Aarogya Setu: Who can access your data and when?




Written by Pranav Mukul | New Delhi | Updated: May 13, 2020 11:36:05 am


Before the guidelines, the only legal shield around the app was its privacy policy. (AP)

On Monday, the Ministry of Electronics and Information Technology issued a data-sharing and knowledge-sharing protocol for the Aarogya Setu application, establishing guidelines for sharing such data with government agencies and third parties. Before this, the only legal shield around the mechanism was the app’s privacy policy.

The executive order issued on Monday came amid concerns voiced by several experts about the app’s effectiveness and security. Experts have now said that while on the one hand such a decision should be supported by a personal data protection law, the nature of the protocol is also a matter of concern. Currently, India’s personal data protection bill is in the process of being approved by Parliament.


Why has the government issued these guidelines?

The executive order issued by IT Secretary Ajay Prakash Sawhney, who is also the President of the Empowered Group on Technology and Data Management (one of several empowered groups formed by the Home Office to address various aspects of the Covid-19 pandemic), says that “to formulate appropriate health responses to address the COVID-19 pandemic, data related to individuals is urgently required.” Here, individuals means people who are infected, or who have a high risk of becoming infected, or who have been in contact with infected people.

To fulfill this purpose and ensure that the data collected from the application is collected, processed and shared appropriately, the government has issued these guidelines. “The Ministry of Health and Family Welfare, the Government of India and other Ministries of the Government of India and the governments of the State / Union territories have issued various warnings and statements on precautionary measures, such as social distancing and Treatment of Affected People or -Risk. In order to ensure their effective implementation, there is a need to ensure the efficient exchange of data and information between the different departments and ministries of the Government of India, as well as those of the governments of the State / Union territories,” reads the order.


What data can Aarogya Setu collect and share?

The data collected by the Aarogya Setu app falls broadly into four categories: demographic data, contact data, self-assessment data, and location data. Together these are called response data. Demographic data includes information such as name, mobile phone number, age, gender, profession, and travel history. Contact data refers to any other person a given individual has come into close proximity with, including the duration of the contact, the approximate distance between the people, and the geographic location at which the contact occurred. Self-assessment data means the responses provided by that individual to the self-assessment test administered within the application. Location data includes an individual’s geographic position in latitude and longitude.

Which entities will be able to access this data from Aarogya Setu?

According to the protocol, the developer of the application, the National Center of Informatics (NIC), can share the response data that contains personal data with the Ministry of Health, the health departments of state / Union territory / local governments, the National Disaster Management Authority, state disaster management authorities, other ministries and departments of the central and state governments, and other public health institutions of the central, state and local governments, “where such exchange is strictly necessary to directly formulate or implement an appropriate health response.”

The protocol also lays the foundation for sharing data with third parties, “only if it is strictly necessary to formulate or directly implement appropriate health responses.” Furthermore, for research purposes, response data may be shared with Indian universities or research institutions and registered research entities in India. The guidelines also empower universities and research entities to share the data with other similar institutions, “only if such sharing is to promote the same purpose for which you have requested approval to access such data from the expert committee.”

What are the checks and balances?

The protocol says that the response data that can be shared with ministries, government departments and other administrative agencies must be in a de-identified form. This means that, with the exception of demographic data, response data must be stripped of information that can personally identify the individual, and it must be assigned a randomly generated ID.

In addition, the IAS shall, “to the reasonable extent”, document the data exchange and maintain a list of the agencies with which the data has been shared. This documentation will include the time the data exchange started, with which entities it was shared, the categories of such data and the purpose of sharing the data.

The protocol also requires that any entity with which the data has been shared does not retain the data beyond 180 days from the day it was collected. The protocol refers back to the Disaster Management Act of 2005 to establish sanctions in case of violation of the protocol. It also has a sunset clause, which requires the empowered group to review the protocol after six months; unless it is extended, it will only be valid for six months from the date of issue.

What are the concerns raised?

Legal experts have emphasized the need for a personal data protection law to support the government’s decision to make the app mandatory for everyone. “They are on the road to Aadhaar. This cannot be done through an executive order, especially since there are a number of privacy concerns with the app,” said Prasanth Sugathan, volunteer legal director at SFLC.in.

Sugathan said data shared with third parties was one of the main areas of concern. “They should have listed the third parties with whom the data can be shared,” he said, adding that they were left open and had the potential for misuse. In addition, he said the data de-identification process should have been detailed, since reversing the de-identification was not difficult.

The protocol, in fact, seeks to discourage the reversal of de-identification. “Any university or research institution / entity that accesses anonymous response data … will not anonymously override such data or re-identify individuals in any way. If any person knowingly or unknowingly takes any action that has the effect that such data no longer remain anonymous, the rights granted to them under this protocol will be terminated and they will be liable for sanctions under the applicable laws at the time in force,” the statement read.
