New Delhi: Despite clear assurances from the Ministry of Electronics and Information Technology (MeitY) that the Aarogya Setu app data was secure and would “strictly” be used for formulating, implementing or improving health responses, a Right to Information query has revealed that in Kulgam district of Jammu and Kashmir, the chief medical officer shared users’ data with the local police. This also happens to be the first instance of a state administration admitting to sharing Aarogya Setu data with the police authorities.
The matter came to light when RTI activist Saurav Das filed an application with the National Informatics Center (NIC), which is responsible for the development and management of the Aarogya Setu app. He asked about the data and if it was shared with other agencies.
The NIC, which maintains details of the agencies with which the app data is shared, transferred the appeal to the Jammu and Kashmir administration in October 2020, stating that the plea “does not relate to NIC and may relate” to the Department of Health and Family Welfare of the union territory.
Recently, Das received a response from the Office of the Chief Medical Officer of Kulgam stating that information in the Aarogya Setu app was “shared with IT Cell, Department of Police, District Kulgam”. It further stated that the department had shared the “positive list” and “recovery and deaths” details with the police authorities.
Reacting to the findings, Das issued a series of tweets. “Our fears have come true, at least on record. I can now confirm that at least one State Government has shared people’s Aarogya Setu data with a law enforcement agency. Jammu & Kashmir’s Kulgam district has done so with the Kulgam Police,” he wrote in one of them.
He also asked what was the need for the police to seek such health-related information: “Further, why does the Police Department need to have our health data? And if does need to have our data, why wasn’t this disclosed to the people? Was their consent obtained? No.”
The RTI activist added that “Perhaps data has been shared with law enforcement agencies by Govt authorities elsewhere in India… cannot be ruled out. At least now, we have 1 Dept admitting to this. The RTI reply has come after months of perseverance.”
He also noted that in October 2020, his investigation had revealed that the Government of India had failed to implement its own rules relating to data sharing and data protection of Aarogya Setu.
In a tweet, Das also questioned why the Kulgam police had “directed” the CMO to share the data with them. He said “the reasons are unclear”.
Experts, civil society members had cautioned PMO against app misuse
The RTI has revealed what experts had always feared – that the Aarogya Setu data could end up being used for purposes other than those related to health alone. Soon after the app was launched at the start of the COVID-19 pandemic, over 40 technology rights and civil society organisations had cited surveillance concerns and written to the Prime Minister’s Office (PMO), protesting against the app’s mandatory use.
Among other things, the petition had stated: “At present, the Aarogya Setu app is operating in a legal vacuum and its Privacy Policy and Terms of Service do not comply with data protection principles of purpose limitation, data minimisation, storage limitation, accuracy, integrity and confidentiality, and transparency and fairness in processing.”
It added that, “In the absence of a legislative guarantee containing a sunset clause, sensitive personal data… could be misused for profiling and mass surveillance even after the COVID-19 outbreak is over.”
The Ministry of Electronics and Information Technology had on May 11 said that the contact tracing app had been developed keeping in mind privacy and security concerns. It had also released ‘The Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020’ to illustrate how the app data would be collected and shared.
However, as the latest RTI exposé has revealed, the adherence to the norms provided therein has not addressed the concerns pertaining to data security.