The National Digital Health Mission stands on weak footing. The Health Data Management Policy’s vague provisions don’t uphold its lofty guiding principles
By Shefali Malhotra, Rohin Garg & Shivangi Rai
The Policy seeks to develop a national health information system, by facilitating the creation of Unique Health Identification (UHID) for individuals and healthcare providers; and the collection, storage, processing and sharing of personal health information, as electronic health records (EHRs). Every individual’s UHID is linked to his or her EHR. While digitisation enables seamless and efficient exchange of information, it also entails significant risks to privacy, confidentiality and security of personal health data. The Policy purports to mitigate these risks, through two guiding principles: “security and privacy by design” and individual autonomy over personal health data. However, fundamental design flaws may end up increasing instances of personal health data breaches.
The Supreme Court, in Puttaswamy, held that the right to informational privacy is a fundamental right and any encroachment on this must be supported by law, also calling for enacting a comprehensive data protection legislation. Contrary to this, the digitisation process being rolled out under the Policy is not supported by any law. This remains a concern as unauthorised disclosures and breaches would cause serious and irreparable harm to individuals.
The Policy itself establishes the NDHM, which will function like a regulator performing legislative, executive and quasi-judicial functions. Setting up a regulatory authority entails a law that defines the boundaries within which it can function, while ensuring independence from government interference and accountability to Parliament. Instead, the Policy leaves it entirely to the NDHM, an executive authority, to define its own governance structure.
The privacy by design framework may be bogged down by weak accountability mechanisms vis-à-vis secondary use of digital health data for research and policy planning, particularly by private firms. The Policy permits sharing of aggregate and anonymised health data, on the premise that anonymisation conceals individuals’ identity. However, several studies have shown that anonymised datasets can be easily de-anonymised to link back to personally identifiable information, risking individual privacy.
The Policy also does not limit the use of aggregate health data to public health purposes, and prohibit data monetisation. Without strict purpose limitation, private firms may use people’s health data to enhance profits, at the cost of individual rights and societal interests. For example, insurance companies may freely use granular health data to profile and score individuals, leading to denial of coverage for high-risk groups and volatility in premium amounts. Recently, the Insurance Regulatory and Development Authority of India warned insurers against using leaked personal health records of COVID-19 patients to deny coverage or block claims.
The problem of weak accountability extends to personal health data as well. For example, the Policy does not require reporting of personal data breaches to affected individuals. This not only impedes the rights to information and access to grievance redress, but also increases the possibility of illegitimate state surveillance. For instance, a recent RTI query revealed that the chief medical officer of the Kulgam district in Jammu and Kashmir was surreptitiously sharing Aarogya Setu users’ data with local police authorities.
This suggests that one-time consent for one or more broad purposes may be sufficient, as opposed to informed consent for every instance of personal data processing.
The Policy also lacks clarity on two other measures. First, it does not stipulate ‘data masking’ as a measure available to individuals to ensure confidentiality of their data. In simple terms, data masking is a technique to hide specific sensitive health information in EHRs, disclosure of which could cause serious stigma and discriminaiton to an individual. Such information would be accessible even to health care providers only with the specific consent of the individual.
Second, the Policy does not expressly mandate informed consent for creating UHIDs. It seems to suggest that informed consent will be taken for digitisation of medical records, and consenting individuals will be issued a UHID. However, in practice, UHIDs are being issued without taking informed consent for digitisation or for UHID. Innumerable instances have been reported where UHIDs have been allotted to individuals, who got COVID-19 vaccinations using Aadhaar, without their knowledge or consent.
The Policy rightly sets out privacy by design and individual autonomy as its guiding principles. However, vague provisions and on-ground implementation are failing to adhere to these principles. In a recent working paper, published by the Internet Freedom Foundation and the Centre for Health Equity, Law and Policy, we examine various implications arising from the Policy. In a country with an uncertain cybersecurity environment, poor digital literacy and weak state capacity, the adverse implications can be particularly severe and widespread.
While addressing the gaps in the Policy is necessary, it is not sufficient. A comprehensive data protection law (with health sector specific rules) as well as meaningful and sustained stakeholder engagement, are imperative for guiding the development of a digital health ecosystem in an effective, efficient and equitable manner.
Malhotra is research consultant and Rai is deputy coordinator with the Centre for Health Equity, Law and Policy, ILS Law College, Pune. Garg is associate policy counsel with the Internet Freedom Foundation, New Delhi