ON MONDAY, the Ministry of Electronics & Information Technology issued a data-sharing and knowledge-sharing protocol for the Aarogya Setu app, laying down guidelines for sharing such data with government agencies and third parties. Prior to this, the only legal shield around the mechanism was the app’s privacy policy.
The executive order issued on Monday came amid concerns expressed by a number of experts over the efficacy and safety of the app. Experts have now said that a decision of this nature should be backed by a personal data protection law, and that the loosely worded protocol is itself an area of concern. India's personal data protection bill is currently before Parliament and has not yet been enacted.
Why has the government issued these guidelines?
The executive order issued by IT Secretary Ajay Prakash Sawhney, who is also the Chairperson of the Empowered Group on Technology and Data Management (one of several empowered groups constituted by the Home Ministry to deal with various aspects of the Covid-19 pandemic), says that “in order to formulate appropriate health responses for addressing the COVID-19 pandemic, data pertaining to individuals is urgently required”. Here, individuals means persons who are infected, or are at high risk of being infected, or who have come in contact with infected individuals.
To fulfil this purpose, and ensure that data collected from the app is gathered, processed and shared in an appropriate way, the government has issued these guidelines. “Various advisories and statements have been issued by the Ministry of Health and Family Welfare, Government of India and other Ministries of the Government of India and State/ Union Territory Governments on precautionary measures such as social distancing and treatment of individuals who are affected or at-risk. In order to ensure their effective implementation, there is a need to ensure efficient data and information sharing among the different Departments and Ministries of the Government of India as well as those in the State/Union Territory Governments,” the order reads.
What data can be collected and shared?
The data collected by the Aarogya Setu app is broadly divided into four categories — demographic data, contact data, self-assessment data and location data. This is collectively called response data. Demographic data includes information such as name, mobile number, age, gender, profession and travel history. Contact data is about any other individual that a given individual has come in close proximity with, including the duration of the contact, the proximate distance between the individuals, and the geographical location at which the contact occurred. Self-assessment data means the responses provided by that individual to the self-assessment test administered within the app. Location data comprises the geographical position of an individual in latitude and longitude.
What entities will be able to access this data?
According to the protocol, the response data containing personal data may be shared by the app’s developer — National Informatics Centre (NIC) — with the Health Ministry, Health Departments of state/Union Territory governments/ local governments, National Disaster Management Authority, state disaster management authorities, other ministries and departments of the central and state governments, and other public health institutions of the central, state and local governments, “where such sharing is strictly necessary to directly formulate or implement an appropriate health response”.
The protocol also lays the ground for sharing the data with third parties, but “only if it is strictly necessary to directly formulate or implement appropriate health responses”. Further, for research purposes, the response data can be shared with Indian universities or research institutions and research entities registered in India. The guidelines also empower universities and research entities to share the data with other such institutions, “only if such sharing is in furtherance of the same purpose for which it has sought approval to access such data from the expert committee”.
What are the checks and balances?
The protocol says the response data that can be shared with ministries, government departments and other administrative agencies has to be in de-identified form. This means that, except for demographic data, the response data must be stripped of information that may make it possible to identify the individual personally; it must be assigned a randomly generated ID.
Further, the NIC shall, “to the extent reasonable”, document the sharing of any data and maintain a list of the agencies with which data has been shared. This documentation will include the time at which data sharing was initiated, with which entities it was shared, the categories of such data, and the purpose of sharing the data.
The protocol also requires any entity with which the data has been shared not to retain it beyond 180 days from the day it was collected. For penalties in case of violation, the protocol refers back to the Disaster Management Act, 2005. It also has a sunset clause: the empowered group must review the protocol after six months, and unless extended it will remain in force only for six months from the date of issue.
What are the concerns being raised?
Legal experts have stressed the need for a personal data protection law to back the government’s decision to make the app mandatory for everyone. “They are going the Aadhaar way. This cannot be done via an executive order, especially since there are a number of privacy concerns with the app,” said Prasanth Sugathan, volunteer legal director at SFLC.in.
Sugathan said the data being shared with third parties was one of the biggest areas of concern. “They should have listed the third parties with which the data can be shared,” he said, adding that it was left open-ended and had a possibility of misuse. Further, he said the process of de-identifying the data should have been detailed, given that reversing de-identification was not difficult.
The protocol, in fact, seeks to disincentivise reversal of de-identification. “Any university or research institution/ entity which accesses anonymised response data… shall not reverse anonymise such data or re-identify individuals in any manner. If any person knowingly or unknowingly, takes any action which has the effect of such data no longer remaining anonymised, any rights granted to them under this protocol shall stand terminated, and they shall be liable for penalties under applicable laws for the time being in force,” it reads.
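The de-identification described above (strip direct identifiers, keep demographic data, attach a randomly generated ID) and the re-identification concern raised in the preceding paragraphs can be made concrete in code. The following Python is an added example written for this page; it is not the app's code, the NIC's, or any researcher's, and the response records, the auxiliary roster and the field names are all constructed for the illustration. It goes one step beyond the text: it applies the stated definition to a few records, counts how many released records share each combination of retained demographic fields (a k-anonymity check), and then joins the released data to an unrelated roster to recover names for the records that turn out to be unique.

```python
"""Why "random ID + retained demographic data" is pseudonymisation rather than
anonymisation: a linkage attack on the retained fields re-identifies records.
Every record below is constructed for this example; no real data is used."""
import secrets
from collections import Counter, defaultdict

# Constructed "response data" in the categories the protocol names
# (demographic, self-assessment, location). Names and numbers are invented.
RAW_RESPONSES = [
    {"name": "Asha Rao", "mobile": "9800000001", "age": 34, "gender": "F",
     "profession": "nurse", "location": (12.9716, 77.5946),
     "self_assessment": {"fever": True, "cough": False}},
    {"name": "Vikram Sen", "mobile": "9800000002", "age": 41, "gender": "M",
     "profession": "driver", "location": (12.9352, 77.6245),
     "self_assessment": {"fever": False, "cough": True}},
    {"name": "Meena Iyer", "mobile": "9800000003", "age": 29, "gender": "F",
     "profession": "teacher", "location": (12.9780, 77.6400),
     "self_assessment": {"fever": False, "cough": False}},
    {"name": "Priya Nair", "mobile": "9800000004", "age": 29, "gender": "F",
     "profession": "teacher", "location": (12.9010, 77.5800),
     "self_assessment": {"fever": True, "cough": True}},
]

# Constructed auxiliary dataset an adversary might already hold (for example a
# staff roster). It contains no app data, only names and demographics.
AUXILIARY = [
    {"name": "Asha Rao", "age": 34, "gender": "F", "profession": "nurse"},
    {"name": "Vikram Sen", "age": 41, "gender": "M", "profession": "driver"},
    {"name": "Meena Iyer", "age": 29, "gender": "F", "profession": "teacher"},
    {"name": "Priya Nair", "age": 29, "gender": "F", "profession": "teacher"},
    {"name": "Sunil Kumar", "age": 41, "gender": "M", "profession": "clerk"},
]

DIRECT_IDENTIFIERS = ("name", "mobile")       # stripped before release
QUASI_IDENTIFIERS = ("age", "gender", "profession")  # demographic, retained


def de_identify(record):
    """Apply the definition as the article states it: drop direct identifiers,
    keep demographic data, and attach a randomly generated ID."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["id"] = secrets.token_hex(8)
    return out


def quasi_key(record):
    """The tuple of retained fields an adversary can join on."""
    return tuple(record[f] for f in QUASI_IDENTIFIERS)


def group_sizes(deid_records):
    """k-anonymity check: for each released record, how many released records
    share its quasi-identifier tuple. A size of 1 means the record is unique."""
    counts = Counter(quasi_key(r) for r in deid_records)
    return {r["id"]: counts[quasi_key(r)] for r in deid_records}


def link(deid_records, auxiliary):
    """Linkage attack: join released records to the auxiliary dataset on the
    quasi-identifiers. Returns random ID -> sorted list of candidate names."""
    by_key = defaultdict(list)
    for row in auxiliary:
        by_key[quasi_key(row)].append(row["name"])
    return {r["id"]: sorted(by_key.get(quasi_key(r), [])) for r in deid_records}


def reidentify(deid_records, auxiliary):
    """Records whose join yields exactly one candidate are re-identified; their
    self-assessment and location data now attach to a named person."""
    return {rid: names[0]
            for rid, names in link(deid_records, auxiliary).items()
            if len(names) == 1}


if __name__ == "__main__":
    released = [de_identify(r) for r in RAW_RESPONSES]
    print("group sizes:", group_sizes(released))
    print("re-identified:", reidentify(released, AUXILIARY))
```

The point for a practitioner: the random ID on its own is pseudonymisation, not anonymisation. With age, gender and profession retained, any record whose quasi-identifier tuple is unique in the release (group size 1) is re-identifiable by anyone holding a roster with those fields, and the location and self-assessment data then belong to a named person. Generalising the retained fields (age bands, coarser professions) until every group size reaches an agreed minimum k is the usual check before such data leaves the custodian.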