Move fast, break things? Not when sensitive health data is at stake! #SaveOurPrivacy

Donate to help sustain our work

Tl;dr

On Monday, IFF wrote to the National Health Authority as part of the consultation being conducted for the National Digital Health Mission’s Health Data Management Policy. Our primary demands are that deployment of any digital health ID programme must be preceded by (a) enactment of general and sectoral data protection laws by the Parliament of India; and (b) meaningful public consultation which reaches out to vulnerable groups which face the greatest privacy risks.

Background

The public consultation being conducted by the National Health Authority for the National Digital Health Mission’s Health Data Management Policy (Draft Policy) has been the subject of intense controversy. Earlier this month, a petition was also filed before the Delhi High Court by Dr. Satendra Singh, a noted disability rights activist, which raised concerns about the unreasonably short deadline for submission of feedback at the height of the COVID-19 pandemic, and highlighted how the existing process excludes persons with disabilities, non-English speakers and people without internet access (Read more here).

Subsequent to the hearing before the Delhi High Court, the National Health Authority announced that the deadline for submission of feedback would be extended till 21 September 2020 and people could send their feedback through offline modes such as post or courier as well. It also indicated that it was undertaking measures to make the consultation process accessible for persons with disabilities in accordance with existing government policy. However, despite these concessions, the consultation process still remained violative of the Rights of Persons with Disabilities Act 2016, Official Languages Act 1963 and the Pre-Legislative Consultation Policy 2014 (Read more here).

IFF’s submission to NHA

In our submission to the National Health Authority, we have highlighted five key legal and technical concerns associated with the Draft Policy and the National Digital Health Mission (NDHM) more generally.

(i) Lack of data protection legislation

The submission emphasizes on the importance of an underlying legislative framework by relying on standards established by international bodies such as the World Health Organization (WHO) and the United Nations HIV/AIDS Programme (UNAIDS) for national digital ID projects. Our submission notes that ensuring health data privacy requires legislation at three levels- comprehensive laws, sectoral laws and informal rules. Applying this framework to India, we demonstrate that India neither has a comprehensive law since the Personal Data Protection Bill, 2019 is still pending in Parliament, nor does it have a sectoral law like the proposed but yet to be enacted Digital Information Security in Healthcare Act, 2018. Viewed through this lens, the Draft Policy can at best be considered a set of informal rules which lack any statutory basis.

In addition to WHO, UNAIDS has also emphasized that national level privacy legislation is necessary to address privacy concerns associated with national health IDs. The UNAIDS Report further states that prior to deployment of any national health ID programme, “it is essential to engage with people living with HIV and members of key populations and other vulnerable groups, including sex workers, men who have sex with men, people who use drugs and people with disabilities, so potential concerns such as access to cards and care, risk of unlawful access and use by law enforcement agencies and others can be identified and addressed.” The consultation process for the Draft Policy which has only been published on the internet in English and which was not accessible for persons with disabilities clearly falls short of these standards established by UNAIDS.

(ii) De facto mandatory nature of Digital Health ID Programme

As reported by various media publications, registration for a health ID under the NDHM may be voluntary on paper but it is being made mandatory in practice by hospital administrators and heads of departments. As doctors from Chandigarh quoted in the Caravan note “It feels like strong-arming really...There is a hierarchy and we have to follow orders, even if they don’t give it in writing, if your HOD asks you to register you have to register” and “They keep asking to give constant updates on how many members from our department have registered with the health ID, and so everyone has to ensure they have registered otherwise the HOD will know, and who knows what the repercussions will be.”

The de facto mandatory nature of the digital health ID programme under NDHM can be addressed only if it supported by an underlying legislation which clearly places a bar on denial of healthcare services because of lack of a digital health ID, and prescribes strict penalties for erring government officials who make use of such health IDs mandatory.

(iii) Linkage of Aadhaar with Digital Health ID

The use of Aadhaar number for the purposes of authentication of identity at the time of registration raises serious privacy concerns about linkage of a person’s health data with other databases, and it increases the likelihood of the National Digital Health Ecosystem being connected with systems beyond the health sector.

Additionally, the non-inclusion of official identifiers like Aadhaar number within the definition of sensitive personal data under the Draft Policy is inconsistent with the government’s own Personal Data Protection Bill and may lead to inadequate protection being provided to Aadhaar details shared by participants in NDHM.

(iv) Risk of re-identification of anonymized data

The Draft Policy does not adequately address concerns about reidentification of de-identified or anonymized health data which is now widely understood to be a real threat. For instance, researchers have been able to re-identify 43% of known patients by matching de-identified data sets against news reports. Researchers have also found that 87% of the population in the United States can be uniquely identified based on only three characteristics - ZIP, gender, date of birth - and proven that any data set which includes these highly identifying characteristics cannot not be considered anonymized.

(v) Threat of data breaches

Executives in the healthcare sector have recognized the cybersecurity risks posed by the NDHM. Further, India has a past record of breaches of sensitive personal data like financial information. For instance, in 2016, 3.2 million debit cards were recalled by various banks due to a data breach. Any similar leak of sensitive health data collected as part of NDHM would cause severe and irreparable harm to millions of citizens which cannot be quantified or compensated in monetary terms. For this reason, it is essential that independent technical experts are provided more time to thoroughly scrutinize the National Digital Health Ecosystem’s technical design and there should be full disclosure of all information that is necessary to conduct such an independent evaluation.

Important Documents

  1. IFF’s submission dated 21.09.2020 to the National Health Authority (link)