Guess who can see your tax data

Believe it or not, it has been turned over to a private firm

A few months ago in April, a number of news reports announced that the Government has ‘decided to set up a special purpose vehicle (SPV) to provide information technology support to various stakeholders under the proposed Goods and Services Tax (GST)’. The GST is a value-added tax that is expected to replace all indirect taxes on goods and services imposed by the Centre and Indian states. The SPV, termed the GST Network (GSTN), is seen as an important step in ushering in a little understood but much touted reform, because it will make it possible to bring together taxation data from the Centre and states that was so far processed separately.

But the innocuous language hides the fact that we are soon headed for an entirely different paradigm as far as our tax data is concerned. The GSTN is already in place as a private limited company despite strong opposition by senior officials of the Central Board of Excise and Customs (CBEC), and Naveen Kumar, former chief secretary of Bihar, has been appointed chairman. The body will control all new indirect tax data from the Centre and states and will have access to past data as well. The charges it will impose for processing this data will be the revenue that sustains its operations.

Since the Finance Ministry has recently directed the CBEC and Central Board of Direct Taxes (CBDT) to sign an MoU for the sharing of data, GSTN will be able to access and process the entire tax data of the country, both of direct and indirect taxes. Obviously, this should have been a matter for far more public debate than it has evoked, but the actual process of setting up GSTN is far more alarming than this broad outline. Since it will have to be in place before the GST is rolled out, the Finance Ministry has asked the CBEC to hand over the processing of data for tax surveillance to GSTN, which would ensure it a revenue stream as soon as it takes over these functions.

As a result, this innocuous sounding body will be the sole information hub for linking and processing all of India’s tax data, something that has never been attempted by the Government, leave alone a private entity. And this approach appears to have no parallel anywhere in the world. This is being done in the absence of any security or privacy provisions in place. In fact, no serious discussion or planning of any sort on security or privacy implications has been undertaken. Some of the most sensitive financial data in the country—for individuals, firms and the Government—will soon be in the hands of a private entity which has not even conceptualised its approach to data security.

In January 2011, the Technology Advisory Group for Unique Projects (TAGUP) headed by Nandan Nilekani recommended the setting up of five infotech intensive financial projects—for the Income Tax Department, National Pension Scheme, Reserve Bank of India, and for tracking government expenditure and GSTN for the GST. A similar structure for each of the five was proposed, a not-for-profit Section 25 company, with a self-sustaining revenue model, where the Government’s holding would be restricted to 49 per cent and private institutional holding set at 51 per cent.

While Nilekani did not want to go on record on the issue, I did meet GSTN Chairman Naveen Kumar at Hotel Janpath in a room at the end of a long corridor that serves as GSTN’s office premises. He was quite open about the need for such a private body: “We are basically an IT company. We will build infrastructure, operate and maintain it. This sector requires very high salaries and we can hire the best people from the sector. Then there is the question of the number of rules and regulations in government. Financial management norms have to be observed. These are quite time consuming. Doing anything takes time. We need to make records, observe rules, follow procedures, follow tendering methods, undergo vetting by the CAG, CVC and be under the CIC. Here we are not bound by rules, we can work faster, be more efficient.”

Whatever the efficiency argument, the not-for-profit structure means that before the company can sustain itself by levying user fees, it needs funds to hire the staff Kumar needs. Private investors—Housing Development Finance Corp Ltd, HDFC Bank Ltd, LIC Housing Finance Ltd, ICICI Bank Ltd and NSE Strategic Investment Corp Ltd—have no incentive to provide the necessary money. Thus, GSTN has been set up on equity of just Rs 10 crore and the Government has provided it a one-time grant of Rs 315 crore. Effectively, then, the Centre has funded a start-up that it does not even have majority control of.

Despite the money, since GSTN is already in place as a self-sustaining body, it needs sources of revenue other than those that would be eventually generated from receiving and processing GST data. These according to the [Empowered Group on IT Infrastructure for GST headed by Nilekani ], will include registration—‘…there is an urgent need of national ‘Unique and Shared’ Tax Payer registration database. For this purpose, the existing registration details kept at various tax systems can be shared using one existing identifier i.e. PAN. The use of PAN as a common identifier will go a long way in inter-linking various tax systems and in ensuring higher compliance and increased tax revenues’—and a Tax Payer Profiling Utility (TPU) which would ‘leverage registration information based on common PAN’ to offer such services.

In November 2011, when the CBEC was brought fully into the picture, Sheila Sangwan, then Member (Budget and Computerisation), had summarised the problems with the EG’s proposals: ‘…a meeting was held on 14/15 November 2011 in the Chairman’s office to discuss the structure and functions of the proposed GSTN… Dr Nandan Nilekani has mentioned as minuted that there is need to go in for the SPV even without GST being introduced. He further stated that it is based on PAN data and inter-departmental sharing of return data which will generate substantial additional revenue because of cross matching of data. He mentioned that the data matching between the Maharashtra VAT department and that with CBEC has generated additional revenue of about Rs 500 Crore. Here it is important to mention that the successful Tax 360 is a pilot initiative implemented in house by the Directorate of Systems, CBEC where data on registration, returns and payments was collected from the Central Excise, Service Tax, Customs, Income Tax and Commercial Tax Departments of the State of Maharashtra. Having implemented a successful Tax 360 programme, which has detected an evasion of about Rs 500 Crore, it is but natural that the Department of Systems can claim the capability to undertake Tax 360. Besides this, Tax 360 is a core function of the Tax Departments. There was unanimity amongst the officers present that the sovereign function to be performed by the tax administration should be kept out of the purview of the GST.’

