March 31, 2020
To Shri Amit Shah, Home Minister, Ministry of Home Affairs, Government of India, North Block, New Delhi — 110001
Sub: Concerns over protection of privacy of citizens in the wake of COVID-19 pandemic
We the undersigned, are a coalition of non-profit organisations, civil society groups, lawyers, public policy professionals, social activists, entrepreneurs, and concerned citizens involved in the promotion and protection of digital rights and freedoms. We note, with concern, every step taken by the Central Government, in tandem with the State Governments to deal with the spread of the novel Corona virus (COVID-19) including the instructions to curb misinformation being spread through Internet-based communication services.
As we face this unprecedented situation, we recognise that responsible and proper use of personal data has potential to be used for beneficial purposes. We understand and see the uses of data as a means of prediction, analysis, and strategic planning for government and health authorities.
However, processing of personal data of individuals within the territory of India, and monitoring of persons, should only be conducted per the law laid down through various judgments of the Supreme Court of India and the norms and principles enunciated therein. Any unwarranted, excessive, collection and processing of personal data can cause irreversible harms or violations of informational and bodily privacy of an individual.
The current situation warrants prompt and comprehensive extraordinary action from the State but under no circumstances should such measures permit use of data for marketing or commercial purposes. Any waiver of privacy protection or data rights must only be to serve public health. Any processing of health data must be conducted with strict restrictions in place. Any increased access to personal or sensitive data allowed to companies or Government agencies should be limited in time and such access should be removed once the health emergency has passed.
We strongly urge that any steps taken by the Central or State Governments must include privacy and data protection for data that is being collected now or screened from already existing databases and being used in novel ways and strictly adhere to the following principles:
Time-Limited: All measures related to the public emergency response to COVID-19 should be temporary in nature and limited in scope and should not become permanent features of governance. The personal data collected for the purpose of public health should only be retained during the response to the pandemic and deleted automatically without maintaining any copies, once the pandemic has been declared to be over.
Necessity and Proportionality: Any collection, processing of personal data, including health data, shall be necessary and proportionate for the purpose of combating the pandemic and public health. In some states the list of persons who are under quarantine have been made public in the guise of public monitoring. This is excessive and a disproportionate invasion into the privacy of the individuals under quarantine.
Transparency and Accountability: Processing of personal data must be conducted transparently, and appropriate notices must be provided about use, collection and purpose in an easy to read, plain language format. Individuals must be informed as to the volume, extent, and purpose of the personal data belonging to them being collected, processed, stored or transferred to any person.
Use Restrictions: No use of the data unconnected to public health should be allowed. Use of such data for advertisement and commercial purposes unrelated to public health should be completely prohibited. No discrimination shall be meted out to individuals in the collection and processing of personal data during this pandemic and such personal data shall not be used to discriminate any individual in the future. Health data needs to be kept confidential and secure, and should be deleted automatically following the pandemic.
Security: Security protections for data processing during the Covid-19 pandemic should not be compromised and the data must be maintained securely and must be exchanged only through secure platforms and hardware. Any apps related to COVID-19 promoted by the Government should be secure and their data collection should be in tune with the principles mentioned herein.
No Surveillance without Due Process: Any surveillance required to respond to the pandemic should be temporary and only to the extent and degree allowed by provisions of the Indian Telegraph Act, 1885 and the Information Technology Act, 2000 and the rules notified Therein. Any surveillance measures pursuant to the aforementioned statues or other relevant laws such as the Epidemic Diseases Act, 1987, and the Code of Criminal Procedure, 1973 used for the monitoring of individuals during this pandemic are subject to judicial review.
We urge you, therefore, to ensure that the above principles are followed in the collection and processing of personal data of individuals during the ongoing COVID-19 pandemic.
CONCERNED CITIZENS/ ORGANISATIONS:
- Digital Empowerment Foundation
- Free Software Movement of India
- Internet Democracy Project
- Internet Freedom Foundation
- Internet Society, Delhi Chapter
- IT For Change
- Swathanthra Malayalam Computing
- Chetan Gupta, Member, Advisory Body, SFLC.IN
- Faisal Farooqui, CEO, MouthShut.com
- Geeta Seshu, Member, Advisory Board, SFLC.IN
- Dr.Nagarjuna, Member, Governing Board, SFLC.IN
- Prof. Rahul De’, Professor and Chair, Information Systems Area, IIM, Bangalore
- Satish Babu, Member, Governing Board, SFLC.IN
- Smriti Parsheera, Technology Policy Researcher
- Sivahari Nandakumar, Free Software Activist
- Tahir Amin, Member, Member, Advisory Board, SFLC.IN
- Venkatesh Hariharan, Member, Governing Board, SFLC.IN
- Vickram Crishna, Member, Advisory Body, SFLC.IN
For further communication: Prasanth Sugathan Voluntary Legal Director, SFLC.IN prasanth @sflc.in
The Home Secretary Ministry of Home Affairs, Government of India, Room 113, North Block, New Delhi — 110001