Read our Joint Letter with C-HELP & FMES to NHA on CoWIN’s updated API #SaveOurPrivacy


tl;dr

Through a new Application Programming Interface (API) for CoWIN, the National Health Authority (NHA) wants to allow government and private entities to instantly know the status of vaccination of an individual. While this may seem to be a good initiative, there are also some major concerns that come along with it. We wrote a joint letter along with the Centre for Health Equity Law & Policy (C-HELP) and the Forum for Medical Ethics Society (FMES) to highlight our concerns.

What happened?

Since its launch, CoWIN, the Government of India’s online portal for COVID-19 vaccination registration, has been embroiled in controversies. At first, it was criticised for its propensity to exclude those who were on the other side of the digital divide in the country and for turning access to COVID-19 vaccination into a game of “fastest fingers first”. Another issue with the portal was that it mandated online self-registration for vaccination without a walk-in facility, which would further entrench inequities in access to the vaccine. Subsequently, it attracted criticism when the news came out that facial recognition technology (FRT) would be used in conjunction with Aadhaar to authenticate the identity of people seeking vaccines. Last month, another problem was added to this growing list.

Through a press release dated September 10, 2021, the NHA launched a new API for CoWIN “KYC-VS: Know Your Customer’s/Client’s Vaccination Status”. According to the press release, this new API would allow government and private entities such as the railways, the airlines and hotels to instantly know the status of vaccination of an individual. Another use case which has been included is where an enterprise/employer may want to know the vaccination status of their employee.

The KYC-VS claims to be consent-based, privacy-preserving and seamlessly integrable with any system.

Our concerns

A. CoWIN’s privacy policy does not allow for such sharing of health data

A person’s COVID-19 status is their private and confidential health information. Use of this data must be fair, relevant and necessary for a specific purpose. According to the existing privacy policy of CoWIN, personal data collected will only be “used by the Government of India or state governments for the purpose of tracking vaccination progress and status, generating reports, heat maps and other statistical visualisations for the purpose of the management of COVID-19 vaccination in the country, and for generation of vaccination certificates, and to provide you general notifications pertaining to COVID-19 vaccination as may be required”. Hence, the new API is inconsistent with the existing privacy policy since it allows for data to be shared with third parties for purposes other than those which are laid out in the privacy policy.

The privacy policy also states that, “Co-WIN is not in any manner responsible for the security of such information or their privacy practices or content of those Third – Party Sites”. Thus, sharing of vaccination data with third parties becomes alarming since the CoWIN platform is not liable in case of any breach or violation of data privacy which may take place. In the absence of a personal data protection law, allowing for such data to be shared with third parties without any safeguards in place and with no one to be held liable for misuse will only lead to grave injustice and unaccountability.

Even the proposed Personal Data Protection Bill, 2019 fails to adequately protect the privacy of health data. For example, it is silent on non-personal and anonymised data. Meanwhile, the Non-Personal Data Governance Framework provides an excessively wide berth for the processing of non-personal data. The Bill also lacks transparency, insofar as the data fiduciary is not required to report instances of breaches of personal data to the data principal (in this case, users whose healthcare data is now public).

B. Scientific evidence on whether COVID-19 vaccinations prevent transmission is not clear

The underlying assumption behind the API is that the use of vaccination status to provide entry/access to government and private entities will help in protecting against transmission of the infection. However, scientific evidence on the link between COVID-19 vaccinations and transmission is not conclusive. In January 2021, the WHO Emergency Committee regarding the coronavirus disease (COVID-19) pandemic recommended, “(a)t the present time, do not introduce requirements of proof of vaccination or immunity for international travel as a condition of entry as there are still critical unknowns regarding the efficacy of vaccination in reducing transmission and limited availability of vaccines.” In August 2021, the WHO reiterated that, “(w)hile COVID-19 vaccines have demonstrated efficacy and effectiveness in preventing severe disease and death, the extent to which each vaccine prevents transmission of SARS-CoV-2 to susceptible individuals remains to be assessed. How long each vaccine confers protection against severe disease and against infection, and how well each protects against current and future variants of SARS-CoV-2 needs to be regularly assessed.”

In light of this, the carte blanche given to private and public entities (through the API) to use vaccination status as a condition to provide access to services and employment may lead to unjustifiable discrimination and exclusion, especially for populations who face greater barriers in accessing COVID-19 vaccination. Additionally, this assumption behind vaccination certificates may fuel complacency with respect to use of masks, sanitisers and reasonable physical distancing measures.

C. The scope of use of the API is not clearly defined

Current central government policy states that vaccination for COVID-19 is voluntary. In spite of this, some states (like Punjab) have introduced vaccine mandates for certain sections of the population. The API will further enable private and public entities to mandate sharing of COVID-19 vaccination status as a condition for access to services and employment. This will inevitably create barriers for individuals who are unable or unwilling to share their COVID-19 vaccination status. In effect, individuals may be compelled to take the vaccination as well as share vaccination status.

However, neither the central government nor the state governments have a clearly defined policy on vaccine mandates. The press release on CoWIN API “KYC-VS: Know Your Customer’s/Client’s Vaccination Status” states that the API can be used by any public or private service provider “for whom verifying an individual’s vaccination status is critical for facilitating a service requested.” It is not only silent on what does and does not qualify as ‘critical’, but also on the consequences of refusal.

The WHO recommends that member states should be clear about the proposed uses of vaccination certificates, and also about purposes for which they cannot be used. For example, the US and UK clearly specify the conditions under which service providers and employers can implement COVID-19-status certification. In the UK, the reasons for checking or recording people’s vaccination status must be clear, necessary and transparent. COVID-19-status certification is not permitted if employers or service providers are unable to specify a use of this information or the stated goal can be achieved without collecting the information. Finally, the use of this information must not lead to unfair and unjustified treatment of employees, customers or visitors.

In the US, employers can mandate employees to be COVID-19 vaccinated for legitimate non-discriminatory reasons only. An employer must provide reasonable accommodations for individuals who do not get vaccinated because of a disability or a sincerely held religious belief, practice or observance. However, the employer is exempted from this requirement if it poses undue hardship on the employer’s business. Against this background, it is critical that the Government of India formulate a policy on vaccine mandates prior to enabling indiscriminate use of the new API.

D. Access to vaccination is unequal

Since vaccines are not available readily to the Indian population, basing access to services, places or benefits on vaccination status will lead to exclusions. As per latest figures, only 22.6% and 62.8% of the adult (15+ years) population is fully and partially vaccinated, respectively. In addition, there are disparities in COVID-19 vaccination coverage across states and union territories. In light of this, implementing COVID-19-status certification will adversely and disproportionately affect populations facing greater barriers in accessing the vaccines.

Our recommendations to the NHA

  1. Introduce necessary amendments to the CoWIN privacy policy in order to ensure privacy and security of data shared with third parties; and
  2. Introduce a clearly defined policy on vaccine mandates keeping in mind current evidence on COVID vaccinations and transmissions; health and safety requirements; equalities; and non-discrimination, privacy and other fundamental rights of individuals.

We appreciate the steps taken by the NHA to facilitate the smooth and safe removal of COVID-19 restrictions and to facilitate the ease with which economic activities can be accessed by the general public. The CoWIN platform has contributed to the safe administration of vaccines in the country and has ensured that individuals are able to get their vaccination shots correctly while also facilitating ease of administration for healthcare professionals. However, it is also important to be vigilant whenever such private and confidential health data is in the mix. We hope the NHA will continue to prioritise the safety and privacy of the people in all its present and future actions.

Important documents

  1. Joint letter to NHA on updated CoWIN API dated September 29, 2021 (link)