The Indian government’s Covid-19 contact tracing app, Aarogya Setu recently set a new record of 5 crore downloads. The app has been encouraged by Prime Minister Narendra Modi, and government agencies as well. The app’s privacy policy has also been under scrutiny with data collection of users being the key factor here. Aarogya Setu has now updated its privacy policy with more clarity on how it uses data.
Users were not notified of the updated privacy policy in Aarogya Setu. This was first spotted by Medianama which made a comparison between the old and new privacy policy. It’s important to note here that Aarogya Setu requires Bluetooth and location tracking permissions all the time to alert users if they came in close proximity with a Covid-19 patient.
Aarogya Setu’s privacy policy states that information collected will be stored on a server which is operated and managed by the government. Information collected includes name, phone number, age, sex, profession and countries visited in the last 30 days. This is basically all the information users are asked to provide while registering on the app. All this will be stored with a unique digital id (DiD).
Now when two users come in contact, the DiDs will be exchanged and stored on each other’s devices. The privacy policy states that the information will be stored safely and that the other user will not have any access. The app also collects location data of the user every 15 minutes, and this is said to be stored on their phone. Only if the user tests positive for Covid-19 or the self-assessed symptoms indicate it, will it be uploaded to the server.
Personal information of the user along with their DiD will be interlinked when they have to inform the person that they have Covid-19 and “to provide persons carrying out medical and administrative interventions”.
The privacy policy states that all personal information collected will be purged from the app after 30 days if it hasn’t been uploaded to the server. Information of those who have not tested positive for Covid-19 will be purged from the server within 45 days, and for those who have tested positive it will be 60 days. Now for those who wish to unregister their account, information provided will expire after 30 days.
It also says that user data is encrypted at all levels from the entry till the end point, and even on another user’s device when the DiDs are exchanged.