On 11 May 2020, the Ministry of Electronics and Information Technology issued the Data Access and Knowledge Sharing Protocol (the “Protocol”) in order to ensure secure collection of data by the Aarogya Setu mobile application, protection of personal data of individuals, and the efficient use and sharing of personal and non-personal data for mitigation and redressal of the pandemic. MEITY is designated as the agency responsible for the implementation of this Protocol and its developer, the National Informatics Centre (“NIC”) is responsible for collection, processing and managing response data collected by the Aarogya Setu mobile application.
Data Collection: Demographic data, contact data, self-assessment data and location data (collectively “response data”) is collected on the App. NIC shall collect only such response data as is necessary and proportionate to formulate or implement appropriate health responses. Further, such data shall be used strictly for the purpose of formulating or implementing appropriate health responses and constantly improving such responses.
Data Sharing: Response data containing personal data may be shared with Ministry of Health and departments of health of State Governments, etc. where such sharing is strictly necessary to directly formulate or implement an appropriate health response. In other cases, response data in de-identified form to be shared. NIC shall, to the extent reasonable, document the sharing of any data and maintain a list of the agencies with whom such data has been shared. Any entity with whom response data has been shared shall use such data strictly for the purpose for which it is shared. Response data may be shared with such third parties only if it is strictly necessary to directly formulate or implement appropriate health responses.
Data Sharing for Research Purposes: Response data which has undergone hard anonymization may be made available to Indian universities and research institutions / research entities registered in India. Hard anonymization refers to a series of technical processes which ensure that any individual is incapable of being identified from the response data through any means reasonably likely to be used to identify such individual.
This post has been contributed by Ms. Vaneesa Agarwal and Ms. Vasuvita Singh.
[Disclaimer: This article is for academic purpose and is solely to provide readers with general information regarding developments in Indian law. For specific queries, please write to us at firstname.lastname@example.org.]