The Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020 was notified
by the Ministry of Electronics and Information Technology on 11 May 2020. This has
again led to a new debate over whether Aarogya Setu app data is safe after this
notification. Adv Dr Mahendra Limaye, a cyber legal consultant, analyzed the
notification, and his reading of it is given below.
As per the notification, the functioning of the Aarogya Setu app relates to
technology and data management, and to certain necessary steps required to be
taken to ensure its effective operation to detect and mitigate the spread of the
Covid 19 pandemic and enhance government preparedness at all levels. So the aim
and object of the Aarogya Setu app was never in question, and it is a
much-applauded move by the government.
In order to ensure secure collection of data, protection of personal data
of individuals, and efficient use and sharing of personal or non-personal data
for mitigation and redress, this notification was specially issued. So we must
understand that this notification was a fallout of the many objections raised
about the security of the personal data collected through this app and about
accountability for that data, especially when a hacker made claims about the
vulnerability of this huge database. This response also shows the government’s
responsive approach to the security concerns raised about the app, and this is
a welcome move.
The notification says that in order to formulate appropriate health responses for
addressing the COVID-19 pandemic, data pertaining to persons who are infected,
at high risk of being infected or who have come in contact with infected
individuals is urgently required. This data includes demographic data, contact
data, self assessment data and location data, collectively called ‘response data’.
The demographic data includes the name, mobile number, age, gender, profession
and travel history of an individual. Contact data covers data about any other
individual that a given individual has come in close proximity with, including
the duration of the contact, the proximate distance between the individuals and
the geographical location at which the contact occurred. Self assessment data
means the responses provided by that individual to the self assessment test
administered within the Aarogya Setu mobile application. Finally, location data
means data about the geographical position of an individual in latitude and
longitude. So the broad categories of data collected through this app by the
government are once again made public by this notification.
The notification also states that the Ministry of Electronics and Information
Technology, Government of India (“MeitY”) is designated as the agency
responsible for the implementation of this Protocol and its developer, the
National Informatics Center shall, under this Protocol be responsible for
collection, processing and managing response data collected by the Aarogya Setu
mobile application.
So it is highlighted that MeitY will be only the supervising authority. The
government has thus brought NIC into the picture for protection of the entire
data in the capacity of developer, and made its own role minimal in the capacity
of implementer.
Highlights of Principles for collection and processing of response data:
a. Any response data and the purpose for which it is collected by NIC shall be
clearly specified in the Privacy Policy of the Aarogya Setu mobile application.
b. NIC shall collect only such response data as is necessary and proportionate
to formulate or implement appropriate health responses. Further, such data shall
be used strictly for the purpose of formulating or implementing appropriate
health responses and constantly improving such responses.
c. NIC shall process any data collected by it in a fair, transparent and
non-discriminatory manner.
d. Contact and location data shall, by default, remain on the device on which
the Aarogya Setu mobile application has been installed after such data has been
collected. It may be uploaded to the server only for the purpose of formulating
or implementing appropriate health responses.
e. Contact, location and self assessment data of an individual that has been
collected by NIC shall not be retained beyond the period necessary to satisfy
the purpose for which it is obtained which, unless a specific recommendation to
this effect is made in the review under Para 10 of this Protocol, shall not
ordinarily extend beyond 180 days from the date on which it is collected, after
which such data shall be permanently deleted. Demographic data of an individual
that has been collected by NIC shall be retained for as long as this Protocol
remains in force or if the individual requests that it be deleted, for a maximum
of 30 days from such request, whichever is earlier.
f. The response data shall be securely stored by NIC and shall only be shared in
accordance with this Protocol.
Principles for sharing of response data have also been stated, which highlight
that:
1) Response data containing personal data may be shared with various government
agencies/bodies where such sharing is strictly necessary to directly formulate
or implement an appropriate health response.
2) Response data in de-identified form may be shared with various bodies with
whom such sharing is necessary to assist in the formulation or implementation of
a critical health response.
3) NIC shall, to the extent reasonable, document the sharing of any data and
maintain a list of the agencies with whom such data has been shared.
Obligations of entities with which response data is shared include using such
data strictly for the purpose for which it is shared, and not retaining the data
accessed and used by such entities beyond the period necessary to satisfy the
purpose for which it is shared; in any circumstance, such data shall not
ordinarily be retained beyond 180 days from the date on which it was accessed,
after which such data shall be permanently deleted, etc.
The main concern is: who is liable for any privacy violations committed through
a security breach of the Aarogya Setu app? This notification does not provide
any clarity on that concern. It was clarified that any violation of these
directions may lead to penalties as per sections 51 to 60 of the Disaster
Management Act, 2005 and other legal provisions as may be applicable. The legal
position on the protection of sensitive personal information under section 43A
of the Information Technology Act 2000 is that the state cannot be made
responsible in case of a breach of data or a lapse in protection of sensitive
personal data. Through this notification the State has clarified that it is
acting only in a supervisory capacity, and the National Informatics Center,
which is the developer of the Aarogya Setu app, will own the entire
responsibility as far as security and sharing of response data is concerned.
As regards sections 51 to 60 of the Disaster Management Act, they have one
important protection related to breach of data, and the protection is “unless he
proves that the offense was committed without his knowledge or that he exercised
all due diligence to prevent the commission of such offense”.
In case of any data breach through the Aarogya Setu app, the defense will
always be available that all due diligence was observed to prevent the
commission of an offense like data theft etc. So in my view this notification
clearly fails to provide any specific measures which the government has
suggested for protection of the data of millions of Aarogya Setu app users. The
other question that remains is whether the provisions of the Disaster Management
Act can be enforced after the disaster is over. If a data breach is reported
after the present pandemic is over, then whether these provisions can be
enforced remains a question in my mind.
Advocate Dr. Mahendra Limaye
About the author: Advocate Dr Mahendra Limaye is a Cyber Legal Consultant and
Cyber Law practitioner in India. He specifically practices in Information
Technology Act based litigation before Civil as well as Criminal Courts in
India. He obtained his doctorate on the topic Fundamental Rights and
Cyberspace. He can be contacted on mahendralimaye@yahoo.com or +919422109619.