A coalition of citizens, on Tuesday, 31 March, wrote to Union Home Minister Amit Shah as well as other central ministers, urging the government to ensure that principles of privacy are followed in the collection and processing of personal data of individuals during the ongoing COVID-19 pandemic.
It states that the processing personal data and monitoring individuals should only be conducted as per the law laid down through various judgments of the Supreme Court of India, norms and principles.
The letter was also sent to Minister of Health and Family Welfare Harsh Vardhan; Minister of Electronics and Information Technology Ravi Shankar Prasad; Minister for Civil Aviation Hardeep Singh Puri, as well as chief ministers of all the state governments.
The appeal to central and state governments comes soon after reports emerged of personal data of quarantined citizens being circulated on WhatsApp.
While Karnataka government also announced it would seek hourly selfies, Andhra Pradesh government has decided to track mobile signals of those who are in home- quarantine. Moreover, volunteer drone operators working with state administrations have also undertaken the aerial surveillance of public spaces in Gujarat.
The letter, written by the Software Freedom Law Centre India (SFLC.In) was signed by digital rights organisations including Internet Freedom Foundation, civil society groups, lawyers, public policy professionals, social activists, entrepreneurs, and individual citizens involved.
“Although this is an extraordinary situation, care should be taken to ensure that the personal information of individuals are handled securely and with due care respecting their privacy rights,” said Prasanth Sugathan, Voluntary Legal Director, SFLC.in
“Any measure adopted for public health purpose should be the least intrusive and should not violate the privacy rights of individuals. Publishing of route maps and contact-tracing should be done without publishing the personal details of patients,” Sugathan added
Privacy Violations in Time of COVID-19
Days after the Karnataka government sought hourly selfies from those home quarantined, the Andhra Pradesh government has decided to track the mobile signals of those in home isolation.
This massive exercise will be coordinated by State Disaster Management Authority and the government has already partnered with the service providers in the state to roll out the project.
On 27 March, a document containing the personal information of 722 quarantined residents of New Delhi, including phone numbers, full address, and passport number, was shared on WhatsApp.
A similar document of Hyderabad residents who had returned from abroad in March was also reported to have been circulated. In Bengaluru, the state’s Health Department itself had uploaded a list of 15,000 individuals, with their address and phone number, on Twitter. Karnataka health officials had said this was done to create awareness.
Letter Highlights 6 Privacy Principles
Time-Limited: All measures related to the public emergency response to COVID-19 should be temporary in nature and limited in scope and should not become permanent features of governance. The personal data collected for the purpose of public health should be deleted automatically without maintaining any copies, once the pandemic has been declared to be over.
Necessity and Proportionality: Any collection, processing of personal data, including health data, shall be necessary and proportionate for the purpose of combating the pandemic and public health. In some states, the list of persons who are under quarantine have been made public under the guise of public monitoring.
Transparency and Accountability: Processing of personal data must be conducted transparently, and appropriate notices must be provided about use, collection and purpose in an easy to read, plain-language format. Individuals must be informed as to the volume, extent, and purpose of their personal data being collected, processed, stored or transferred.
Use Restrictions: No use of the data unconnected to public health should be allowed. Use of such data for advertisement and commercial purposes unrelated to public health should be completely prohibited. Health data needs to be kept confidential and secure, and should be deleted automatically after the pandemic.
Security: Security protections for data processing during the COVID-19 pandemic should not be compromised and the data must be maintained securely and must be exchanged only through secure platforms and hardware.
Any apps related to COVID-19 promoted by the government should be secure and their data collection should be in tune with the principles mentioned.
No Surveillance Without Due Process: Any surveillance required to respond to the pandemic should be temporary and only to the extent and degree allowed by provisions of the Indian Telegraph Act, 1885 and the Information Technology Act, 2000 and the rules notified therein.
(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)