The Ministry of Health and Family Welfare (MoHFW) on Monday issued guidelines for the use of CoWIN Application Programming Interfaces (APIs) by third-party Application Service Providers (ASPs).
Earlier in April, the government had stated that it does not want to open CoWIN APIs because they deal with sensitive data and a comprehensive data capture policy needs to be put in place before allowing third-party apps and services. But the government reversed its stance and opened up selective APIs anyway. As a result of this, a slew of apps and websites that offer vaccine alert services sprung up to address the limitations of the official CoWIN portal. These services captured mobile numbers and email IDs of users to notify them when a slot opens up in their desired area. But without a data capture policy in place, it was difficult to determine how these services used this data.
New Terms of Services
All ASPs that wish to use CoWIN APIs must comply with the new Terms of Service that provide guidelines for:
What data can be collected? Applications should only collect as much data as is strictly necessary to achieve the stated purpose and delete such data as soon as possible after the purpose has been served.
How should data be collected? Wherever personal data is collected, ASPs must inform users in a clear, concise and accessible manner of the “specific purpose for which the data would be used, the period of time for which it shall be retained and the manner in which it shall be deleted” and obtain consent from the user. ASPs must maintain auditable logs of the data collected and processed and should make these available to the CoWIN team if needed. All API communication should be done in a secure manner using transport layer encryption.
How should data be used? Data should only be used for the stated purpose and must be deleted on or before the end of the retention period. Vaccination centres can retain the patient data for complying with the existing laws of data retention. However, they should not store the Aadhaar number or details of any other identity documents used by beneficiaries. The CoWIN APIs or the data accessed through them should not be commercially exploited. ASPs must make reasonable efforts to protect the user data collected by them from unauthorized access or use. They should also promptly report to the CoWIN team and the users about any unauthorized access or use of such information.
How should data be stored? The data collected through the APIs should be stored within India only. CoWIN will retain the information on its servers for as long as is reasonably necessary, primarily for COVID-19 vaccination. If this information is no longer required, CoWIN will either securely delete it or store it in a way that it can no longer be used by itself or third parties.
What laws must ASPs comply with? ASPs must comply with all applicable laws, regulation, policies and third-party rights established by the Government of India. Data processed by third-party applications and CoWIN will be subject to the data protection guidelines and applicable laws and policies, established by the Government of India. ASPs updating data in CoWIN are solely responsible for the correctness of such data and any liability arising out of the said data completely rests with the ASP.
What is not allowed? API keys allotted should not be shared with anyone else except as may be allowed by the Ministry. In case of any compromise of the API key, the same should be immediately reported to the CoWIN team. Additionally, ASPs should sublicense APIs, perform an action with the intent of introducing any malware to Co-WIN services, disrupt the APIs or the servers providing the APIs, or reverse engineer the source code from any API.
Other important recommendations:
- Termination: MoHFW can terminate the use of CoWIN APIs any time with or without giving any notice. ASPs can also terminate the use of the APIs by giving 30 days prior notice and their keys will be deactivated within 30 days.
- Support: ASPs can seek support from MoHFW’s CoWIN team for any technical queries related to the APIs. However, the government does not have any obligations to make any changes to address these queries.
- API limitations: API requests will have predefined limited usage policies that may limit the number of users that can be served and ASPs should not attempt to circumvent these limitations.
- Use of Government logo: The government logo may only be used after explicit approval has been obtained from the Ministry.
- Display of approval: ASP applications will have to prominently display that it is “Approved by CoWIN”, in order to distinguish it from applications that are not approved.
What aspects can third-party platforms access?
The CoWIN platform consists of four main modules: registration and scheduling modules, vaccination facility management modules, vaccination workflow modules, and certificate module. The Health Ministry grants access to these modules via the following public and protected APIs:
Public APIs: These APIs allow any third-party application to access certain un-restricted information, that can be shared with its users. They provide read-only access to CoWIN. Currently available public APIs are:
- Fetch inventory of vaccination slots – Allows third-party apps real-time access to available vaccination slots using multiple search criteria.
- Fetch certificates – Allows third-party apps to access vaccination certificates of CoWIN users using beneficiary reference id or registered mobile number. CoWIN will provide the requested certificate only after OTP validation using the registered mobile number.
Protected APIs: These APIs allows approved third-party applications to access as well as update the information in the CoWIN database. Currently available protected APIs are:
- Beneficiary registration – To register a citizen for vaccination.
- Appointment scheduling – To schedule, reschedule, or cancel an appointment.
- Vaccination workflow- To record vaccination data and generate vaccination certificate, and report any adverse event.
While ASPs can roll out apps and services for all the functionalities described above, these services will have to use the master database maintained as part of the CoWIN platform and any update will have to be made on this master database. ASPs can retain a copy of data relating to their users but this must be done in compliance with the new Terms of Service (mentioned below). “Co-WIN will be a single source of truth with respect to all vaccinations, providing unified visibility of the vaccination programme through the Co-WIN dashboard and enabling the government to drive policies based on aggregated data” the guidelines stated.
How can third parties access CoWIN APIs?
- ASPs who wish to access CoWIN APIs will have to register themselves by sending an email to firstname.lastname@example.org and nominate an authorized system administrator.
- All ASPs should comply with the terms of service that CoWIN publishes. Vaccination centres that use third-party applications must be responsible for compliance with all the guidelines issued by the MoHFW including maintenance of historical records and supporting documents for audit purposes.
- ASPs that use protected APIs must undertake a testing process using a sandbox environment.
- Prior to the issuance of production-level API keys, the ASP should give evidence that the vaccination centre’s system is secure from the perspective of data security and that such a system complies with the Terms of Service.