In the order, the ministry said that the National Informatics Centre (NIC), the developer of the application, shall collect only such response data which is necessary and proportionate to formulate or implement appropriate health responses. Further, such data shall be used strictly for the purpose of formulating or implementing appropriate health responses and constantly improving such responses.
The NIC shall process any data collected by it in a fair, transparent and non-discriminatory manner. Contact and location data shall by default remain on the device on which the Aarogya Setu mobile application has been installed after such data has been collected.
It may be uploaded to the server only for the purpose of formulating or implementing appropriate health responses, as per ‘The Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020’.
The response data shall be securely stored by NIC and shall only be shared in accordance with the protocol.
The Ministry’s protocol further said that response data containing personal data may be shared in a de-identified form with the Union Ministry of Health and Family Welfare, state health departments, NDMA, SDMAs, such other ministries and departments of the Centre and states and other government public health institutions where such sharing is strictly necessary to directly formulate or implement an appropriate health response.
De-identified data means data which has been stripped of personally identifiable data, to prevent the individual from being personally identified through such data, and assigned a randomly generated ID.
“NIC shall, to the extent reasonable, document the sharing of any data and maintain a list of the agencies with whom such data has been shared. Such documentation shall include the time at which such data sharing was initiated, the persons or agencies who are being provided access to such data, the categories of data that are being shared and the purpose for which such data is being shared,” it said.
The data accessed and used by the government entities should not be retained beyond the period necessary to satisfy the purpose for which it is shared. In any circumstance, such data shall not ordinarily be retained beyond 180 days from the date on which it was accessed, after which such data shall be permanently deleted.
The Centre has mandated that any response data accessed by an authorised body shall ordinarily not be shared with any third party. However, response data may be shared with such third parties only if it is strictly necessary to directly formulate or implement appropriate health responses, it added.
Further, response data may be made available for research purposes by NIC in hard anonymised form. Hard anonymisation refers to a series of technical processes which ensure that any individual is incapable of being identified from the response data through any means reasonably likely to be used to identify such individual.
This anonymisation shall be done in accordance with anonymisation protocols that are to be developed, reviewed and updated on a periodic basis by an expert committee appointed by the principal scientific advisor to the Government of India.
“Such review shall have regard to the nature and sensitivity of the data being processed, the robustness of the anonymisation protocol and advances in technology. Response data which has undergone hard anonymisation, as under para 8(a), may be made available to Indian universities and research institutions / research entities registered in India,” it said.
Any violation of these directions may lead to penalties as per sections 51 to 60 of the Disaster Management Act, 2005 and other legal provisions as may be applicable, as per the protocol.
An Empowered Group shall review the protocol after a period of six months or at an earlier time as it deems fit. Unless specifically extended by the Empowered Group on account of the continuation of the Covid-19 pandemic in India, this protocol shall be in force for six months from the date on which it is issued, it said.