Enabling Trust Through Effective Oversight: Response to the Protocol
- Shweta Reddy*
An assortment of digital measures have been deployed across the world to deal with the COVID-19 pandemic. These measures have amplified conversations around what qualifies as an additional safeguard to protect the privacy of the individual in the face of a public health emergency. Despite the exemptions in data protection legislations for personal data processing during such emergencies, agencies are still required to comply with core privacy principles. The requirement to provide accurate and transparent details of the processing to the individual disclosing the data is one such principle. Most of the technological measures that have been launched to combat the spread of the virus require active and truthful disclosures from the individual. The significance of compliance with the transparency principle has been heightened due to the accelerated pace at which these applications are being developed and deployed. Such compliance is needed to instill trust in the individual to promote such active disclosures. One way to accentuate the trust building process, in addition to updating privacy policies and releasing the source code of the application, is to have strong oversight mechanisms over the data that is being processed, and to publicly disclose the existence of such mechanisms. Providing clarity around the oversight and enforcement mechanisms adopted to reasonably restrict privacy is one of the measures that can aid in transparent processing. This essay will examine the oversight mechanisms for contact tracing applications implemented in other countries (Australia, Singapore, and South Africa) to identify key activities that the Ministry of Electronics and Information Technology (‘MEITY’), or any other independent authority, can specifically be tasked with.
Considering the nature of digital measures to combat the pandemic, the oversight mechanisms should ideally be found in the data protection legislations of the countries. Most of these legislations establish an independent authority that is tasked with the duty of enforcing the obligations mandated under the legislation. In order to enforce these obligations, the Authority is granted certain investigative and corrective powers. Since most of the measures have been launched by States, the first step in evaluating the efficacy of the oversight mechanisms is to examine if the application of the legislation is extended to the government and its agencies. In the absence of such application, the existence of specific rules regarding the government processing of data needs to be examined.
Singapore was one of the first countries that launched a contact tracing application, TraceTogether.  The Personal Data Protection Act, 2012 (‘PDPA’) governs the collection, use, and disclosure of personal data by private organisations only. It doesn’t extend to the personal data processing that is undertaken by the government or its agencies. Public sector agencies are bound by the Public Sector (Governance Act), 2018 (‘PSGA’), and internal government instruction manuals where the latter are not publicly available.  The final report of the Public Sector Data Review Committee, which was set up to examine the standards of data protection for data collected by public sector agencies, suggested that the standards were as stringent as the ones imposed on the private sector.  The data protection requirements in the PSGA are limited to authorized disclosures of data and penalties for noncompliance. The Personal Data Protection Commission is the independent data protection authority established under the PDPA. However, this authority doesn’t enforce data protection obligations on the public sector agencies. The specific authority responsible for the enforcement of the PSGA, or the internal government guidelines on data protection, is unclear. It has been argued that the lack of transparency around the government processing of data from TraceTogether is one of the reasons  for its low adoption rate among the citizens of Singapore.
In countries with no data protection legislations, a clear indication of the authority supervising the personal data processing by the government may not be present. Sectoral regulations or rules under their disaster management regulations need to be examined.
III. South Africa
In South Africa, the Regulations issued under the Disaster Management Act, 2002 require the National Department of Health to maintain a COVID-19 tracing database.  South Africa passed its data protection law, Protection of Personal Information Act, in 2013. However, not all the provisions in the legislation were made operational. The Information Regulator, which was set up in 2016, has issued a guidance note  on the lawful processing of personal data for containing COVID-19. There is an emphasis on requiring the government to adhere to the principles laid down in the guidance note. The exact nature of the enforcement power of the Regulator with respect to the COVID data is unclear as the Act finally became operational  on July 1, 2020, around a month after the setting up of the electronic database. However, the regulations mandating the setting up of the electronic tracking database have sections  on oversight of the data being processed. The Director General of Health (DG) is required to provide weekly reports on the data being included in the database to a designated COVID-19 judge. Based on the details collected, the judge has the power to recommend changes in the regulation. Post the pandemic, the DG is required to submit a report to the judge providing details of the de-identification and destruction of the database. The judge has the power to recommend any further steps for protecting the privacy of the individual.
