India's government has released the protocol for using data gathered by its Aarogya Setu COVID-19 tracing app, weeks after its April 2nd release and after it was downloaded almost 100 million times.
The protocols [PDF], released yesterday by India's Ministry of Electronics and Information Technology (Meity), state that the state-run National Informatics Centre (NIC) will "collect only such data as is necessary and proportionate to formulate or implement appropriate health responses."
Data collected includes the user's name, mobile number, age, gender, and profession, as well as which users they have been in contact with, for how long, and where they were.
Contact, location, and self-assessment data collected by the app will by default remain on the individual user's device, but "may be" uploaded on to an NIC server, where it will be kept for a maximum of 180 days. The user's personal data can be kept for as long as the app is used, but users can request it be deleted within 30 days.
The government will share the data from the app in an anonymised form with other government agencies "with whom such sharing is necessary to assist in the formulation or implementation of a critical health response". The government will also share the data with local universities and research institutions to conduct research.
The protocol also says that the data collected through the app can be shared with third parties in cases where “it is strictly necessary to directly formulate or implement appropriate health responses".
The guidelines come amid increased concerns about how the data collected by the app will be used. Last week, the Ministry of Home Affairs made downloading the app mandatory for employees returning to offices. Critics have argued that's illegal while opposition parties have called for greater transparency on the app's operations.
Aarogya Setu has 98.5 million downloads. Bluetooth & location data of only COVID19 positive are pushed to the server. Currently data of only 13287 COVID19 positive users has been uploaded to server to identify the Bluetooth contacts & alert them. This is just 0.013% of all users.— Aarogya Setu (@SetuAarogya) May 11, 2020
The Indian government is also considering making the app mandatory for all airline passengers. Commercial flights have been suspended for the country's three-month long lockdown period that began on March 25. The third-phase of the lockdown is due to end on Sunday, but the government has not said whether it plans to resume flights.
India's railways have, however, resumed limited operations. Tickets were sold only online and the website offering them promptly crashed under the load.
As of yesterday, the app has warned 140,000 people about possible risks of infection, the government said, and identified 616 "potential hotspots.
India's government has in recent days increased messaging that the app is secure, non-intrusive and an essential tool for the nation during the pandemic. ®
Sponsored: Ransomware has gone nuclear