"The Blind Men and the Elephant" is an ancient Indian parable that should be revisited in these unprecedented times. The following is a rendition of the parable:
"An elephant comes to a village, and a group of blind men become curious about its form and appearance. They decide to feel the elephant individually to work out what it is really like. One blind man feels the elephant's ear and declares, 'an elephant is like a big fan'; another feels the elephant's leg and says, 'an elephant is like a tree trunk'; and the others come up with equally preposterous but relevant analogies. Then a wise man passing by suggests that the blind men feel all the other parts of the elephant. On doing so, the blind men realize that the elephant is composed of many parts and that, before the wise man's suggestion, they had only a limited understanding of the elephant's physicality."
Data privacy amid the COVID-19 outbreak is much like that elephant. If we focus solely on individual freedoms and rights, we risk compromising the larger public interest in both life and livelihood, and vice versa. It is therefore critical to examine the technological interventions deployed to combat COVID-19 against the benchmark of a balance between civil liberties and the public interest.
COVtech in India
As India continues its fervent efforts toward combating COVID-19, the government, following the example of Singapore's TraceTogether, launched a contact tracing application, Aarogya Setu (Sanskrit for "bridge to health"). This app comes in addition to a variety of technological measures deployed to enable contact tracing, location monitoring and lockdown enforcement. These measures range from facial-recognition systems for home-quarantined individuals and hourly, real-time geotagged selfie check-ins to personal safety applications such as DROR, which facilitates social distancing.
While there is no denying that these technological interventions are imperative for identifying hot spots, enabling collaboration between relief agencies, allocating resources and supporting rapid decision making, it is equally pertinent to analyze whether privacy by design was a guiding factor in developing these countermeasures. Moreover, such interventions carry the risk of systematic mass surveillance, and one needs to be cognizant of that risk, especially since India lacks a comprehensive data protection legal regime while the Personal Data Protection Bill (PDPB) remains pending legislative deliberation and assent.
Privacy considerations
The Supreme Court of India's judgment in KS Puttaswamy (Retd) v Anr v Union of India recognized privacy as part of the right to life and personal liberty. While the Supreme Court observed that unauthorized distribution of an individual's medical records amounts to an invasion of privacy, it laid down certain exceptions in the form of a three-part test. Restrictions on an individual's data can only be placed if they are in furtherance of a legitimate state aim, backed by law and/or necessary and proportionate to the dataset in question. Therefore, the technical measures adopted by the government should satisfy the three-part test before being enforced.
App deployment
While, at the outset, privacy by design was claimed to be the backbone of the development process, Aarogya Setu's privacy policy in particular was updated because of a lack of clarity on pertinent issues such as purpose and collection limitation, retention periods, use and third-party disclosure of data, storage location and consent. The updated privacy policy clarifies these issues by:
- Explicitly limiting the purpose for which data collected by the app can be used.
- Reiterating that personal information will not be shared with any third party except to carry out necessary medical and administrative interventions.
- Minimizing the data being collected and linking the individual’s information to a unique digital ID.
- Limiting the use of data to anonymized and aggregated datasets for the purpose of generating reports, heat maps and communications about the probability of infection, and for calculating the probability of a user developing the infection from the Bluetooth range and GPS location of app users in each other's vicinity.
- Storing location data securely on a mobile device.
- Obtaining consent prior to uploading risk assessment test results to the government server.
Moreover, the app states that user data will be retained for as long as an account remains in existence, though no mechanism to delete an account has yet been provided. Auditability and accountability should also be considered as factors affecting the privacy maturity of the app, as the privacy policy currently makes no mention of either.
Legal protection for health data
The PDPB classifies health data as sensitive personal data but is silent on any explicit regulatory and/or operational road map that could be followed to extend adequate protection to health data when it is processed by public authorities and private entities alike. At this stage, Section 43A of the Information Technology Act, 2000, read with the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, could be leveraged to derive a legally sound plan of action and to:
- Develop a privacy policy and make it easily accessible for people who are providing the information.
- Obtain consent prior to collection and to any disclosure to third parties.
- Collect information only for a lawful and necessary purpose.
- Use information only for the purpose for which it was collected, and refrain from retaining it for longer than required.
- Maintain the security of the information provided.
- Designate a grievance officer and resolve grievances within a period of one month.
- Permit transfer of sensitive personal data or information, within India or abroad, only where the receiver ensures the same level of data protection as is provided in India.
Greater emphasis should be placed on voluntary use of such interventions and on the technical security of data through encryption. Data should be stored in a decentralized manner, and both the data (health and location) and access to it should be removed in toto from government server(s) once the countermeasure apps and tools are deleted from the mobile device(s). In the absence of any privacy/security guidelines, we find ourselves in a situation where "man will always paint himself as killing the lion and never the other way around"; what remains to be seen, therefore, is whether the technology deployed will comply with collection and purpose limitation requirements, and whether consent will be given the weight it deserves as a data privacy bulwark.