Unlike the Privacy Policy of Aarogya Setu where data is retained for at most 60 days, the newly released Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020 allows retention of contact, location and self-assessment data for up to 180 days. But in a welcome move, personal data will be retained only for as long as the Protocol is in effect or until the user requests deletion of such data (more on that below). And if the Protocol is not “specifically extended” by November 11, 2020 by Empowered Group 9 on Technology and Data Management, the Protocol will lapse, meaning that all personal data will be permanently deleted. However, this sunset clause is for the Protocol, not for the app itself. This suggests that the app will be repurposed for other issues once the pandemic has been dealt with, including becoming the first building block of India’s health stack.




The Ministry of Electronics and Information Technology (MEITY) released this Protocol earlier today to govern the collection of data by Aarogya Setu and data sharing of personal/non-personal data collected through the app. It has been developed by the Empowered Group 9, one of the 11 empowered groups formed to deal with the pandemic. Neha Alawadhi, a Business Standard journalist, first tweeted about this.

In a significant departure from the latest Privacy Policy and Terms of Use, the Protocol, which will most likely result in an updated Privacy Policy and Terms of Use, also lays down penalties and obligations for sharing data with government agencies, third parties, and research institutions. Strangely enough, the most stringent rules have been laid down for data sharing with research institutions (which will be governed by an Expert Committee set up by the Principal Scientific Advisor), while parts of the Protocol are unclear about data sharing with third parties.

Violation of this Protocol may lead to penalties under Sections 51 to 60 of the Disaster Management Act, 2005, and other legal provisions, as may be applicable. It is not clear how data and privacy related offences will be recognised under the Disaster Management Act since none of the mentioned sections talk about data, and there are currently no laws that make violations related to personal data an offence. The Protocol also does not make it mandatory for NIC to make the code open source, or to conduct independent security and/or privacy audits of the app.

Who is responsible for implementing the Protocol? MEITY, while the National Informatics Centre (NIC) is responsible for all data collection, processing and management by the app itself. MEITY, thus, has a supervisory role, but will be directed by the Empowered Group 9 on Technology and Data Management.

What response data is being talked about?

  • Demographic data: name, mobile number, age, gender, profession and travel history of an individual
  • Contact data: data about any other individual that an infected person/person in contact with an infected person/high risk person has been in touch with. This includes duration of the contact, proximate distance between the two individuals, and the geographical location where the contact occurred.
  • Self-assessment data: responses provided to the self-assessment test within the app
  • Location data: geographical location of the user in latitude and longitude

It appears that only data related to “persons who are infected, at high risk of being infected or who have come in contact with infected individuals” will be required to formulate “appropriate health responses” as per the document.

Principles for response data collection and processing

  1. Clearly define the purpose for collection of response data by NIC in the app’s privacy policy
  2. NIC will collect response data that is necessary and proportionate to come up with “appropriate” health responses.
  3. Limit purpose of data collected to “formulating or implementing appropriate health responses and constantly improving such responses”. Ironically, this clause for “improving” response data delimits the purpose for which response data is to be used.
  4. NIC will process all data collected in a “fair, transparent and non-discriminatory” manner (hat tip: Divij Joshi at MediaNama’s discussion on Privacy in the Era of COVID-19)
  5. Location data and contact data will be stored locally on the device by default. It will be uploaded to the server only “for the purpose of formulating or implementing appropriate health responses”. That’s already the case, as per the Privacy Policy.
  6. Data deletion:
    • Contact, location and self-assessment data will “ordinarily” not be retained beyond 180 days from the date of collection, after which it will be deleted. This is significant because as per the current privacy policy, this data is retained for a maximum period of 60 days from the date of a COVID-19 positive person being cured, but the Protocol extends it to thrice that duration.
    • Demographic data will be retained for as long as this Protocol remains in force, or until an individual requests deletion of such data, whichever comes earlier. In the latter case, it must be deleted within 30 days of such a request. This is a good step but it is not clear how such a data deletion request will be made, given that there is no explicit way of deleting the account on the app itself, and demographic data is uploaded to the server immediately upon registration. The only possible way to get in touch with NIC is by emailing the Deputy Director General (DDG) of NIC, R.S. Mani, at support.aarogyasetu@gov.in as per the privacy policy.
  7. All response data will be “securely” stored by NIC and will be shared only in accordance with the Protocol. Once again, the standards for “secure” storage have not been defined.

