Aarogya Setu’s Data Access and Knowledge Sharing Protocol, 2020 

An explainer by the Vidhi Centre for Legal Policy

The Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020 (“Aarogya Setu Protocol”) has been issued by the Empowered Group on Technology and Data Management under the Disaster Management Act, 2005 to provide legal safeguards for the operation of the Aarogya Setu mobile application – a tool which has emerged as an essential aspect of India’s strategy against Covid-19.

How does the Protocol balance the imperatives of privacy and public health?

Exposure notification and contact tracing has emerged as a potent tool in managing the Covid-19 pandemic. While the idea of contact tracing is as old as the first organised responses to pandemics itself, the use of latest technology allows this exercise to be conducted at a large scale.

Contact tracing enables speedier medical and administrative interventions, which can be formulated, planned and implemented in a better manner because of the availability of valuable information related to the pandemic. For example, the Aarogya Setu application enabled the advance detection of 130 potential hotspots at the sub-post office level, which were all later declared as hotspots by the Health Ministry.

While the benefits are clear, it is equally essential that user privacy should be at the forefront of a large-scale information collection exercise such as this. This is necessary to build trust in the population to part with their data on the confidence that it will not be misused or misplaced. To this end, features of the Protocol, which relate directly to issues of user privacy, accountability and data protection – essential to building a healthy and trustworthy environment for contact tracing – are explained below.

How does the Aarogya Setu Protocol protect privacy?

The Aarogya Setu Protocol is structured as a set of restrictions on how the mobile app should collect the data; obligations related to the processing and handling of such data; and restrictions on sharing of the data, along with measures directed at improving accountability within each aspect of the flow of data under the Protocol.

These include:

What are the purposes for which data can be collected and used? How long can such data be retained?

The Aarogya Setu Protocol aligns with the norms of data protection by setting out clear limitations on the purpose of data collection, the use of data and the retention of data. The Protocol strictly defines the phrase ‘appropriate health responses’ as a set of contextualised operations – such as syndromic mapping, formulation of treatment plans and communication to at-risk individuals – which are directly related to the management of the Covid-19 pandemic.

For example, syndromic mapping refers to the detection of symptoms as a tool in tracking the spread of an epidemic. The results of a user’s self-assessment tests would directly aid this exercise and enable the advance detection of hotspots. The contact tracing data of an infected user can reveal other users who may be at-risk, and to whom appropriate safety and medical information should be communicated. These purposes are specifically outlined in Paragraph 2 of the Protocol.

Any collection, use or sharing of data under this Protocol, which poses a potential risk to the privacy of individuals, must be necessary to formulate or implement an appropriate health response. Consequently, the Protocol ensures that data, which is not relevant to an appropriate health response, is not collected or shared under this Protocol. It also ensures that all data collected is used only in relation to this purpose, and not for other unrelated activities.

Finally, no contact, location or self-assessment data shall be retained beyond the period necessary, and unless specifically required by a review committee, shall be permanently deleted 180 days after its collection. The demographic data of an individual shall be retained only if the Protocol remains in force, unless the user requests the deletion of this data, in which case it shall be deleted after 30 days from such request.

What are the safeguards on the sharing of data?

The Protocol enables data sharing with the Ministry of Health and Family Welfare and other public health institutions engaged in formulating or implementing an appropriate health response to COVID-19. This may involve the sharing of personal data only with the specifically mentioned public health institutions when such sharing is strictly necessary to directly formulate or implement an appropriate health response, such as for detecting the emergence of a hotspot, providing treatment to infected individuals, or tracing the spread of the pandemic.

Further, the sharing of any data with other agencies of the Government, whose assistance may be necessary, is to be done only in de-identified form – that is, where the personal information of an individual is replaced with a randomly generated ID to prevent identification of the individual, therefore preserving the privacy interests of users of the app. Any onward sharing of the data under the Protocol is subject to more stringent safeguards and obligations to prevent any disclosure of the data.

Thus, by default, the location and contact data of an individual is ordinarily stored only on the phone of that individual, and can be uploaded to the server only in some limited circumstances for the purposes mentioned above. For example, out of its 96 million users, the contact tracing data of only 12,000 users (0.1% of all users) has been uploaded to the server so far.

