In its nascent stages, what eventually culminated as the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020, was actually supposed to be a “guideline document for entire lifecycle of data governance related to Covid19 pandemic [sic]”, RTI documents have revealed. The Ministry of Electronics and Information Technology (MEITY) had, in fact, sought to develop these rules as general guidelines for any “such disaster response” and internally called them Disaster Management (Processing of the Public Health Emergency Data) Rules, 2020, the documents reveal. But eventually, the Protocol that was released was limited in its scope to the government’s contact tracing app.
To develop these guidelines for all data, MEITY had approached three law firms/entities — PLR Chambers, Vidhi Legal and Advocate Vakul Sharma.
From the notes on official files, revealed via an RTI filed by Srinivas Kodali, an independent researcher, it is not clear how the focus shifted from governance of all COVID-19 related data collection to only Aarogya Setu. Comments of Prafulla Kumar, a senior member of the Cyber Laws and E-Security (CLES) Group at the MEITY, dated May 1, suggest that the urgency around issuing a governance framework was prompted by a lack of response from the Home Ministry for at least 10 days on the issue. This urgency was exacerbated by the Sprinklr case in the Kerala High Court and “concerns in the media about the need for a data protection framework” for COVID-19 apps that have been rolled out by the central and state governments.
The decision to notify the Protocol was taken on May 6, and the MEITY Secretary approved it on May 8. The Protocol was released on May 11.
While it appears that the scope of the Protocol was narrowed down by the Home Ministry, readers should note that the information revealed by the notings in this RTI does not contain the text of the emails that were sent, or discussions that happened in person or over the phone. These are the notes made by the officers in a particular file and hence do not give the complete picture. We have reached out to the Ministry of Electronics and Information Technology wherever things are not clear, and will update the story accordingly. Read the RTI response here.
What prompted the need for the rules?
On April 8, six days after Aarogya Setu was launched, Dr D. Sathyanarayanan, Scientist D at CLES, wrote:
“[A] large number of health related data set of subjects is being collected through various regulatory measures of ICMR and NCDC [National Centre for Disease Control]. Government has also launched Aarogyasetu [sic] App which will be collecting lot of information regarding citizens of India. The App will be collecting health data with consent of the users. Presently all the data is being supervised by ICMR.”
Two reasons — “quantum of data is getting exponentially high” and private players were interested in providing analytics-based solutions — were cited by Sathyanarayanan.
What did the Empowered Group propose?
The original protocol that the Empowered Group 9 on technology and data management had proposed would have identified the data types, their source of collection and the need for their inclusion, along with identifying organisations that would do the necessary data analytics. The protocol that was originally envisioned would have overseen the functioning of state and district authorities through SOPs and, most significantly, how data breaches and security of COVID-19 related data were to be handled. The Empowered Group 9 was constituted by the National Executive Committee under the National Disaster Management Act on March 29.
Private law firms advised changing rules
MEITY had approached the three law firms — PLR Chambers, Vidhi Legal and Advocate Vakul Sharma — to develop the rules. From these discussions, the Ministry concluded that the Information Technology Act did not “give powers for collection of data from any agency” and that Section 43A of the IT Act — which deals with protection of sensitive personal data or information — only deals with the “body corporate”. Readers should note that the SPDI Rules, which lay down the practices and procedures for processing sensitive personal data or information, are also issued under this Section.
Advocate Vakul Sharma had proposed new “simplified” rules that the Ministry was also satisfied with, as per Sathyanarayanan’s note dated April 8.
Thus, MEITY concluded that any such rules would need to be derived from the Disaster Management Act.
Why did it take a month to notify the Protocol?
In response to Sathyanarayanan’s note, MEITY Additional Secretary S. Gopalakrishnan, on April 8, had written, “The rules are Generic and can be used in any case any such disaster response [sic]” and asked that they be recommended to the Home Ministry since “responsibility for regulating data handling is being delegate [sic] to the National Executive Committee chaired by the Home Secretary”.
