The government issued on Monday a set of protocols for how data collected from people through the Aarogya Setu contact tracing mobile application will be used and shared, attempting to address privacy concerns raised by activists and experts about the way the tool functions, the information it stores and the lack of clarity around who has access to it.
The data can be retained for 180 days, the document says, significantly longer than the 45 days (for uninfected people) and 60 days (for infected persons) that it retains at present, according to officials in Niti Aayog who gave this information previously.
A user can, however, request for their demographic data – defined as name, mobile number, age, gender, profession and travel history – to be deleted. “Demographic data of an individual that has been collected by NIC shall be retained for as long as this protocol remains in force or if the individual requests that it be deleted, for a maximum of 30 days from such request, whichever is earlier,” the document said.
Officials said the protocol was necessitated by the increased criticism. “User data on the app is safe, and of the 98 million downloads, the data of only 12,000 people have been stored on the servers,” said Abhishek Singh, CEO of MyGov, adding that the protocol will allay concerns of privacy violations.
Entrusting the National Informatics Centre for the collection, processing and managing of the data collected by the Aarogya Setu, the Centre also specified that only the data of those who are infected, are at high risk of being infected or who have come in contact with infected people are most likely to be collected.
The data can be shared between any government department or ministry, which can also pass it on to third parties as long as the sharing of such information is specifically for the purpose of government’s health responses.
“NIC shall, to the extent reasonable, document the sharing of any data and maintain a list of the agencies with whom such data has been shared,” the rules state, adding that any entity processing such data shall do so “in a fair, transparent and non-discriminatory manner”.
The protocol — which will stay in force for six months — also allows for data to be shared with different agencies and wings of the Central government as well as state governments in “de-identified” form to assist in the formulation or implementation of a critical health response.
The app, which was launched to trace the contacts of individuals who have contracted the coronavirus disease (Covid-19), has now been expanded to issue e-passes, provide telemedicine and is mandatory for travel to work.
The app has been criticised by digital rights activist for its tracing of location histories and, last week, a French computer programmer said that vulnerabilities in the tool’s design could allow attackers to access data of millions of Indians.
Violations of the data security protocols by any entity will be punishable under section 51 to 60 of the Disaster Management Act, 2005, which invites jail term for up to two years.
The protocols also allow research institutes to study the data collected by the app after it has undergone hard anonymisation – a process to scrub it of personally identifiable information.
Divij Joshi, a lawyer and tech policy expert, said that while the protocol specifies the security guidelines better than the app’s privacy policy, it might not have enough legal teeth since it is not a legislative action.
The protocol attempts to give a legal basis to Aarogya Setu, as required by the Supreme Court but it is not a clear legislative basis. It introduces some accountability by limiting data collection and sharing to that which is ‘strictly necessary’ and by allowing individuals to complain to Disaster Management Authorities under the law as well. However, the protocol does not address issues of efficacy of contact tracing, and the issues of discrimination and exclusion by making it mandatory,” Joshi said.
