IRCTC Floats Tender to Appoint Consultant to Monetise Digital Data, Digital Liberties Group Flags Risks

The Indian Railway Catering and Tourism Corporation (IRCTC) has floated a tender seeking to monetise digital data of the Indian Railways and the IRCTC. The latter is looking to appoint a consultant for ‘digital data monetisation'. The tender, which seeks to utilise the data from passenger, freight, and parcel trains, was spotted by digital liberties organisation Internet Freedom Foundation (IFF) on Friday. It is worth noting that India currently does not have a data protection law to regulate the use of citizens' personal information.

According to the e-tender document (archived version) uploaded on the IRCTC website, titled ‘Consultancy for Digital Data Monetization', the public sector undertaking is looking to appoint a consulting firm for the project, in order to generate up to Rs. 1,000 crore in revenue. The deadline for tender offers is August 29, and the IRCTC has set the earnest money deposit (EMD) at Rs. 2 lakh, according to the document.

The IRCTC states that it is “a reservoir of huge amount of digital data which opens several opportunities for IRCTC for monetization” and that it wishes to “leverage its data assets and market position to drive strong growth in revenues”. The consulting firm will be expected to study IRCTC data including data from the railway's passenger, freight, parcel, catering, tourism, and other operations.

The data that IRCTC has listed out in the tender (page 11) includes customer data captured from the Indian Railways, which includes “basic data” such as their name, age, mobile number, gender, address, email addresses, as well as their class of journey, payment mode, and login information — including their username and password.

According to the IRCTC's tender, the consultant will be expected to aggregate the data captured, segregate the data, and “identify market potential internationally” for specific data sets. They must also establish procedures and protocols for long-term monetisation of the digital data of the Indian Railways, and “handhold” the monetisation process.

In order to propose business models for monetisation of data, the tender states that the consulting firm should study legislation related to information technology, including the IT Act, 2000 and its amendments, as well as data privacy laws such as the General Data Protection Regulation (GDPR) and the “current Personal Data Protection Bill 2018 of India”. However, as the IFF points out, Personal Data Protection Bill was withdrawn by the government on August 3.

The digital liberties organisation has highlighted the risks of monetising customer data, stating that a profit maximisation goal could result in increased data collection, which would be in violation of the principles of data minimisation and purpose limitation. Meanwhile, the monetisation would take place in the absence of a personal data protection law. “Past experiences from the misuse of [the] Vahan database amplify fears of mass surveillance & security risks,” the IFF stated in a tweet.

Gadgets 360 has reached out to the Indian Railways for comment and will update this article when a response is received.

On August 3, the government withdrew the Personal Data Protection Bill, 2021, announcing that it was working on a new comprehensive law. The bill had proposed regulation of transmission of data across borders, while empowering the government to seek data from companies. At the time, Union Minister of Electronics & Information Technology Ashwini Vaishnaw said that the government was hopeful of getting new legislation passed by the Budget session of parliament.