Since MEITY had created a committee with a Joint Secretary and a Scientist F through an order dated April 15, Gopalakrishnan concluded on April 17 that the proposed rules could continue to be handled by MEITY’s CLES division since it “is purely IT Act stuff related to data governance”. But the law firms had advised, and MEITY had concluded, that any such rules would derive their power from the Disaster Management Act, and hence the Home Ministry. It is not clear why Gopalakrishnan gave opposing directions in his April 17 note. We were also unable to find the April 15 order.
From communication between Kumar, Gopalakrishnan, and CLES Group Coordinator Rakesh Maheshwari between April 21 and May 1, it is clear that the Rules were sent to MHA for notification (though the exact date is not known) and a response was awaited from MHA. At the April 18 meeting of Empowered Group 9, the issue was raised and a “status update was provided”. It is important to note that while Empowered Group 9 is headed by the MEITY Secretary and has representation from ICMR and MoHFW, it does not have representation from the Home Ministry.
On April 21, Kumar wrote that he had talked to the Joint Secretary (Disaster Management) at the Home Ministry, and that the Home Ministry was seeking input from the Health Secretary and the National Disaster Management Authority Secretary. Kumar had followed up with the Joint Secretary (DM) on April 20 for “latest status on the notification of the Rules” and spoken to the Director (Disaster Management) at the MHA about the status. At that time, comments from MoHFW were still awaited.
Gopalakrishnan, at the request of Kumar, had also sent an email to the Additional Home Secretary. On May 1, Kumar, who had still not received comments from MHA, which was in turn awaiting comments from MoHFW and NDMA, proposed an in-person meeting chaired by the Home Secretary with participation from MEITY, MoHFW and NDMA. He stressed the urgency of the issue, citing the Sprinklr case in the Kerala High Court (though not by name) and concerns around data protection expressed in the media.
Even as late as on May 1, MEITY had sought a framework to govern the “processing of sensitive data during disasters”, not just for the governance of data collected via Aarogya Setu.
Why were Rules proposed by MEITY dropped?
In the May 2 meeting, the Home Secretary decided that “any rule on data collection, processing and storage may not be warranted under NDMA”. A document with guidelines or an order could instead be issued by MEITY under the Information Technology Act or through the Empowered Group 9.
Consequently, the rules that were originally proposed by MEITY were dropped. At that time, Gopalakrishnan was already in conversation with Vidhi Legal to come up with a “suitable document” based on the dropped rules. It is not known why PLR Chambers and Advocate Vakul Sharma were not consulted again.
Meetings that took place
April 18, 2020: Empowered Group 9 met and gave a status update on the Rules.
May 2, 2020: At the office of the Home Secretary. Attended by MEITY Secretary Ajay Prakash Sawhney, the then MEITY Additional Secretary S. Gopalakrishnan, CLES Group Coordinator Rakesh Maheshwari, and representatives of NDMA, MHA and MoHFW.
What is unknown?
- An order notifying the release of the Protocol has been provided on Page 12 of the RTI response. It is not the same as the Protocol that was published on May 11. Which order is this and when was it drafted?
- Why did MEITY and MHA reduce the scope of the rules from governance of sensitive personal data during disasters to a Protocol for governance of Aarogya Setu in particular? Does this mean that Aarogya Setu would not be retired after the pandemic is dealt with and instead will be used to deal with disasters in future? The lack of a sunset clause for the app in the Protocol is something that we had highlighted.
- When were the Rules sent to MHA for notification?
- When did MEITY approach PLR Chambers, Vidhi Legal and Advocate Vakul Sharma — before or after Aarogya Setu was launched on April 2? Why did the government proceed with the Aarogya Setu Protocol only with Vidhi Legal?
We have reached out to the Ministry of Electronics and Information Technology for more information.
***Update (October 29, 4:58 pm): Edited the headline. Older headline was “MEITY wanted protocol for all governing all COVID-19 data, not just Aarogya Setu: RTI”. Originally published on July 27, 2020 at 1:12 pm.