Joint Letter to the Central and State Governments on Unwarranted, Excessive, Collection and Processing of Personal Data of Individuals during the ongoing COVID-19 Pandemic
March 31, New Delhi: Delhi-based non-profit legal services organization SFLC.IN along with a coalition of non-profit organisations, civil society groups, lawyers, public policy professionals, technologists, social activists, entrepreneurs, and citizens voice their concerns urging the government to resort to strict legal measures to regulate and supervise the collection, and subsequent processing of personal data of individuals during the ongoing COVID-19 pandemic.
A joint letter was sent to Shri Amit Shah, Home Minister, Shri Harsh Vardhan, Minister of Health and Family Welfare, Shri Ravi Shankar Prasad, Minister of Electronics and Information Technology, as well as heads of various State Governments urging them to process the personal data of individuals within the territory of India, and conduct the monitoring of persons, only as per the law laid down through various judgments of the Supreme Court of India and the norms and principles enunciated therein. Any unwarranted, excessive, collection and processing of personal data can cause irreversible harms or violations of informational and bodily privacy of an individual.
The organisations who have signed are CCAOI, Digital Empowerment Foundation, Free Software Movement of India, Internet Democracy Project, Internet Freedom Foundation, Internet Society-Delhi Chapter, IT For Change, SFLC.in and Swathanthra Malayalam Computing.
Prasanth Sugathan, Voluntary Legal Director, SFLC.in said that “Central and State Governments are taking various steps like publishing information of patients and persons under quarantine and are coming out with apps that collect and process personal information. Although this is an extraordinary situation, care should be taken to ensure that the personal information of individuals are handled securely and with due care respecting their privacy rights. Any measure adopted for public health purpose should be the least intrusive and should not violate the privacy rights of individuals. Publishing of route maps and contact tracing should be done without publishing the personal details of patients”
The letter highlights the following principles that the governments should follow while processing data during the ongoing Covid-19 Pandemic:
Time-Limited: All measures related to the public emergency response to COVID-19 should be temporary in nature and limited in scope and should not become permanent features of governance. The personal data collected for the purpose of public health should only be retained during the response to the pandemic and deleted automatically without maintaining any copies, once the pandemic has been declared to be over.
Necessity and Proportionality: Any collection, processing of personal data, including health data, shall be necessary and proportionate for the purpose of combating the pandemic and public health. In some states the list of persons who are under quarantine have been made public in the guise of public monitoring. This is excessive and a disproportionate invasion into the privacy of the individuals under quarantine.
Transparency and Accountability: Processing of personal data must be conducted transparently, and appropriate notices must be provided about use, collection and purpose in an easy to read, plain language format. Individuals must be informed as to the volume, extent, and purpose of the personal data belonging to them being collected, processed, stored or transferred to any person.
Use Restrictions: No use of the data unconnected to public health should be allowed. Use of such data for advertisement and commercial purposes unrelated to public health should be completely prohibited. No discrimination shall be meted out to individuals in the collection and processing of personal data during this pandemic and such personal data shall not be used to discriminate any individual in the future.
Security:Security protections for data processing during the Covid-19 pandemic should not be compromised and the data must be maintained securely and must be exchanged only through secure platforms and hardware. Any apps related to COVID-19 promoted by the Government should be secure and their data collection should be in tune with the principles mentioned herein.
No Surveillance without Due Process:Any surveillance required to respond to the pandemic should be temporary and only to the extent and degree allowed by provisions of the Indian Telegraph Act, 1885 and the Information Technology Act, 2000 and the rules notified under these statutes. Any surveillance pursuant to the aforementioned statutes and other relevant laws such as the Epidemic Diseases Act, 1987, and the Code of Criminal Procedure, 1973 used for the monitoring of individuals during this pandemic are subject to judicial review.
About SFLC.IN
SFLC.IN is a donor-supported legal services organisation that brings together lawyers, policy analysts, technologists, and students to protect freedom in the digital world. SFLC.in promotes innovation and open access to knowledge by helping developers make great Free and Open Source Software, protect privacy and civil liberties for citizens in the digital world by educating and providing free legal advice and help policy makers make informed and just decisions with the use and adoption of technology.
For further communication:
Prasanth Sugathan
Voluntary Legal Director, SFLC.IN
prasanth @sflc.in
+91 9013585902
Read the letter below:
March 31, 2020
To
The Home Minister,
Ministry of Home Affairs,
Government of India,
North Block, New Delhi – 110001
Sir,
Sub: Concerns over protection of privacy of citizens in the wake of COVID-19 pandemic
We the undersigned, are a coalition of non-profit organisations, civil society groups, lawyers, public policy professionals, social activists, entrepreneurs, and concerned citizens involved in the promotion and protection of digital rights and freedoms. We note, with concern, every step taken by the Central Government, in tandem with the State Governments to deal with the spread of the novel Corona virus (COVID-19) including the instructions to curb misinformation being spread through Internet-based communication services.