Despite having relatively stringent data protection legislations, Australia and Singapore approach the personal data processing by the public sector differently. Assurances of the adequate level of standards of protection might not inspire confidence in the absence of clarity around enforcement of those obligations. Prior to the pandemic, the government of Singapore laid emphasis  on their duties to deliver integrated services as a justification for a separate legislation for the public sector. However, the need for transparency in the current scenario should have prompted further clarifications on the oversight and enforcement provisions. Australia’s Amendment, on the other hand, apart from providing more details around the personal data processing than the initial Determination, also expands the functions and powers of the Information Commissioner with respect to the COVIDSafe data. Even in the absence of an enforceable data protection framework at the time of deploying the electronic tracking data base in South Africa, there has been an attempt at providing some degree of oversight over the COVID data. This has been undertaken through the responsibilities of the Director-General of Health and the designated COVID-19 judge, through the Regulations under the Disaster Management Act.
IV. The Current Scenario in India
On the issue of oversight, the Aarogya Setu Data Access and Knowledge Sharing Protocol (‘the Protocol’) merely states that the MEITY is responsible for the implementation of the protocol. Details regarding the nature of duties and powers that the MEITY can exercise to further the implementation of the Protocol are absent. The Protocol also provides for penalties under the Disaster Management Act, 2005 and other legal provisions, in case of any violations of the directions provided. Neither the Act nor the Protocol provide details of the specific offences that will be applicable to the entities that are currently part of the ecosystem, or of the authority responsible for prosecuting these offences. The requirement of conducting an audit is provided for only in relation to the third parties with whom ‘response data’ has been shared, and not for the primary data fiduciary itself. The lack of clear accountability mechanisms in the protocol does not reassure the public of the intentions of the personal data processing. Purely relying on the number of downloads as a metric of trust is ill-advised due to the societal pressures in downloading the application in certain situations.
Since most of the countries with established data protection frameworks have independent authorities overseeing the personal data processing, the accountability mechanisms are much clearer. However, opting for closed-door accountability as was done in Singapore, due to the difference in treatment of public sector and private sector data processing, will be counterintuitive to the process of establishing trust. In India, the absence of a data protection framework diminishes the right to privacy of the individual. Hence, additional precautions should have been taken to provide clear oversight and enforcement mechanisms at the time of deployment of the application. Since the project is being driven by the central government, assigning the task of providing oversight to another agency of the central government raises questions regarding the agency’s independence. The MEITY’s ability to provide independent and effective oversight should be reconsidered. In the absence of sufficient evidence of independence, an oversight board  that is not Executive-dominant should be constituted at the earliest. The investigative and corrective powers of such a Board in the event of a data breach or a violation of the measures governing the processing should be clearly laid down. The Board should have the power to periodically review the privacy and security safeguards of the application, and disclose the results of the review to the public. The Board should also have enforcement powers over the potential function creep issues regarding the application., Further, it should provide for transparent mechanisms to ensure the deletion of data after the application ceases to exist (after the modification of the sunset clause  in the Protocol).
Arguments opting for dealing with the pandemic first and privacy later dilute the essence of the fundamental right to privacy of the individual. It is imperative to focus on the non-binary nature of the privacy and health trade-off, and implement the necessary safeguards. A clear indication of the authority responsible for ensuring compliance with the framework that governs the management of personal data collected, including the specific powers that exist with the authority to ensure such compliance, will indicate the government’s intention to uphold the privacy of the individual despite the challenging circumstances.
*Shweta Reddy is currently a Programme Officer at the Centre for Internet and Society.
 Smart Nation Singapore, ‘Launch of a new app for contact tracing’ (Smart Nation Singapore, 20 March 2020 accessed 18 August 2020.
 Felicia Choo, ‘Parliament: Public agencies not governed by PDPA because of fundamental differences in how they operate’ (The Strait Times, 1 April 2019) accessed 18 August 2020.  Public Sector Data Security Review Committee, ‘Public Sector Data Security Review Committee Report’ (Smart Nation Singapore, November 2019) accessed 18 August 2020.