Aarogya Setu Data Access And Knowledge Sharing Protocol – Economics

Table of Contents

Recently, the Ministry of Electronics and Information Technology (MeitY) has issued ‘Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020’
Lays down guidelines for sharing such data with government agencies and third parties amid Covid-19 pandemic.

BACKGROUND

The executive order issued came amid concerns and privacy issues expressed by a number of experts over the efficacy and safety of the app.

Aarogya Setu App

Launched by the Ministry of Electronics and Information Technology.
It will help people in identifying the risk of getting affected by the Coronavirus.
It will also help to calculate risk based on the user’s interaction with others, using cutting edge Bluetooth technology, algorithms and artificial intelligence.
Once installed in a smartphone, the app detects other nearby devices with Aarogya Setu installed.
The app will help the Government take necessary timely steps for assessing risk of spread of Covid-19 infection and ensuring isolation where required.

GUIDELINES

Intends to ensure that data collected from the app is gathered, processed and shared in an appropriate way.
The violation of the protocol will lead to the penalties under the Disaster Management Act, 2005.
MeitY is designated as the agency responsible for the implementation of this Protocol.
Further, the app’s developer, National Informatics Centre (NIC) shall be responsible for collection, processing and managing response data collected by the Aarogya Setu app under this Protocol.
Further, it also calls for the Empowered Group on Technology and Data Management to review the protocol after six months; unless extended. It will be in force only for six months from the date of its issue.
Empowered Group of Ministers (EGoM) is a Group of Ministers (GoM) of the Union Government appointed by the Cabinet or the Prime Minister for investigating and reporting on such matters as may be specified.
These EGoMs are also authorised to take decisions in such matters after investigation.
Definition of Individual:
Data pertaining to individuals is urgently required in order to formulate appropriate health responses for addressing the Covid-19 pandemic.
Individuals means persons who are infected or are at high risk of being infected or who have come in contact with infected individuals.
Categorisation of Data:
The data collected by the Aarogya Setu app is broadly divided into four categories—
Demographic Data: It includes information such as name, mobile number, age, gender, profession and travel history.
Contact Data: It is about any other individual that a given individual has come in close proximity with, including the duration of the contact, the proximate distance between the individuals and the geographical location at which the contact occurred.
Self-assessment Data: It includes the responses provided by that individual to the self-assessment test administered within the app.
Location data: It comprises the geographical position of an individual in latitude and longitude.
The demographic data, contact data, self-assessment data and location data are collectively called as response data.
Ground for Data Sharing:
The data can be shared only if it is strictly necessary to directly formulate or implement an appropriate health response.
It can also be shared for appropriate research work.
Allowed Entities to Access Data:
Health Ministry, Health Departments of State/Union Territory governments/local governments, National and State Disaster Management Authorities, other ministries and departments of the central and state governments, and other public health institutions of the central, state and local governments.
Third parties that include the Indian universities or research institutions and research entities registered in India.
De-identified Form:
Except for demographic data, the response data must be stripped of information that may make it possible to identify the individual personally.
De-identification is the process used to prevent someone’s personal identity from being revealed.
Stripped information must be assigned a randomly generated ID.
The Protocol also discourages reversal of de-identification and imposes penalties under applicable laws for the time being in force.
Maintenance of the List: The NIC needs to maintain a list of, the agencies with the time at which data sharing was initiated, the categories of such data and the purpose of sharing the data.
Data Retention: Any entity with which the data has been shared shall not retain the data beyond 180 days from the day it was collected.

Concerns

Need for a Personal data protection law
The Personal Data Protection Bill 2019 is in the process of being approved by Parliament.
The clause for data sharing with third parties is open ended and has a highest possibility of being misused.
The process of de-identifying the data should have been detailed, given that reversing de-identification was not difficult.