No privacy impact assessment for biometrics at Indian exam centers

The National Testing Agency (NTA) of India failed to carry out an impact assessment study for two facial recognition projects to be implemented at school examination centers, according to a MediaNama report (subscription required and recommended).

The agency told MediaNama in response to a Right to Information request that it did not need to seek any legal opinion before going ahead with tenders for the biometrics project.

In response to another question on whether it carried out a privacy and data assessment study for the projects, the NTA referred the media outlet to a section of the tender document which has to do with appointment of successful bidders.

But MediaNama reports that a look at the portion of the tender document it was referred to by the NTA shows that all of the responsibility for protecting the data of subjects rests with the technology provider or vendor, and not with the NTA.

A comparison between the NTA’s clause in the tender document and what a proposed Personal Data Protection Bill says about data protection are at variance, and suggest that if the Bill was in force the NTA would have been required to carry out a data and privacy impact assessment.

The Personal Data Protection Bill (which is still pending at the level of a Joint Parliamentary Committee) says an impact assessment for such a project should include “description of the proposed processing operation; the purpose of processing and nature of personal data being processed; assessment of potential harm that may cause the subjects, as well as measures of removing, minimizing and managing risk of harm.” The outlet holds this was never done.

The NTA recently announced two tenders for the provision of a facial recognition and biometric verification systems in thousands of examination centers across India.

One of the tenders calls for the installation of 100,000 CCTV surveillance cameras of 2 megapixels each across 4,000 centers in a bid to check malpractices and ensure the legitimacy of examinations, while the other is seeking the same biometric services for the monitoring of online versions of the National Eligibility Entrance Test (NEET) and the Joint Entrance Examinations (JEE).

MediaNama said the NTA also declined giving information regarding details of individuals or organizations permitted to operate and use facial recognition technology, this on the excuse that such information is confidential and cannot be disclosed.

There have been concerns in India since the launch of calls to tender for the face biometrics projects, with activists urging the NTA to ensure greater transparency in the collection, processing, storage and even sharing of students’ biometric data, given that the exercise will involve millions of school children, some of them minors.

The NTA has said the biometric verification will be mandatory for all candidates sitting the concerned exams.

Article Topics

biometric identification  |  biometrics  |  data protection  |  facial recognition  |  identity verification  |  India  |  privacy  |  tender