The Ministry of Health and Family Welfare (MoHFW) on Monday issued guidelines for the use of CoWIN Application Programming Interfaces (APIs) by third-party Application Service Providers (ASPs). Earlier in April, the government had stated that it does not want to open CoWIN APIs because they deal with sensitive data and a comprehensive data capture policy needs to be put in place before allowing third-party apps and services. But the government reversed its stance and opened up selective APIs anyway. As a result of this, a slew of apps and websites that offer vaccine alert services sprung up to address the limitations of the official CoWIN portal. These services captured mobile numbers and email IDs of users to notify them when a slot opens up in their desired area. But without a data capture policy in place, it was difficult to determine how these services used this data. New Terms of Services All ASPs that wish to use CoWIN APIs must comply with the new Terms of Service that provide guidelines for: What data can be collected? Applications should only collect as much data as is strictly necessary to achieve the stated purpose and delete such data as soon as possible after the purpose has been served. How should data be collected? Wherever personal data is collected, ASPs must inform users in a clear, concise and accessible manner of the "specific purpose for which the data would be used, the period of time for which it shall be retained and the manner in which it shall be deleted"…
