Your right to privacy does not win under U-WIN

How does the privacy policy of the U-WIN immunisation platform fare on the right-to-privacy test?  

WHILE presenting this year's interim budget, the Union finance minister Nirmala Sitharaman announced the government's intention to implement the U-WIN immunisation platform throughout the country expeditiously.

Modelled after Co-WIN, the U-WIN platform aims to bolster India's Universal Immunisation Programme (UIP) by improving vaccination management in the country. U-WIN's website states that it "captures each and every vaccination event for all pregnant women and children".

According to news reports, U-WIN also integrates with other government initiatives: it identifies unvaccinated children under Mission Indradhanush, and interfaces with the Ayushman Bharat Digital Mission (ABDM) to create and update patient records.

To deliver these services, the platform collects and shares a substantial amount of personal data. However, following the alleged Co-WIN data breach, concerns around health data privacy in e-government services have intensified.

Moreover, the U-WIN platform's roll-out has been flagged for its lack of transparency. In response to a recent Right to Information Act application, the Union ministry of health and family welfare failed to address critical questions regarding data retention and sharing on the U-WIN web application.

Against this background, this piece first evaluates the U-WIN platform's privacy policy against the notice-for-consent requirements of the Digital Personal Data Protection Act, 2023 (DPDPA). It then analyses how the privacy policy outlines the rights of users and the obligations of the data fiduciary, i.e., the government, as specified in the DPDPA.

Privacy policy

The objective of a privacy policy is to inform the user about how a tool collects, utilises, and distributes the user's information. By informing users about data handling practices, privacy policies conform to the mandate of transparency, thereby affirming the user's trust in the service provider.

As government services increasingly shift online, privacy policies of e-government applications are being held to higher legal and ethical standards worldwide. In its standardised form, a privacy policy can be broken down into an enumeration of data processing practices, users' rights and organisational obligations under the existing law.

The State's privacy obligations in India

In 2017, the Supreme Court reaffirmed the right to privacy as a fundamental right in the Puttaswamy judgment. While expounding on the right to privacy, the court specifically acknowledged the risk of the State's invasion of the individual's informational privacy through technology-based data collection.

In this judgment, the court explicitly called for a law on personal data protection. Following the Puttaswamy judgment, the Srikrishna Committee was constituted to deliberate on a new data protection framework. In its report, the committee proposed the Draft Data Protection Bill, which was enacted in the form of the DPDPA in 2023. DPDPA designates all entities "determining the means and purpose for processing personal data" as data fiduciaries, including the State.

Initially, the statutory framework of information technology law did not recognise the State's privacy obligations. Sections 43(a) and 72 of the Information Technology (IT) Act 2000 created rudimentary privacy protections by penalising unauthorised access to computer systems and confidentiality breaches.

Subsequently, to govern the handling of sensitive personal data, the Parliament passed the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (SPDI Rules) under the IT Act in 2011. However, the Rules had substantive limitations, and like the IT Act, they were not applicable to the government.

While the DPDPA itself does not expressly mention a 'privacy policy', Section 5 of the Act mentions 'notices' and outlines their requirements. According to the Section, a data fiduciary is broadly obligated to inform the data principal on:

  1. Data collection and purpose.
  2. The process for exercising rights related to consent under Section 6(4) and grievance redress under Section 13.
  3. The provisions for making complaints to the board.

Privacy policies and notices play distinct yet complementary roles in personal data management. Privacy policies provide a comprehensive overview of an organisation's data handling practices.

In contrast, notices are targeted communications that inform users about specific data processing instances and seek their explicit consent for these actions. However, international data protection legislation requires fiduciaries to place details of notice requirements within broader privacy policies.

Such laws also mandate that privacy policies cover broader individual rights and organisational data obligations. Consequently, this piece evaluates the U-WIN privacy policy on both these aspects.

U-WIN's privacy policy

U-WIN's privacy policy contains an introduction and seven clauses. It is available on the website and can be accessed without authentication. This section first evaluates the privacy policy against the provisions of DPDPA on notice requirements pertaining to consent and grievance redress.

Then, it evaluates the privacy policy against the requirements of informing users on data collection and purpose and the provisions for making complaints to the board under the notice requirements.

Analysis against notice requirements of DPDPA

Right to informed consent

The privacy policy's introduction deals with consent in the usage of the services. Specifically, it states: "At registration, you are requested to accept the terms of this privacy policy and your use of U-WIN signifies your continued acceptance thereof" and "In order to use U-WIN, you are agreeing to the terms of the privacy policy".

On a preliminary reading, the text seems ambiguous, not indicating whether explicit consent is sought from the user for using the tool. To confirm whether explicit consent is sought, a registration was made on the U-WIN web application.

After submitting the user's number to sign up, it was found that the application did not show a consent banner with a link to the privacy policy.

Section 4 of the DPDPA states that personal data must only be processed upon obtaining consent or for certain "legitimate uses". Section 6 of the Act defines valid consent as "free, specific, informed, unconditional and unambiguous with a clear affirmative action".

To satisfy this condition, consent must be sought directly in the user interface through an affirmative action by the user. The U-WIN application, however, fails to meet this requirement.

Rights related to modification of account and withdrawal of consent

Clause 4 of the policy states the rights of the data principal in the removal or modification of user details and services. According to Part A of the clause, the user can access or edit the profile.

Part B of the clause further states that users can delete their information as long as no vaccination is taken. Sub-section 4 of Section 6 of the DPDPA states that the users should be allowed to withdraw consent at any time and that the withdrawal of consent should match the ease of its collection.

However, the privacy policy states that the withdrawal of consent through the removal of the profile is conditional upon members not taking the vaccine. To test the ease of profile removal in the application, a dummy account was made.

Upon attempting to delete the user's profile, it became apparent that profile deletion is subject to further constraints. Members who booked appointments, received vaccinations, linked dependents, are pregnant, or were imported from Co-WIN cannot delete their profiles.

This information is not mentioned in the privacy policy. Consequently, it is evident that the clause does not meet the substantive requirements of the law, and generally lacks transparency.

Rights related to modification of application services

Even though the DPDPA does not mandate providing the ability to modify the application's services, offering such capabilities gives data principals greater choice and control. The U-WIN privacy policy, however, does not enable data principals to modify application services.

Clause 4(b) of the privacy policy states that communications from the application cannot be turned off. Since registration on the application is optional and users can access immunisation services non-digitally, strict restrictions to delete accounts or modify communications appear unreasonable.

At a minimum, the policy could distinguish between essential and non-essential communications and allow the latter to be turned off, giving data principals a choice.

Rights related to grievance redress

Clause 7 of the policy addresses grievance redress but omits key procedural details. The clause does not disclose the particulars of the responsible authority and only provides an email address for communications.

Moreover, the policy fails to specify response or resolution deadlines for addressing grievances. Section 13 of the DPDPA mandates the creation of a grievance redress mechanism for data principals with yet-to-be-prescribed time limitations.

Section 8 obligates data fiduciaries to publish the contact information of the Data Protection Officer (DPO) for "answering questions" raised by the data principal.

While the publication of these contact details is mandated by law, clear response and resolution time frames are also essential for ensuring transparency even if they have not been prescribed yet. The lack of such provisions hinders the principal's ability to seek grievance redress.

Personal data collected and the purpose of data collection

The privacy policy mentions that personal data is collected during application usage. The first clause of the document outlines the personal data collected and the purpose of its collection.

Part A of this clause mentions that name, date of birth (child) and/or year of birth (pregnant women), gender, photo ID type, and photo ID number are mandatory for the creation of a reference identity (ID) in the application.

The reference ID allows the user to be tracked within the application according to Part B of the clause. Part D of the clause then states the lists of identity cards that can be used for the user's identity verification.

Finally, Part E states that the mobile number can be used for notifications and reminders. Clause 2 of the policy further outlines the use of personal information. It states the various domains where such information can be used.

It states that purposes for collecting personal data include "tracking vaccination progress and status, generating reports, heat maps and other statistical visualisations for the purpose of the management of universal immunisation in the country, and for generation of vaccination certificates, and to provide you general notifications pertaining to routine vaccination as may be required".

While these purposes appear reasonable, some aspects remain overly broad. The details of the nature of the reports, statistical visualisations and notifications that will be generated using personal data are not specified.

The absence of such details essentially contravenes Section 6 of the DPDPA, which states that the data principal's consent signifies agreement to share personal data only for an explicitly stated purpose.

Moreover, leveraging individuals' personal information for developing heat maps can jeopardise the right to privacy by revealing sensitive location data.

Even when aggregated, this information remains vulnerable to re-identification. Consequently, U-WIN's privacy policy should transparently outline the processes involved in the generation of reports, heat maps and statistical visualisations.
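To make the re-identification point concrete, the following is an added illustration (not code from U-WIN or from this piece) of why aggregated heat-map cells can still single out individuals, and of the two standard mitigations a data fiduciary would apply before publishing: generalising the geographic bin and suppressing cells below a minimum count. The records, localities and the threshold of five are all constructed for the example; the DPDPA prescribes no such threshold.

```python
from collections import Counter

MIN_CELL = 5  # assumed minimum publishable cell size; the page names no threshold

# Constructed sample: one row per vaccination event with names and IDs already
# removed, as a heat-map pipeline might receive them. "locality" stands in for
# the geographic bin a heat map would colour.
RECORDS = (
    [{"locality": "Ward 12", "age_band": "0-1", "vaccine": "BCG"}] * 5
    + [{"locality": "Ward 12", "age_band": "1-2", "vaccine": "MR"}] * 6
    + [{"locality": "Village 7", "age_band": "0-1", "vaccine": "BCG"}] * 2
    + [{"locality": "Village 7", "age_band": "pregnant", "vaccine": "Td"}] * 1
)

# Constructed geography: both localities roll up into one district.
DISTRICT_OF = {"Ward 12": "District A", "Village 7": "District A"}


def aggregate(records, dims):
    """Count events per combination of the given dimensions (one heat-map cell)."""
    return Counter(tuple(r[d] for d in dims) for r in records)


def small_cells(counts, k=MIN_CELL):
    """Cells below the threshold: each describes so few people that anyone who
    knows one fact about a neighbour (e.g. that she is pregnant in Village 7)
    can read her vaccination record straight off the map."""
    return sorted(cell for cell, n in counts.items() if n < k)


def suppress(counts, k=MIN_CELL):
    """Primary suppression: publish the count only when it meets the threshold,
    otherwise publish a masked marker instead of the real number."""
    return {cell: (n if n >= k else f"<{k}") for cell, n in counts.items()}


def coarsen(records, geo_map):
    """Generalisation: replace locality with district so each cell pools more people."""
    return [dict(r, locality=geo_map[r["locality"]]) for r in records]


def publishable(records, dims, geo_map, k=MIN_CELL):
    """Coarsen first, then suppress whatever is still small; return the safe table."""
    return suppress(aggregate(coarsen(records, geo_map), dims), k)


if __name__ == "__main__":
    dims = ("locality", "age_band")
    raw = aggregate(RECORDS, dims)
    print("raw cells:", dict(raw))
    print("re-identifying cells:", small_cells(raw))
    print("after coarsening + suppression:", publishable(RECORDS, dims, DISTRICT_OF))
```

The raw aggregate contains a cell for one pregnant woman in Village 7, which is a personal record in all but name. After coarsening to the district the infant cells pool enough people to publish, while the pregnancy cell is still below the threshold and stays masked. A caveat a practitioner would add: if row or column totals are published alongside the cells, a masked value can be recovered by subtraction, so totals must be suppressed or rounded as well (complementary suppression).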

Provision for making complaints to the board

The privacy policy does not have any provisions to make complaints to the board. Presumably, since the board has not yet been established, a clause might be added to the policy in the future.

Privacy policy, data fiduciary obligations and data principal rights

As stated above, global best practices place the user's broader rights and the fiduciaries' duties within the privacy policy. Although the DPDPA does not explicitly mandate this approach, it does enumerate such rights and obligations. In that context, this section evaluates the U-WIN privacy policy against the DPDPA's rights and obligations outside of the notice requirements.

General obligations

The general obligations of the data fiduciary are listed in Section 8 of the DPDPA. The Section requires data fiduciaries to implement reasonable security safeguards, notify breaches, limit data storage, publish the data protection officer's contact details and establish grievance procedures.

The U-WIN privacy policy only partially addresses these stipulations. Among these, the privacy policy has provisions on security safeguards, data storage limitations and grievance procedures, but does not include any information on breach notifications or the data protection officer's contact information.

Data retention

The privacy policy states that personal data will be retained for the duration of an active account. However, the policy also stipulates that data may be retained after account deletion for users whose data processing has begun for administrative or medical purposes.

With regards to these storage limitations, it states that retention will last for "such period thereafter as is required for such interventions to be completed".

According to Section 8(7) of the DPDPA, data retention should continue either until the data principal revokes consent or until the purpose for which the data was collected is fulfilled. As mentioned above, stringent restrictions on account deletion limit the exercise of rights to erasure and withdrawal of consent.

Moreover, Section 17(4) of the Act exempts the State or any of its "instrumentalities" from adhering to Section 8(7). Since U-WIN qualifies as an instrumentality of the State, it can effectively retain personal data in perpetuity.

Security measures

Clause 5 of the privacy policy asserts that personal data is secured, but it fails to provide specific details on the measures implemented to protect this information. The policy notably omits mention of common security controls such as encryption and firewalls.

Although the DPDPA does not specify any security controls, the lack of transparency in U-WIN's privacy policy raises concerns about the robustness of the data protection measures in place.

Consent obligations for children and disabled individuals

In addition to the general obligations, the DPDPA mandates specific consent requirements for processing the personal data of children and individuals with disabilities.

Section 9 of the Act mandates that data fiduciaries obtain consent from lawful guardians when processing the personal data of minors or persons with disabilities who are deemed incapable of providing consent independently.

Currently, however, the U-WIN privacy policy does not have any provisions for collecting separate consent from such lawful guardians, which is concerning in the case of mothers with disabilities.

Rights outlined in the DPDPA

The DPDPA outlines the rights of users in Sections 11 to 14. These Sections recognise the data principal's rights to know, to grievance redress, and to correction and erasure of personal data.

Since grievance redress and correction and erasure of personal data have already been covered, this section looks at the right to know and the right to nominate.

Right to know/access

The data principal's right to know is mentioned in Section 11 of the Act. The Section grants data principals the right to obtain summaries of processed personal data and related activities, identify all involved data fiduciaries and processors, and access any additional information pertaining to their personal data.

This right is partly met as the privacy policy specifies the data collection and purpose. However, the U-WIN privacy policy does not provide for the data principals to obtain summaries of processed personal data.

Right to nominate

Section 14 grants data principals the right to nominate individuals who can exercise the principal's rights in case of death or incapacity. At present, the privacy policy does not provide any information related to this right.

Conclusion

Upon evaluation, it appears that U-WIN's privacy policy only partially complies with the notice requirements of the DPDPA. Notably, the policy does not obtain explicit consent from data principals with affirmative action and imposes undue restrictions on the deletion and modification of accounts. Prima facie, it also lacks effective grievance redress procedures.

The policy also falls short of fulfilling its obligations as a data fiduciary under the Act. It does not include provisions for breach notifications, fails to clearly explain data retention practices, and omits the mention of a data protection officer.

Furthermore, while the policy provides limited coverage for the data principal's rights to be informed and to know, it completely fails to address consent provisions required for mothers with disabilities.

The analysis also reveals gaps within the DPDPA itself. Unlike the SPDI Rules under the Information Technology Act, the DPDPA has no mention of privacy policies.

Moreover, it does not recognise the category of sensitive personal data. This effectively results in a lack of enhanced protection for sensitive information such as an individual's health data.

The Act also does not establish any standards for data security measures. Lastly, broad exemptions for the State and its instrumentalities under the DPDPA invalidate personal data retention obligations, allowing the State to store personal data in perpetuity.

Consequently, the government must ensure that it incorporates and communicates adequate privacy standards and safeguards in the deployment of digital health tools such as U-WIN.

Additionally, the government must also ensure that the DPDPA's implementation addresses the risks of informational privacy violation through the State's information technology-driven initiatives as highlighted in the Puttaswamy judgment.

The Leaflet
theleaflet.in