A. INTRODUCTION:
On 11 May 2020, the Ministry of Electronics and Information Technology (“MeitY”) released the ‘Aarogya Setu Data Access and Knowledge Sharing Protocol’ (“Protocol”). The Protocol is issued by the chairperson of the ‘empowered group on technology and data management’ (“EG”), which is one of the 11 empowered groups created by the National Executive Committee of the National Disaster Management Authority (“NDMA”). The chairperson of this EG is also the Secretary of MeitY, Ajay Sawhney.
The ‘rationale’ behind the protocol is to enable the government to frame ‘appropriate health responses’ by collecting and processing the data of- (a) infected individuals; (b) high-risk individuals and (c) those who have come in contact with infected individuals. ‘Appropriate health responses’ include- (a) syndromic mapping; (b) contact tracing; (c) communication to an affected or at-risk individual’s family and acquaintances; (d) statistical analysis; (e) medical research; and (f) formulation of treatment plans or other medical and public health responses for the COVID-19 pandemic.
B. KEY HIGHLIGHTS FROM THE PROTOCOL:
1. Data points collected from the individuals: ‘Response data’ collected from people using the Aarogya Setu app will have the following data points-
1.1 Demographic data, which includes the name, mobile number, age, gender, profession and travel history of the person;
1.2 Contact data i.e. data about another person that a given person has come in close proximity with, including the duration of the contact, the proximate distance between the individuals and the geographical location at which the contact occurred;
1.3 Self-assessment data i.e. the responses provided by the person to the self-assessment test on the Aarogya Setu app, and
1.4 Location data i.e. data about the geographical position of an individual in latitude and longitude.
2. Implementing agency: MeitY will be responsible for overall implementation of the protocol. The National Informatics Centre (“NIC”) under the MeitY will collect, process and manage ‘response data’.
3. Application of collection limitation, purpose limitation and period limitation principles: The Protocol requires that- (a) the response data to be collected and its purpose must be specified in the privacy policy of the Aarogya Setu app; (b) the data must be used in a ‘necessary and proportionate’ manner only for the purpose of framing appropriate health responses and to improve such responses; (c) the contact data, location data and self-assessment data will not be retained beyond a period of 180 days, unless extended by the EG; (d) demographic data will be stored till the Protocol is in force i.e. 180 days, unless extended by the EG; in case a person requests her data to be deleted, then it must be deleted within 30 days of her request.
4. Third party sharing of response data:
4.1 Sharing of personal response data: It can be shared with- (a) the Ministry of Health and Family Welfare; (b) Health departments of the state/union territory/local government, NDMA and state disaster management authorities (“SDMAs”), and any other department/ministry/public health institution of the central/state/local government, but only if the data is necessary to frame/implement an appropriate health response.
4.2 Sharing of de-identified response data: It can be shared with the ministry/department/public health institution of the central/state/union territory/local government, NDMA and SDMAs, where the data needs to be shared for framing/implementation of a critical health response. De-identified data means data which has been stripped of personally identifiable data.
4.3 Maintaining records of third parties: NIC will, to a reasonable extent, maintain a list of agencies with whom response data is shared, and record details such as the purpose of sharing, categories of data shared etc.
4.4 Application of collection limitation, purpose limitation and period limitation principles: These principles will also apply to third-party sharing of response data. The data must be permanently deleted in all circumstances after 180 days from the date on which it is accessed. Any ministry/department/public health institution with whom the data is shared must implement reasonable security practices and procedures under the Information Technology Act, 2000.
4.5 Further sharing of response data: Any ministry/department/public health institution shall further share response data only when it is strictly necessary to frame/implement appropriate health responses. It must ensure compliance with the Protocol by other such entities with whom data is further shared. Such entities can be subject to an audit and review of their usage of response data by the central government.
5. Sharing of response data for research purposes:
5.1 Availability of response data to Indian universities and research institutions: Such universities and research institutions must be registered in India. The response data provided to them must be subject to ‘hard anonymisation’ (as opposed to de-identification). The anonymisation protocols for ‘hard anonymisation’ will be developed by an expert committee appointed by the Principal Scientific Advisor of the Indian government.
5.2 Data access subject to approval of expert committee: An institution will need to submit a request to the PSA-appointed expert committee to seek access to response data. The expert committee can approve such request only if it is satisfied that the access is sought for the purposes of statistical, epidemiological, scientific or any other form of academic research. It can also specify additional terms for accessing the data.
5.3 Reverse anonymisation/re-identification banned: If the institution, irrespective of its intention, conducts reverse anonymisation or re-identification of the response data, its access rights will be terminated. It will also be subject to penalties under the applicable laws.
5.4 Further sharing of response data: Institutions can share the anonymised response data with any other institution, provided that- (a) the sharing is for the purpose approved by the expert committee; (b) there is a contract between both parties, mentioning particulars such as nature of data shared, purpose of sharing data, the duration of such sharing and other details specified by the expert committee. The institution must provide a copy of the contract to the expert committee.
6. Penalties: Any violation of the protocol will be punishable under the Disaster Management Act, 2005 and any other applicable legal provisions.
7. Termination of protocol: The Protocol will be in force for 6 months i.e. till 11 November 2020. However, its enforcement period may be extended upon a review by the EG.