaded on pornographic websites.
From a legal perspective, this data breach violates the students’ fundamental right to privacy, as upheld by the Supreme Court in K.S. Puttaswamy v. Union of India (2019) 1 SCC 1. Significantly, the decision highlighted the need to secure children’s right to privacy, bearing in mind that minors lack the legal capacity to give consent. Additionally, the Government of India, in 2005, had accepted two Optional Protocols to the United Nations Convention on the Rights of the Child (UNCRC). As a result, India endeavours to protect children from all forms of exploitation and arbitrary or unlawful interference with their privacy. Hence, if necessary measures are not taken to protect the personal information of children, it would stand in violation of the Puttaswamy decision, and UNCRC’s Optional Protocols.
Section 43A of the Information Technology (Amendment) Act, 2008, holds bodies accountable if they fail to implement “reasonable security practices and procedures” when handling sensitive personal data. According to Section 72A of the Act, the websites, school managements and individuals involved in the mass student data breach can be imprisoned for a term of up to three years or/and can be fined up to five lakh rupees. However, considering the “Students Database India” website claims that they have been providing “100% genuine” data of students from every state and Union Territory for the past six years, the legal ramifications in place seem inadequate.
It is imperative to highlight that the rampant commercialisation of students’ personal information can be attributed to the exponential growth of ed-tech and remote education amidst the COVID-19 pandemic. Bearing this in mind, the motives of the database purchasers go unchecked as hackers, stalkers, scammers and unwanted marketers are now just a few clicks away from accessing a vast number of students’ personal information. This can leave several students vulnerable to fraud and identity theft, as individuals do not frequently change their personal information, especially email addresses and phone numbers.
IFF’s Proactive Measures
Concerned about the potential threats the aforementioned databases pose to the children’s safety and their right to privacy, on July 16, we wrote to twenty-eight State Commissions for the Protection of Child Rights and four Union Territory Commissions for the Protection of Child Rights to raise our grievances. We urged the Commissions to initiate an enquiry on the infringing websites (“Students Database”, “Students Database India”), the vendor (Shastri Nagar Charkya Puri) and the e-commerce platform (Amazon) and to also forward the case to the Magistrate having the jurisdiction to hear the complaint. The Commissions were also advised to frame and implement remedial measures and guidelines to prevent the leakage of students’ personal data henceforth.
On July 11, 2021, we filed an RTI request with the Ministry of Education’s Department of School Education and Literacy. To our dismay, on July 19, 2021, the Department replied solely to a query on the National Achievement Survey and disposed of our request. The problematic aspects of this reply are twofold. First, this insinuates that the Department has willfully chosen to not disclose the information. Second, even if the non-disclosure of information was not deliberate, it remains concerning as it insinuates that the Department does not have the pertinent information that we sought.
Similarly, on July 8, 2021, we filed an RTI request with the CBSE. We sought information related to whether the CBSE categorised and stored the students’ personal data. We also enquired about whether the CBSE makes privacy impact assessment reports or issues any Standard Operating Procedure (SOP) vis-a-vis students’ personal information protection. Lastly, on July 11, 2021, we filed an RTI request with the NCPCR. We inquired if the NCPCR had received any complaints regarding any incidents of students’ personal data breaches. However, we are still awaiting a response from both of the authorities.
The elixir to the grave concerns on students’ data would be the creation of watertight legal provisions and policies to prohibit such data breaches. This opinion was shared by UNICEF in its report which highlighted the vulnerability of Indian children vis-a-vis data breaches. UNICEF also urged the government to enact stringent laws to tackle the menace of cybercrimes and secure children’s right to privacy. While the Personal Data Protection Bill, 2019 is a welcome step towards data governance, it still falls short on several accounts. Our piece titled “#PrivacyOfThePeople - Why Student Data should be Students’ Data” offers a deep dive into the issues with the proposed law. In sum, the Bill makes no mention of either non-personal data or sensitive personal data. Considering the ubiquity of Indian student databases in the market, the possibility of students’ non-personal or sensitive personal data disclosure seems inevitable. In addition, unlike the comprehensive General Data Protection Regulation and Family Educational Rights and Privacy Act, 1974, the Bill does not discuss data security practices at length.
From a policy perspective, it is essential for Commissions and government bodies to work proactively to combat such data breaches. This includes ensuring data brokers and commercial entities adopt sustainable data security practices. Taking a leaf from the World Privacy Forum report, government agencies also ought to mandate educational institutions to conduct a Privacy Impact Assessment. Additionally, it is imperative to thwart the corrupt practices of government officials. Hence, governments on both - the state and national levels - must set up mechanisms to ensure accountability and transparency of education departments and school managements. To conclude, in light of students’ privacy and personal data being at stake, there is an imperative need to overhaul both - the legal and policy frameworks - to realise child rights in the digital age.
(This blogpost has been authored by IFF intern Deepika Nandagudi Srinivasa and reviewed by IFF staff.)
|Link to the Representations for the Union Territory Commissions for the Protection of Child Rights|
|1.||Andaman and Nicobar Islands Commission for the Protection of Child Rights Representation|
|2.||Chandigarh Commission for the Protection of Child Rights Representation|
|3.||Delhi Commission for the Protection of Child Rights Representation|
|4.||Puducherry Commission for the Protection of Child Rights Representation|
- #PrivacyOfThePeople - Why Student Data should be Students’ Data dated July 22, 2021 (link)