Centre ends Aarogya Setu data protocol; what happens to stored public data?

When COVID raged across two horrific waves, the Aarogya Setu app was the linchpin of the Centre’s efforts to contain the pandemic. It was deployed for contact tracing. Subsequently, it was used extensively for the vaccination drive.

Now, with the contagion ebbing and the vaccination drive running a course of its own, the question arises on what happens to the Aarogya Setu app, and the massive amounts of data it has collected.

To answer the first question, the Centre intends to convert the contact tracing app into a ‘national health app’. While there is little detail on what exactly that would involve, it is obvious that it will not be a COVID-related app anymore. Already, the app’s jurisdiction has been passed on from the Ministry of Electronics and Information Technology to the Union Health Ministry.

It is the second question that has raised data privacy concerns. The Centre has discontinued the app’s data accessing and sharing protocol. So, activists are now demanding that the public data collected on the app since April 2020 be destroyed, as it can easily lend itself to misuse.

Protocol discontinued 

In response to an RTI (Right to Information Act) application filed by the Internet Freedom Foundation (IFF), the Centre said that the Aarogya Setu Data Access and Sharing Protocol 2020 has been discontinued since May 10, 2022. Further, the Empowered Group on Technology and Data Management, which had the power to extend the protocol, was dissolved in September 2020.

You can read the text of the RTI response and a summarised timeline of the Aarogya Setu Protocol on the following link. https://t.co/Z8dc5dhqaE

— Internet Freedom Foundation (IFF) (@internetfreedom) July 29, 2022

According to the National Informatics Centre (NIC), which designed Aarogya Setu, the app has lost its relevance and hence does not need to have an active protocol running it. 

“Data sharing protocol was written primarily from the perspective of contact tracing, and now that Aarogya Setu is transitioning into a national health app, there is  no relevance for it. There is no need to have it (protocol) active and running,” said an NIC spokesperson in the RTI response, as cited by an Economic Times report.

Downloads are still on

Meanwhile, Indians are continuing to download the app, said media reports. In April and June this year alone, 10 lakh downloads were seen, said ET. In March, there were 11 lakh downloads. The downloads are mostly because the app is linked to the CoWIN portal, from which citizens can download their COVID vaccination certificates. These certificates are required for certain travel and other purposes.

The IFF has raised the concern that the protocol was extended twice after the Empowered Group was dissolved. 

In the RTI response, the Centre did not provide an answer on whether or not the public data collected during the period protocol is still active or destroyed.

However, the Aarogya Setu Data Access and Sharing Protocol, which mandates the entry of contact and location, had earlier stated that personal data of the app’s user is permanently deleted after 180 days from the day on which it was collected. The protocol also stated that personal data will be strictly used for the purpose of formulating appropriate health responses.