Co-WIN: Is Aadhaar linking being used as cover for Digital Health ID?

On January 16, 2020, the Government of India initiated a country-wide COVID vaccination drive, which will be facilitated via the COVID-19 Vaccine Intelligence Network (Co-WIN).

Rethink Aadhaar is concerned that the requirement in the Co-WIN vaccine delivery system, that Aadhaar authentication is to be the “preferred mode” for authentication, creates an impermissible barrier to access the vaccine and will violate the right to health. Additionally, Rethink Aadhaar is concerned about the lack of transparency around how the government plans to store and use the data that will be collected as part of the vaccine delivery process.

Co-WIN is a platform and app that has been developed by the Government of India, to track the delivery of the COVID-19 vaccine.

As per reports, the app will require citizens to “self-register” in order to get the COVID-19 vaccine. According to the Health Secretary, Aadhaar-based authentication will be the “preferred mode” to verify the identity of beneficiaries. Additionally, according to the Operational Guidelines on COVID-19 Vaccination (point 7.2.3) issued by the Ministry of Health and Family Welfare, the production of an Aadhaar number will be mandatory to receive the vaccination certificate issued once the vaccination is complete. 

The guidelines state that the platform will be used to track the beneficiaries’ health on a “real-time basis” after they receive the vaccination. After the beneficiary receives both doses of the vaccine, the Co-WIN application will generate a “QR certificate”, which will be stored in the Government’s DigiLocker application. A DigiLocker account can be accessed either using the unique ID (an ID specific to DigiLocker which is linked to the person’s Aadhaar number) or the registered mobile number of the account holder.

The Aadhaar details of persons who receive the vaccine will be used to create a Unique Health ID for them, albeit only for “willing beneficiaries”.

Thus, it appears that data collected for the vaccine delivery system will be used to populate the Digital Health ID database, and people’s vaccine certificates will be stored on DigiLocker. Collating people’s health information in this manner, even as India lacks a legal framework to safeguard citizens’ data or health information, is a dangerous step.

This raises serious concerns:  

  1. Making the vaccine or subsequent certification conditional on Aadhaar authentication or linkage would go against all tenets of medical ethics, is a violation of the basic and fundamental right to health, and would also be poor public policy, as the roll-out of the vaccine should be focused on universal access to the vaccine.

    The Central government’s requirement that Aadhaar authentication is to be the “preferred mode” for authentication of identities, as well as the requirement that mobile phone numbers be linked to Aadhaar to pre-register on the app, will exclude citizens. Any requirement to mandatorily link mobile numbers with Aadhaar – as some reports have indicated could be the case – would violate the Supreme Court’s judgement on the constitutionality of Aadhaar. As a recent report by Medianama shows, as of August 2020, nearly 11% of India’s population still does not have an Aadhaar number. Errors happen frequently in the huge and complicated Aadhaar infrastructure, leading to authentication failures. Conditioning the vaccine on Aadhaar authentication will repeat the mass exclusion already seen after Aadhaar was linked to essential services and entitlements to food, pensions, scholarships.

  2. The lack of privacy safeguards, either in the app or in the vaccine delivery system as a whole, is a serious violation of the right to privacy.

    Details on where the data related to vaccination will be shared/stored are not addressed in the app’s consent form, which only makes a blanket statement about “maintaining the privacy and confidentiality of the information provided”. Neither the website nor the application has a privacy policy that addresses how the health data will be protected. Data related to health is sensitive data and should be accorded the highest level of protection. The Karnataka High Court’s recent interim order on Aarogya Setu reiterated the importance of ensuring health-related data collected to track the spread of COVID-19 is safeguarded. It held that medical information or data is a category of data to which there is a reasonable expectation of privacy, and “the sharing of health data of a citizen without his/her consent will necessarily infringe his/her fundamental right of privacy under Article 21 of the Constitution of India.”

  3. The vaccine delivery system is being used to populate the database for the Digital Health ID and to coerce people to use DigiLocker.

    This is a coercive step which is being taken without due deliberation or public scrutiny, and with no consideration for privacy rights. This would also violate the fundamental principle of purpose limitation, that data collected for one purpose (for the vaccine) cannot be reused for another (for the creation of the Digital Health ID system) without an individual’s explicit consent and the option to opt out with no adverse implications of doing so. There are worrying reports of hospital administrations sharing Aadhaar details of their staff to register them on the Co-WIN application, even without their consent. The vaccine delivery should not be used as a cover to create a Digital Health ID without sufficient public debate, and safeguards to ensure that people are free to choose not to enroll.

Rethink Aadhaar urges the Government to: 

  1. Adopt all possible measures to ease access to the vaccine, investing resources to improve health services, and delink the requirement of Aadhaar for the vaccine. A notification must be issued reiterating the point that multiple IDs, apart from Aadhaar, can be submitted to get access to the vaccination.

  2. Clearly establish the privacy policies of the Co-WIN application, particularly with respect to the protection of the health data of the beneficiaries. More particularly, assurances must be provided that the vaccine delivery system will not be used to populate the database for the Digital Health ID or used to coerce people to use DigiLocker.

  3. Ensure that adequate safeguards are taken against making a health ID mandatory, including issuing a notification in line with the Health Data Management Policy which states that “no individual shall be denied access to any health facility or service, or any other right in any way merely by reason of not being in possession of a Health ID or for not opting to participate in the NDHE.” 

The Indian public health system has administered large scale vaccine programs in the past with relative efficiency, without such restrictions and conditions, and should trust its public health systems to do so for COVID as well, without making it restrictive, conditional or linked to a digital health system which is in its infancy and surrounded by legal and ethical concerns. The vaccine delivery should not be used as a cover to create Digital Health IDs without sufficient public debate, and without enough safeguards to ensure that people are free to choose not to enroll.