As we face this unprecedented situation, we recognise that responsible and proper use of personal data has potential to be used for beneficial purposes. We understand and see the uses of data as a means of prediction, analysis, and strategic planning for government and health authorities. However, processing of personal data of individuals within the territory of India, and monitoring of persons, should only be conducted per the law laid down through various judgments of the Supreme Court of India and the norms and principles enunciated therein. Any unwarranted, excessive, collection and processing of personal data can cause irreversible harms or violations of informational and bodily privacy of an individual.
The current situation warrants prompt and comprehensive extraordinary action from the State but under no circumstances should such measures permit use of data for marketing or commercial purposes. Any waiver of privacy protection or data rights must only be to serve public health. Any processing of health data must be conducted with strict restrictions in place. Any increased access
to personal or sensitive data allowed to companies or Government agencies should be limited in time and such access should be removed once the health emergency has passed.
We strongly urge that any steps taken by the Central or State Governments must include privacy and data protection for data that is being collected now or screened from already existing databases and being used in novel ways and strictly adhere to the following principles:
Time-Limited: All measures related to the public emergency response to COVID-19 should be temporary in nature and limited in scope and should not become permanent features of governance. The personal data collected for the purpose of public health should only be retained during the response to the pandemic and deleted automatically without maintaining any copies, once the pandemic has been declared to be over.
Necessity and Proportionality: Any collection, processing of personal data, including health data, shall be necessary and proportionate for the purpose of combating the pandemic and public health. In some states the list of persons who are under quarantine have been made public in the guise of public monitoring. This is excessive and a disproportionate invasion into the privacy of the individuals under quarantine.
Transparency and Accountability: Processing of personal data must be conducted transparently, and appropriate notices must be provided about use, collection and purpose in an easy to read, plain language format. Individuals must be informed as to the volume, extent, and purpose of the personal data belonging to them being collected, processed, stored or transferred to any person.
Use Restrictions: No use of the data unconnected to public health should be allowed. Use of such data for advertisement and commercial purposes unrelated to public health should be completely prohibited. No discrimination shall be meted out to individuals in the collection and processing of personal data during this pandemic and such personal data shall not be used to discriminate any individual in the future. Health data needs to be kept confidential and secure, and should be deleted automatically following the pandemic.
Security: Security protections for data processing during the Covid-19 pandemic should not be compromised and the data must be maintained securely and must be exchanged only through secure platforms and hardware. Any apps related to COVID-19 promoted by the Government should be secure and their data collection should be in tune with the principles mentioned herein.
No Surveillance without Due Process: Any surveillance required to respond to the pandemic should be temporary and only to the extent and degree allowed by provisions of the Indian Telegraph Act, 1885 and the Information Technology Act, 2000 and the rules notified Therein. Any surveillance measures pursuant to the aforementioned statues or other relevant laws such as the Epidemic Diseases Act, 1987, and the Code of Criminal Procedure, 1973 used for the monitoring of individuals during this pandemic are subject to judicial review.
We urge you, therefore, to ensure that the above principles are followed in the collection and processing of personal data of individuals during the ongoing COVID-19 pandemic.
Sincerely,
CONCERNED CITIZENS/ ORGANISATIONS:
1. CCAOI
2. Digital Empowerment Foundation
3. Free Software Movement of India
4. Internet Democracy Project
5. Internet Freedom Foundation
6. Internet Society, Delhi Chapter
7. IT For Change
8. SFLC.IN
9. Swathanthra Malayalam Computing
10. Chetan Gupta, Member, Advisory Body, SFLC.IN
11. Faisal Farooqui, CEO, MouthShut.com
12. Geeta Seshu, Member, Advisory Board, SFLC.IN
13. Dr.Nagarjuna, Member, Governing Board, SFLC.IN
14. Prof. Rahul De’, Professor and Chair, Information Systems Area, IIM, Bangalore
15. Satish Babu, Member, Governing Board, SFLC.IN
16. Smriti Parsheera, Technology Policy Researcher
17. Sivahari Nandakumar, Free Software Activist
18. Tahir Amin, Member, Member, Advisory Board, SFLC.IN
19. Venkatesh Hariharan, Member, Governing Board, SFLC.IN
20. Vickram Crishna, Member, Advisory Body, SFLC.IN
For further communication:
Prasanth Sugathan
Voluntary Legal Director, SFLC.IN
prasanth @sflc.in
Copy to:
The Home Secretary
Ministry of Home Affairs,
Government of India,
Room 113, North Block,
New Delhi – 110001