IRCTC moves to monetise passenger data
In a first of its kind move, the Indian Railways Catering and Tourism Corporation (IRCTC), the ticket booking arm of the Indian Railways, is looking to monetise its bank of passenger data while conducting business with private and government companies.
IRCTC has a large bank of data related to every online railway ticket ever generated as it is the country’s only railway ticketing platform, an IRCTC official told Business Standard.
The public sector undertaking, which has sought the services of a consultant to assist with the monetisation process, plans to raise Rs 1,000 crore through this exercise.
In its tender document for hiring the consultant, IRCTC has cited a variety of sectors, such as hospitality, energy, infrastructure and health, as potential customers for the passenger data.
“Indian Railways desires to monetise the data in customer/vendor applications and internal applications of Indian Railways by conducting various businesses with both government and private sectors, viz tours and travels, hotel, financing, infrastructure development, insurance sector, health sector, manufacturing sector, shipping, aviation, port developers, container operation, mining, energy, etc. for generating revenues and also to enhance facilitation and further improve the services,” IRCTC said in its tender inviting bids, which has been reviewed by Business Standard.
IRCTC in its tender has specified that the consultant for this monetisation drive would need to iron out the implementation issues on account of potential privacy concerns with respect to consumer data.
IRCTC has said that a thorough analysis of rules like the European General Data Protection Regulations and the now-shelved Personal Data Protection Bill, 2018, will be undertaken by the consultant to ensure that the proposed monetisation is in line with legislative and Supreme Court’s directives on data privacy.
Sources in the company said that the monetisation move is at a nascent stage, but there is a push from the railway board to get it executed.
Given that the Indian Railways is struggling to monetise its physical assets, monetising digital assets and the data bank is clearly an attempt to generate additional revenue to meet its ambitious monetisation target for the fiscal.
Highlighting privacy concerns, Amol Kulkarni, Director (Research) at CUTS International, said that the sharing of personal data of the passengers creates the risk of breaching consumer rights.
“The data needs to be aggregated, anonymised and protected.
“There is the possibility that IRCTC will share personal data with different service providers without anonymising it.
“There is a greater risk of breach, violation of privacy, and misuse of data if that happens.
“We do not have a data protection bill in place, and neither do we have adequate protection available in case of misuse of non-personal data.
“Given this scenario, it would be really unfortunate,” Kulkarni said.
Kulkarni pointed out that currently, there is nothing in the law that can deem this move illegal.
“The information security guidelines under the IT Act has some indication about consent.
“But practically, it is not informed consent nor is the purpose limitation practised.”
He added that IRCTC would need to ensure that it has robust data protection practices in place and the third parties also follow these best practices.
Moreover, customers would have to have the opt-out option at every stage of the data sharing.
Another concern echoed by digital rights advocates is on account of the element of user captivity, since users have no other option than IRCTC to book railway tickets.
Prateek Waghre, Policy Director at Internet Freedom Foundation said, “Even if the Railways plans to do this in a privacy preserving way, concerns would still be there, as we don’t have a necessary legal framework for the protection of user data.
“This is the reason so many civil society organisations are pushing for a Data Protection bill in India.”
He added that such an action from a department of the union government is a huge cause of concern, especially when the government has withdrawn the data protection bill.
Given that IRCTC is a monopoly in this space, there is a coercive element.
There is no way the users can avoid the monetization of their data.
According to the company’s figures, the platform was used for booking almost 430 million tickets in the financial year 2021-22, with almost 6.3 million daily logins and more than 80 million users of its online services.
Over 46 per cent of its ticket bookings come through the mobile app, which has the highest quantum of data stored from a user.
The consultant will have access to customer data for the purposes of this preliminary analysis, which includes basic data of individual passenger/customers of freight, parcel and other public facing applications like name, age, mobile number, gender, address, e-mail ID, number of passengers, class of journey, payment mode, login/password, etc., the tender document said.
Source: Read Full Article