A large part of the current effort between the Union and state governments in contact tracing, widespread testing, disease surveillance and quarantining is being coordinated under the Integrated Disease Surveillance Project (IDSP), the decentralised state-based disease surveillance programme established in 2004 with the National Centre for Disease Control (NCDC) as its nodal agency.
The IDSP is operationalised by state governments through a strong network of health workers, who collect and compile patient data to monitor, detect and respond to epidemics. This is largely done manually. Similarly, the Aarogya Setu mobile app is currently at the forefront of government responses in identifying clusters and hotspots.
An efficacious government surveillance programme requires collection and processing of large scale personal data, including sensitive health and location data. This has raised crucial concerns relating to protection and privacy of the personal data so collected and the purpose for which it would be used after the pandemic is over. Recognising that data privacy is a part of right to life and a fundamental human right, the Supreme Court has already comprehensively enunciated the principles of informational privacy and data protection in its celebrated judgment of K.S. Puttaswamy vs Union of India, which has also found articulation in the Personal Data Protection Bill, 2019 (PDP Bill) currently under discussion in a joint parliamentary committee of which the first author of this article is a member.
Some of these principles include reasonable processing of data, purpose limitation, collection limitation, lawful processing, storage limitation, data quality and accountability along with crucial rights of persons whose data is being collected. One such right is the right to be forgotten. Once enacted, collection and processing of the personal data – both by government, corporate and non-government organizations – will be subject to the provisions of this PDP Bill.
Two questions then arise for consideration. Firstly, what measures should be taken to protect the personal data of citizens until the PDP Bill is enacted as law? And secondly, is there a need to enact a separate umbrella surveillance law or make separate sectoral laws?
It is important to note that both the IDSP and Aarogya Setu are currently operating in a legislative void. There is no overarching surveillance law either, even in the matter of national security where the protocols for data collection and surveillance have been laid out merely in executive orders. A protocol for Aarogya Setu was recently released by the Ministry of Electronics and Information Technology, but the same does not provide for a legislative foundation.
On the one hand, the protection of personal data has been recognised as a fundamental right, while on the other, there is an absence of law to effectively outline the state purpose in collecting such data and enforce, limit and balance the rights of citizens against the larger public interests. The currently used Epidemic Disease Act, 1897 or the Disaster Management Act, 2005 by the government does not address these concerns at all. Therefore, a law sanctioning collection of data and requiring the government to follow crucial data protection and surveillance principles is the need of the hour.
One surveillance law or several sectoral laws?
The next question is whether there should be several sectoral laws setting out separate mechanisms of data protection and surveillance principles in each sector or an umbrella surveillance law. The PDP Bill enumerates the principles of data protection, as well as provides for mechanisms to address any violations of its provisions.
For example, the PDP Bill imposes fines on a corporate or person when they fail to comply with certain provisions of the Bill. Similarly, it also provides for an adjudicatory mechanism where the citizens may seek compensation for any ‘harm’ caused to them due to the violation of any provision of the Bill. However, in order to detect and determine breaches in the data protection and processing principles (such as purpose limitation, collection limitation and storage limitation), there must be a clear enunciation of the purpose and use of such personal data within a legislative framework. While an umbrella law may be simpler and easier to frame, it may miss out sector specific nuances to achieve the stated state purpose.
For example, collection of data and its use to achieve the state objectives would be different in case of the health sector as in case of the current pandemic from that of the security of the nation considerations involving issues of terrorism and counterfeit currency. The surveillance requirements in both cases would understandably be different. It can be carried out best by the industry-specific regulator or the appropriate ministry having a detailed understanding and knowledge of the sector. Only such a specialised approach can lead to an effective formulation of the purpose, use and necessity of personal data for specific purposes and an effective adjudication of the violation of data principles under the PDP Bill.
Amar Patnaik is a Rajya Sabha MP from Odisha. Views are personal. Nikhil Pratap is a practising advocate.