Any user whose demographic data is stored with the government through the Aarogya Setu app can now request for its deletion, the Centre said on Monday as it issued a set of protocols to regulate the definition, collection, processing and storage of data by the contact-tracing app. Data about the user’s name, mobile number, age, gender, profession and travel history come under this ambit.
The move comes as the government has faced criticism of the violation of privacy by digital rights activists as the app has evolved from a contract-tracing app when it was launched in April to take on a larger role of providing e-passes, telemedicine, as well as e-pharma facilities; critics have raised concerns over the government making it mandatory for a host of activities, especially in the movement of individuals.
Last week, a French hacker pointed at vulnerabilities on the app by showing that details of millions of Indians using it could be accessed within a 100-km radius. The app only provides data for a radius of 10 kilometres only for phones in India.
IT ministry officials said that the protocol was necessitated by the increased criticism. The rationale for the protocol, the government said, was to ensure the effective implementation of the government’s health response to Covid-19.
“There is a need to ensure efficient data and information sharing among the different Departments and Ministries of the Government of India as well as those in the State/Union Territory Governments,” the protocol said.
Entrusting the National Informatics Centre for the collection, processing and managing of the data collected by the Aarogya Setu, the Centre also specified that only the data of those who are infected, are at high risk of being infected or who have come in contact with infected people are most likely to be collected. This includes demographic, contact, self assessment and location data.
While contact and location data will by default remain on the device, the government may upload it to its server to formulate or implement appropriate health responses, it said. It added that the data of those infected will not be shared with any third party in usual circumstances, the government may do so if it is “strictly necessary” to formulate or implement health responses.
The rules are applicable for six months, and while the app does not yet have a sunset clause, the government said that a review of the protocol will be taken up after six months.
Contact, location and self-assessment data of individuals will be permanently deleted in 180 days in most cases, but demographic data will remain for as long as the protocol remains in force. If an individual requests that it be deleted, it will do so within 30 days of the request.
The protocol also allows for data to be shared with different agencies and wings of the Central government as well as state governments in “de-identified” form to assist in the formulation or implementation of a critical health response. These entities, responsible for processing the data in a fair manner, will not store it for more than 180 days. However, the protocol said that the NIC will have to maintain a list of such agencies with details of when such sharing was started, people who have access, as well as the categories of the data.
Abhishek Singh, CEO MyGov, said that the protocol will allay concerns of privacy violation. “User data on the app is safe, and of the 98 million downloads, the data of only 12,000 people have been stored on the servers,” he said.
Violations of the data security protocols by any entity will be punishable under Section 51 to 60 of the Disaster Management Act, 2005, which invites jail term for up to two years.
The protocols also allow research institutes to study the data collected by the app which has undergone hard anonymisation.
“The protocol attempts to give a legal basis to Aarogya Setu, as required by the Supreme Court but it is not a clear legislative basis. It introduces some accountability by limiting data collection and sharing to that which is ‘strictly necessary’ and by allowing individuals to complain to Disaster Management Authorities under the law as well. However, the protocol does not address issues of efficacy of contact tracing, and the issues of discrimination and exclusion by making it mandatory,” Joshi said.