The Union government has discontinued Aarogya Setu’s data access and sharing protocol, as it seeks to convert the contact tracing app into a ‘national health app’. Privacy activists, however, have raised concerns over the security of the personal data which has been collected since April 2020, even as new users download the app every day.
In a response to an application filed by the Internet Freedom Foundation (IFF) under the Right to Information Act, the government said that the Aarogya Setu Data Access and Sharing Protocol, 2020, had been discontinued since May 10, 2022. The Empowered Group on Technology and Data Management — which was the competent authority to extend the protocol — was dissolved way back in September 2020, said the RTI response.
A spokesperson for the National Informatics Center (NIC), which designed Aarogya Setu, said that the protocol was discontinued because “it had lost its relevance”. “Data sharing protocol was written primarily from the perspective of contact tracing, and now that Aarogya Setu is transitioning into a national health app, there is no relevance for it. There is no need to have it (protocol) active and running…,” the NIC spokesperson quoted above said.
Aarogya Setu was an Indian Covid-19 contact-tracing, syndromic mapping and self-assessment digital service, developed by the NIC under the Ministry of Electronics and Information Technology (MeitY) primarily as a mobile app.
Despite the ebbing of the pandemic, the app continues to see downloads. Five lakh new users downloaded the app each in April and June this year. In March, 11 lakh users were added. This is because it is linked to the CoWIN portal and citizens can use the app to download their vaccination certificates.
The IFF has expressed surprise that the protocol was extended twice after the empowered group was dissolved and has questioned what happens to the data collected by the app while the protocol was in force. “In the protocol, there were limitations on how long the data could be stored. Importantly, the protocol said that the self-assessment data, i.e., the data that users themselves enter, would not be stored for more than 180 days. It was the same with contact data, demographic and location data as well. It also said that once the protocol is discontinued, this data will be deleted,” Krishnesh Bapat, a lawyer at IFF, told ET.
In the RTI application filed by IFF, the government did not give a clear answer on whether this data has been destroyed or not, said Bapat. “Our demand is that the government immediately destroy the data that it collected on the Aarogya Setu app till May 11, 2022, the date till which the protocol was in place,” Bapat added.
When ET contacted MeitY officials, they said that the app had been handed over to the Ministry of Health and Family Welfare as it was now linked to the CoWIN portal. “Data on CoWIN app has all the provisions of data safety,” said health secretary Rajesh Bhushan.
Health ministry officials said that they plan to use the Aarogya Setu application for a bigger set of health services in the days to come.