Reviewed by MediaNama, the two RTIs requested answers on the data sharing protocols instituted by the Union to govern personal and non-personal data related to COVID-19 collected by the Aarogya Setu app.
According to the Economic Times, an official of the NIC declared that the protocol was obsolete because it had “lost its relevance (…) Aarogya Setu is in the process of transitioning to a national health application [from a contact tracing one].” As MediaNama reported a few years ago, this echoes concerns that “the Aarogya Setu app would be reused for other purposes after the fight against the pandemic, including becoming the first building block of the health stack in India”.
Introduced on May 11, 2020, the Protocol authorized the retention of “contact, location and self-assessment data [collected by the app] up to 180 days.” Later in the year, however, the Ministry of Electronics and Information Technology announced the extension of the Protocol beyond November 2020, until May 10, 2021. An RTI response from last September revealed that the Protocol had been further extended until May 10, 2022, “given the ongoing pandemic”.
Why is this important: The Protocol’s data collection practices have been criticized for not respecting the principles of legality, necessity and proportionality, which seriously infringes the privacy of the many users who have registered on the app. According to the June 8 RTI response, Aarogya Setu had 21,60,82,111 registered users as of May 20, 2022. Even though the protocol has expired, the government’s response to the IFF’s RTIs does not clearly describe how the data collected so far is accessed, managed or removed, leaving privacy concerns largely unaddressed.
What else did the RTIs reveal?
“(b) All personal information collected under clauses 1(b), 1(c), 1(d) and 1(e) will be retained on the mobile device for a period of 30 days from the date of collection, after which, if it has not already been uploaded to the server, it will be purged from the application. All information collected under clauses 1(b), 1(c), 1(d) and 1(e) and uploaded to the server will, to the extent that such information relates to persons who have not been tested positive for COVID-19, be purged from the server 45 days after being uploaded. All information collected under clauses 1(b), 1(c), 1(d) and 1(e) from individuals who have tested positive for COVID-19 will be purged from the server 60 days after such individuals have been declared cured of COVID-19.”
“Deleting the app will delete all the information collected and stored on your phone, but will not delete any information stored on the cloud. If you wish to delete the registration information referred to in clause 1(a) and stored on the main servers, you can cancel your registration. Once you confirm that you wish to cancel your registration, all the information you have provided to us under clause 1(a) will be deleted after the expiry of a period of 30 days from the date of that cancellation.”
On the other hand, the NIC official told the Economic Times that citizens’ data had been purged from the app and from government servers, in accordance with the app’s privacy policy.
The June 8 response further added that the government had neither information on the app’s latest feasibility report, nor a list of the research institutes with which its data had been shared. The follow-up response, on the other hand, stated that “no data has been shared as per the Aarogya setu data access and knowledge sharing protocol”.
What were the concerns surrounding the Protocol?
Concerns raised by the Internet Freedom Foundation in the past include:
- The Protocol does not offer a legislative basis for Aarogya Setu. This is concerning because the State cannot restrict fundamental rights without legislative backing, and the Protocol does not offer that backing. Thus, the Aarogya Setu app and its data collection policies operate in a legislative vacuum.
- The Protocol justifies Aarogya Setu’s centralized collection of individual data in order to develop “appropriate health responses”. This expansively framed policy axiom is “incompatible with the principle of proportionality”. According to IFF, little effort is made to ensure that the most privacy-respecting data collection practices are deployed.
- The sharing of centralized data with various research institutions indicates “the appetite [sic] of the Indian government to market or discover commercial applications of the Aarogya Setu app, rather than following the path of other democratic societies that focus more on decentralized models that can effectively alert people to get tested and treated for the coronavirus itself.”
- The protocol also introduced a sunset clause: if the protocol is not in effect after November 11, 2020, all user data collected by the app will be deleted. However, IFF argues that the sunset clause is also questionable because the protocol includes “no reference to the actual destruction of servers and systems created as a result of the Aarogya Setu program.” This can lead to persistent government surveillance.
What is the Protocol?
The protocol authorized the sharing of collected data with state health departments, the Ministry of Health and Family Welfare, national and state disaster management authorities, and various other public health institutions, whenever there was a need to “formulate or implement an appropriate public health policy response.” At the same time, it also established strict guidelines for sharing data with research institutes.
Sections 51 to 60 of the Disaster Management Act, 2005 may be invoked in the event of a violation, alongside the applicable legal provisions. The NIC was to handle the management and processing of data by the application. The MeitY had a supervisory role in the implementation of the Protocol and was to be guided by the recommendations of Empowered Group 9.
RTI responses further revealed that several of MeitY’s submissions for the Protocol at the time were rejected. These included guidelines to govern not only data collected by the Aarogya Setu app, but all COVID-19 related data in India. These guidelines could potentially be used in any “disaster response”.
This post is published under a CC-BY-SA 4.0 license. Feel free to repost on your site, with attribution and a link. Adaptation and rewriting, although permitted, must be faithful to the original.