Principles for sharing response data

  1. Personal data may be shared with “Ministry of Health and Family Welfare, Government of India, Departments of Health of the State/Union Territory Governments/ local governments, NDMA, SDMAs, such other Ministries and Departments of the Government of India and State Governments and other public health institutions of the Government of India, State Governments and local governments, where such sharing is strictly necessary to directly formulate or implement an appropriate health response”. However, by including the Government of India at large as the second entity in this list, this data can be shared with practically any government ministry, department, or authority.
  2. De-identified data, that is, data which is “stripped of personally identifiable data” and “assigned a randomly generated ID” to prevent re-identification of the individual through the data may again be shared with “such Ministries or Departments of the Government of India or the State/Union Territory Governments, local governments, NDMA, SDMAs and such other public health institutions of the Government of India or State Governments or local governments with whom such sharing is necessary to assist in the formulation or implementation of a critical health response”.
  3. NIC to maintain a list of agencies with which data has been shared, “to the extent reasonable”. This list will contain the time at which data sharing was initiated, persons or agencies who have been given access to the data, categories of data shared, and purpose of sharing. While this is a welcome move, the condition “to the extent reasonable” is too broad and vague, and can be easily misused to not fulfill this obligation.

Obligations of entities with whom response data is shared

  1. Purpose limitation: Entities with which data is shared, all of which are government entities, will only use the data for the purpose for which it is shared.
  2. Data to be deleted at most 180 days after being accessed, and may be deleted earlier if the purpose for which it was shared has been fulfilled.
  3. Implement “reasonable security practices and procedures” as prescribed under any law. Once again, the standards for these practices and procedures have not been prescribed, and in the absence of a Personal Data Protection Law, there are no universal standards or codes of conduct that the ministries/departments/public institutions can look to.
  4. Data may be shared with third parties but will be subjected to audit and review by the Central government. Data can be shared only if it is “strictly necessary to directly formulate or implement appropriate health responses”. In a welcome move, the government agency that shares this information with the third party will be responsible for the third party’s adherence to the Protocol. But the third party will also have to abide by the aforementioned purpose limitation, data deletion and reasonable security practices provisions. Third parties are forbidden from re-using this data for any other purpose or sharing it with any other entity. Their data usage will be subject to audit and review by the Central government. It is not clear which ministry/department will be responsible for the audit and review. The Personal Data Protection Bill, 2019, makes similar demands of data fiduciaries and data processors. In this case, the government agency is analogous to a data fiduciary, and the third party to a data processor. However, from the Protocol, it is not clear if a contract must be signed between the sharing agency and the third party, or if there are any penalties for third parties for violations or re-identification of anonymised data, as there are for research institutions (read below).

Data sharing for research purposes

  1. Only response data that has undergone “hard anonymisation” will be made available to Indian universities and research institutions/research entities registered in India.
    • Hard anonymisation is “a series of technical processes which ensure that any individual is incapable of being identified from the response data through any means reasonably likely to be used to identify such individual”.
  2. An expert committee appointed by the Principal Scientific Advisor to the Government of India (it is not clear when this committee will be appointed) will be responsible for:
    • Developing, reviewing and updating on a periodic basis the anonymisation protocols and standards. “Such review shall have regard to the nature and sensitivity of the data being processed, the robustness of the anonymisation protocol and advances in technology.”
    • Approving requests from universities or research institutions seeking access to anonymised data only if it is of the view that such data will be used for “statistical, epidemiological, scientific or any other form of academic research, on such terms as may be stipulated by the expert committee in this behalf”.
    • Approving requests from permitted universities/research institutions to share data with other universities/research institutions.
  3. Institutions will be penalised for de-anonymising or re-identifying the individuals in any manner, “knowingly or unknowingly”. They will lose access to the data and will be “liable for penalties under applicable laws for the time being in force”. It is not clear which laws these are in the absence of a Personal Data Protection Law. The Personal Data Protection Bill, 2019, criminalises re-identification of anonymised data.
  4. Further sharing of data for research: Any institute permitted by the expert committee to access the data can share it further with an Indian university or research institution registered in India for the same purposes with approval of the committee. A contract must be signed between the two institutions and this contract will state the nature of data shared, purpose of data sharing, duration of sharing, and other details that the committee may specify. It is interesting that research institutions must sign contracts and get them approved by a committee, while no such requirement is laid down for data shared by government agencies with third parties.
  5. All universities and research institutions that are given access to the data will be subject to audit and review by the Central government. It is again not clear which agency will conduct the audit and review.
  6. The Expert Committee can terminate data rights granted to a university or research institution for non-compliance.