- Aarogya Setu seeks continuous access to location information for its social movement graph and uses Bluetooth technology to alert people when they come in contact with a covid-19 positive person.
- It gives users a colour coding of green and yellow based on their self assessment. The data of users in the yellow category are uploaded to the server, while that of those in the green category is retained in the app.
- On Monday (11 May), the Ministry of Electronics & Information Technology issued a data-sharing and knowledge-sharing protocol for the Aarogya Setu app, laying down guidelines for sharing such data with government agencies and third parties. Prior to this, the only legal shield around the mechanism was the app’s privacy policy.
WHY HAS THE GOVERNMENT ISSUED THESE GUIDELINES?
- The executive order issued by IT Secretary Ajay Prakash Sawhney says that “in order to formulate appropriate health responses for addressing the COVID-19 pandemic, data pertaining to individuals is urgently required”.
- Here, individuals means persons who are infected, or are at high risk of being infected, or who have come in contact with infected individuals.
GATHERED, PROCESSED AND SHARED…
- To fulfil this purpose, and ensure that data collected from the app is gathered, processed and shared in an appropriate way, the government has issued these guidelines.
WHAT DATA CAN BE COLLECTED AND SHARED BY AAROGYA SETU?
The data collected by the Aarogya Setu app is broadly divided into four categories:
- Demographic data includes information such as name, mobile number, age, gender, profession and travel history.
- Contact data is about any other individual that a given individual has come in close proximity with, including the duration of the contact, the proximate distance between the individuals, and the geographical location at which the contact occurred.
- Self-assessment data means the responses provided by that individual to the self-assessment test administered within the app.
- Location data comprises the geographical position of an individual in latitude and longitude.
WHAT ENTITIES WILL BE ABLE TO ACCESS THIS AAROGYA SETU DATA?
- According to the protocol, the response data containing personal data may be shared by the app’s developer — National Informatics Centre (NIC) — with the Health Ministry, Health Departments of State/UT/local governments, NDMA, SDMA, other ministries and departments of the central and state governments, and other public health institutions of the central, state and local governments, “where such sharing is strictly necessary to directly formulate or implement an appropriate health response”.
- The protocol also lays the ground for sharing the data with any third parties — “only if it is strictly necessary to directly formulate or implement appropriate health responses”.
- Further, for research purposes, the response data can be shared with Indian universities or research institutions and research entities registered in India.
WHAT ARE THE CHECKS AND BALANCES?
- The protocol says the response data that can be shared with ministries, government departments and other administrative agencies has to be in de-identified form.
- This means that the response data must be stripped of information that may make it possible to identify the individual personally; it must be assigned a randomly generated ID.
- The protocol also calls for any entity with which the data has been shared to not retain the data beyond 180 days from the day it was collected. It also has a sunset clause, which calls for the empowered group to review the protocol after six months; unless extended, it will be in force only for six months from the date of issue.
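
The de-identification step described above (strip direct identifiers, assign a randomly generated ID), followed by a k-anonymity check on what remains. This is an added example, not code from the protocol or the app: the field names, the constructed sample records and the generalisation step are assumptions made for illustration.

```python
import secrets
from collections import Counter

# Constructed sample records (not real data); field names are assumptions
# modelled on the demographic and location categories listed above.
RECORDS = [
    {"name": "Person A", "mobile": "0000000001", "age": 34, "gender": "F",
     "profession": "nurse", "lat": 28.6139, "lon": 77.2090},
    {"name": "Person B", "mobile": "0000000002", "age": 36, "gender": "F",
     "profession": "teacher", "lat": 28.6304, "lon": 77.2177},
    {"name": "Person C", "mobile": "0000000003", "age": 52, "gender": "M",
     "profession": "driver", "lat": 19.0760, "lon": 72.8777},
    {"name": "Person D", "mobile": "0000000004", "age": 58, "gender": "M",
     "profession": "clerk", "lat": 19.1136, "lon": 72.8697},
]
DIRECT = ("name", "mobile")
QUASI = ("age", "gender", "profession", "lat", "lon")
COARSE = ("age", "gender", "lat", "lon")


def deidentify(records):
    """Drop direct identifiers and attach a randomly generated ID."""
    out = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k not in DIRECT}
        row["id"] = secrets.token_hex(16)  # random, not derived from the person
        out.append(row)
    return out


def generalise(rows):
    """Assumed extra step: coarsen quasi-identifiers before release."""
    return [{"id": r["id"], "age": f"{r['age'] // 10 * 10}s", "gender": r["gender"],
             "lat": round(r["lat"], 1), "lon": round(r["lon"], 1)} for r in rows]


def smallest_group(rows, keys):
    """k in k-anonymity: size of the rarest quasi-identifier combination."""
    counts = Counter(tuple(r[k] for k in keys) for r in rows)
    return min(counts.values())


if __name__ == "__main__":
    shared = deidentify(RECORDS)
    print("k after random ID only:", smallest_group(shared, QUASI))
    print("k after generalisation:", smallest_group(generalise(shared), COARSE))
```

A result of k = 1 means at least one record is still unique on its remaining attributes, so a data owner should measure k before release and coarsen or suppress fields until it reaches an agreed floor.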
NEW CONCERNS: STILL NO LAW…
- Experts have now said that a decision of this nature should be backed by a personal data protection law, and that the loosely worded nature of the protocol is also an area of concern.
- Currently, India’s personal data protection bill is in the process of being approved by Parliament.
- “They are going the Aadhaar way. This cannot be done via an executive order, especially since there are a number of privacy concerns with the app,”
- Data being shared with third parties was one of the biggest areas of concern. “They should have listed the third parties with which the data can be shared,”
- Further, he said the process of de-identifying the data should have been detailed, given that reversing de-identification was not difficult.