Data of about 13,000 Aarogya Setu App users, who have tested positive for coronavirus ( COVID-19 ), have so far been transferred to the server for health intervention, according to the Empowered Group on Technology and Data Management Chairman, Ajay Sawhney.
Watch | How does the Aarogya Setu app work?
On Monday, the Empowered Group Chairman issued an order notifying the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020, that lays down the guidelines for collection, processing, storage and sharing of the “anonymised” data.
Stating that Aarogya Setu had contributed immensely to the fight against COVID-19 , Mr. Sawhney claimed that privacy protection was the primary consideration while developing the App. It stores an encrypted signature when the user comes in proximity with other registered devices. This interaction information is not pushed to the server unless the user turns positive.
Till 60 days
He claimed that encrypted data of all users, stored in their devices, get deleted automatically in 30 days. Data of the users who undergo tests are kept for 45 days and for those who have tested positive, it is stored in the server till 60 days from the day they are cured.
Aarogya Setu app promoting a few e-pharmacies, says SJM
Based on the data of less than 13,000 users who tested positive, alerts were sent to about 1.40 lakh users, he said. About 9.8 crore people had so far downloaded the contact-tracing App. The same service would soon be made available in feature phones.
Mr. Sawhney claimed that upon sign-up, every App user was assigned a unique randomised anonymous device ID. All communications between two devices and between the device and the server was done using the ID. No personal detail was used or shared with anyone.
What are the concerns around the Aarogya Setu?
The location data was used in case the person tested positive, only to map places the user visited in the past 14 days, for sanitisation and testing of people to prevent further spread.
Hot spots
The information was combined with self-assessment data to identify the areas that were likely to turn into a hotspot. The details were shared with district and State authorities for timely preventive steps. The tool had helped in identification of 697 such potential hotspots, said Mr. Sawhney.
The Aarogya Setu Data Access and Knowledge Sharing Protocol states that the contact and location data will, by default, remain on the device on which the App is installed. It may be uploaded to the server only for the purpose of formulating or implementing appropriate health responses.
The contact, location and self assessment data, collected by the National Informatics Centre (NIC), will not be retained beyond the period necessary to satisfy the purpose for which it is obtained. The period, unless a specific recommendation to this effect is made, will not ordinarily extend beyond 180 days from the date on which it is collected, after which it will be permanently deleted, it says.
Demographic data of an individual, collected by the NIC, will be retained for as long as the Protocol remains in force or if the individual requests that it be deleted, for a maximum of 30 days from such request, whichever is earlier.
Any violation of the directions under the Protocol may lead to penalties under the Disaster Management Act, 2005 and other applicable legal provisions.
The Empowered Group will review the Protocol after six months or earlier, as and when it deems fit. Unless specifically extended, it will remain in force for six months.
