Draft Health Data Management Policy attracts concerns regarding data privacy

The ongoing pandemic has revealed the gaps in India’s public health infrastructure. On 15th August 2020, the Prime Minister announced the launch of a National Data Health Mission (NDHM) which aims to create a universal health care system in India. It intends to fix the gaps in the public healthcare sector through digital interventions. Led by the National Health Authority, it recently put up a draft Health Data Management Policy on its website and made it available for public consultation. The Policy is intended to act as a guidance document across the NDHM and to set out the minimum standard for data privacy protection that should be followed across the board. It is intended to supplement any law on this subject matter and not override it.

The policy seeks to create a digital repository of personal and health data, accessible by individuals and healthcare service providers. The NDHM has emphasized that the policy is in furtherance of its “Security and Privacy by Design” principle. In particular, the policy provides for the setting up of a ‘Health ID’, a unique 14-digit identification number linked through either the Aadhar card or an individual’s phone number. The creation of the Health ID will be free and voluntary, so citizens can ‘opt-out’ of the system. The ID can be generated digitally or at health care facilities. The NHA has already started testing the Health IDs by rolling them out in six Union Territories: Puducherry, Chandigarh, Dadra and Nagar Haveli, Ladakh, Andaman & Nicobar Islands, Daman and Diu, and Lakshadweep.

The Health ID will be accompanied by a ‘health locker’, a collection of an individual’s personal and sensitive data which will be solely owned by her. Sensitive data, under the policy, include a citizen’s financial details, their physical and mental health, sex life, medical records, gender, as well as sexuality, caste, religious and political beliefs, genetic and biometric records. The collected data shall be stored at three levels – Central, State or Union Territory, and the health facility level.

The data collected can be processed by ‘data fiduciaries’ such as hospitals, diagnostic centres, public health programs or other such entities registered with the National Health Infrastructure Registry under a consent framework, where the data subject has complete control and decision-making power with respect to their data. They have been allowed to share personal data with ‘Health Information Users’ (HIU) after obtaining the individual’s consent, and can also make de-identified or anonymised data available for a wide variety of purposes, including the facilitation of health and clinical research, academic research, archiving, statistical analysis, policy formulation, the development and promotion of diagnostic solutions, etc. The collected data may be shared with HIUs, such as doctors or medical institutions, although the exact definition is to be determined by further NHA instructions. Prior to any use of data by HIUs, the individual would have to be notified and their consent would have to be taken. Individuals would also have the right to request erasure or restriction to access their data unless its storage for a specific period of time is mandated by law.

This policy appears promising on certain fronts - firstly, it aims to set up a consent framework for secure data sharing across different stakeholders in the health industry. Health data portability and interoperability can be a very effective tool to deliver health services in a quality and timely manner. In cases of a pandemic, as we have seen recently, public health intervention can be run effectively as data will be available at hand to model the best outcomes. The policy introduces the concept of a “consent manager”. Consent can be enforced and verified only where there is a proper record and verifiable audit trail of use and disclosure. A consent manager, whose standards are well defined, can be a useful tool in this.

For the policy to be really beneficial to the public, a couple of things need to be ensured. First and foremost is security. If individuals are entrusting large amounts of sensitive data to the government, the government needs to convince them that they have a robust security infrastructure in place to protect their data’s confidentiality and integrity. Secondly, the Personal Data Protection Bill, 2019, as it stands, gives the government power to exempt itself from the data protection obligations therein, if required in certain circumstances like maintaining public order. Unless this power is circumscribed by a due process of law, the guiding principle of this policy of ‘privacy by design’ is moot. We cannot have a repeat of the Sprinklr case. Something as sensitive as health should not be a ‘free for all’ and accountability needs to be fixed at all levels.

The draft has been made open for public consultation until 21 September 2020. Privacy experts and other stakeholders have been given the opportunity to voice their concerns and provide feedback on the policy. If the necessary changes are made by the NHA, India may finally have a robust healthcare data framework. The need of the hour is a policy which provides accessibility in the healthcare sector while protecting the privacy and data security of citizens.

Akshaya Suresh

Akshaya is a partner at VB Legal, Chennai; and formerly served as Director (Legal) of Freshworks.