
tl;dr
IFF wrote to the National Health Authority (NHA) as part of the consultation conducted for the Ayushman Bharat Digital Mission’s Draft Health Data Management Policy (“Draft policy”). Through our inputs, we have tried to highlight the existence of a weak legal foundation and inadequate preparatory groundwork; excessive delegation; a constricted digital consent, confidentiality and privacy framework; over-reliance on an Aadhaar-based authentication system; and vague systems for anonymisation and de-identification, as well as the complete absence of strict access control requirements for personal health data.
Why should you care?
Increasing levels of digitisation across sectors come with opportunities as well as challenges. There can also be significant risks when digitisation is accompanied by insufficient safeguards and/or attention to privacy. These concerns are exacerbated in the health sector since healthcare data can also be sensitive personal data. Such data is also of great value to data brokers who may sell this data to private companies and researchers. As these records and databases transition to an online setting, users of healthcare services face an uphill challenge to protect this data.
Background
In September 2020, we sent comments on the National Digital Health Mission’s Health Data Management Policy (NDHM-HDMP) as a part of a consultation process. Subsequently, in June 2021, the Centre for Health Equity, Law, and Policy, and IFF drafted a working paper analysing the NDHM-HDMP. The earlier version of the Policy (NDHM-HDMP) was the subject of intense controversy. In a petition filed before the Delhi High Court by Dr. Satendra Singh, a noted disability rights activist, concerns were raised about the unreasonably short deadline for submission of feedback at the height of the COVID-19 pandemic. The petition also highlighted how the existing process excludes persons with disabilities, non-English speakers and people without internet access (Read more here). While the latest version of the Draft policy provided a reasonable deadline for inviting comments during the consultation process, it didn’t address many of the other concerns. The concerns and demands voiced in our earlier comments and working paper are echoed in our latest comments, since most concerns around the policy remain unaddressed. Through our comments, we have highlighted related legal, socio-economic and implementation issues, by analysing the Draft policy based on six criteria:
(a) Prerequisites to a digital health records system;
(b) Governance framework;
(c) Consent and confidentiality;
(d) Data privacy and security;
(e) Inclusion; and
(f) Access to health data by private entities.
For the purpose of this post and in the interest of not being repetitive, we will only point out the fresh changes in the Draft policy and the concerns they raise.
What’s new (...and worse)
- What’s in a name: Multiple names have changed under the National Digital Health Ecosystem, with the primary one being National Digital Health Mission (“NDHM”) changing to Ayushman Bharat Digital Mission (“ABDM”). Similarly, the Unique Health IDs (“UHIDs”) as conceived by the earlier version are now referred to as Ayushman Bharat Health Account (“ABHA”).
- Out of sight, out of mind: The detailed standards that the policy would adhere to have been diluted. From explicitly mentioning “international standards and/or other relevant standards related to data interoperability and data sharing as may be notified for the implementation of NDHM from time to time”, the Draft policy now restricts compliance to “relevant standards” and omits “international standards”. Furthermore, the shortened objective in the latest policy removes the obligation on the Ministry of Health and Family Welfare (MoHFW) to notify relevant standards related to data interoperability and data sharing to enable the implementation of ABDM.
- Issued in public (dis)interest: Clause 13.5 of the draft HDMP adds new exceptions that allow the processing of data without consent in the following three situations: a) Medical emergency where there is a threat to the life or health of the data principal; or b) Interest of Public health; or c) Order of the competent court. The first condition was a feature of the NDHM-HDMP as well, while the third condition may be understandable. However, the second condition’s ambiguous framing implies a considerable amount of arbitrariness that may provide the discretion to extract significant amounts of personal data in the name of public health. Additionally, the NDHM-HDMP explicitly provided users with the Right to correction and erasure, something which is conspicuously absent in the draft HDMP. Another notable change is that while the previous version provided that “a data principal may request for the creation of a Health ID at no cost”, the latest version reads “ABHA (number) may be created at no cost”, essentially taking away the agency from the patient to decide whether or not to get an ABHA number (Clause 15.1).
- My data, their rules: Clause 26.1 in the NDHM-HDMP, which states the obligations of the data fiduciaries while processing personal data, reads, “They will be accountable for complying with measures which give effect to the privacy principles while processing any personal data by it or on its behalf. However, the true ownership and control of the personal data will remain with data principals.” The draft policy, in the same Clause, has removed the term “ownership”, which is a huge blow to the idea, and the demand, that data principals should be owners of their personal data.
Our suggestions
Our recommendations to remedy the aforementioned issues remain consistent. There still exists a necessity to identify the need, purpose, and safeguards for healthcare data. The digitisation of health records and creation of digital health IDs must be reassessed by comprehensively studying the same in the context of efficacy and privacy concerns. An underlying legal foundation and a data protection framework along with a thorough evaluation of health system preparedness and government capacity must form prerequisites to a digital health records system. Doing so would shift the focus onto the protection of citizens’ digital rights and ensure robust regulatory mechanisms. For specific recommendations, please see the table below.
Summary of our recommendations
Important Documents
- IFF’s comment on the Draft Health Data Management Policy (link)
- Ayushman Bharat Digital Mission’s Health Data Management Policy (link)
- National Digital Health Mission’s Health Data Management Policy (link)
- IFF and C-HELP Working Paper: ‘Analysing the NDHM Health Data Management Policy’ (link)
- IFF’s comments on the National Digital Health Mission’s Health Data Management Policy (link)
This post was primarily drafted by Tejasi Panjiar, Associate Policy Counsel, and reviewed by Prateek Waghre, Policy Director.