Aarogya Setu’s data can be shared with myriad government units, say new protocol2 min read . Updated: 11 May 2020, 11:17 PM IST
- While the government has repeatedly said that the app doesn’t put user data at risk, the new protocols may raise more concerns
- According to the document, response data includes demographic data, contact data, self assessment data and location data of the app’s users
The Ministry of Electronics and Information Technology (MeitY) has issued new data access and knowledge sharing protocols for Aarogya Setu, the government’s contact-tracing application. The notifications come at a time when both users and privacy advocates have raised privacy concerns around the app. While the government has repeatedly said that the app doesn’t put user data at risk, the new protocols may raise more concerns.
Particularly, under the “principles of sharing of response data", the document states that response data “containing personal data" may be shared with the Ministry of Health and Family Welfare, Government of India, Departments of Health of the State/Union Territory Governments/ local governments, National Disaster Management Authority (NDMA), State Disaster Management Authority (SDMA), “such 3 other Ministries and Departments of the Government of India and State Governments and other public health institutions of the Government of India", State Governments and local governments, “where such sharing is strictly necessary to directly formulate or implement an appropriate health response.
According to the document, response data includes demographic data, contact data, self assessment data and location data of the app’s users. While sharing data collected through the app with disaster management units of various governments does make sense, the protocols allow much wider reach by the government.
On the brightside, the National Informatics Centre (NIC) is required to maintain a list of all agencies with whom data is shared. The NIC is responsible for collecting, processing and management of data from the Aarogya Setu app.
The protocols also allow data to be shared with ministries and departments of central, state and union territory governments, and disaster and health institutions in a “de-identified form" when it’s “necessary to assist in the formulation or implementation of a critical health response", the document states.
It also says that parties who get data from the app are required to use it only for the purpose for which it was shared. Also, these entities “should not" retain the data beyond the “period necessary to satisfy the purpose for which it is shared". Also, data will be deleted permanently after 180 days of it being accessed, with some exceptions.
“Demographic data of an individual that has been collected by the NIC shall be retained for as long as this protocol remains in force or if the individual requests that it be deleted, for a maximum of 30 days from such request, whichever is earlier," the document states. Privacy think tank, The Dialogue, pointed out via a tweet, that the government needs to clarify what demographic data constitutes.
Perhaps most importantly, the document adds a “sunset clause", which has been missing so far. The Empowered Group — which is a group of officials appointed by the government to tackle various pandemic related issues — will be reviewing this Protocol in six months or earlier (if it deems fit).
What’s still missing though is a sunset clause on the app itself. While the government has said that Aarogya Setu will be used for purposes other than contact tracing, many have said that the app should be taken down once the pandemic is over.