Blog 29 | HEaL Institute & IJME – Covid-19 Insights | October 12, 2021

Letter to the National Health Authority (NHA) on the issues with the new CoWIN Application Programming Interface (API) “KYC-VS: Know Your Customer’s/Client’s Vaccination Status” | IFF, Ch-HELP and FMES-HEaL Institute


By Email/Speed Post
Without Prejudice

Dr. Ram Sewak Sharma,
Chief Executive Officer, National Health Authority,
Ministry of Health and Family Welfare,
Government of India.
3rd Floor, Tower-L, Jeevan Bharati Building,
Connaught Place, New Delhi – 110001
Email: [email protected]
Wed, September 29, 2021

Subject: Letter to the National Health Authority (NHA) on the issues with the new CoWIN Application Programming Interface (API) “KYC-VS: Know Your Customer’s/Client’s Vaccination Status”

Dear sir,

1. The Internet Freedom Foundation (IFF) is a non-profit organisation that advocates for the rights of internet users in India. The Centre for Health Equity Law & Policy (C-HELP) is a research and advocacy initiative of the Indian Law Society that uses law as a tool for health transformation, embedding its work in the right to health as envisaged within India’s constitutional framework and her international commitments. The Forum for Medical Ethics Society (FMES) is an organisation focused on strengthening medical ethics in modern healthcare. It works to protect patients’ rights, facilitate the conduct of transparent and humane research, and enable medical practitioners to deliver rational, patient-friendly and compassionate care.

2. Through a press release dated September 10, 2021, the NHA launched a new API for CoWIN “KYC-VS: Know Your Customer’s/Client’s Vaccination Status”. According to the press release, this new API would allow government and private entities such as the railways, the airlines and hotels to instantly know the status of vaccination of an individual. Another use case which has been included is where an enterprise/employer may want to know the vaccination status of their employee.

3. We appreciate the steps taken by the NHA to facilitate the smooth and safe removal of COVID-19 restrictions and to facilitate the ease with which economic activities can be accessed by the general public. The CoWIN platform has contributed to the safe administration of vaccines in the country and has ensured that individuals are able to get their vaccination shots correctly while also facilitating ease of administration for healthcare professionals. While the use of APIs has further enhanced the accessibility of the CoWIN platform, it has also led to some concerns.

4. Our concerns with the new API are:

a. CoWIN’s privacy policy does not allow for such sharing of health data

A person’s COVID-19 status is their private and confidential health information. Use of this data must be fair, relevant and necessary for a specific purpose. According to the existing privacy policy of CoWIN, personal data collected will only be “used by the Government of India or state governments for the purpose of tracking vaccination progress and status, generating reports, heat maps and other statistical visualisations for the purpose of the management of COVID-19 vaccination in the country, and for generation of vaccination certificates, and to provide you general notifications pertaining to COVID-19 vaccination as may be required”. Hence, the new API is inconsistent with the existing privacy policy since it allows for data to be shared with third parties for purposes other than those which are laid out in the privacy policy.

The privacy policy also states that, “Co-WIN is not in any manner responsible for the security of such information or their privacy practices or content of those Third – Party Sites”. Thus, sharing of vaccination data with third parties becomes alarming since the CoWIN platform is not liable in case of any breach or violation of data privacy which may take place. In the absence of a personal data protection law, allowing for such data to be shared with third parties without any safeguards in place and with no one to be held liable for misuse will only lead to grave injustice and unaccountability.

Even the proposed Personal Data Protection Bill, 2019 fails to adequately protect the privacy of health data. For example, it is silent on non-personal and anonymized data. The Bill also lacks transparency, insofar as the data fiduciary is not required to report instances of breaches of personal data to the data principal (in this case, users whose healthcare data is now public).

b. Scientific evidence on whether COVID-19 vaccinations prevent transmission is not clear

