Aarogya Setu: Personal data to be deleted in 180 days

The government released an “Aarogya Setu Data Access and Knowledge Sharing Protocol” outlining that personal data from the application can only be used for health purposes and must be permanently deleted after a maximum of 180 days.

The Aarogya Setu app requires users to submit their geodata and utilises Bluetooth to connect to other registered users on the network.


The Ministry of Electronics and Information Technology (MeitY) on Monday released an “Aarogya Setu Data Access and Knowledge Sharing Protocol” outlining that personal data from the application can only be used for health purposes and must be permanently deleted after a maximum of 180 days “unless a specific recommendation… is made” by the empowered group on technology.

“NIC shall collect only such response data as is necessary and proportionate to formulate or implement appropriate health responses. Further, such data shall be used strictly for the purpose of formulating or implementing appropriate health responses and constantly improving such responses,” the new data-sharing protocol read.

“In the overall flow, the most important data set is the special surveillance system made by the health department in which states (and districts) can look at the information,” IT Secretary Ajay Prakash Sawhney said in a press briefing on Monday. “Also, applications for testing samples with data reaches ICMR’s lab portals … all health systems in NIC and the Health Ministry are combined with Aarogya Setu’s self-assessment and Bluetooth contact tracing data. Along with NDMA (National Disaster Management Authority) data and with the help of IIT Madras, an analytics is done on all this combined data to see what actions can be taken. This is the broad picture of how we organise our data flows.”

The new norms, which lay emphasis on anonymisation of data collected by the app, mention that the data can be shared with the “Government of India”, and all the agencies that are granted access to the data must use it only for the purpose for which it has been shared and delete it after 180 days.

The National Informatics Centre (NIC) is responsible for collecting, processing and managing all the data collected by Aarogya Setu, which has been downloaded to the phones of 9.82 crore Indians. NIC shall maintain a list of agencies with which the data is being shared.

The new protocol also allows an individual to request deletion of their demographic data; such a request must be complied with within 30 days.

“This makes it very clear that the intent of the government is only to use this data for COVID-19 related responses and there is no other purpose for which the data has been collected. The purpose is now upfront, and after that period is over, all data will be purged,” said Abhishek Vaidya, the CEO of the IT Ministry’s National e-Governance Foundation.

“There have been a few concerns about how data is shared, how it is being governed, and under what act is it being shared. So while the data protection bill is pending in Parliament, there was a need to lay down the framework because ultimately what we are saying in the privacy policy about collection purpose and use needed a statutory backing,” said Vaidya.

IT Ministry’s Additional Secretary S Gopalakrishnan, who also assisted in developing the protocol, told The Indian Express: “It is in the same spirit as the Data Protection Bill. This puts clearly the role of NIC, MeitY, etc. in handling this data.”

In a webinar on Monday, Justice B N Srikrishna called the new protocol a “patchwork” that will “cause more concern to citizens than benefit.”

He said: “It is highly objectionable that such an order is issued at an executive level. Such an order has to be backed by Parliamentary legislation which will authorise the government to issue such an order. If it is traced to the NDMA, the NDMA has no provision for constitution of an empowered group. (Under) what provision of law is this order issued? I cannot understand … If there is a breach of data here, who is answerable, what action has to be taken and (who is) accountable for the data breach. This should really have been traced ideally to PDP or through NDMA by an appropriate amendment.”

Recently, the Congress raised security concerns about the application, citing a technical note by hacker Elliot Alderson. The hacker claimed he was able to use the app to access information about people who are COVID-19 infected and felt unwell, among other data points, including people in sensitive offices like the PMO or Parliament. The government was also asked to make the source code of the app “open source” so that the open community can identify security flaws. Last week, a government official working on the application told The Indian Express that the developers plan to make the code public “soon”.

Compared with the pending Data Protection Bill, which is under examination by a Parliamentary Joint Select Committee, the new protocols have a stronger emphasis on anonymisation of personal data when it is shared with other parties. Though the protocols for sharing and processing of personal data have largely been kept unchanged, the new norms emphasise “de-identifying” and “hard anonymisation”.

In the press conference, Sawhney, who is also the chairman of the empowered group, said that apart from smartphone users, the government is also planning to develop new contact tracing methods for feature phone and fixed-line phone users.
