New Delhi: An empowered government group formed to help tackle the COVID-19 pandemic on Monday released a set of rules that govern the manner in which the Aarogya Setu app handles and shares the data of millions of Indians.
Called the ‘Aarogya Setu Data Access and Knowledge Sharing Protocol’, the rules come a week after privacy experts and civil rights advocates called for more transparency over how the contact tracing app collects and uses the personal data of its users.
At a press conference on Monday afternoon, IT ministry secretary Ajay Sawhney said that Aarogya Setu had helped detect nearly 700 potential hotspot areas.
“We combine the movement history of positive patients with the self-assessment data submitted by others, this enables us to identify potential hot spot areas and take preventive action. Info on 697 such spots have been sent to states/districts,” Sawhney, who doubles up as chairman of the empowered group on technology and data management.
The IT ministry secretary added that out of nearly 10 crore users, around 1.4 lakh people had been alerted “via bluetooth contact tracing about possible risk of infection due to proximity to infected patients”.
While the app’s privacy policy and terms of service already laid out how Aarogya Setu’s data collection and storage practices worked, the new data sharing protocol sheds some light on the questions that experts had been asking regarding the app.
Here are the most important parts:
Who does my data get shared with?
As The Wire pointed out last week, the Aarogya Setu app collects a range of information, some of which is uploaded to a central government server if the user is deemed to be at risk. This can then be shared with government entities to help stop the spread of COVID-19.
According to the data sharing protocol, any response data that is shared will be done by the National Informatics Centre.
The NIC can choose to share a user’s response data, which contains personal data, with the following entities when it is “strictly necessary to directly formulate or implement an appropriate health response”:
1) Union ministry of health and family welfare
2) The departments of health of all state/UT governments.
3) NDMA/SDMA
4) Any other central ministry or state government department
5) Other public health institutions of Centre, state governments and local governments where such sharing is strictly necessary to directly formulate or implement an appropriate health response.
The NIC can also choose to share response data in a in ‘de-identified form’, which is stripped of any personally identifiable indicators, with the same agencies when it becomes “necessary to assist in the formulation or implementation of a critical health response”.
“NIC shall, to the extent reasonable, document the sharing of any data and maintain a list of the agencies with whom such data has been shared. Such documentation shall include the time at which such data sharing was initiated, the persons or agencies who are being provided access to such data, the categories of data that are being shared and the purpose for which such data is being shared,” the protocol says.
Aarogya_Setu_data Access an… by The Wire on Scribd
How do we trust all these government agencies to keep this data secure?
The protocol says that any ministry, department or government agency that processes response data should do so in a “fair, transparent and non-discriminatory manner.”
It also places the following obligations on any department that NIC shares the data with:
1) The data accessed and used by such entities should not be retained beyond the period necessary to satisfy the purpose for which it is shared. In any circumstance, such data shall not ordinarily be retained beyond 180 days from the date on which it was accessed, after which such data shall be permanently deleted. [Emphasis added by The Wire].
2) Any Ministry, Department of the Government, NDMA, SDMAs or public health institution shall also implement reasonable security practices and procedures as prescribed under any law for the time being in force.
So, does the data get shared only with government entities?
The protocol says that response data “shall ordinarily not be onward shared with any third party”. However, it also goes onto state that data may be shared with third parties “only if it is strictly necessary to directly formulate or implement appropriate health responses”.
Who is a third party in this scenario? Is it an information intermediary/data processor? Or any other stakeholder?
Also read: Government Suggests That Schools, Students Download Tracking App, Harness ‘Power of Light’
The protocol notes that any government agency that shares the Aarogya Setu data with a third party will be responsible for making sure the latter adheres to the rules.
“Any third party with whom data is onward shared under this para shall be subject to the same obligations as under para 7(a) of this Protocol. In addition they shall not re-use the data for any other purpose or disclose the data to any other entity and remain subject to audit and review of their data usage by the Central Government,” it notes.
In addition to this, the new rules also introduce a provision for sharing Aarogya Setu data for research purposes, provided it goes through a process of “hard anonymisation”. This data can be shared with Indian universities and research institutions registered within the country.
Are there penalties for not complying with these rules?
Yes. Any violation of these directions may lead to penalties as per section 51 to 60 of the Disaster Management Act, 2005 and other legal provisions as may be applicable. This could lead to fines and potential imprisonment of anywhere between 1 to 2 years.
This is welcome, considering that the app’s terms of service absolved the government of liability even if a user’s personal data was accessed in an unauthorised manner.
How long do we need Aarogya Setu? Is there a sunset clause?
The rules state that the data access and sharing protocol shall be in force for a period of six months from the day in which it was issued (May 11).
This does not mean that the app goes away after six months though. The rules merely says that the empowered group shall review this protocol after six months (or even before), at which point it may be extended if the pandemic is still continuing.