Aarogya data only for health needs, to be deleted in 180 days

Opinion| Seven questions about an app

The present privacy policy allows the app to retain the data for 60 days after a Covid-19 patient is cured, and for other users, the personal information is removed from the server after 45 days. The new protocol will allow the government to hold on to the data beyond 180 days if “a specific recommendation …. is made” by the empowered group on technology, which is one of the 11 empowered group of officers formed to deal with lockdown issues.

The new protocol also allows an individual to request for deleting demographic data, which must be abided by in 30 days.

The new norms, which lay emphasis on anonymisation of data collected by the app, mention that the data can be shared with the “Government of India”, and all the agencies that are granted access to the data must use it only for the purpose for which it has been shared and delete it after 180 days.

“In the overall flow, the most important data set is the special surveillance system made by the health department in which states (and districts) can look at the information,” IT Secretary Ajay Prakash Sawhney, who head the empowered group, said in a press briefing on Monday. “Also, applications for testing samples with data reaches ICMR’s lab portals … all health systems in NIC and the Health Ministry are combined with Aarogya Setu’s self-assessment and Bluetooth contact tracing data. Along with NDMA (National Disaster Management Authority) data and with the help of IIT Madras, an analytics is done on all this combined data to see what actions can be taken. This is the broad picture of how we organise our data flows.”

Read | Mandating use of Aarogya Setu app illegal: Justice B N Srikrishna

The National Informatics Centre (NIC) is responsible for collecting, processing and managing all the data collected by Aarogya Setu, which has been downloaded to the phones of 9.82 crore Indians. NIC shall maintain a list of agencies with which the data is being shared.

“This makes it very clear that the intent of the government is only to use this data for COVID-19 related responses and there is no other purpose for which the data has been collected. The purpose is now upfront, and after that period is over, all data will be purged,” said Abhishek Singh, the CEO of the IT Ministry’s National e-Governance Division.

“There have been a few concerns about how data is shared, how it is being governed, and under what act is it being shared. So while the Data Protection Bill is pending in Parliament, there was a need to lay down the framework because ultimately what we are saying in the privacy policy about collection purpose and use needed a statutory backing,” said Singh.

Read| Aarogya Setu: 9 things you must know before downloading the contact tracing app

Recently, the Congress raised security concerns about the application by taking up a technical note by hacker Elliot Alderson. The hacker claimed that through the app he was able to access information about people who were infected by coronavirus and felt unwell, among other data points, including people in sensitive offices like the PMO or Parliament.

IT Ministry’s Additional Secretary S Gopalakrishnan, who also assisted in developing the protocol, told, The Indian Express: “It is in the same spirit as the Data Protection Bill. This puts clearly the role of NIC, MEITY, etc in handling this data”.

Compared with the Data Protection Bill, which is under examination by a Parliamentary Joint Select Committee, the new protocol has a stronger emphasis on anonymisation of personal data when it is shared with third parties. Though the protocol for sharing and processing of personal data have largely been kept unchanged, the new norms emphasize on “de-identifying”, which scrubs data of personally identifiable details, and “hard anonymisation”.