Defence Ministry Asks ECHS for Details on 'Theft' of Data of 50 Lakh Ex-Servicemen

New Delhi: The Ministry of Defence has now asked the managing director of its Ex-Servicemen Contributory Health Scheme (ECHS) to provide details to it on the media report on a private vendor taking away the personal data of nearly 50 lakh ex-servicemen and related issues. But while the ministry has noted in the letter that “data regarding ex-servicemen is a sensitive issue” and its safety and security has to be ensured by the commanding officer of ECHS, the nature of questions clearly shows that ministry is not certain if the vendor has returned the data, stored or retained a copy of it, or worse, shared it with a third party. “All due diligence in this regard is a must,” it added. The Wire had earlier on March 23 reported how the Ministry of Defence had admitted that it was unsure whether or not a private vendor has fled with the personal data of about 50 lakh ex-servicemen and noted that it “cannot comment whether a copy of the same has been retained by the company or not”.

The report was based on queries filed under the Right to Information Act (RTI) by activist Commodore (Retd.) Lokesh K. Batra. It had noted how while responding to the questions about the maintenance of data on ex-servicemen at ECHS, its joint director (information technology) had said that in the “system of Smart Card which was in vogue till May 2015, the biometric data (left & right thumb impression only) of the individual was stored in the Smart Card”.

The ECHS had further stated that “the Smart Card was in the custody of the individual” and that “no biometric data was stored in the system”. ECHS was unsure if vendor had retained a copy of data However, it was the remaining part of the reply which had was a cause of concern. The data pertained to ex-servicemen of all ranks and the ECHS official had admitted: “The other personal data as per the contract stipulation was handed over to the ECHS on termination of contract. ECHS cannot comment whether a copy of the same has been retained by the company or not.”
The ministry has in its letter of April 2 noted how Batra had raised the matter with it on March 26 following media reports. It said Commodore Batra has enclosed a few links of media reports regarding his apprehension of “breach of trust by M/s SITL, the private vendor, for taking away the personal data of nearly 50 lakh ESMs with whom an agreement was signed by ECHS for preparation of the smart cards for ECHS beneficiaries”. Agreement was signed in 2004, renewed in 2010 The letter by the ministry has now pointed out that the initial memorandum of agreement (MoA) was signed with M/s SITL on January 27, 2004 and the MoA for the contract was renewed on May 31, 2010. In light of the issue at hand that concerns the safety and security of the data pertaining to lakhs of ex-servicemen, the Ministry has now asked ECHS to submit its response on four major points of concern.
However, as each of these points illustrate, neither the ministry nor ECHS are certain if the vendor had returned all the data on termination of the contract, if it had copied the data and most worryingly, if it had shared the data with a third party. ‘Get confirmation that all data handed over to ECHS on termination of contract’ First of all, it has asked the ECHS, which comes under the Department of Ex-Servicemen Welfare, to “get confirmation that no biometric / personal data of ECHS beneficiaries is available with M/s SITL and all the data as per the contract agreement was handed over to the ECHS on termination of the contract.”

ECHS told to confirm from vendor if it had retained a copy of the data It has also asked ECHS to “get a confirmation from M/s SITL that a copy of the above data has not been retained / stored by their company”. The ECHS has also been directed to ensure that a copy of the agreement signed between ECHS and M/s SITL and the renewed agreement was made available to the Department of Ex-Servicemen Welfare. Vendor to also be asked to confirm that information was not disclosed to a third party Finally, the ministry has also asked ECHS to get a confirmation from M/s SITL that they have not disclosed information relating to biometric/personal data of ECHS beneficiaries to any third party and there is no breach of trust on the part of M/s SITL as per the provision of both the MoAs.

Interestingly, instead of ordering a probe in the matter, the MoD has only asked ECHS to “get a confirmation” on each of these points from the vendor itself. It is indeed difficult to fathom if the vendor would disclose the factual position considering violation of any of the norms would amount to breach of trust. However, as the letter shows, the ministry believes that the vendor would make a truthful disclosure.