The Aarogya Setu Data Access and Knowledge Sharing Protocol released on Monday states that the personal data of the app’s user, which includes contacts and location, must be permanently deleted after 180 days “from the date on which it is collected”, and data can only be used for health purposes.
The protocol, developed and released by the Ministry of Electronics and Information Technology (MeitY), reads: “NIC (National Informatics Centre) shall collect only such response data as is necessary and proportionate to formulate or implement appropriate health responses. Further, such data shall be used strictly for the purpose of formulating or implementing appropriate health responses and constantly improving such responses”.
The new protocol also allows an individual to request deletion of demographic data, and such a request must be complied with within 30 days.
The new norms, which lay emphasis on anonymisation of data collected by the app, mention that the data can be shared with the “Government of India”, and all the agencies that are granted access to the data must use it only for the purpose for which it has been shared and delete it after 180 days.
“In the overall flow, the most important data set is the special surveillance system made by the health department in which states (and districts) can look at the information,” IT Secretary Ajay Prakash Sawhney, who heads the empowered group, said in a press briefing on Monday. “Also, applications for testing samples with data reaches ICMR’s lab portals … all health systems in NIC and the Health Ministry are combined with Aarogya Setu’s self-assessment and Bluetooth contact tracing data. Along with NDMA (National Disaster Management Authority) data and with the help of IIT Madras, an analytics is done on all this combined data to see what actions can be taken. This is the broad picture of how we organise our data flows.”
The National Informatics Centre (NIC) is responsible for collecting, processing and managing all the data collected by Aarogya Setu, which has been downloaded to the phones of 9.82 crore Indians. NIC shall maintain a list of agencies with which the data is being shared.
“This makes it very clear that the intent of the government is only to use this data for COVID-19 related responses and there is no other purpose for which the data has been collected. The purpose is now upfront, and after that period is over, all data will be purged,” said Abhishek Singh, the CEO of the IT Ministry’s National e-Governance Division.
Recently, the Congress raised security concerns about the application by taking up a technical note by hacker Elliot Alderson. The hacker claimed that through the app he was able to access information about people who were infected by coronavirus and felt unwell, among other data points, including people in sensitive offices like the PMO or Parliament.
IT Ministry’s Additional Secretary S Gopalakrishnan, who also assisted in developing the protocol, told The Indian Express: “It is in the same spirit as the Data Protection Bill. This puts clearly the role of NIC, MEITY, etc in handling this data”.
Compared with the Data Protection Bill, which is under examination by a Parliamentary Joint Select Committee, the new protocol has a stronger emphasis on anonymisation of personal data when it is shared with third parties. Though the protocol for sharing and processing of personal data has largely been kept unchanged, the new norms emphasize “de-identifying”, which scrubs data of personally identifiable details, and “hard anonymisation”.