The private company has been collecting precious biometric data from poor citizens, but the state has put no safeguards in place, according to highly placed sources and the owner of the company himself.

Chennai corp lets pvt agency collect citizens biometric data without a contractBiometric enumeration of residents of Kannapar Thidal by Impact Technologies
news TNM Investigation Thursday, December 29, 2022 - 18:49

The Greater Chennai Corporation has engaged a private agency to collect biometric data such as fingerprints and retina scans of thousands of residents in the city belonging to the lowest strata of society, without any discernible safeguards to protect this data. For several years, a firm called Impact Technologies has been engaged in collecting this sensitive data from poor and homeless residents who are potential beneficiaries of the Resettlement and Rehabilitation scheme of the Tamil Nadu Urban Habitat Development Board (TNUHDB). It has now emerged that the government has not framed any legal terms of reference for how the data is to be collected, stored or destroyed. What's more, the DMK-led civic agency does not even have full access to the data of citizens collected by the private company. As per an informal arrangement, Impact Technologies simply gives a copy of the data collected to the GCC, who hand it over to the TNUHDB. The private agency also authenticates the beneficiaries of the scheme, which clearly indicates that it has access to a large database of citizen data. 

The company was first hired with a contract in 2011 for a data enumeration project for the JNNURM project. But in later years Impact Technologies was repeatedly engaged for various schemes on an informal basis by state government agencies without any contract in place. 

This informal, and arguably illegal arrangement, was confirmed to TNM by none other than the company's Managing Director, Parthasarathy MG. When we visited his office in Chennai based on a tip-off about these deals, Parthasarathy was candid enough to admit that he has the biometric data of 25,000 people from economically weaker sections stored in his ‘back office server'.

We then visited highly placed officials in the GCC to confirm these claims and whether there were any contracts signed with Impact Technologies, they confirmed that there has been no contract signed after 2015. 

To engage a private contractor for any work by a government agency, it is mandatory to follow the tender process to promote healthy competition and to eliminate bias, interference and corrupt practices. There are different types of tenders and the preferred mode of tendering is to invite open tenders by giving wide publicity on tender bulletins so that firms that are interested can participate. For urgent requirement or small value works, a limited tender is floated. 

In the case of Impact Technologies, the last time GCC signed a formal contract was in 2015, and after that the firm has been engaged by the GCC without an agreement, sources tell TNM. In the absence of a formal contract between the government agency and the private contractor, the private player can’t be held accountable for any acts of omission or commission. Engaging a private player without any terms and conditions is a violation of Tamil Nadu Transparency in Tenders Act 1998 and The Tamil Nadu Transparency in Tenders Rules 2000. According to the TNTIT Act ‘98, the only scenario when a private firm may be engaged without tender is during instances of natural calamities and/or emergencies declared by the government.

So what measures are in place to ensure that this data is not misplaced, misused, or sold to anyone? It appears the entire enterprise hangs on the word of Parthasarathy MG. “Only I have access to the data, not the corporation or the TNUHDB," he said during our meeting, “We send a report to the Greater Chennai Corporation (GCC) listing the names of the authentic beneficiaries.” A top official from the GCC confirmed this claim — that the corporation only receives the list of beneficiaries which is then sent to the TNUHDB to commence the process of providing housing. 

The most recent data collection by Impact Technologies was done on September 28, when the private company went with the police, GCC, and TNUHDB officials to the Zonal Office V near Sowcarpet where they collected biometrics from residents of a homeless shelter in Chennnai’s Kannapar Thidal. The 128 families here have been waiting for 20 years and have filed several petitions to be provided a permanent home; that was a promise made in 2001 by the then J Jayalalithaa government, and the residents were told they'd be given homes within three months. The residents were mostly pavement dwellers occupying Chennai Metro Water property near the Ripon Building. Most residents of the homeless shelter are from Scheduled Caste communities, and have not been informed why their biometric data is necessary for home allotments. 

Kannapar Thidal residents confirmed the biometric collection, that is, fingerprints and retina scans that were taken on September 28. Resident D Selvam said, “It has been one and a half months since the biometrics collection but no token number has been given to us.”

A company for printing IDs, now guardian of data

Founded in 2004, Impact Technologies has mostly undertaken work as printers of Voter ID cards and plastic membership cards, while also helping public and private institutes for the conversion of collated data, according to the company profile available online. The company is a manufacturer and service provider with the legal status of a partnership firm. The firm has been engaged in the collection of biometric data with government agencies since 2011 in Chennai. 

