Aarogya Setu, the official Indian government app for contact tracing Covid-19 cases, enables alerts via Bluetooth Low Energy and GPS when people come in proximity with a positive or suspect Covid-19 case. However, the application, launched on April 2, had no terms on how it is using the information of users. After many concerns from privacy experts, the government has now updated the policies.
Aarogya Setu has also clarified the end-use for the data Aarogya Setu collects. The policy says that the DiDs will only be linked to personal information in order to communicate to users the probability that they have been infected with Covid-19. The DiD will also provide information to those carrying out medical and administrative interventions necessary in relation to Covid-19.
Further, the privacy terms now show that the government will encrypt all the data before uploading to the server. The application access location details and uploads it to the server, new policies clarify.
As far as the data sharing is concerned, the policy has now explained that only DiDs will be shared when two devices come in proximity. Previously, the application had no such feature, while the new policy now reads, “The data collected from your app will be securely stored on the mobile device of the other registered user and will not be accessible by such other user.” The DiD is similar to a token generated for certain online services.
Under the new policy, data collection questions have also been clarified to some extent. The update says that the app will collect data every 15 minutes of users having a ‘yellow’ or ‘orange’ status. These colour codes signify a high level of risk for contracting coronavirus. No data will be collected from users having a ‘green’ status on the application.
Also, the Aarogya Setu app has now explained that no data will be shared with any third party organisations. It says, “Nothing set out herein shall apply to medical reports, diagnoses, or other medical information generated by medical professionals in the course of treatment.”
On the data retention front, the government has clarified that all the data will be deleted from the application and server in 30 days for people not contracting coronavirus. Meanwhile, the data of people testing positive for Covid-19 will be deleted from the server 60 days after they defeat coronavirus.