Image credit: News laundry
The privacy of a person is very much more important than everything. So what happens when a
massive group of people’s privacy is violated by the government itself? The Covid-19
pandemic has created a pretty much-shaken situation all over the country. Article 21 of the
constitution of India provides for the protection of life and personal liberty which is a
fundamental right. Basically, the right to life includes the right to privacy also1
This research paper aims to understand the alleged data leak on the CoWin portal. Cowin is a
government-possessed web gate set up in 2021 to administer and manage India’s COVID-19
vaccine rollout. The researcher is using doctrinal research using primary and secondary
data. The paper is also trying to find out how the data has leaked out, what are steps taken
by the government to protect the privacy of its citizens and what will happen when the data is
leaked. The study also aims to strike a balance between data protection and the right to privacy
and the need for new laws to clear the grey area between data protection and the right to privacy
to prohibit further data leaks.
The paper also analyses how the government ensure the digital privacy of 150 million
people and how will the public respond to this issue. Moreover, it also analyses the current
situation of the issue and suggestions for the better implementation of data protection laws in
Keywords: Data protection, Right to privacy, COVID-19, Personal Data, Data leak.
A data leak occurs when an internal source disclose information. Data is information such as
facts and numbers used to analyse something or make decisions. In the digital era, there is a
need to protect everyone’s data safely. In order to protect the sensitive information of its
citizens, the government must act wisely. Because there are hackers everywhere who can collect all
the personal information of people and sell it. So it is the duty of the government to
secure the data otherwise it will be a breach of fundamental rights of its citizens by the
government itself. While looking back 3-4 years ago, the outbreak of the coronavirus on
November 2019 had a great impact on people’s lives. From there onwards there is a
new normal experienced by people not only in India but all around the world.
The arrival of lockdown and the number of people tested for Covid had increased. There felt
a need to codify the information of people who had tested positive in order to prevent the
spread of the virus. Moreover, personal details are collected via the Co-Win portal for taking
vaccination. The details given for vaccination include name,age, residential address, gender,
and blood group. Basically, these are sensitive information collected by the government. But the
surveillance by the government was itself a violation of Article 21 which says that “ No
the person shall be deprived of his life or personal liberty except according to procedure
established by law”. The better implementation of data protection laws is yet to be looked
REVIEW OF LITERATURE
WHO IS THE MASSIVE BREACHER? Analysing the alleged data leak from Co-Win
portal For the purpose of registration for vaccination, the government started its own web
portal in 2021 named CoWIN. Even though there are legislations for securing one’s personal
information,it is not seen as taking effect properly.
The above image shows the sensitive information of a person which has been leaked through
a telegram bot. This was collected for vaccination purposes by the government. But it is
seen that the same information was provided by a telegram bot when the person’s name was
entered on it. The data breach also includes information of high profile political leaders4
The same was reported on the news on the 12th of June 2023. According to reports, the data leak includes
personal information of Indian citizens including PAN number and Aadhaar number.These
data, that was streamlined by Covid vaccine heirs on the CoWIN platform, have allegedly been
made available on the instant messaging service Telegram. On the 13th of July, the Indian Computer
Emergency Response Team (CERT-IN) asserted that there was no direct breach of
data.Rajeev Chandrasekhar( Minister of State for Electronics and Information Technology of
India ) tweeted that the telegram bot was throwing up information from “previously stolen
data”.According to the Health Ministry, data stored in the CoWIN portal can be accessed at three
levels:- by the beneficiary, by third-party applications who have been provided authorised
access to the CoWin API’s.On 22nd June the Delhi police arrested a man from Bihar for
gaining unauthorised access to the CoWin database. The police have not yet disclosed the motive
behind the accused’s actions.It is said that the accused has been charged under relevant
provisions of the Information Technology Act and Indian Penal Code pertaining to data
theft, unauthorised access and violation of privacy.
5Well, this isn’t the first time that security
concerns around CoWIN have become the talk of the town. Back in 2021, a website claimed
that the particular data of over 150 million Indians was blurted onto the dark web. Indeed
also, the Health Ministry, still, refuted the claims and said that details participated with
CoWIN are secured. Now, it’s possible that someone had taken the same data that was
floating on the web and had erected a Telegram bot for it to make it fluently searchable . On
23rd of June police revealed that a Bihar man and his brother were using their mother’s ID
credentials to access the data on CoWin.They have only access to a limited number of people
and does not have much sensitive information either. They created a bot and circulated the
information on their Telegram channel to gain further followers.
