The administration of Jammu and Kashmir has revealed that it shared user data collected by Indian government’s Covid-19 contact tracing app Aarogya Setu with local police in the union territory’s Kulgam district. The shared data included the list of people that had tested positive of Covid as well as the data related to recoveries and casualties.
This is the first time any Indian state administration has publicly admitted to having shared Aarogya Setu data with police and law enforcement. Fazil Ali Kochak, the chief medical officer of the Kulgam region of J&K, revealed the development as response to an RTI (right to information) plea filed by journalist Saurav Das.
Das had filed the RTI plea with the National Informatics Center (NIC), which is responsible for the development and management of the Aarogya Setu app, last year. NIC also maintains the list of agencies/agencies with whom the data was shared. The department had transferred the plea to the administration of Jammu and Kashmir in October 2020, saying that the plea “does not relate to NIC and may relate” to the department of health and family welfare of the union territory.
“Perhaps data has been shared with law enforcement agencies by Govt authorities elsewhere in India… cannot be ruled out. At least now, we have 1 Dept [department] admitting to this. The RTI reply has come after months of perseverance,” Das said on Twitter.
The Internet Freedom Foundation (IFF) also took to Twitter to raise concerns over the unethical data sharing. The organisation highlighted that medical data is sensitive and tied to the specific purpose of health surveillance, “however without any limitation by law, risks continue for all promises for its protection being legally unenforceable.”
The concerns over Aarogya Setu leading to illegal surveillance by the Indian government have been coming into play ever since the launch of the app in April 2020. However, the Indian government has always advised against it, emphasising the contact tracing app would only be used for effectively tackling the Covid-19 situation in India.
The Ministry of Electronics and Information Technology (MeitY), on May 11, had also released a data-sharing protocol ‘The Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020’ for the app to highlight how its data will be shared and collected. The ministry assured that the app has been developed keeping in mind the privacy and security of the users, and the data collected will only be shared “strictly” for formulating, implementing or improving appropriate health responses.
The document also highlighted that the data will be shared with government-run public health institutions, including the Ministry of Health and Family Welfare (MoHFW), government of India, department of health of state, union territories and local governments, National and State Disaster Management Authorities and other government-run public health institutions.
The guidelines highlight that NIC will be liable to maintain the list of agencies the data has been shared with and the extent of document sharing, which does not seem to be the case as per the latest RTI plea filed by Das.