In recent news, the Ministry of Electronics and Information Technology (MeitY) has initiated the ‘Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020’. The protocol outlines the procedure for sharing data acquired via the Aarogya Setu App with government agencies and third parties during the Covid-19 pandemic. The decision comes as a response to privacy concerns raised by experts questioning the app’s safety and efficacy.
Understanding the Aarogya Setu App
The app, launched by MeitY, is designed to aid users in gauging their risk of contracting Coronavirus. It employs advanced Bluetooth technology, algorithms and artificial intelligence to calculate hazards based on the user’s interaction with others. The technology identifies nearby devices installed with Aarogya Setu, therefore aiding the Government in timely decision-making for risk assessment and necessary isolation measures.
A Glance at the Protocol Used
The protocol aims at ensuring that data collected through the app is gathered, processed and disseminated appropriately. Any violation of the protocol may invite penalties under the Disaster Management Act, 2005. While MeitY is the agency responsible for implementing the protocol, the National Informatics Centre (NIC) is entrusted with the collection, processing and management of response data. The protocol has a validity of six months unless extended.
Empowered Group of Ministers and Their Role
The Empowered Group of Ministers (EGoM) is a set of ministers appointed by the Cabinet or the Prime Minister to investigate and report on specified matters. They are also responsible for taking decisions after investigation. The protocol order emphasizes the relevance of individual data in formulating effective health responses to Covid-19.
Defining Individual Data
The protocol defines ‘individuals’ as people who are infected, at high risk of infection or have been in contact with the infected populace. It categorizes data in four ways: demographic, contact, self-assessment and location data. This data can only be shared if necessary for health response formulation or relevant research work.
Data Access Entities
The protocol allows for entities such as the Health Ministry, various State/Union Territory government Health Departments, National and State Disaster Management Authorities and other local, state and central public health institutions to access the data. Certain Indian universities, research institutions and other registered entities can also gain access to the information.
Checks and Balances Asserted by the Protocol
The protocol provides several safeguards. Apart from demographic data, the remaining data must be de-identified to protect personal identities. The NIC is required to maintain a list of data-sharing instances including details like time of initiation, categories of data and purpose of sharing. Shared data cannot be retained beyond 180 days from its collection date.
Privacy Concerns and Necessary Safeguards
Despite these provisions, the need for a Personal Data Protection Law remains. This law would support the decision to make the app mandatory for all users. The Personal Data Protection Bill 2019 is under consideration by the Parliament. There are concerns that the clause allowing data sharing with third parties could be misused. A comprehensive list of third parties that are eligible for access to data needs to be developed. Furthermore, there is a call for elaborating on the de-identification process for added safety.