March 31, New Delhi: Delhi-based non-profit legal services organization SFLC.IN, along with a coalition of non-profit organisations, civil society groups, lawyers, public policy professionals, technologists, social activists, entrepreneurs, and citizens, voice their concerns, urging the government to resort to strict legal measures to regulate and supervise the collection and subsequent processing of personal data of individuals during the ongoing COVID-19 pandemic.
A joint letter was sent to Shri Amit Shah, Home Minister, Shri Harsh Vardhan, Minister of Health and Family Welfare, Shri Ravi Shankar Prasad, Minister of Electronics and Information Technology, as well as heads of various State Governments, urging them to process the personal data of individuals within the territory of India, and conduct the monitoring of persons, only as per the law laid down through various judgments of the Supreme Court of India and the norms and principles enunciated therein. Any unwarranted or excessive collection and processing of personal data can cause irreversible harms or violations of informational and bodily privacy of an individual.
The organisations who have signed are CCAOI, Digital Empowerment Foundation, Free Software Movement of India, Internet Democracy Project, Internet Freedom Foundation, Internet Society-Delhi Chapter, IT For Change, SFLC.in and Swathanthra Malayalam Computing.
Prasanth Sugathan, Voluntary Legal Director, SFLC.in said that “Central and State Governments are taking various steps like publishing information of patients and persons under quarantine and are coming out with apps that collect and process personal information. Although this is an extraordinary situation, care should be taken to ensure that the personal information of individuals is handled securely and with due care respecting their privacy rights. Any measure adopted for public health purpose should be the least intrusive and should not violate the privacy rights of individuals. Publishing of route maps and contact tracing should be done without publishing the personal details of patients.”
The letter highlights the following principles that the governments should follow while processing data during the ongoing Covid-19 Pandemic:
Time-Limited: All measures related to the public emergency response to COVID-19 should be temporary in nature and limited in scope and should not become permanent features of governance. The personal data collected for the purpose of public health should only be retained during the response to the pandemic and deleted automatically without maintaining any copies, once the pandemic has been declared to be over.
Necessity and Proportionality: Any collection or processing of personal data, including health data, shall be necessary and proportionate for the purpose of combating the pandemic and public health. In some states the list of persons who are under quarantine has been made public in the guise of public monitoring. This is an excessive and disproportionate invasion into the privacy of the individuals under quarantine.
Transparency and Accountability: Processing of personal data must be conducted transparently, and appropriate notices must be provided about use, collection and purpose in an easy to read, plain language format. Individuals must be informed as to the volume, extent, and purpose of the personal data belonging to them being collected, processed, stored or transferred to any person.
Use Restrictions: No use of the data unconnected to public health should be allowed. Use of such data for advertisement and commercial purposes unrelated to public health should be completely prohibited. No discrimination shall be meted out to individuals in the collection and processing of personal data during this pandemic and such personal data shall not be used to discriminate against any individual in the future.
Security: Security protections for data processing during the Covid-19 pandemic should not be compromised and the data must be maintained securely and must be exchanged only through secure platforms and hardware. Any apps related to COVID-19 promoted by the Government should be secure and their data collection should be in tune with the principles mentioned herein.
No Surveillance without Due Process: Any surveillance required to respond to the pandemic should be temporary and only to the extent and degree allowed by provisions of the Indian Telegraph Act, 1885 and the Information Technology Act, 2000 and the rules notified under these statutes. Any surveillance pursuant to the aforementioned statutes and other relevant laws such as the Epidemic Diseases Act, 1987, and the Code of Criminal Procedure, 1973 used for the monitoring of individuals during this pandemic is subject to judicial review.
SFLC.IN is a donor-supported legal services organisation that brings together lawyers, policy analysts, technologists, and students to protect freedom in the digital world. SFLC.in promotes innovation and open access to knowledge by helping developers make great Free and Open Source Software, protects privacy and civil liberties for citizens in the digital world by educating and providing free legal advice, and helps policy makers make informed and just decisions with the use and adoption of technology.
For further communication:
Voluntary Legal Director, SFLC.IN