In what is a glaring privacy issue, the immunisation division under the Department of Public Health and Preventive Medicine (DPHPM) publicised the data of everyone in the state who is yet to take the second dose of the COVID-19 vaccine. While this was allegedly made public so that people are forced to take the vaccine, the data — made public via a Google Drive link — gives granular information.
The document, created on the evening of April 25, tabulates information of all those who haven’t received the second dose of the vaccine by district, which is then divided by blocks. It lists the name of the person who got the vaccine, when and in which centre they received it, whether they are a citizen or frontline worker, which vaccine and when, as well as the person’s reference and beneficiary ID. The data also includes how long it has been since the person became eligible for the second dose of the vaccine, and starts at zero days, going up to 350+ days.
The information, a link to which was on the homepage of the DPHPM website, was a publicly editable document that was online for eight days before the department revoked access to the document on the evening of May 6 after being pulled up.
While the department says that this was inadvertently done, and while their intentions may be to vaccinate people, it must be noted that vaccinations are still voluntary. In fact, the Supreme Court even earlier this week said that no person can be forced to be vaccinated against COVID-19, and that bodily autonomy and integrity are protected under Article 21 of the Constitution.
Srikanth L of Cashless Consumer, a consumer awareness collective, termed it “obnoxious on multiple levels”, while the idea may have been to shame people into getting the second shot of vaccine.
“This breaks the promise that people gave data to the government for the purpose of vaccination. Vaccination is voluntary and it is perfectly okay for someone to not take their second dose. Yes, it can have other implications such as public health, but this also came at a time when cases are very low. Why then stress upon these people who are yet to be vaccinated - why should their details be revealed?” asks Srikanth.
However, the large dataset being made public also has privacy implications. “With this information, you can actually download someone else’s vaccination certificate,” he says. The basis for this is a brief campaign on Co-Win that allowed users to share their vaccination status. This required the beneficiary ID, and Srikanth says that anyone can download someone else’s vaccination certificate with the beneficiary ID, which this data made public.
This goes a step further, as for everyone who gave their Aadhaar card as the identity proof, a universal health ID was created and the number published on the certificate as well. “This released so many people’s health data publicly. This could be misused in multiple ways,” he says. If any information with the Health ID is leaked in the future and does not have personally identifiable information, someone can reconcile both and deanonymise that data, he adds.
Srikanth also says that this gives granular information about people who are vaccine-hesitant, and can be used to spread anti-vaccine information.
Tamil Nadu released a data policy in March, but there still is no data protection law in the country.
“If they are doing this today, it can leak any other information tomorrow. How does it create trust with individuals interacting with the government? If the government does not like you, can it leak data about you? Where does this stop?” Srikanth asks.