NITI Aayog, the government's think tank for public policy, has urged the government to clarify how information gathered by Digi Yatra, a facial recognition-enabled flight boarding system, will be handled.
It has also urged the government to adopt a facial recognition model that is free of bias, since bias might result in incorrect decisions and, ultimately, exclusion from access.
This comes at a time when concerns have been raised about the use of facial recognition technology, particularly in terms of privacy, surveillance, discrimination, and the digital divide.
It has often been pointed out that the country still lacks a data protection law to protect against the misuse of sensitive data such as biometrics.
While facial biometrics would be erased after 24 hours, NITI Aayog seeks further details on how passenger information will be deleted or stored. The planning body made these suggestions in a draft discussion paper released on November 3.
"The Digi Yatra Policy states that facial biometrics are deleted from the local airport’s database 24 hours after the departure of the passenger’s flight. However, the rules related to deletion of other information collected from the passengers, as well as any facial biometrics that are stored in other registries, must be clearly set out in the Policy," NITI Aayog said.
The government's planning body also said that if the Ministry of Civil Aviation plans to allow any security-based exceptions regarding data usage, an ethics committee should clearly define them and standard operating procedures should be established.
"This should be a continuous process that is updated regularly as deemed necessary. The Ethics Committee can undertake this periodic review," it added.
Third-party data usage
It also urged the government to ensure that consent obtained for the use of biometrics for value-added services is clearly defined for consumers.
The Digi Yatra policy mentions that user data may be shared with other parties such as cab companies and other commercial entities.
"There must be specific care taken to ensure that such consent is meaningfully provided and is not bundled by default. This may require such consent to be provided as an 'opt-in' instead of an 'opt-out'," NITI Aayog said.
"This would set the default to a passenger’s data not being shared with a third party, unless they authorise and consent to such sharing through the opt-in. Opt-in mechanisms reduce the chances of consent being provided under ignorance of the implications," it added.
NITI Aayog advised vendors offering value-added services to make sure that facial data and other relevant subject data are protected.
"This may be achieved by setting out clear licensing requirements between Digi Yatra Foundation and third-party vendors prior to sharing any sensitive personal data," NITI Aayog said.
Need for cybersecurity audits and accountability
In regard to information security, NITI Aayog recommended that cybersecurity audits and vulnerability testing of the Digi Yatra platform be conducted on a regular basis.
"In addition to cybersecurity audits, it is imperative to establish a mechanism for performing algorithmic audits by independent and accredited auditors, prior to system deployment at periodic intervals," the discussion paper read.
In addition, NITI Aayog said that the Digi Yatra ecosystem should have a grievance redressal mechanism, as well as a complaints framework and an appellate process.
Biometric collection under SPDI Rules
NITI Aayog explained that the Digi Yatra Policy processes are currently governed by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data and Information) Rules, 2011, or SPDI Rules.
"The SPDI Rules define ‘biometric information’ as ‘sensitive personal data or information’. Consequently, a higher degree of protection applies to such data and must be adhered to. Therefore, the collection of data under Digi Yatra must satisfy the requirements of Rule 5 of the SPDI rules," the discussion paper said.
The planning body noted that in the future the Personal Data Protection Bill will establish principles, rules and standards related to such usage of data.