Aarogya Setu enables data sharing via Bluetooth Low Energy and GPS locations
Data, hashed with a unique digital id (DiD), is saved in secure servers of the government
The app will collect data every 15 minutes for users with a high risk for contracting coronavirus
After drawing flak for missing crucial data privacy provisions, the Indian government has now updated the privacy policy for the Aarogya Setu app to address the concerns and extend its use beyond Covid-19 tracing.
Aarogya Setu, the official Indian government app for contact tracing Covid-19 cases, enables alerts via Bluetooth Low Energy and GPS when people come in proximity with a positive or suspect Covid-19 case. However, the application, launched on April 2, had no terms explaining how it uses the information of users. After privacy experts raised many concerns, the government has now updated the policies.
According to a report by Medianama, the government has addressed these crucial security and privacy concerns directly by updating the privacy policy of Aarogya Setu. The new norms suggest that data, hashed with a unique digital id (DiD), is saved in secure servers of the government. The DiDs ensure that names of users are never stored on the server unless there is a need to contact the user.
Aarogya Setu has also clarified the end-use for the data it collects. The policy says that the DiDs will only be linked to personal information in order to communicate to users the probability that they have been infected with Covid-19. The DiD will also provide information to those carrying out medical and administrative interventions necessary in relation to Covid-19.
Further, the privacy terms now show that the government will encrypt all the data before uploading it to the server. The application accesses location details and uploads them to the server, the new policy clarifies.
As far as the data sharing is concerned, the policy has now explained that only DiDs will be shared when two devices come in proximity. Previously, the application had no such feature, while the new policy now reads, “The data collected from your app will be securely stored on the mobile device of the other registered user and will not be accessible by such other user.” The DiD is similar to a token generated for certain online services.
Under the new policy, data collection questions have also been clarified to some extent. The update says that the app will collect data every 15 minutes from users having a ‘yellow’ or ‘orange’ status. These colour codes signify a high level of risk for contracting coronavirus. No data will be collected from users having a ‘green’ status on the application.
Also, the Aarogya Setu app has now explained that no data will be shared with any third party organisations. It says, “Nothing set out herein shall apply to medical reports, diagnoses, or other medical information generated by medical professionals in the course of treatment.”
On the data retention front, the government has clarified that all the data will be deleted from the application and server in 30 days for people not contracting coronavirus. Meanwhile, the data of people testing positive for Covid-19 will be deleted from the server 60 days after they defeat coronavirus.