Aarogya Setu Application Data Governance Protocol Interruption: NIC in RTI Response


Aarogya Setu Data Access and Knowledge Sharing Protocol is no longer in production,’ said the National Informatics Center (NIC) on June 8, in response to an RTI deposit by the Internet Freedom Foundation (IFF). This data collected by Aarogya Setu is now governed by the privacy policypursuant to the Department of Electronics and Information Technology’s July response to a follow-up RTI filed by IFF.

Review by MediaNamathe two RTIs requested answers on the data sharing protocols instituted by the Union for would have govern personal and non-personal data related to COVID-19 collected by the Aarogya Setu app.

According to Economic periodan official of the NIC declared that the protocol was obsolete because it had “lost its relevance (…) Aarogya Setu is in the process of transitioning to a national health application [from a contact tracing one].’ As MediaNama reported a few years ago, this echoes concerns that “the Aarogya Setu app would be reused for other purposes after the fight against the pandemic, including becoming the first building block of the health stack in India”.

Introduced on May 11, 2020, the Protocol authorized for the retention of “contact, location and self-assessment data [collected by the app] up to 180 days.’ Later in the year, however, the Ministry of Electronics and Information Technology announcement the extension of the Protocol beyond November 2020, until May 10, 2021. An ITR answer of last September revealed that the Protocol had been further extended until May 10, 2022, “given the ongoing pandemic”.


Never miss important developments in technology policy, whether in India or around the world. Sign up for our morning newsletterwith a “Free Reading of the Day”, to experience MediaNama in a whole new way.

Advertising. Scroll to continue reading.

Why is this important: The Protocol’s data collection practices have been critical for not respecting the principles of legality, necessity and proportionality, which seriously infringes the privacy of the many users who have registered there. According to the June 8 RTI response, Aarogya Setu had 21, 60, 82, 111 registered users as of May 20, 2022. Even though the protocol has expired, the government’s response to the IFF’s RTIs does not clearly describe how the data collected so far are consulted. , managed or removed, leaving privacy concerns largely unaddressed.

Currently, Aarogya Setu’s Privacy Policy available online always states that users will be required to consent to both the terms of the Privacy Policy and the Aarogyasetu [sic] Data Access and Knowledge Sharing Protocol’ for using the application.

What else did the RTIs reveal?

The IFF follow-up RTI asked if the data collected by Aarogya Setu up to May 10, 2022 had been deleted, as per protocol. The answer simply points to the app’s privacy policy, which contains, among other things, the following provisions on data retention, purging, and deletion:

‘(b) All personal information collected under clauses 1(b), 1(c), 1(d) and 1(e) will be retained on the mobile device for a period of 30 days from the date collection, after which, if it has not already been uploaded to the server, it will be purged from the application. All information collected under clauses 1(b), 1(c), 1(d) and 1(e) and uploaded to the server will, to the extent that such information relates to persons who have not been tested positive for COVID-19, will be purged from the server 45 days after being uploaded. All information collected under clauses 1(b), 1(c), 1(d) and 1(e) from individuals who have tested positive for COVID-19 will be purged from the server 60 days after such individuals have been tested. declared cured of COVID-19[FEMININE’

“La suppression de l’application supprimera toutes les informations collectées et stockées sur votre téléphone, mais ne supprimera aucune information stockée sur le cloud. Si vous souhaitez supprimer les informations d’enregistrement visées à la clause 1 (a) et stockées sur les serveurs principaux, vous pouvez annuler votre enregistrement. Une fois que vous confirmez que vous souhaitez annuler l’enregistrement, toutes les informations que vous nous avez fournies en vertu de la clause 1 (a) seront supprimées après l’expiration d’un délai de 30 jours à compter de la date de cette annulation.

D’autre part, le responsable du NIC Raconté Période économique que les données des citoyens avaient été purgées de l’application et des serveurs gouvernementaux, conformément à la politique de confidentialité de l’application.

Publicité. Faites défiler pour continuer la lecture.

La réponse du 8 juin ajoutait en outre que le gouvernement ne disposait ni d’informations sur le dernier rapport de faisabilité de l’application, ni d’une liste des instituts de recherche avec lesquels ses données avaient été partagées. La réponse de suivi, en revanche, indiquait qu ‘”aucune donnée n’a été partagée conformément au protocole d’accès aux données et de partage des connaissances d’Aarogya setu”.

Quelles étaient les préoccupations entourant le protocole ?

Préoccupations soulevé par l’Internet Freedom Foundation dans le passé comprennent :

  • Le Protocole n’offre pas de fondement législatif pour Aarogya Setu. Ceci est préoccupant car l’État ne peut pas restreindre les droits fondamentaux sans soutien législatif – le Protocole n’offre pas ce soutien. Ainsi, l’application Aarogya Setu et ses politiques de collecte de données fonctionnent dans un vide législatif.
  • Le protocole justifie les pratiques de collecte de données centralisées d’Aarogya Setu sur les données individuelles afin de développer des «réponses sanitaires appropriées». L’axiome politique conçu de manière expansive est «incompatible avec le principe de proportionnalité». Selon l’IFF, peu d’efforts sont faits pour s’assurer que les pratiques de collecte de données les plus respectueuses de la vie privée sont déployées.
  • Le partage de données centralisées avec diverses institutions de recherche indique “l’appétit [sic] of the Indian government to market or discover commercial applications of the Aarogya Setu app, rather than following the path of other democratic societies that focus more on decentralized models that can effectively alert people to get tested and treat for the coronavirus itself.
  • The protocol also introduced a sunset clause – if the protocol is not in effect after November 11, 2020, all user data collected by the app will be deleted. However, IFF argues that the sunset clause is also questionable because the protocol includes “no reference to the actual destruction of servers and systems created as a result of the Aarogya Setu program.” This can lead to persistent government surveillance.

What is the Protocol?

The protocol, which is separate from Aarogya Setu’s broader privacy policy, has been developed by the government’s Empowered Group 9, which was responsible for technology and data management during the pandemic.

The protocol authorized the sharing of collected data with state health departments, the Ministry of Health and Family Welfare, national and state disaster management authorities, and various other public health institutions, whenever ‘there was a need to ‘formulate or implement an appropriate public health policy response.’ At the same time, he also established strict guidelines for sharing data with research institutes.

Articles 51 to 60 of the Disaster Management Act 2005, may be invoked in the event of a violation, alongside the applicable legal provisions. The NIC had to manipulate management and processing of data by the application. The MeitY had a supervisory role in the implementation of the Protocol and was to be guided by the recommendations of Empowered Group 9.

Advertising. Scroll to continue reading.

RTI answers further revealed that several of MeitY’s submissions for the Protocol at the time were rejected. These included guidelines to govern not only data collected by the Aarogya Setu app, but all COVID-19 related data in India. These guidelines could potentially be used in any “disaster response”.


This post is published under a CC-BY-SA 4.0 license. Feel free to repost on your site, with attribution and a link. Adaptation and rewriting, although permitted, must be faithful to the original.

Read more