Context: the Ministry of Electronics & Information Technology issued a data-sharing and knowledge-sharing protocol for the Aarogya Setu app, laying down guidelines for sharing such data with government agencies and third parties.
- Concerns were expressed by a number of experts over the efficacy and safety of the app.
- Vague nature of protocol: On the one hand a decision of such nature should be backed by a personal data protection law, the loosely worded nature of the protocol too is an area of concern.
- Currently, India’s personal data protection bill is in the process of being approved by Parliament.
Arogya setu App
- The Government of India launched ‘Aarogya Setu’ an app to track the cases of COVID-19 and alert the citizens of the country to keep safe.
- Aarogya Setu app has been launched by the Ministry of Electronics and Information Technology.
- It will calculate risk based on the user's interaction with others, using cutting edge Bluetooth technology, algorithms and artificial intelligence.
Why has the government issued these guidelines?
- To formulate appropriate health responses for addressing the COVID-19 pandemic, data pertaining to individuals is urgently required.
- Individuals means persons who are infected, or are at high risk of being infected, or who have come in contact with infected individuals.
- To fulfil this purpose, and ensure that data collected from the app is gathered, processed and shared in an appropriate way, the government has issued these guidelines.
- In order to ensure effective implementation of advisories and social distancing, there is a need to ensure efficient data and information sharing among the different Departments and Ministries of the Government of India as well as those in the State/Union Territory Governments.
What data can be collected and shared by Aarogya Setu?
- The data collected by the Aarogya Setu app is broadly divided into four categories — demographic data, contact data, self-assessment data and location data. This is collectively called response data.
- Demographic data includes information such as name, mobile number, age, gender, profession and travel history.
- Contact data is about any other individual that a given individual has come in close proximity with, including the duration of the contact, the proximate distance between the individuals, and the geographical location at which the contact occurred.
- Self-assessment data means the responses provided by that individual to the self-assessment test administered within the app. Location data comprises the geographical position of an individual in latitude and longitude.
What entities will be able to access this Aarogya Setu data?
- According to the protocol, the response data containing personal data may be shared by the app’s developer — National Informatics Centre (NIC) — with the Health Ministry, Health Departments of state/Union Territory governments/ local governments, National Disaster Management Authority, state disaster management authorities, other ministries and departments of the central and state governments, and other public health institutions of the central, state and local governments.
- The protocol also lays the ground for sharing the data with any third parties — “only if it is strictly necessary to directly formulate or implement appropriate health responses”.
- Also, for research purposes, the response data can be shared with Indian universities or research institutions and research entities registered in India.
What are the checks and balances?
- The protocol says the response data that can be shared with ministries, government departments and other administrative agencies has to be in de-identified form.
- It must be assigned a randomly generated ID: except for demographic data, the response data must be stripped of information that may make it possible to identify the individual personally.
- NIC shall, “to the extent reasonable”, document the sharing of any data and maintain a list of the agencies with which data has been shared.
- Limitations on storing data: the agency can not retain the data beyond 180 days from the day it was collected. In case of violation penalties will be imposed as per Disaster Management Act 2005.
- Sunset clause: It calls for the empowered group to review the protocol after six months; unless extended, it will be in force only for six months from the date of issue.
What are the concerns being raised?
- No personal data protection law to back the government’s decision to make the app mandatory for everyone.
- It cannot be done via an executive order, especially since there are a number of privacy concerns with the app.
- Open ended with possibility of misuse: Data sharing with third parties is one of the major concerns without listing the names of third parties.
- The process of de-identifying the data should be detailed, given that reversing de-identification was not difficult.
- If any person knowingly or unknowingly, takes any action which has the effect of such data no longer remaining anonymised, any rights granted to them under this protocol shall stand terminated, and they shall be liable for penalties under applicable laws for the time being in force.
Image Source: economic times