IFF submits its comments on the Draft Health Data Retention Policy


06 January, 2022


IFF has provided our comments on the Consultation Paper on Proposed Health Data Retention Policy (‘the Policy’). The policy was put up for public comments on November 23, 2021. In our comments, we have tried to highlight the harms of mandatory data retention, issues around a fragmented healthcare regime and data portability issues.


India, even today, lacks uniform guidelines on the retention of health records by various healthcare entities and systems. These fragmented approaches fail to achieve long-term health benefits and therefore affect patients' rights. In the absence of a uniform form, digital or physical, patients are also restricted in their choice of healthcare facilities or have to bear additional costs when switching between healthcare providers.

In August 2020, the National Health Authority had issued a press release announcing the public consultation for the Draft Health Data Management Policy (HDMP) for the National Digital Health Mission (NDHM). We had provided legal support to a petition that challenged the consultation process for the HDMP. After hearing the petition, the Delhi High Court directed the government to consider the consultation process in accordance with existing policies such as the Pre-legislative Consultation Policy, after which the government extended the deadline to September 21st, 2020. However, several issues remained, such as the inaccessibility for persons with visual impairments as well as the online-only and English-only mode of consultation. Thus, we wrote to the Ministry of Health and Family Welfare regarding these issues.

Subsequently, we also submitted our comments on the HDMP. Our comments centred on the following themes: the lack of data protection legislation, the de facto mandatory nature of the Digital Health ID Programme, the linkage of Aadhaar with the Digital Health ID, the risk of re-identification of anonymized data, and threats due to data breaches.

Further, we also submitted our comments on the National Digital Health Mission’s consultation paper on the Unified Health Interface, in which we focused on five key issues, namely: the need for more diverse feedback, the risk of market capture by the private sector, the risk of digital exclusion, financial exploitation and service pricing, and the need for public digital infrastructure.

And after the Ministry of Health and Family Welfare notified the Unique Health Identifier Rules, 2021 on the 1st of January, 2021, we wrote an explainer to contribute to an evidence- and fact-led public discussion on the use of digital technology in public health.

We also co-authored a paper ‘Analysing the NDHM Health Data Management Policy’ along with the Centre for Health Equity, Law and Policy analysing the notified NDHM-HDMP through various lenses such as prerequisites for a digital health record system, governance framework, consent and confidentiality, data privacy and security, inclusion, and access to health big data by private entities.

On November 23, 2021, in its quest to introduce data-driven approaches in order to realize the goals of the Ayushman Bharat Digital Mission (ABDM), the National Health Authority released the Consultation Paper on the Health Data Retention Policy (‘draft HDRP’). Although the envisaged aim of the draft HDRP is to ensure an efficient healthcare system by encouraging interoperability of patient records and retention of records to ensure better healthcare, we unequivocally believe that safeguarding patients’ rights, and not only industry needs, is a prerequisite for implementing a robust digital health records system, and it is to this policy that we now turn.

The Health Data Retention Policy

The draft HDRP aims to maintain health records in a federated architecture to ensure continuity of care via interoperable systems maintaining the availability of health data. The consultation paper seeks comments on framed issues covering the policy, strategic, technical, and legal matters of health data. However, the policy states that “Health Data Retention Policy is prospective, not retrospective”, which is worrisome as there exists a huge amount of health data collected even prior to the policy, most recently during the coronavirus pandemic through various applications and healthcare facilities.

The draft HDRP identifies the need for guidelines on data retention for personally identifiable information (PII), or personal health information (PHI). The draft HDRP also seeks comments on the scope of the policy. The paper proposes two options for the scope of the policy: to cover only those entities that have opted in to the NDHE framework, or to extend to all healthcare facilities regardless of their choice to opt out of NDHE.

The paper classifies health data records on the basis of record type, recognizing their value based on the frequency of usage and the expected repeat references required for treatment or medical investigation, viz., those pertaining to the outpatient department, in-patient or medico-legal records, and special data types like mental or genetic health records, data collected from proxy devices like wearables, etc. Further, the policy also discusses the need for and harms of maintaining health data records on the basis of the granularity needed, such as in cases of any new patient category or genetic disorders where the patients' rights might be overridden by others.

