IT ministry’s NIC will be responsible for collecting and managing response data
The data can be shared with other government departments, highlights protocol
Any violation can lead to imprisonment or fine
The Ministry of Electronics and Information Technology (MeitY), on Monday (May 11), released its data-sharing protocol for contact tracing application Aarogya Setu to highlight how the collected data will be used.
The MeitY in the document, ‘The Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020’, assured that the app has been developed keeping in mind the privacy and security of the user data, which has been collected to keep track of Covid-19 patients and minimise the pandemic’s spread.
The protocol highlights that the National Informatics Centre (NIC), which comes under the MeitY, will be responsible to collect, process and manage data collected by the app. The document also added that NIC shall only collect such data, which will be necessary to formulate or implement appropriate health responses.
How And Why Will The Data Be Shared?
The NIC may share the data with the Ministry of Health and Family Welfare (MoHFW), government of India, department of health of state, union territories and local governments, National and State Disaster Management Authorities and other government-run public health institutions. According to the document, data would “strictly” be used for formulating, implementing or improving appropriate health responses.
However, it will be mandatory for NIC to maintain a list of agencies the data has been shared with and the extent of document sharing. It also states that the contact, location and self-assessment data, collected by NIC, would be deleted once the purpose has been fulfilled.
“Unless a specific recommendation to this effect is made in the review under Para 10 of this Protocol, shall not ordinarily extend beyond 180 days from the date on which it is collected, after which such data shall be permanently deleted,” the protocol added.
It also specified that the violation of the protocol may lead to penalties, as per Section 51 to 60 of the Disaster Management Act, 2005, which lists penalties ranging from a jail term, fines and other legal provisions. The empowered group shall review the protocol after six months from the date of its notification, or earlier if necessary.
Govt May Open-Source Aarogya Setu App
Meanwhile, the government is also looking to make Aarogya Setu app open- source, after French ethical hacker Robert Baptiste, who goes by the name Elliot Alderson on Twitter, found flaws in the contact tracing app.
In order to prove the security flaw, Alderson revealed that inside a person had updated their status to infected in the Parliament, while two had selected the unwell option inside the Indian Army headquarters in New Delhi. The cybersecurity expert also wrote a blog titled ‘Aarogya Setu: The story of a failure’ to highlight the technical aspects of the privacy flaw in the app.
However, another point of contention has been the mandatory downloading of the Aarogya Setu app for public and private sector employees. Justice BN Srikrishna, who led the personal data protection framework for the country panel and a draft data protection bill in July 2018, has also stated that the mandating the use of Aarogya Setu app “utterly illegal”.
Meanwhile, the Indian government has also made the app mandatory for the passengers travelling through the resumed railway services.
