Co-WIN portal

Article Title: Co-WIN portal

13-06-2023

Polity & Governance Prelims Plus

Why is in news? Co-WIN portal of Health Ministry is Completely Safe with safeguards for Data Privacy

  • There are some media reports claiming breach of data of beneficiaries who have received COVID vaccination in the country, on some social media platforms. These reports allege breach of data from the Co-WIN portal of the Union health Ministry, which is repository of all data of beneficiaries who have been vaccinated against COVID19.
  • It is clarified that all such reports are without any basis and mischievous in nature. Co-WIN portal of Health Ministry is completely safe with adequate safeguards for data privacy.
  • Furthermore, security measures are in place on Co-WIN portal, with Web Application Firewall, Anti-DDoS, SSL/TLS, regular vulnerability assessment, Identity & Access Management etc. Only OTP authentication-based access of data is provided. All steps have been taken and are being taken to ensure security of the data in the CoWIN portal.
  • COWIN was developed and is owned & managed by Ministry of Health & Family Welfare. An Empowered Group on Vaccine Administration (EGVAC) was formed for steering the development of COWIN and for deciding on policy issues.
  • Co-WIN data access – At present individual level vaccinated beneficiary data access is available at three levels, as below:
  • Beneficiary dashboard- The person who has been vaccinated can have an access to the Co-WIN data through use of registered Mobile number with OTP authentication.
  • Co-WIN authorized user- The vaccinator with use of authentic login credential provided can access personal level data of vaccinated beneficiaries. But the COWIN system tracks & keeps record of each time an authorized user accesses the COWIN system.
  • API based access – The third party applications who have been provided authorised access of Co-WIN APIs can access personal level data of vaccinated beneficiaries only through beneficiary OTP authentication.

Telegram BOT:

  • Without OTP vaccinated beneficiaries’ data cannot be shared to any BOT.
  • Only Year of Birth (YOB) is captured for adult vaccination but it seems that on media posts it has been claimed that BOT also BOT mentioned date of Birth (DOB).
  • There is no provision to capture address of beneficiary.
  • The development team of COWIN has confirmed that there are no public APIs where data can be pulled without an OTP.
  • Union Health Ministry has requested the Indian Computer Emergency Response Team (CERT-In) to look into this issue and submit a report. In addition, an internal exercise has been initiated to review the existing security measures of CoWIN.
  • CERT-In in its initial report has pointed out that backend database for Telegram bot was not directly accessing the APIs of CoWIN database.

Initiatives in India to safeguard the personal data:

Information Technology Act, 2000:

  • It provides for safeguard against certain breaches in relation to data from computer systems. It contains provisions to prevent the unauthorized use of computers, computer systems and data stored therein.

Personal Data Protection Bill 2019:

  • The Supreme Court maintained the right to privacy as a fundamental right in the landmark decision of K.S. Puttaswamy v. Union of India 2017 after which the Union government had appointed Justice B.N. Srikrishna Committee for proposing skeletal legislation in the discipline of data protection.
  • The Committee came up with its report and draft legislation in the form of the Personal Data Protection Bill, 2018.
  • In 2019, Parliament again revised the Bill and much deviation from the 2018 Bill was evident. The new Bill was named as Personal Data Protection Bill, 2019.
  • The purpose of this Bill is to provide for protection of privacy of individuals relating to their Personal Data and to establish a Data Protection Authority of India for the said purposes and the matters concerning the personal data of an individual.

Digital Personal Data Protection Bill, 2022:

  • The Digital Personal Data Protection Bill, 2022 applies to all processing of personal data that is carried out digitally.
  • This would include both - Personal data collected online and Personal data collected offline but is digitised for processing.
  • It seeks to govern and safeguard use of personal data, frames out the rights and duties of the Digital Nagrik.
  • Some of the recommendations - Remove the word ‘personal’ from the existing title of ‘Personal Data Protection Bill’. This is intended to reflect that the bill, in order to better ensure privacy, will also be dealing with non-personal data, such as personal data that has been anonymised.
  • Amend the section restricting the transfer of personal data outside India to say “sensitive personal data shall not be shared with any foreign government or agency unless such sharing is approved by the central government.
  • No social media platform be allowed to operate in India unless its parent company, which controls the technology powering its services, sets up an office in the country.
  • It proposes a separate regulatory body to be set up to regulate the media.
  • Jail term of up to 3 years, fine of Rs 2 lakh or both if de-identified data is re-identified by any person.
  • The word ‘personal’ ought to be dropped from the name of the Bill.
  • Central government may exempt any government agency from the legislation only under exceptional circumstances.