The underlying assumption behind the API is that the use of vaccination status to provide entry/access to government and private entities will help in protecting against transmission of the infection. However, scientific evidence on the link between COVID-19 vaccinations and transmission is not conclusive. In January 2021, the WHO Emergency Committee regarding the coronavirus disease (COVID-19) pandemic recommended, “(a)t the present time, do not introduce requirements of proof of vaccination or immunity for international travel as a condition of entry as there are still critical unknowns regarding the efficacy of vaccination in reducing transmission and limited availability of vaccines.” In August 2021, the WHO reiterated that, “(w)hile COVID-19 vaccines have demonstrated efficacy and effectiveness in preventing severe disease and death, the extent to which each vaccine prevents transmission of SARS-CoV-2 to susceptible individuals remains to be assessed. How long each vaccine confers protection against severe disease and against infection, and how well each protects against current and future variants of SARS-CoV-2 needs to be regularly assessed.”

In light of this, the carte blanche given to private and public entities (through the API) to use vaccination status as a condition to provide access to services and employment may lead to unjustifiable discrimination and exclusion, especially for populations who face greater barriers in accessing COVID-19 vaccination. Additionally, this assumption behind vaccination certificates may fuel complacency with respect to use of masks, sanitisers and reasonable physical distancing measures.

c. The scope of use of the API is not clearly defined

Current central government policy states that vaccination for COVID-19 is voluntary. In spite of this, some states (like Punjab) have introduced vaccine mandates for certain sections of the population. The API will further enable private and public entities to mandate sharing of COVID-19 vaccination status as a condition for access to services and employment. This will inevitably create barriers for individuals who are unable or unwilling to share their COVID-19 vaccination status. In effect, individuals may be compelled to take the vaccination as well as share vaccination status.

However, neither the central government nor the state governments have a clearly defined policy on vaccine mandates. The press release on CoWIN API “KYC-VS: Know Your Customer’s/Client’s Vaccination Status” states that the API can be used by any public or private service provider “for whom verifying an individual’s vaccination status is critical for facilitating a service requested.” It is not only silent on what does and does not qualify as ‘critical’, but also on the consequences of refusal.

The WHO recommends that member states should be clear about the proposed uses of vaccination certificates, and also about purposes for which they cannot be used. For example, the US and UK clearly specify the conditions under which service providers and employers can implement COVID-19-status certification. In the UK, the reasons for checking or recording people’s vaccination status must be clear, necessary and transparent. COVID-19-status certification is not permitted if employers or service providers are unable to specify a use of this information or the stated goal can be achieved without collecting the information. Finally, the use of this information must not lead to unfair and unjustified treatment of employees, customers or visitors.

In the US, employers can mandate employees to be COVID-19 vaccinated for legitimate non-discriminatory reasons only. An employer must provide reasonable accommodations for individuals who do not get vaccinated because of a disability or a sincerely held religious belief, practice or observance. However, the employer is exempted from this requirement if it poses undue hardship on the employer’s business. In this background, it is critical that the Government of India formulate a policy on vaccine mandates prior to enabling indiscriminate use of the new API.

d. Access to vaccination is unequal

Since vaccines are not available readily to the Indian population, basing access to services, places or benefits on vaccination status will lead to exclusions. As per latest figures, only 22.6% and 62.8% of the adult (15+ years) population is fully and partially vaccinated, respectively. In addition, there are disparities in COVID-19 vaccination coverage across states and union territories. In light of this, implementing COVID-19-status certification will adversely and disproportionately affect populations facing greater barriers in accessing the vaccines.

5. In light of the aforementioned concerns, we urge the National Health Authority to reconsider implementing the new CoWIN API, prior to:

a. introducing necessary amendments to the CoWIN privacy policy in order to ensure privacy and security of data shared with third parties; and

b. introducing a clearly defined policy on vaccine mandates keeping in mind current evidence on COVID vaccinations and transmissions; health and safety requirements; equalities; and, non-discrimination, privacy and other fundamental rights of individuals.

Kind regards,

Anushka Jain,
Associate Counsel (Surveillance & Transparency),
Internet Freedom Foundation
[email protected]

Vivek Divan,
Centre for Health Equity Law & Policy
[email protected]

Sunita Sheel Bandewar,
General Secretary, Director, Forum for Medical Ethics Society’s HEaL Institute
[email protected]