1. Prior to seeking a beneficiary's consent, authorized organizations must inform each of their beneficiaries, in a clear, concise and accessible manner, of the specific purpose for which the data would be used, the period of time for which it shall be retained and the manner in which it shall be deleted.
2. Once collected, the organization shall only use the data for the stated purpose in accordance with these guidelines and delete it on or before the expiry of the retention period or as defined in the API Terms of Service.
3. All API Clients shall be designed to only collect as much data as is strictly necessary to achieve the stated purpose and to delete such data as soon as possible after such purpose has been served.
4. For the avoidance of doubt, no API Client shall be designed to use the data for a purpose unrelated to the management of COVID-19 Vaccination, nor shall the period for which the data is retained by the API Client exceed the data retention provisions set out by Co-WIN.
5. The CVCs may retain patient data as required to comply with the existing applicable laws on data retention. However, no ASP shall store the Aadhaar number, or the details or any copy of the identity cards/documents used by beneficiaries, in either physical or electronic form, under any circumstances. Such information will be stored only at CoWIN and will be provided to the ASP's systems through the CoWIN APIs for facilitating various functional needs such as recording of vaccination events and generation of certificates.
6. Whenever personal information needs to be published for the purposes of managing COVID-19 vaccinations, only the last 4 digits of the Aadhaar number/identity document number may be printed.
7. The authorized organizations shall ensure that they generate and maintain auditable logs of the Co-WIN data collected and processed by the API Client, including details and records of the storage, access and sharing of any such data, and shall, on demand, make such logs available to the Co-WIN team.
8. The authorized organization shall not use the APIs, or the data available through the APIs, to engineer any products that automate the data input processes, especially those where the data is to be entered by the citizen/beneficiary. Provision of the API keys must not be construed as the Ministry's concurrence with any such misuse of the system, the APIs, or the data accessed or made available through the APIs.
9. The CoWIN APIs, and the data accessed through the APIs, shall not be commercially exploited.
9. Data Security
1. The authorized organizations shall use all reasonable efforts to protect the user data collected by the API Client from unauthorized access or use, take all measures as may be required by any applicable law in relation to the security of personal data, and promptly report to MoHFW's Co-WIN team and the users any unauthorized access or use of such information, to the extent required by law.
2. To the extent possible, the API Client should follow anonymisation principles, where applicable. All API communication should be conducted in a secure manner, using transport-layer encryption.