GSTN data breach a possibility: EAS Sarma

Former Union secretary EAS Sarma, who championed a complete government takeover of the Goods and Services Tax Network, speaks to SW. on what is needed to make it a robust & reliable institution

On May 4 the Goods and Services Tax (GST) Council formally approved the 100% government takeover of the GST Network (GSTN), the no-profit company with majority private shareholding set up to provide the cyber infrastructure for administering the new unified tax regime introduced on July 1 last year.

From the very outset, there were objections from several quarters to handing over the management of sensitive GST data to GSTN. Those questioning the government decision to float the company cited the following reasons:

*GSTN required an authorized capital of only Rs 10 crore. So, there was no need to allocate majority stake (51 %) in the company to a consortium of five private entities – HDFC, HDFC Bank, ICICI Bank and National Stock Exchange Strategic Investment Company – to raise funds.

*Some of the private players had foreign investments in their company and its directors were on the board of other companies. They were themselves tax payers under GST. So, there was clash of interest.

*The data being handled by GSTN was of a sensitive nature and could be stolen by vested interests. A Parliamentary Committee looking into the GST Bill had noted in its report that an organization like GSTN should be in government hands since its “work is of strategic importance to the country and the firm would be a repository of a lot of sensitive data on business entities across the country.”

Among those who actively campaigned against the ownership structure of GSTN was former Union Expenditure secretary EAS Sarma. He responded to questions posed by Ajith Pillai after the GST Council formally approved the government takeover last week:

Now that the government takeover of GSTN has been approved by the GST Council, what must be borne in mind while restructuring the organisation?

As a 100% government controlled organisation, GSTN should have the support of a slim, professional body comprising of experts who have no conflict of interest. One of the IIMs can be commissioned to suggest restructuring of the body, keeping in view the likely trends over the next decade or so. The objective should be to minimise the cost of administration and simplify the filing of tax returns with minimal data breach possibilities. The system of GST Suvidha Providers (GSPs) needs a relook as many of the companies (eg PwC, Gamut Info Systems) have track records that do not inspire confidence.

[Sarma had written to then Revenue Secretary, Hasmukh Adhia, on September 23, 2017 on “due diligence” not being show in the selection of Suvidha Providers who act as intermediaries between GSTN and tax payers. Among those chosen was PricewaterhouseCoopers (PwC) with a questionable record globally and in India. PwC, Sarma pointed out, “figured prominently in the scams surrounding Satyam, Global Trust bank and DSQ Software.” Globally, the company was linked to scandals surrounding North Rock, JP Morgan, Tesco, MF Global, and Tyco, among others.]

Former Union Expenditure secretary EAS Sarma actively campaigned against majority private shareholding in GSTN

Should there be an independent audit of operations till now to determine if there have been any data breaches? GSTN has been repeatedly stressing that data is secure but similar misleading assurances was given by UIDAI and others…

Yes. In the absence of a strong data protection law, it is possible that some data breaches have already taken place. A thorough audit is necessary to inspire confidence among the traders. Also, data breach possibility should be subject to continuing audit.

Why do you think the government took so long to listen to critics who pointed out inherent flaws in allowing private participation in an organization like GSTN which handles sensitive information which can be exploited by vested interests?

One gets the impression that those in authority were not open to discussion and debate which are essential for taking decisions that are prudent. A wider public debate and a discussion in the Parliament would have enabled the government to come to the same decision that they have arrived today the hard way!

Was there ever any need to bring in the private players on a project with an authorized capital of Rs 10 crore? Even the technical IT support was outsourced to Infosys, so what did the private players bring to the table?

I do not find any justification to have private players owning and controlling an organisation that is entirely of a public nature.

Some may argue that there is no guarantee that GSTN will be secure under government control. What is your answer to such critics?

I partly agree, if the government fails to put in place a strong data protection law and if it also fails to remove elements of conflict of interest referred to earlier.

Before going in for centrally linked digital systems like Aadhaar and GSTN, should the government have first put effective cyber security and privacy laws in place? Are these typical examples of putting the cart before the horse?

I agree. The latest decision to have a 100% government control seems to be once again a knee jerk reaction without any planning. By now, the government ought to have put in place not only a strong data protection law but also the necessary cyber security systems.

Do you think the IT Ministry is not doing enough to secure data even as the government is pushing the country towards a digitally connected world?

I get the impression that the Information Technology Minister (Ravi Shankar Prasad) is more anxious to criticise the Opposition and blame them for all the ills of data thefts than ensure that his Ministry fulfilled its own responsibility of bringing in the necessary legal and institutional mechanisms to prevent data thefts. I would also find fault with the Department of Revenue for not having anticipated the problems likely to arise from a GSTN partly controlled by private players, from some Suvidha Providers having conflict of interest and from using cyber systems which are vulnerable to hacking.

Also an institution such as GSTN has a huge interface with the public. As such, the Finance Ministry should have an open mind in interacting with the public on a continuing basis so that GSTN may evolve into a robust, reliable institution.

Aadhaar verdict whittles down Modi’s Digital India ambition
The temple door is now open, but how many knocks did it take?
‘Shocking that finance minister is working towards restoring access of private parties to Aadhaar’
Editor’s Pick More