Policy for Data Sharing from the National Transport Repository

Introduction

The Ministry of Road Transport and Highways (“MoRTH”) manages the National Transport Repository (“NTR”), a centralised repository that contains vehicle-related information, such as vehicle registration certificates, driver licences, e-Challans, Electronic Detailed Accident Reports (eDAR), and FASTag details. The MoRTH has now introduced a new policy on NTR data sharing (“Policy”), aimed at meeting rising demand for access to this data from citizens, academia, industry, and government agencies, while safeguarding privacy-related rights in compliance with the upcoming Digital Personal Data Protection Act, 2023 (“DPDPA”). At present, vehicular data under the NTR is shared with private entities and educational institutions for an annual fee of INR 3 crore (~USD 340,000) and INR 5 lakh (~USD 5,700), respectively – without any obligation imposed to delete the data after the purpose of its processing is complete. The commercial sale of citizens’ personal data, in the absence of sufficient safeguards, raised concerns about risks such as unauthorised disclosures and commercial exploitation. With the 2019 bulk data-sharing policy (“2019 Policy”) withdrawn and the current NTR mechanisms in place, the Policy moves government data-sharing closer to DPDPA compliance.

The Policy regulates two main groups: first, the MoRTH, which serves as the primary custodian of NTR data and is responsible for establishing and overseeing the data sharing processes, and second, the data recipients, who are entities that formally request access to NTR data. These data recipients may include law enforcement agencies, government departments, academic institutions, citizens, transport service providers, and other private sector organisations such as identity verification service providers. Under this framework, the MoRTH oversees the setting up of necessary procedures and controls for NTR data sharing. Each data recipient is considered a data fiduciary for the purposes of the Policy – accordingly, obligations under the DPDPA may apply to them in addition to their obligations under this Policy.

Methods of Data Sharing

The Policy intends to enable the sharing of NTR data through multiple modes. The Policy’s preferred mode is API-based sharing, which is implemented through authentication and IP whitelisting, and requires audit certificates and other documentation from the data recipient. Login-based sharing via secure portals is available to government agencies, the private sector (on the basis of consent and subject to daily data access limits), and to citizens (limited access, on the basis of OTP authentication). Bulk data sharing is enabled under exceptional circumstances, usually via secured physical media or secure FTP links. Mobile app access through platforms like mParivahan and DigiLocker allows citizens to access their own data, with authentication protocols in place. Aggregated and anonymised datasets are made publicly available via government open data platforms for research and academic purposes.

Access to data is provided through a formal request and approval process. Government departments and agencies applying for API or portal access must designate authorised officers and technical support heads, identify a legal basis under the DPDPA, and submit required undertakings regarding data security measures. Curiously, the Policy does not explicitly set out detailed request and approval procedures for other categories of data recipients, such as the private sector. For bulk data, the MoRTH evaluates requests individually and shares data only via secure physical or network transfers.

The MoRTH also requires data recipients to obtain security audit certificates from CERT-In-empanelled auditors before granting API access and to renew these certificates annually. They must maintain detailed logs of data access and keep API credentials confidential, restricting their use to approved IP addresses and applications.

In the event of a reported data breach, the MoRTH may request access logs, and it has the power to suspend the data recipient’s access to NTR data.

Alignment and Tensions with the DPDPA

A data fiduciary under the DPDPA determines the purposes and means of processing personal data. In contrast, a data recipient under the Policy accesses NTR data according to terms and limitations set by the MoRTH. While the Policy labels these recipients as data fiduciaries – imposing obligations such as security audits and breach reporting – it simultaneously restricts their usage. Data recipients must justify their purposes of processing to the MoRTH and use personal data only in the manner approved by the MoRTH. Essentially, the MoRTH, and not the data recipient, often determines the scope of data processing. This may have practical implications. If data recipients have limited autonomy to repurpose or combine data beyond the MoRTH’s defined scope, it can be argued that they should be considered data processors, rather than data fiduciaries. Further, data recipients such as KYC and ID verification service providers generally collect NTR data from the MoRTH in their capacity as data processors acting on behalf of their B2B customers. The Policy’s explicit designation of these entities as data fiduciaries may conflict with their actual operational role in their business engagements under the DPDPA. Given this inconsistency, it may be useful to reconsider the categorisations under the Policy to ensure alignment with the DPDPA and to clarify data processing roles and responsibilities.

Data Security

Under the Policy, security obligations underpin all data-sharing activities. All data must be hosted and processed within India, with strict controls on access, multi-factor authentication requirements, and regular vulnerability assessments. Data recipients must limit the processing of data to their purposes of collection, and any data breaches must be promptly reported to the MoRTH and affected individuals, and as prescribed by the DPDPA. To ensure accountability, data recipients are required to submit undertakings and update them annually. Failure to comply with the Policy or the DPDPA can lead to debarment from accessing NTR data, and legal action.

Although the Policy recognises the risks of sharing large datasets, it permits bulk data sharing on an exceptional basis through physical transfer of password-protected hard disk drives or secured FTP links. This approach could, if not adopted responsibly, expose data to loss, theft, or unauthorised copying, as physical security measures are known to be fallible and reliance on recipient network security lies outside the MoRTH’s direct control. Additionally, once bulk access is granted, it provides for incremental updates containing new personal data, increasing exposure without mechanisms for automatic expiry or data purging. Overall, the data security measures under the Policy, while improving over past practices such as in the 2019 Policy, may still not be sufficient to address the inherent vulnerabilities of large-scale bulk data sharing.

Conclusion

The Policy represents a necessary effort to regulate and secure access to a vast and critical dataset that is vital to India’s transportation ecosystem. It establishes formal procedures and security requirements, and provides varying levels of access based on the category of data recipient, aiming to balance the provision of data access with privacy concerns. However, the Policy also exposes gaps that require attention – particularly the inconsistency of its data fiduciary designation with the DPDPA, and potential vulnerabilities in its data security measures. While the Policy is a positive step towards more responsible data governance, its current form calls for stronger safeguards to align with India’s evolving business operations.