Our response to the consultation

The draft HDRP contained several questions for consultation across a wide range of topics, including the scope of the HDRP, retention timelines for data, and the overall governance structure:

  1. Scope of the policy: As the pace of digitisation proceeds in modern India, it is likely that the healthcare sector too will increasingly ‘go digital’. That such a process has already started can be seen by the rapid rise in telemedicine and e-Consultations. For example, as of 4th October 2021, the Union Government’s telemedicine initiative completed 1.34 crore consultations, with 80.33 lakh doctor-to-doctor consultations and 53.78 lakh patient-to-doctor consultations. An independent report by Praxis Global Alliance predicted 40 crore total consultations by the end of 2021. Thus, even smaller private clinics are likely to adopt some form of digitisation.
    As a result, it is important to ensure that as and when medical institutions digitise, adequate safeguards for data privacy and user consent are implemented. Thus, we have recommended that the policy be applicable to all healthcare entities from a health data retention perspective. This would also ensure that a comprehensive plan for digitising medical institutions across the scale is implemented.
  2. Manner of implementation: We have recommended that the policy should be implemented in a phased manner and should be complemented by capacity-building measures. A comprehensive digital healthcare system can only be built on the back of robust infrastructure, something India may lack at present. Pushing the implementation of digital health without adequately taking into account and planning for these requirements will cause more harm than any stated benefit of digitization. In many cases, physical infrastructure or capacity itself is deficient: a NITI Aayog report has stated that nearly 33% of patients who get admitted to private hospitals in India go to nursing homes manned by just one healthcare worker.
    Furthermore, some studies evaluating existing electronic health record (EHR) systems in India find several deficiencies, particularly in relation to the quality of data being recorded (see here, here, and here). In addition, in countries that have implemented EHRs, several studies and surveys reveal that physicians are dissatisfied with EHRs for reasons of burnout and loss of productivity, with consequences for the quality of care for patients.
  3. Data retention periods for various classes of data: As per The Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002, the following types of data have been identified: Indoor Records - standard proforma for 3 years from the commencement of treatment; Outpatient Records - 3 years from treatment; and Medico-legal cases - until the final disposal of the case.
    Such timelines may be suitable for adoption. However, in many cases, the very advantage of implementing EHR systems is claimed to be the ease of storing records over long periods. Certain patients may also be genuinely willing to store their medical records as EHRs over a long duration. Thus, it is recommended that the retention period may be extended on the basis of patient consent. Such consent must be: freely and clearly given, informed as to the scope of the consent, specific as to the purposes of collecting or processing the data, and capable of being withdrawn at any time. However, such extensions must be limited to a period of one year at a time, after which explicit consent must be obtained once again.
  4. Pressing need for health data regulations: The Supreme Court of India, in Justice K. S. Puttaswamy (Retd) Vs Union of India, held that privacy of medical/health data is a fundamental right under Article 21 of the Constitution. Consequently, any policy with a significant bearing on this right must meet the four tests laid down by Puttaswamy, i.e. the measure must be (a) a procedure established by law aimed at a legitimate goal; (b) just, fair and reasonable; (c) proportionate to the objective sought to be achieved; and (d) have procedural guarantees to check against abuse by state or non-state actors.
    The need for strong data protection laws to implement digital health is recognised and emphasised globally. In 2006, the World Health Organisation recommended that governments, as a prerequisite to digitisation efforts, enact a comprehensive data protection law and build capacities to regulate all processes related to data, protect rights to consent, confidentiality and privacy, and safeguard individual health data from unauthorized access, abuse and theft. In 2018, the World Health Assembly, while recognising the potential of digital technologies to support health systems, called upon member states to develop legislation around issues such as data access, sharing, consent, security, privacy and inclusivity consistent with human rights obligations.
    Thus, till such legislation is enacted, temporary guidelines must be issued under Section 2(1) of the Epidemic Diseases Act, 1897 that would specify the standards and safeguards to be followed while storing/processing health data. This would, by definition, include retention timelines and any related policies thereof. Such regulations must stay in force till: a) a data protection legislation is enacted and b) specific guidelines for health data are specified by the regulatory body envisioned by the legislation.

To see all of our recommendations in-depth, please see our full consultation response here! We would also like to thank Radhika Radhakrishnan of the World Wide Web Foundation, whose working paper ‘Health Data as Wealth: Understanding Patient Rights in India within a Digital Ecosystem through a Feminist Approach’ was an invaluable resource for us.

Important Documents

  1. Consultation Paper on Health Data Retention Policy by NHA. (link)
  2. IFF’s Consultation Response to Draft Health Data Retention Policy. (link)
  3. IFF’s submissions on the Unified Health Interface Consultation Paper (link)
  4. IFF and C-HELP Working Paper: ‘Analysing the NDHM Health Data Management Policy’ (link)

The post was drafted with the assistance of Gyan Tripathi, a fourth-year law student from Symbiosis International (Deemed University), Pune, and reviewed by IFF staffer Rohin Garg.
