The Government of India recently launched the Aarogya Setu app. The app helps people in determining whether they are infected with Covid-19 symptoms. Aarogya Setu is available on the Apple App Store and Google Play in 11 languages.
Speaking about how the app handles privacy aspects, Manish Sehgal, Partner, Deloitte India said that any application would handle privacy aspect based upon its’ design construct. Developers of applications that collect and process personal data should adopt the principle of ‘Privacy by Design’ to ensure that privacy requirements are considered during the initial stages of application development. In addition, techniques such as encryption and anonymization can help to avoid storing the data in clear text, thereby preventing disclosure of identity of an individual.
‘Privacy by Design’ is a leading practice for ‘system engineering’ that ensures that privacy is embedded in the DNA or the design specifications of new applications and tools.
Another key consideration should be the technique of ‘privacy by default’. This technique ensures that the strictest of privacy settings should apply by default. For example, application by default does not gain access to location, messages, contacts, storage etc. The app should provide a ‘Privacy Notice’ to individual and process data only upon an ‘explicit consent’ from the user.
Further, privacy impact assessments should be performed for the applications processing personal data to identify and proactively address any data protection issues that may arise when applications go-live. It enables them to identify the impact and take the appropriate actions to prevent or, at the very least, minimise the risk of those impacts.
Privacy impact assessments encompasses a comprehensive review of the privacy considerations including fairness and transparency of processing activities, third parties to whom data is disclosed to, security safeguards that have been adopted, data retention and disposal practices and most importantly, the extent of control that a user can exercise over his or her personal data.
Applications should also include the adequate privacy notices and consent mechanisms to ensure that the users are aware of the nature and context of processing their personal data, the parties involved in such activities and most importantly their rights pertaining to the processing of their personal data.
So, what does Deloitte recommend for personal data handling considerations during remote working models?
He added that whilst the increased adaptability on technology-based solutions by organizations enables the users to work remotely, it also exposes to risk of data breaches, if data is not handled in an appropriate manner.
Therefore, protection of personal data requires a multi-dimensional approach covering people, process and technology. This approach includes many aspects, few of which are listed here:
People: Training and employee awareness communications w.r.t Cyber security and privacy requirements, to ensure that employees are aware and don’t fall prey into traps by cyber intruders.
Process: The leading practices for cyber security and principles of privacy shall be adopted, for example:
* Individuals should be provided a privacy notice highlighting the personal data that will be collected, the purpose of usage, security techniques, their rights etc.
* While collecting personal data, only the information required for the purposes of processing should be collected.
* Policy and standard operating procedures for users to refer while working remotely, such as data breach or an incident.
Technology: Cyber risk assessment and privacy impact assessments shall be performed before releasing such tools or a new digital utility. Gaps, if any shall be fixed prior to production rollout.
* Effective remote working solutions such as web meeting tools and Bring your Own Device (BYOD) polices to govern the use of personal devices.
* Encourage usage of Virtual Private Network (VPN) for secure network access through home Internet or public wi-fi.
* Implement security and privacy controls for preventing users from accessing public mailboxes, transferring data to unsecured devices etc.
* Enforce role-based access controls, multi factor authentication and strong password configuration requirements.