The company has been engaged with the GCC for the process of enumerations since 2011. This was the first time they were employed on a contractual basis, according to the Managing Director, Parthasarathy MG. He added that the agency undertook work for the Jawaharlal Nehru National Urban Renewal Mission (JNNURM) on the basis of a contract to authenticate identities for Aadhaar Cards that year. “The government employed us during the floods for some activities without a tender for the first time in 2015,” Parthasarathy told TNM.

Apart from Kannapar Thidal, they have conducted biometric data collection for ‘Project Affected Families’ along Cooum and Adyar rivers — where people living in river restoration project areas are being relocated — and also in Govindasamy Nagar along the Buckingham Canal. 

Explaining the process of data collection, Parthasarathy said that the agency, on a given date, goes to the venue of the corporation’s choice where police are also deployed. The data collected is compared and checked for duplicates based on demographic data and biometrics.

“For a person, they (Corporation) used to give Rs 1,800 per biometric collected when it was based on a contract,” said Parthasarathy, “However, the government was unable to pay the amount. Now we work on an ‘everyday basis’.”

The process of biometric data collection is done under the supervision of the GCC, the TNUHDB and the Land Owning Department. According to a highly placed source in the GCC, the collection of biometric data is done to authenticate the identity of slum dwellers. The GCC official mentioned that the TNUHDB requests the private company to start with the biometric enumeration process.

Govinda Rao, the Managing Director of TNUHDB, explained the procedure of employing private agencies. “The agency is fixed by the Land Owning Department or the local body through an agreement, which they have to adhere to,” he said, “The agreement stipulates the conditions to be followed by both the person giving the order and the person receiving the order. If there is any violation, it will be handled accordingly as per the agreement.” Govinda Rao said that the private agency also has access to the biometric data. However, sources in the GCC confirmed to TNM what Parthasarathy claimed — that there has been no contract between the state agencies and Impact Technologies since 2015. 

When asked about why the agency was being engaged without a contract, GCC commissioner Gagandeep Singh Bedi said, "I will have to talk to DC Education about the process and then get back to you. I don't know anything about it." Deputy Commissioner of Education D Sneha has taken on some work in the resettlement scheme as a special project. 

Srikanth L, a data privacy activist from the Cashless Consumer, said that the worst case scenario of a biometrics leak is limitless. “The bounds of identity theft have not been exploited yet. What we know from past cases is that wiping of bank accounts is one real possibility,” he explained.

The SPDI Rules explicitly state that the concerned government body, in this case GCC, has to mandatorily have the privacy policy concerning the usage of the sensitive data in the public domain and made aware of to the person who is providing the biometric or other sensitive data. 

Anushka Jain, a policy counsel at the Internet Freedom Foundation, said that the lack of a national data protection law limits accountability. “What we have are the Sensitive Personal Data Information Rules (SPDI Rules) — which say that biometrics come under sensitive personal data and reasonable security safeguards should be taken while collecting,” she said, adding that a privacy policy should also be made available in the public domain, which has not been done in the Resettlement and Rehabilitation process. 

Anushka said that the right to privacy is fundamental and hence, it is important that the amount of data about someone that is in the public domain is minimised to protect privacy. “If your biometric is on record with someone since 2015 for no purpose, then data minimisation is not happening,” she said.

She added, “There is the potential for misuse. The entire exercise (of biometric data collection) is happening outside legal constraints that the government could put on the private actor. The private actor has no liability against the government because there is no contract.” Talking about the recent Data Protection Bill, Anushka mentioned the data principles that point to the roles of the data fiduciary and the data processor. The data fiduciary is the one that authorises or uses the data, and the data processor processes the data. “The private actor is just the data processor. The government, which is the data fiduciary, should be held liable,” she explained. 

Problems with resettlement policy 

In 2021, the TNUHDB released a Draft Resettlement and Rehabilitation Policy for slum dwellers. The draft stresses the procedures to be followed prior to and post resettlement. However, the policy is yet to be implemented. 

The draft, on the other hand, just states a line about the collection of biometrics. It says that the biometric data collection should be done at the same time as the enumeration by the “GCC in Chennai, and Land Owning Departments in other districts; wherever possible.” 

Vanessa Peters, founder of the Information and Resource Centre for the Deprived Urban, called the Draft Resettlement and Rehabilitation Policy 2021, “vague.” She added, “The Standard Operating Procedures are unavailable in the public domain.” It is these guidelines that help maintain uniformity in the resettlement procedures. Govinda Rao said, “SOPs are circulated among the departments but are not available in the public domain.”