The validity of the Aarogya Setu Data Access and Knowledge Sharing Protocol has been extended by six months until May 10, 2021. Essentially, personal data collected from Aarogya Setu users can be retained and shared until this date, unless a user requests the deletion of such data.

Released on May 11, 2020, the Protocol is supposed to govern the collection of data by Aarogya Setu and data sharing of personal and non-personal data collected through the app. It allowed the retention of contact, location and self-assessment data for up to 180 days. In what was a welcome move then, the Protocol had a sunset clause, which entailed the mandatory deletion of all user data by November 11, 2020 (the original deadline). However, per the latest announcement by MEITY on Tuesday, the Protocol will not lapse until May 10, 2021.

When announced, the Protocol was seen as indication that the Aarogya Setu app would be repurposed for other purposes after the pandemic is dealt with, including becoming the first building block of the India health stack. With this extension, this appears to have been the right inference.

The Protocol is distinct from Aarogya Setu’s privacy policy, which specifies that personal information of COVID-19 patients can be collected and stored in government servers for 60 days. It was developed by the Empowered Group 9 on Technology and Data Management, one of the 11 empowered groups formed to deal with the pandemic. MEITY is supervising the its implementation, per directions of the empowered group.

Whom can the data be shared with? The Protocol allows for the sharing of Aarogya Setu data (demographic, contact, self-assessment and location) with the Ministry of Health and Family Welfare, Government of India, state health departments, the NDMA, SDMAs, and other such public health institutions “where such sharing is strictly necessary to directly formulate or implement an appropriate health response”.

The Protocol lists several conditions and obligations on entities receiving this data. However, per a recent report in the Quint, several of these safeguards were not followed by the National Informatics Centre (NIC). For instance, the NIC was supposed to maintain a list of agencies it has shared Aarogya Setu data with. But NIC was unable to provide this list when asked as part of a Right to Information (RTI) query. Similarly, data recipients are supposed to have “reasonable security practices”, but NIC has reportedly nor created any reasonably security practices and procedures.