Anuradha Gandhi, Rachita Thakur and Prateek Chandgothia
Introduction
The Ministry of Road Transport and Highways (hereinafter referred to as ‘MoRTH’) has introduced a comprehensive data sharing policy for the National Transport Repository (hereinafter referred to as ‘NTR’), marking a significant milestone in India’s approach to balancing data accessibility with privacy protection. The ‘Policy for Data Sharing from the National Transport Repository’[1] (hereinafter referred to as ‘the Policy’) governs the sharing of transport-related data from critical databases including Vahan, Sarathi, e-Challan, eDAR, and FASTag systems, which collectively hold records of over thirty-nine crore vehicles and twenty-two crore driving licenses.
What is NTR?
The National Transport Repository (hereinafter referred to as ‘NTR’) is a centralized database maintained by MoRTH. It consolidates various forms of transport-related data. The NTR serves as a unified system to manage and access critical information related to vehicles, drivers, and road incidents. It is maintained in compliance with the Motor Vehicles Act, 1988 (hereinafter referred to as ‘MV Act’), specifically under Sections 25A and 62B, which mandate the creation of such a repository for effective administration and enforcement of transport laws.[2]
Legal Framework and Compliance Architecture
Scope of Personal Data in NTR
The Policy adopts the DPDPA’s definition of personal data as “any data about an individual who is identifiable by or in relation to such data”. This broad definition encompasses virtually all transport-related information that can be linked to a specific individual, including vehicle registration details, driving license (hereinafter referred to as ‘DL’) information, and e-Challan records.[3]
Integration of Data Protection Framework
The Policy establishes MoRTH as the primary data fiduciary of the NTR data, making it responsible for determining how and when personal data is processed or shared. This designation carries significant legal implications, as data fiduciaries under the Digital Personal Data Protection Act, 2023 (hereinafter referred to as ‘DPDPA’) bear substantial compliance obligations and potential liability for data breaches.
Multi-tiered data fiduciary structure
The Policy creates a complex multi-tiered structure of data responsibilities:
- MoRTH – It is designated as the primary data fiduciary under the Policy and shall be responsible for formulating the data sharing policies and ensuring implementation. MoRTH shall act as the data fiduciary for the purpose of sharing NTR data with State Governments, Central law enforcement agencies, Organizations seeking National-level Transport data, and inter-state/Pan-India data sharing.
- State Governments – MoRTH will share state-level NTR data with the Transport Departments of the respective states. State Governments shall act as data fiduciaries for the purpose of sharing State-level transport data with Police, Transport, Health and Road-owning agencies, who will be considered as co-data fiduciaries for such data.
- Data Recipients – These are the organizations which will receive the NTR data under the Policy. The Policy states that, where the mode of data sharing is API based, Portal based and Bulk data sharing, the data recipients will also be considered as Data Fiduciaries as per DPDPA.
Modes of Data Sharing
The Policy prescribes four modes of data sharing – Application Programming Interface (hereinafter referred to as ‘API’) based, Portal Based, Bulk data sharing, and Citizen sharing. The Policy prescribes ‘Memorandum of Data Compliances’ (hereinafter referred to as ‘Memorandums’) for each mode of data sharing which shall be executed and submitted by the relevant organization while requesting access to NTR data.[4]
Execution of Memorandum of Data Compliances
The Memorandums put obligations and responsibilities on data recipients and data fiduciaries, as determined on the basis of DPDPA.[5] Some of the obligations are:
- Duty of Confidentiality: The API credentials, Secret Key, Portal credentials shall be kept confidential and not be shared with any third party. There is also a duty to ensure the safety and security of the data received. This duty is applicable on the basis of the mode of data sharing adopted.
- Implementation of security measures: The Memorandums prescribe tight binding of API access to the approved application through access control mechanisms like secret keys, user-id/password authentication, Internet Protocol (hereinafter referred to as ‘IP’) whitelisting and token exchange mechanisms to prevent access by third party entities. Log records related to the Data access particulars shall be maintained and shared with the National Informatics Center (hereinafter referred to as ‘NIC’).
- Password and Authentication related Practices: Adherence to the password policy and guidelines of the NTR portal and the use of Multi-factor authentication is also mandated by the Policy.
- Software related mandates: The Policy mandates an up-to-date operating system and robust security systems like encryption, intrusion detection systems, other application Software, and employee training, to safeguard the systems and data.
