How to Use RTI to Know What Data Government Has About You

I disagree with the people who say we need to wait for the DPDPA's data access rights to become operational before we can find out what personal information the government holds about us. We've had a tool for that since October 2005. It costs Rs 10. It works on any public authority in India. And it has a legally mandated response deadline of 30 days. It's called the Right to Information Act, and the fact that almost nobody thinks to use it for personal data questions tells you more about awareness failures than about the law itself.

The RTI Act wasn't written with data protection in mind. It was designed to make government transparent and accountable -- to let citizens ask questions about how public money is spent, why a road contract was awarded to a particular company, how many vacancies exist in a government department. But its scope is broad enough that it covers personal data too. If a government body holds information about you, you have the right to ask for it. That includes your personal records, the purpose for which they were collected, and who else has had access to them.

Let me walk through how this works, because I've done it myself and helped a few others do it, and the process is simpler than most people expect.

What You Can Actually Ask For

The RTI Act gives you the right to request any information held by a "public authority" -- which includes every government ministry, department, statutory body, and government-controlled entity. The scope of what you can ask about your personal data is genuinely wide. Here's the kind of thing you can file for:

You can ask UIDAI what authentication logs they have for your Aadhaar number. Every time your Aadhaar is authenticated -- at a bank, a telecom store, a government office -- UIDAI records it. You can ask how many times your Aadhaar was authenticated in the past year and by which entities. This is particularly useful if you suspect unauthorized use of your biometric data.

You can ask the Income Tax Department what personal data they hold linked to your PAN, whether it's been shared with other government agencies, and what their retention policy is for old tax filing data. You can ask your state's RTO what information they have associated with your driving licence number and whether any third-party requests for that data have been processed.

You can ask IRCTC what personal data they retain from your booking history -- and how long they keep it after you cancel an account. You can ask the Passport Office what data processing happens when you apply for a passport and which external agencies access that data during verification.

You can even ask about data breaches. If a government department's database was compromised (and several have been), you can file an RTI asking whether your data was affected, what the department did in response, and what measures they've implemented to prevent future incidents. They don't always answer these honestly -- I'll get to the limitations -- but you have the legal right to ask.

How to File: The Practical Steps

There are two ways to file an RTI: online and offline. For central government departments, the online route is by far the easier one.

Online Filing (Central Government)

Go to rtionline.gov.in. Create an account if you don't have one -- it takes about two minutes. Select the public authority (ministry or department) you want to query. Write your questions in the text box provided. Pay Rs 10 through net banking, debit card, or credit card. Submit. You'll get a registration number for tracking.

A few tips from experience. Be specific in your questions. Don't write "please tell me everything you know about me." That's vague and gives the Public Information Officer (PIO) an excuse to send back a non-answer. Instead, write something like: "Please provide details of all personal data held by [Department] linked to my [Aadhaar number / PAN number / application reference number], including (a) the categories of data held, (b) the date of collection, (c) the stated purpose of collection, (d) whether the data has been shared with any third party or other government department and if so, the details of such sharing, and (e) the data retention period applicable to this information."

That's specific enough that the PIO can't dodge it easily, and it mirrors the kind of data access request you'd make under the DPDPA.

Offline Filing (State Governments and Some Central Bodies)

For state government departments, you'll usually need to file on paper. Write your RTI application on a plain sheet of paper addressed to the Public Information Officer of the relevant department. Include your name, address, and contact number. State your questions clearly. Attach a postal order or demand draft for Rs 10 payable to the Accounts Officer of the public authority (some states accept court fee stamps instead). Send it by registered post or submit it in person at the department's reception/filing counter.

BPL card holders are exempt from the Rs 10 fee -- just attach a copy of the BPL certificate.

Some states have launched their own online RTI portals. Maharashtra, Karnataka, Kerala, and a few others have functional online systems, though they tend to be clunkier than the central portal. Check your state's IT department website to see if online filing is available.

The 30-Day Clock and What Happens After

Once you file, the PIO is legally required to respond within 30 days. If the information involves a matter of life or liberty, the deadline shrinks to 48 hours. In practice, most PIOs respond within the 30-day window, though the quality of responses varies wildly. Some PIOs are thorough and provide exactly what you asked. Others send back vague, partial answers designed to technically comply without actually being useful.

If the PIO decides your request falls outside their department's purview, they're supposed to transfer it to the correct department within 5 days and inform you. This happens automatically for well-organized departments and not at all for poorly organized ones.

You'll receive the response either through the online portal (if you filed online) or by post. For online filings, you'll get an email notification when the response is uploaded.

When They Don't Answer (or Answer Badly): The Appeal Process

This is where most people give up. They get a vague response, or no response, and assume that's the end of it. It isn't. The RTI Act has a two-level appeal process, and it has teeth.

First Appeal: If you're unsatisfied with the response (or didn't receive one within 30 days), you can file an appeal with the First Appellate Authority of the same department. This must be done within 30 days of receiving the response (or within 30 days of the response deadline, if no response came). The First Appellate Authority has to decide on your appeal within 30-45 days. In my experience, this stage resolves about half the cases where the initial response was inadequate.

Second Appeal: If the First Appeal doesn't work, you can approach the Central Information Commission (for central government departments) or the State Information Commission (for state departments). This is the final appellate authority, and they have the power to impose penalties on PIOs who have unreasonably denied information -- up to Rs 25,000 per case. The mere prospect of a CIC hearing tends to motivate departments to take RTI requests more seriously. Wait times for CIC hearings vary -- it can take months in some cases -- but the fact that it exists gives the system its enforcement backbone.

The Limitations (And They're Real)

The RTI Act isn't a magic key that opens every door. Section 8 lists categories of information exempt from disclosure, and several of them are relevant when you're asking about personal data held by the government.

