In its nascent stages, what eventually culminated as the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020, was actually supposed to be a “guideline document for entire lifecycle of data governance related to Covid19 pandemic [sic]”, RTI documents have revealed. The Ministry of Electronics and Information Technology (MEITY) had, in fact, sought to develop these rules as general guidelines for any “such disaster response” and internally called them Disaster Management (Processing of the Public Health Emergency Data) Rules, 2020, the documents reveal. But eventually, the Protocol that was released was limited in its scope to the government’s contact tracing app. To develop these guidelines for all data, the Ministry of Information and technology had approached three law firms/entities — PLR Chambers, Vidhi Legal and Advocate Vakul Sharma. From the notes on official files, revealed via an RTI filed by Srinivas Kodali, an independent researcher, it is not clear how the focus shifted from governance of all COVID-19 related data collection to focus only on Aarogya Setu. Comments of Prafulla Kumar, a senior member of the Cyber Laws and E-Security (CLES) Group at the MEITY, dated May 1, suggest that the urgency around issuing a governance framework was prompted by lack of response from the Home Ministry for at least 10 days on the issue. This urgency was exacerbated by the Sprinklr case in the Kerala High Court and “concerns in the media about the need for a data protection framework” for COVID-19 apps that have rolled out by the…
