MEITY Extends The Validity Of 'Aarogya Setu Data Access & Knowledge Sharing Protocol' Upto May 10, 2021

An Order to this effect was issued by the Ministry on Tuesday (10^th November). In effect, the data of the Aarogya Setu App users can now be retained and shared until 10^th May, 2021, unless the user specifically requests the deletion of such data from him/her from the database.

Significantly, the Original Protocol (the validity now extended up to 10^th May 2021) was released by the Ministry on 11^th May 2020, and the Protocol is intended to regulate the collection of data by the Aarogya Setu App.

Further, the protocol ensures the "secure collection of data by the Aarogya Setu App, protection of personal data of individuals and sharing of personal or non-personal data for mitigation and redressal of COVID-19 Pandemic" collected through the app.

In other words, this Protocol intends to ensure that data collected from the app is gathered, processed and shared in an appropriate way.

The Protocol specifically states that such Ministry, Department of the Government, NDMA, SDMAs or public health institution (with whom the data is shared) shall process response data in a fair, transparent and non-discriminatory manner.

The Protocol further mandates that any Ministry, Department of the Government, NDMA, SDMAs or public health institution shall also implement reasonable security practices and procedures as prescribed under any law for the time being in force.

Notably, any data accessed by the App cannot (ordinarily) be shared with any third party. However, the Protocol allows the sharing of data with such third parties "only if it is strictly necessary to directly formulate or implement appropriate health responses."

Further, the Ministry or Department of the Government of India or State/ Union Territory Government/ local government, NDMA, SDMAs or public health institution of the Government of India/ State Governments/ local governments, which is sharing such information, has been mandated to remain responsible for adherence to this Protocol by any other entity with which it shares information.

The Protocol says that any third party with whom data is onward shared, "shall not re-use the data for any other purpose or disclose the data to any other entity and remain subject to audit and review of their data usage by the Central Government."

Any violation of the directions issued by the Protocol "may lead to penalties as per section 51 to 60 of the Disaster Management Act, 2005 and other legal provisions as may be applicable."

The Protocol, as released initially, had a sunset clause which stated that the protocol would be in effect till Wednesday (11^th November), however, as per the order dated 10^th November, the Protocol will now be in effect up to 10^th May, 2021.

Importantly, the Protocol had stated that,

"Contact, location and self-assessment data of an individual that has been collected by NIC shall not be retained beyond the period necessary to satisfy the purpose for which it is obtained which, unless a specific recommendation to this effect is made in the review under Para 10 of this Protocol (Sunset clause), shall not ordinarily extend beyond 180 days from the date on which it is collected, after which such data shall be permanently deleted."

In other words, the protocol had stated that data collected through the app would be mandatorily deleted by November 11, 2020. However, now the data shall not be deleted until 10^th May, 2021.

Notably, LiveLaw had recently reported the order passed by the CIC wherein it was observed: "None of the CPIOs(Central Public Information Officers) were able to explain anything regarding who created the App, where are the files, and the same is extremely preposterous".

In fact, the Central Information Commission on 27^th October had issued show-cause notices to the Central Public Information Officers(CPIOs) of the Ministry of Electronics and Information Technology, National Informatics Centre and National E-Governance Division(NeGD) to show reasons as to why penalty u/s 20 of the Right To Information Act should not be imposed on them for prima facie obstruction of information and providing an evasive reply on an RTI application related to Arogya Setu App.

Following the controversy generated by the Central Information Commission pulling up the central government authorities for not sharing information about the 'Aarogya Setu App', the Ministry of Electronics and Information Technology(MeitY) had issued a clarification statement

The Ministry had issued a statement on Wednesday evening stating that the app was developed via a public-private partnership in "record time" of 21 days to tackle COVID-19 and that the names of all persons associated with its development and management are available in the public domain.