‘…If the purpose of setting up the proposed structure for this SPV with the proposed equity is to give operational and financial independence, it is suggested that this operational freedom could be better achieved for a Government SPV through appropriate legislation… There are certain concerns regarding the privacy of tax payers’ data if the proposed GSTN as a private entity were to be made a national repository of data including direct and indirect taxes. The Chief Information Security Officer for CBEC has expressed reservations about the national repository of tax data resting in a private entity, should the GSTN be designated to perform the analytics of data from all agencies including the income tax and Customs… Across the tax administration in the world, the privacy of taxpayer data is accorded utmost priority and it is the practice to house this data in Government hands …Specific attention is also initiated to the fact that the Directorate of Income Tax (Systems) is proposing to create a SPV in the public sector given the sensitivity of their Income Tax returns and payment data.’

Sangwan was pointing out that if the CBEC could implement the pilot project by outsourcing computation functions to vendors of its choice, there was little reason for GSTN. Much the same could be done through a government-controlled body that would outsource computing requirements but would not lose control over the data. This would have the advantage of retaining the security and privacy safeguards and legal controls that already exist for such data.

The apprehensions of senior officers of the CBEC at the time were set aside by its then Chairman SK Goel, who did not address the essential question of who would be the repository of the data, and instead wrote that, ‘With regard to the concern of IT Security, it is not connected to the ownership of the management—Government or non-Government. In fact, the level of security is dependent upon the standards, safeguards and control processes that are put in place by the management. The GSTN could be asked to build necessary safeguards for ensuring the security and privacy aspects…With regard to the legislative route to set up SPV as Government entity, it is in complete contrast to the decisions taken in the past and it would jeopardize the consensus achieved so far and bring the discussions back to square one.’

In other words, security at GSTN was really someone else’s worry, and since no one had earlier objected to private control, it was too late to do so now, whatever the apprehensions.

The same TAGUP that conceived of GSTN while discussing the Tax Information Network (TIN) for the Income Tax Department had conceded that ‘The Department holds the personal and financial data of taxpayers in a fiduciary capacity and carries out a sovereign function of the State. Therefore, it needs to have control on strategic assets including the software, hardware and the databases as well as exclusive control over use and dissemination of data. It is recommended, therefore, that TIN should adopt the best practices for transparency and privacy as discussed in this report.’ It is difficult to imagine that the same principle does not apply to indirect tax data, given that this is sensitive information too. But the structure and functioning envisaged for GSTN implies that neither the CBEC nor CBDT would retain exclusive control over the use and dissemination of its data.

To ensure there was no misunderstanding, I asked Naveen Kumar about control of the data. For the GST, he said, “We will start from scratch with our own servers and beginning with a list of dealers we will start building a database of transactions on our system. For this, we do not need additional data from the Customs or any other department.” Clearly then, this data would lie on GSTN servers. They would not be a processing house for data that would be eventually stored on CBEC servers.

What, I asked, if tax profiling was also to be carried out by GSTN? “We could allow each state and the Centre to access our data and connect it to the data they already have. This would mean that we would need 30 different procedures. That is not efficient, we can do much better. In practice that would mean that we have access to their data.” Earlier this month, the Revenue Secretary directed the Member (Computerisation) of the CBEC and the Additional Secretary (Revenue) to work out a date by which phase II of the pilot project mentioned by Sangwan in her letter is handed over from the CBEC to GSTN. This includes business data profiling—in other words, control over indirect tax data has to go over to GSTN. Moreover, as mentioned earlier, the sharing of data between the CBEC and the CBDT has already been approved by the Finance Minister and an MoU is shortly to be signed.

Asked how issues of security and privacy are to be dealt with in such an eventuality, Naveen Kumar said, “Security will be set up and rules will be put in place. As for which government laws and legislation or other controls will apply to us, that will be part of the GST legislation.” It is not clear when the GST legislation will be passed, but it is clear that tax profiling and surveillance will be handed over to GSTN within the next few months.

Because of the sensitive nature of such data, the EG report on the GSTN had a separate section on Security which states that ‘various international standards and best practices may be customized to define a comprehensive certification framework for GSTN SPV. The certificate may include ISO 27001, ISO 15048 (Common Criteria) and BS 25999, which may be made mandatory for GSTN SPV under the agreement between the Government and GSTN SPV.’

However, in another 2011 note, Sangwan had said, ‘Any new agency which is going to be set up will take time to evolve security systems across people, processes and technology. CBEC’s ISO 27001 certification process began in 2008 and the final certification was awarded in July 2011. ISO 27001 is an assurance to all stakeholders that CBEC follows a formal information security management process. It took three years for the security paradigm to be in place. It is therefore likely that there is going to be a considerable time lag before such an agency would be in a position to guarantee security standards for such data.’

Clearly then, there seem to be two options: one, that GSTN as a private entity dealing with the processing of all tax data as envisaged now should be set aside till the matter is discussed in detail and the requirements of security and privacy are adequately dealt with, or that we are heading towards a regime where the country’s entire tax data—yours, mine, the Tata Group’s, Reliance’s et al—will be accessible through a body which will be in no position to guarantee security standards. The latter is the choice the Government seems to have made. It is a frightening prospect, but it does not seem to worry this government, or, for that matter, the opposition.

About The Author

Hartosh Singh Bal