Data collected on Aarogya Setu will be wiped after 180 days, says new protocol

Data obtained through the Aarogya Setu app will be permanently deleted by the National Informatics Commission (NIC) after 180 days from the date of collection, according to the latest data access and knowledge sharing protocol by the Ministry of Electronics and Information Technology (MeitY). 

Information collected by the contact tracing app includes demographic data on name, mobile number, age, gender profession and travel history of a person, contact data, self-assessment data and geographical location.

Data on Covid-19 positive users was previously stored in central servers for a period of 60 days. Now, the data can be stored for a maximum of 180 days. 

The notification on the change in data processing rules was issued on Monday. It states that the developer of the Aarogya Setu app, NIC, will have to permanently delete demographic data related to an individual if requested by the person within a period of 30 days. However, this is liable to the final decision taken by the empowered group on technology and data management for Covid-19 response constituted by the government. 

“Contact and location data shall by default, remain on the device on which the Aarogya Setu mobile application has been installed after such data has been collected. It may be uploaded to the server only for the purpose of formulating or implementing appropriate health responses,” said the notification.

The new protocol also states that government agencies, bodies and public health institutions with access to the anonymised data will be held liable for any disclosure of information. 

The NIC can also share user data in a hard anonymised form with universities or research institutions registered in India for academic purposes and will be bound by obligations and penalties under the Disaster Management Act 2005. All government entities and institutions remain subject to audits by the central government.

The app’s privacy policy has also been updated. Under the rights of the users, it states that “you cannot manage the communications that you receive from us or how you receive them. If you no longer wish to receive communications from us, you may cancel your registration.” 

Read: Aarogya Setu app gets privacy policy changes, state-wise dashboard

The app has registered 98 million downloads since its launch in early April,  according to data provided by the chairman of the empowered group on technology and data management, Ajay Sawhney during a press briefing.

The announcements were made by MeitY in the light of security flaws and privacy issues in the app, alleged by France-based ethical hacker, Elliot Alderson. During the announcements related to the third phase of the extension of the national lockdown, the government of India made it mandatory to download Aaorgya Setu app for public and private sector employees, holding heads of businesses liable for a failure to do the same.

The protocol will be reviewed by the empowered group after a period of six months.