The Ministry of Home Affairs in its advisory said company heads will be held responsible to ensure 100% coverage among employees in all private sector and public sector organisations.
This was after the government’s move to mandate downloads of its Covid-19 contact tracing app Aarogya Setu by way of strict enforcement through criminal penalties has sent alarm bells ringing among digital rights activists and technology lawyers.
Legal and privacy experts claim the app and the government’s mandate violate the Supreme Court’s Privacy judgement of 2017 and India’s Information Technology Act, which emphasises consent, proportionality and purpose limitation.
“The app does not comply with the IT Act. Its privacy policy says less and hides more,” said cyber law expert Pavan Duggal terming Aarogya Setu as a potential privacy disaster waiting to happen.
A government source said the user information is used only for administering necessary medical interventions and no other purpose. “Your location data is used, in the event you have tested positive for Covid-19, only to map the places you visited over the past 14 days in order to identify the locations that need to be sanitised and where people need to be more deeply tested and identify emerging areas where infection outbreaks are likely to occur,” said a government official on condition of anonymity.
The person claimed information of all unique interactions is stored only for 30 days on the device, post which such data is deleted, and for all data stored on the server for non-risk users, data is deleted in 45 days. For at-risk patients, data is deleted in 60 days, the official added. The person added the order is under Disaster Management Act, and the code of the app will be made open source soon. “Those who want to go to work need the App for their own safety,” he said.