The Empowered Group on Technology and Data Management have notified the ‘Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020’ to clarify on the data access and privacy standards being complied with. The Dialogue welcomes this step forward by the government towards ensuring greater transparency and accountability around the use of the app.
Last week, the Dialogue published a 14 point framework that aimed at improving the privacy features of the Aarogya Setu App. The framework recommends promulgation of an Ordinance which would legitimise the mandatory download of the App only after ensuring the existence certain predefined criteria. Other suggestions include, deletion of all data (except anonymised data required for tackling future pandemics) post the pandemic, data minimisation, access restrictions, defined protocols, and appointment of an independent auditor who will ensure that privacy respecting measures are being adhered to at every step of the data cycle. On the technical front, adoption of state-of-art anonymisation techniques, enhancement of the grievance redressal forum, and most importantly, making the App ‘open-source’ are pointers that would enhance the architecture of the app, and embed privacy in the design.
We are happy to note that our suggestions surrounding ‘data audits’, ‘data sharing protocols’ and a defined ‘Sunset Clause’ have been incorporated into Aarogya Setu’s Data Access & Knowledge Sharing Protocol.
The Dialogue had also recommended that utilisation of ‘state-of-art anonymisation techniques’ developed by an ‘expert committee’ is crucial for ensuring the safety and security of the App’s users. The protocol refers to ‘hard anonymisation’ standards for the data that would be shared with Universities and research institutions. The protocol iterates that the said anonymisation protocols are to be developed, reviewed and updated periodically by an ‘expert committee’ appointed by the Principal Scientific Advisor to the Government of India. The anonymisation protocols will be developed only after due regard is given to the sensitivity of the data collected and the advancements in the technological front. We are glad to understand that both the limbs of our suggestions have been incorporated in the protocol.
With regard to data sharing the NIC is to maintain a list with the purpose of data sharing along with a log of data shared. The Protocol also recognises an individual’s right to seek deletion of demographic data. While more clarity is required on what all constitutes ‘demographic data’, we welcome this acknowledgement of ‘Right to Erasure’ by the government.
Kazim Rizvi, Founding Director, The Dialogue, said, said, “We welcome the government’s initiative to release the data access protocol that will help in clarifying some of the doubts with the privacy architecture of the app and will also help enable check and balances on the use of the app, as well as enhancing its effectiveness. We are grateful that the recommendations suggested by The Dialogue as part of our 14-Point Privacy Framework finds itself in the government’s data access protocol. We are committed to continue to support the government towards making the app as robust as possible with the highest standards possible.”
There is more clarity on the bodies with which the data collected would be shared. The protocol suggests that de-identified data and response data will be shared with ministries, departments and other governmental bodies for the purpose of formulating responses. We believe that this is a step in a positive direction, and further recommend strict delineation of departments and authorities with whom such data will be shared. The Protocol is subject to review of the Empowered Group and we believe that with the feedback of the citizens and the civil society ecosystem in India the App and the relevant protocol(s) will be routinely updated to be made more transparent and accountable to people.