Govt cracks down on unauthorised PAN use ahead of data protection law

With the Digital Personal Data Protection Act set to roll out, the government intensifies scrutiny on unauthorised Permanent Account Number data use by technology firms, aiming to protect citizens' pe

As the Union government prepares to enforce the Digital Personal Data Protection Act 2023, law enforcement agencies are intensifying efforts to curb the unauthorised use of personally identifiable information by technology companies, according to a report by The Economic Times.

 

In a recent move, the Ministry of Home Affairs, through its Indian Cyber Crime Coordination Centre, has instructed technology companies to halt any unauthorised use of Indian citizens' Permanent Account Numbers by financial technology and consumer technology firms. This mandate aims to restrict unapproved data practices that exploit Permanent Account Numbers for commercial purposes, the report said.

“PAN enrichment” services under fire

These unauthorised activities often involved “Permanent Account Number enrichment” services, used by loan distribution companies to profile customers based on Permanent Account Number data for targeted credit offers and financial products. The report quoted an executive from a financial technology company as saying that Permanent Account Number data was also occasionally used to verify customer information provided in loan applications.

 

According to industry insiders, disruptions in these services have become frequent over the past weeks due to government intervention. Many companies previously accessed customers' full names, addresses, phone numbers, and other sensitive details via backend systems linked to the Income Tax department using Permanent Account Number data. Although this practice was not technically a data breach, it involved unauthorised use of government-maintained backend systems, the report said.

Authorised services unaffected

Notably, authorised services remain uninterrupted. For instance, the National Securities Depository Limited provides a legitimate Permanent Account Number verification service that only indicates whether details match the database without disclosing personal information. This authorised channel, unlike unauthorised alternatives, operates in adherence to regulatory standards, the report added.

 

The report quoted an executive as saying that this crackdown aligns with the government’s broader strategy to secure citizens’ data and limit access to personally identifiable information. The Digital Personal Data Protection Act mandates that citizens' data be processed only with explicit consent and through authorised channels, ensuring that sensitive data is protected from unauthorised exploitation.