This post was originally published on the IFMR Trust blog.
We met Sulekha* in a village in Uttarakhand. She was talking about the information she considered most important to her: her ration card, Aadhaar card, NREGA job card and her phone number. When asked how much she would sell this information for, she visibly withdrew saying she did not want any money for it. What would she need to share this information? She replied simply: a guarantee that it would not be misused.
Sulekha was one of the 50 people we spoke to as part of a small, deeply qualitative study on which the Future of Finance Initiative (FFI) at Dvara Research partnered with Dalberg Design and CGAP. We set out to understand: ‘how do ordinary citizens of India think and act on their privacy and data protection?’ Across four regions of the country (Maharashtra, Uttarakhand, Tamil Nadu and Delhi) we used the Human Centred Design (HCD) method to have discussions to understand not just what people say, but how they think, act and feel. The final report on the study is available here.
Our conversations in the field revealed that contrary to common perception, people in India care deeply about their personal data and privacy. Respondents were surprised that service providers could share their personal information with third parties and wanted to be informed of such sharing. People were also sensitive about sharing their personal data such as photos, messages and browsing histories—even with their family—and were unwilling to sell certain types of personal data like their telephone numbers.
Even the data that they were willing to share in order to receive services came with conditions. People wanted to know how their data was handled. They also, much like Sulekha, wanted an assurance from providers that no harm would come to them through the use of their data. Many of the interviewees recognised their inability to understand standard notice clauses and wanted more visual forms of consent that they could easily understand without relying on others.
Alarmingly, most interviewees had experienced fraud (especially via phone impersonators), and did not know how to protect themselves or seek redressal. Women, in particular, were highly vulnerable to reputational harms, and self-censored themselves (for example by not sharing phone numbers or photos) to protect themselves.
Although the government and its institutions inspired universal trust, people working in government institutions were not trusted with personal data – unless the employees came from the same community group or geographic area. Agents of banks and mobile network providers were also recognised as common perpetrators of illicit disclosures of personal data.
In cases where harm was caused to them as a result of a data breach, the respondents wanted easy access to seek redressal, and wanted to be compensated fully.
We heard individuals asserting their right to have their personal information treated responsibly. They indicated clear and strong preferences for a system that provides them agency and control over their data. Citizens at the grassroots want a data protection regime where providers are held accountable and are obligated to treat personal data responsibly.
*Name changed. Note: The details of the respondents in the main report were included with their permission and after informing them that a report would be released on this topic.