. At present, we haven’t found any other motive,” said a senior police officer from the Special
Cell.6On 12th June itself the Union Ministry of Health and Family Welfare issued a press
release stating that the Telegram bot wasn’t using CoWIN’s operation programming
interface. If the government cannot protect the data they should not collect the data. The
government is still not sure about where the data has been leaked out. First, they should
find out the source from where the data has been leaked. Because whether the data was leaked
in the distant past or recently, it is the sensitive data of its citizens and should be strictly
protected by the government. In this issue where the telegram bot provides health data of
people, MEITY along with CERT-IN said that the data was not stolen from the CoWin database
and that was previously stolen data.Isn’t this a fair enough response provided by the
government? Will this take out the responsibility of the government from breaching the
fundamental rights of citizens? Before answering these questions one should acknowledge the
fact that the legal regime of personal data protection is still missing in India. India is still
lagging behind in the drafting of data security laws amid COVID-19.7
It is worth noting that
the Persona Data Protection Bill,2018, Information Technology Act,2001 and Indian Penal
Code,1860 should be read together and reviewed properly to make the existing laws more
effective. For having proper rules, guidelines and regulations, the Data Protection Bill is a way
to go forward.
● How did the data leak?
● What will happen when the data leaked?
● What are the steps taken by the government to protect the privacy of its citizens?
● How will the public respond to this issue?
- Aims to understand the alleged data leak on the CoWin portal
- Find out how the data leaked out
- Aims to strike a balance between data protection and the right to privacy
- Need for new laws to clear the grey area between the protection of data and privacy
- Suggestions for the better implementation of data protection laws
WHAT WILL HAPPEN WHEN THE DATA IS LEAKED?
According to the collected data -:
Looking from a legal perspective,it is simply a violation of the right to privacy. However
looking rationally on the matter the results of leaked data include:
- Sale of sensitive information and making money
- Identity theft
- Hospitals and big conglomerates can make use of this information for organ
HOW DID THE DATA LEAK?
The government itself said that data was leaked when the outbreak started and was not leaked
from the Cowin portal. In that case from where did the data leak? Did the government
make any efforts to find out the source of data leakage? How come they can make sure the
data of 150 million people are safe in their hands? If personal information is not protected
by the government, the only option left to people is to refuse to give their information
About 76% of people are aware of the data leak issue and people know that there
personal data is not safe.
CONCLUSION AND SUGGESTIONS
Apparently, the public has not reacted properly against the issue. To strike a balance between
the right to privacy and data protection better encryption methods can be used. The public can
respond to this issue by giving Public Interest Litigation and trying to find the source of
a data leak. The government says that sensitive information is protected in their hands. But
somehow it was leaked which means by anyway it is not protected properly. To find out the
source of leakage and prevent further happening of the same is the need of the hour. More
time and effort are to be put into digital privacy. Data protection laws should have
transparency otherwise no one can prohibit further data leaks in the future world. With the
help of technology experts, the data can be stored in robots. Only a person who is authorized
with the permission of the person who owns the sensitive data can have access to it. By using
Artificial Intelligence specially programmed robots should be constructed to manage the
digital privacy of citizens. It is the best decision to manage the data and privacy both hand in
hand. The protection of digital privacy is as important as protection from coronavirus.
● Writ Petition (Civil) No. 494 of 2012, (2017) 10 SCC 1
● The Constitution of India,1950,Art.21.
● Dar, Mohamad Ayub, and Shahnawaz Ahmad Wani. “COVID-19, Personal Data
Protection and Privacy in India.” Asian bioethics review vol. 15,2 125-140. 27 Oct.
https://www.vocabulary.com/dictionary/data Accessed 7 August 2023.
–Venugopal, Vasudha. “Cowin Portal Safe, Says Centre, Calls Data Leak Reports
Accessed 9 August 2023.
–Biswas, Sayantani. “Cowin data leak: Govt sources say breach ‘old data’, assure ‘we are
still verifying it.’” Mint, 12 June 2023,
re-we-are-still-verifying-it-11686560653362.html. Accessed 9 August 2023.
–saha, sneha. “CoWIN data leak: Delhi police arrests Bihar man for uploading personal data
of vaccinated Indians on Telegram.” India Today, 22 June 2023,
Accessed 9 August 2023.
–Sinha, Jignasa. “2 Bihar brothers used mother’s CoWIN ID to leak data: Delhi Police.” The
r-arrest-telegram-8679180/. Accessed 9 August 2023.
–“Press Information Bureau.” Press Information Bureau, 12 June 2023,
https://pib.gov.in/PressReleasePage.aspx?PRID=1931691. Accessed 9 August 2023.