Punjab, MP release data of COVID-19 patients in public, data privacy activists cry foul

Hyderabad: Data security activists are up in arms against Madhya Pradesh and Punjab governments for sharing names and other personal information of the COVID-19 patients on their COVID-19 web dashboards allegedly in contravention of the privacy rules.

This privacy breach was brought into public attention after an ethical hacker based in France took to social media with screenshots from Madhya Pradesh’s COVID-19 dashboard. The hacker, Elliot Alderson pointed out that the Madhya Pradesh state government had created a COVID-19 dashboard which publishes the name of the people under quarantine, as well as their device ID and name. This information is accessible to the public and information can also be downloaded in Excel sheet format.

Another data security researcher had also pointed the same issue on Twitter. “I agree location data is to be collected, but why is the data available online for public view? Where are data privacy and security protocols? Why are real names displayed,” Saikiran Kannan, the researcher tweeted from his handle.

In another case, the government of Punjab’s website also revealed the complete names and addresses of the patients who are under quarantine. The patients, who come under district SAS Nagar Punjab, have all their details revealed in a public website, the document which may also be downloaded.

The Internet Freedom Foundation, an organization that works for digital rights said this is not a “privacy concern”, but also a direct, tangible injury. “Intimate personal data is being publicly revealed. As a first step, please do write to the Principal Secretary for shutting down this portal: psit-mp@nic.in,” the Foundation said.

To reveal or not to reveal: Publishing names of COVID-19 patients legal?

Since health is a state subject, the onus is upon state governments to decide the rules regarding COVID-19 patients and policies regarding privacy. While states such as Punjab and Madhya Pradesh have not released any separate policy regarding publishing names of COVID-19 patients, the argument that it is for effective contact tracing is often used by authorities. For instance, the health minister of Gujarat had announced on March 23 to publicise the names of COVID-19 patients so that “so that their neighbours, business associates, or those who came in contact with them get themselves checked.”

C Mallesh Rao, a senior advocate based in Hyderabad says that there is no direct law that prohibits the publishing of names of COVID-19 patients. “States may do that if they publish it in the name of public interest. If there are government orders prohibiting it, then it cannot be done. However, such data can also be accessed and made public if a citizen asks for the information via an RTI,” the advocate said.

Other officials opine that this would be a violation of right to privacy and can be classified as a cybercrime. They also point out the lack of a consolidated data security/cybersecurity law that governs such issues. “In the case of Telangana, we have a government order that prohibits publication of details like names of COVID-19 patients. So, if it happens in this state, it would be a direct violation of the order. A case can be booked under Section 188 (disobedience to public order) of IPC minimum,” said KVM Prasad, Assistant Commissioner of Police, Cybercrime Hyderabad.