New Delhi: Two years after RTI applications filed by an activist revealed that a private vendor may have fled with data of 50 lakh ex-Servicemen, the central organisation ECHS filed an FIR against the firm at the Sadar Bazar police station in Delhi. The case was registered on December 19 this year against the firm – which ran the Smart Card system – its officials and employees.
In March 2018, The Wire reported that the Ministry of Defence had admitted that it was unsure about whether or not a private vendor had fled with the personal data of about 50 lakh ex-servicemen and noted that it “cannot comment whether a copy of the same has been retained by the company or not”.
Smart cards were in use till May 2015
Earlier, queries filed under the Right to Information Act (RTI) by activist Commodore Lokesh K. Batra (Retd.) on the maintenance of data on ex-servicemen at ECHS, had revealed the “system of Smart Card which was in vogue till May 2015, the biometric data (left & right thumb impression only) of the individual was stored in the Smart Card”.
The ECHS had further stated that “the Smart Card was in the custody of the individual” and that “no biometric data was stored in the system”. However, it was unsure if the vendor had retained a copy of data.
It was also revealed in the ECHS reply that “the other personal data as per the contract stipulation was handed over to the ECHS on termination of contract”. But, it added that “ECHS cannot comment whether a copy of the same has been retained by the company or not.”
Also read: Private Vendor May Have Fled With Data of 50 Lakh Ex-Servicemen, Reveals RTI
Thereafter the defence ministry acknowledged that Batra had enclosed a few links of media reports regarding his apprehension of “breach of trust by M/s SITL, the private vendor, for taking away the personal data of nearly 50 lakh ESMs with whom an agreement was signed by ECHS for preparation of the smart cards for ECHS beneficiaries”.
Agreement signed in 2004, renewed six years later
The ministry also pointed out that the initial memorandum of agreement (MoA) was signed with M/s SITL on January 27, 2004 and the MoA for the contract was renewed on May 31, 2010. In light of the issue at hand that concerns the safety and security of the data pertaining to lakhs of ex-servicemen, the ministry asked ECHS to submit its response on four major points of concern.
But the reply showed that neither the ministry nor the ECHS was certain if the vendor had returned all the data on termination of the contract, if it had copied the data and most worryingly, if it had shared the data with a third party.
Ministry letter showed concern
The ministry letter asked the ECHS, which comes under the Department of Ex-Servicemen Welfare, to “get confirmation that no biometric/personal data of ECHS beneficiaries is available with M/s SITL and all the data as per the contract agreement was handed over to the ECHS on termination of the contract.”
It also asked the ECHS to “get a confirmation from M/s SITL that a copy of the above data has not been retained/stored by their company”; to ensure that a copy of the agreement signed between ECHS and M/s SITL and the renewed agreement was made available to the Department of Ex-Servicemen Welfare; and to ask the vendor to confirm that information was not disclosed to a third party.
Also read: Defence Ministry Asks ECHS for Details on ‘Theft’ of Data of 50 Lakh Ex-Servicemen
However, for some reason, the ministry of defence did not order a probe and only asked ECHS to “get a confirmation” on the points raised by it.
Issue raised in Rajya Sabha
Then on December 17, 2018, while replying to a question in Rajya Sabha by MP Majeed Memon, the Minister of State for Defence Subhash Bhamre said, “there is no known input to suggest that data has been compromised. The data has been handed over to ECHS by SITL. However, some source codes and keys were not handed over. M/s SITL has not given any confirmation regarding retention of a copy of data of ESM despite repeated reminders. Action has been initiated for taking legal action against the firm.”
Legal opinion solicited
Subsequently, information accessed by Batra through RTI queries revealed that legal advice was taken by ECHS in the matter and the lawyer had advised the filing of a criminal complaint in the matter.
A letter, made available, showed that on June 25, 2019, the Joint Director (Stats and Automation) in Central Organisation ECHS wrote to the Ministry of Defence to state that as per the advice, given by Legal Adviser (Defence) to approach the litigation section of Delhi high court for serving legal notice against the firm and other necessary action, the CO ECHS approached advocate Ruchir Mishra in litigation section of the court for legal opinion.
Legal advice was to institute criminal proceedings, get FIR registered
The legal opinion provided in the matter was that CO ECHS “institute appropriate criminal proceedings against M/s Score Information Technologies Limited” and “criminal proceeding against their directors for their act of cheating and criminal breach of trust under the Indian Penal Code by registering a FIR against them.”
The letter also stated that “the advocate Mr Ruchir Mishra has been asked to provide draft legal notice and FIR for further processing the case”.
Also read: Digital India on Steroids: How Aadhaar Infra Enables the NPR and the NRC
Thereafter, earlier this month, the ECHS got the FIR registered in the case.
Concern now around new cards
Reacting to the development, Batra said the main issue is that both ECHS and CSD Canteen are again getting new cards made by private vendors and this time Aadhaar, PAN details, Pension Paying Orders, bank accounts, email ids and mobile numbers are being linked to these.
He said another worrying aspect is that CSD cards also cover serving armed forces personnel and therefore leakage of personal information could have direct implication on national security.