- Purpose Limitation: The data recipient or the data fiduciary must declare, to MoRTH, that the data shared with them under this agreement will only be used for the specified purposes.
- Security Certifications: An integral part of the data sharing request is a Security Audit Certificate from a CERT-IN empaneled security auditor for the application/app for which the data access is being requested. This certificate shall be renewed annually.
- Data Deletion Obligations: The Policy allows MoRTH to request the data recipient or the data fiduciary to stop processing the personal data shared under this Policy and the same shall be binding on the parties involved.
General Data Sharing Practices and Procedures[6]
The Policy prescribes a general code of practices and procedures of data sharing between various stakeholders including MoRTH, State Governments, Central and State Government Organizations and Organizations seeking access to NTR data.
- Burden of Proof of Notice: Where consent is the basis of processing personal information, it is the responsibility of the Data recipient to prove that a notice was given to the Data Principal wherever the issue of processing arises.
- Masking of Personal Data: The Policy states that Personal data shared through API based sharing will be masked except when shared with Police, law enforcement, and national security agencies. This is also
- Aadhaar Based Authentication: Data shared with government organizations through Login based sharing shall be secured using Aadhaar Authenticated OTP based system, in addition to login-based access.
- Data Access Limitations: The Policy allows MoRTH to fix a daily data access limit on the portal concerned from time to time. The consent mechanism incorporated by the private organization has to integrate Aadhaar Authenticated OTP based systems to obtain valid consent. The Policy further limits the number of accesses by the citizens per day to three.
- Data Breach Obligations: In the event of a data breach, the data recipient is required to immediately notify MoRTH and the affected individuals in addition to the data breach reporting mechanism prescribed under the DPDPA.
Penalties for Non-Compliance
In the event of a data breach, if it is observed that the respective data recipient or data fiduciary has failed to comply with the data protection and cyber security requirements under this Policy, it shall result in legal action and penalties under the DPDPA and the Information Technology Act, 2000. Further, non-compliance with the Policy and the provisions of DPDPA may result in debarment from further data sharing, along with legal action or monetary penalties under applicable laws.
How was Personal Information shared prior to this Policy?
Notably, prior to the present Policy, there were no formal or centralized channels for sharing of personal data in NTR with private organizations except a briefly operational ‘Bulk-Data Sharing Policy and Procedure’ (hereinafter referred to as ‘BDS policy’). Under this MoRTH policy, any organization seeking access to bulk data from the NTR could obtain the same with a payment of INR 3 Crore for the year 2019-20. Different fee amounts were prescribed on the basis of the nature of the organization and the purpose of seeking data access.
In July 2019, the Union Transport Minister informed the Parliament that the Government had provided access to NTR data to 32 Government entities and 87 Private entities. However, it was clarified that this access did not include any personal information of the owners and that the data shared included the make, model, color, and number of seats across different vehicles. Later, in February 2021, the Parliament was informed that the Government provided private companies access to the VAHAN and SARATHI databases in exchange for consideration amounting to INR 111 Crore. The BDS policy was scrapped in 2020, citing privacy concerns of vehicle owners.[8]
Under the scrapped policy, the data had been shared with the Home Ministry, law enforcement agencies, and insurance, auto, and freight companies including Mercedes Benz, BMW, Bajaj Allianz General Insurance, Axis Bank, and L&T Financial Services. The Union Transport Minister, while responding to a question inquiring whether the government had demanded the deletion of the shared data after the BDS policy was scrapped in June 2020, stated that no such proposal was under consideration.[9] Though the present Policy reintroduces the bulk sharing of personal data, which was previously scrapped citing privacy concerns, it still seems to be a step in the right direction as it is the first example of a comprehensive adoption of the DPDPA.
[1] https://morth.nic.in/sites/default/files/circulars_document/Data-Sharing-policy-20082025-merged.pdf
[2] Pg 1, Policy for Data Sharing from the National Transport Repository
[3] Pg 7, Policy for Data Sharing from the National Transport Repository
[4] Pg 10, Policy for Data Sharing from the National Transport Repository
[5] Pg 32, Policy for Data Sharing from the National Transport Repository
[6] Pg 27, Policy for Data Sharing from the National Transport Repository
[7] Pg 29, Policy for Data Sharing from the National Transport Repository