Therefore, safeguards such as a stringent purpose and use limitation, restrictions on sharing of data, the obligation to process data in a ‘fair, transparent and non-discriminatory manner’ and strict retention requirements create a legal framework to safeguard the processing of data.

How does this Protocol ensure accountability?

The Protocol requires four key pieces of information to be recorded at each step of data sharing – the time at which data was accessed, the persons who have accessed any data, the categories of data accessed by them and the purpose for which they accessed such data.

This information is to be maintained by the National Informatics Centre (NIC), as well as by any entity with whom data is shared under this Protocol. This ensures that there exists a paper-trail, which can be examined to identify any misuse or irresponsible sharing of the data.

Further, NIC is required to maintain a list of agencies with whom the data was shared. Together, these measures institute a strong framework for accountability in data sharing under this Protocol. This, however, requires to be supplemented by a comprehensive data protection law.

Can the data be used for other research?

The Protocol enables hard-anonymised data, that is data which has undergone irreversible processes of anonymisation, to be made available to Indian research institutions on a non-discriminatory basis. The anonymisation standards to be used in this process shall be developed, reviewed and updated by an expert committee appointed by the Principal Scientific Advisor to the Government of India.

Further, the Protocol prohibits the re-identification of any individual through such anonymised data, thereby ensuring the privacy interests of users are not harmed in the process of enabling academic research and making non-compliance with this direction punishable.

When will the Protocol come to an end?

The Protocol has a strict sunset clause, stating that it shall cease operation after 6 months from the date of its issuance. This also aligns with the retention requirements mentioned earlier, which require data to be permanently deleted after a period of 180 days. At the end of this Protocol, the legal basis for collection and sharing of data provided by this Protocol shall cease to exist.

The only situation in which this might be extended is if the Empowered Group, which is meant to review the Protocol, specifically deems it necessary that the Protocol should continue on account of continuation of the Covid-19 pandemic. This ensures that the legal basis for data collection under this Protocol will not outlast the pandemic to become a tool for surveillance of individuals, and will remain closely tied to the purpose for which it is issued.

Issues to build further on

While a Protocol such as this is a bold step towards securing citizens’ privacy while enabling the leveraging of data to fight an unprecedented crisis, there are some lingering concerns that must be kept in mind, and should guide future advocacy on the issue of preserving user freedoms.

1. How may the legal basis for information sharing exercises in the response to the pandemic be improved?

The Aarogya Setu mobile app can be a useful tool – however, at present, it appears to have been made mandatory for some groups of people through guidelines that lack a clear legal basis. If the app is made mandatory, this maybe considered to be a restriction on the individual’s right to privacy, and would have to satisfy the tests of legality, necessity and proportionality for it to be lawful.

Therefore, a valid legal basis – such as an act of Parliament – would be required to make the Aarogya Setu app mandatory in a legal manner. Without the presence of a clear legal basis, making the app mandatory is a likely infringement on the fundamental right to privacy.

2. How may the transparency of the Aarogya Setu application be improved?

The Aarogya Setu application represents an information-collection exercise at an unprecedented scale in a time of an unprecedented crisis. In this circumstance, the value of transparency cannot be understated which could be met by making the application open-source. However, while doing this, it is essential that any vulnerabilities related to the app should be addressed without putting the privacy interests of millions of users at risk. Additionally, the shift to a decentralised model of contact sharing, or the use of dynamic device IDs are also potential approaches to further safeguard user privacy in this exercise. To the extent feasible and permitted by the technical infrastructure of the app, the NIC may consider some of the approaches mentioned above to improve the transparency of the app.

3. How may the deployment of this app be made inclusive?

The Aarogya Setu app is an effective tool for contact tracing, and could potentially be linked to access to facilities like movement, travel and workforce participation for its users if such a decision was to be made by the Government. A vast majority of the population, however, lacks access to smartphones and therefore, would not be covered by the application. Hence, viable and feasible alternatives to ensure access for such individuals must be explored so that there is no exclusion or denial of access.

Vidhi’s ALTR team assisted the Government of India’s Empowered Group on Technology and Data Management in formulating the Aarogya Setu Data Access & Knowledge Sharing Protocol, 2020.