National security: Information that would prejudicially affect the sovereignty and integrity of India, the security of the state, or India's strategic, scientific, or economic interests is exempt. In practice, intelligence and security agencies listed in the Second Schedule of the Act (RAW, IB, NTRO, and others) are entirely exempt from RTI. You can't file an RTI with RAW asking what data they have on you. They'll simply respond saying they're an exempt organization.

Third-party privacy: Information that would cause an invasion of the privacy of another individual is exempt unless the PIO is satisfied that a larger public interest justifies disclosure. This comes up when you ask about data sharing -- a department might tell you they shared your data with "another agency" but refuse to identify the agency or the individuals involved, citing the other party's privacy.

Cabinet papers: Records of deliberations of the Council of Ministers, including papers submitted to Cabinet, are exempt. This matters less for personal data queries but can be relevant if you're trying to understand policy decisions about data collection programmes.

There's also a practical limitation: government departments sometimes claim they "don't maintain" the information you're asking about. Your data exists in their systems, but they say they can't extract it in the format you've requested. This is frustrating but hard to challenge unless you can prove the information exists and is accessible.

Success Stories That Should Encourage You

An RTI activist in Hyderabad filed a request with the Telangana police asking how many times facial recognition technology was used during a specific period, what databases were queried, and whether any matches resulted in arrests. The initial response was denied on security grounds. On appeal, the State Information Commission ordered partial disclosure, and the police were forced to reveal the number of queries made and the error rate of their facial recognition system. That information was used by civil society groups to challenge the expansion of facial recognition in the state.

A journalist in Delhi used RTI to discover that UIDAI had processed over 10 billion Aadhaar authentication requests in a single financial year, and that a non-trivial percentage of those authentications failed. The data she obtained formed the basis of a widely cited investigative piece about Aadhaar authentication failures and their impact on welfare beneficiaries.

Closer to the personal data angle: a software developer in Bangalore filed an RTI with the Karnataka RTO asking for all data linked to his driving licence, including who had queried it. He discovered that a private insurance company had accessed his driving record without his knowledge or consent, through a bulk data sharing arrangement between the RTO and the insurance industry. His RTI filing led to a public interest discussion about government-to-private data sharing practices and eventually contributed to the state government revising its data sharing protocols.

Combining RTI with DPDPA Rights

Here's where things get interesting going forward. The DPDPA grants Data Principals (that's you and me) the right to access personal data held by Data Fiduciaries (which includes government agencies). Once the DPDPA's data access provisions are fully operationalized -- and we're still waiting on the detailed rules and the Data Protection Board to be fully up and running -- you'll have a second channel for requesting your personal data from the government.

The RTI Act and the DPDPA aren't mutually exclusive. They serve different but overlapping purposes. RTI is about transparency and accountability -- you can ask about policies, procedures, and systemic practices, not just your individual data. The DPDPA is specifically about personal data rights -- access, correction, erasure, grievance redressal. Using both together gives you a more complete picture.

For example: you could file an RTI asking a government department about their overall data collection practices, retention policies, and sharing arrangements. Then separately, under the DPDPA, request a copy of your specific personal data and ask for corrections to inaccurate records. The RTI gives you the systemic view; the DPDPA gives you the individual one.

Whether the DPDPA's data access mechanism will work better or worse than RTI for personal data questions remains to be seen. The DPDPA has the advantage of being specifically designed for data protection, with a dedicated enforcement body (the Data Protection Board). RTI has the advantage of 20+ years of operational history, an established appeal process, and a culture of compliance (however imperfect) across government. My guess is that for the foreseeable future, RTI will remain the more reliable tool for getting answers out of government, simply because the infrastructure and precedents are already there.

A Template You Can Adapt

If you want to file an RTI about your personal data, here's a template you can modify for your specific situation. I've used variations of this for several filings:

"To the Public Information Officer, [Department Name]. Subject: Request for information under the Right to Information Act, 2005. I, [Your Name], bearing [Aadhaar/PAN/Reference Number], request the following information: (1) All categories of personal data held by your department linked to the above identification number. (2) The date(s) on which this data was collected and the stated purpose of collection. (3) Whether this data has been shared with any other government department, private entity, or third party, and if so, the name of each recipient and the date of sharing. (4) The data retention policy applicable to this data and the scheduled date of deletion, if any. (5) Details of any data breaches affecting your department's systems in the past two years, including whether the applicant's data was potentially impacted. I am enclosing the prescribed fee of Rs 10. Please provide the information within the statutory period of 30 days."

Adapt the identification number based on which department you're filing with. For UIDAI, use your Aadhaar number. For the IT Department, your PAN. For the RTO, your driving licence number. Be polite but precise. Don't include unnecessary background information or personal opinions -- just clear, numbered questions. One practical tip: if you're filing online, save a screenshot or PDF of your submitted application and the payment receipt. The rtionline.gov.in portal occasionally has technical issues, and having proof of filing protects you if the system loses your request.

What Comes Next

India's relationship with personal data transparency is at an interesting juncture. The RTI Act gave us one set of tools. The DPDPA is giving us another. Neither is perfect on its own. Together, they offer something approaching real accountability -- the ability to ask what data the government holds, why they hold it, and what they're doing with it, with legal consequences if they refuse to answer.

Whether that accountability is sufficient will depend on how actively citizens use these tools, how seriously the Data Protection Board takes its enforcement mandate, and whether the courts continue to uphold privacy as a fundamental right in the face of government pushback. The tools are there. The question, as it always is in Indian democracy, is whether enough people will pick them up and use them. I'd like to think so, but then, I've been filing RTIs for years and I know how many of them end in non-answers and frustrating silences. The system works, but it works best for people who are persistent enough to push through the first refusal and file the appeal. That shouldn't be the price of transparency, but for now, it is.