Digital highways are under construction, says the National Digital Health Mission (NDHM), and will form the backbone of the country’s integrated health infrastructure to bridge the existing gaps between stakeholders. However, legal and policy experts feel that in the absence of a strong personal data protection law in the country, these digital highways would be riddled with potholes.
Earlier this week, the centre approved NDHM’s health data management policy, meant to set out the minimum standard in data privacy protection, for all participants in the National Digital Health Ecosystem (NDHE).
A full-scale rollout of NDHM would mean health IDs for every citizen, encapsulating their medical history, personal health and electronic medical records, diagnosis, and other relevant data to inform better health treatment. These Health IDs could be integrated with one’s Aadhaar or mobile number and would help the central government target the key beneficiaries for its welfare schemes.
Other offerings such as DigiDoctor, a comprehensive repository of licensed doctors practising acceptable forms of medicine, would be developed by the NDHM, by leveraging the digital health infrastructure that it’s looking to build through voluntary signups for Health IDs.
However, domain experts are of the opinion that while certain concerns raised about the draft policy have been duly addressed by the government, some nagging issues remain in the final policy that’s been passed.
Health Data Policy Before Data Protection Law?
Prasanth Sugathan, legal director at Software Freedom Law Centre or sflc.in, pointed out that the health data management policy will operate in the absence of robust legislation governing personal data — India’s Personal Data Protection Bill is currently before a standing committee of Parliament.
Further, the policy is not in compliance with the Supreme Court’s judgment in Justice KS Puttaswamy (Retd) vs Union Of India And Ors, 2017, which categorically states that there must be a law governing data collection and processing.
And while the policy has provisions on non-compliance, which talk about non-compliant actors being excluded from NDHE or losing their IDs, they don’t include penal provisions or levy a fine as punishment. That is because penal provisions can only be passed by Parliament.
“The provisions on non-compliance are hollow in the sense that they cannot legally penalise any healthcare provider, health information provider, or any of the other persons who form a part of NDHE,” Sugathan told Inc42.
Sugathan also pointed out that while the policy provides for data deletion or correction on the request of the data principal (the person to whom the data relates), it doesn’t provide adequate grounds for the data principal to delete their data.
The policy says that data principals can request the erasure of their data if the storage of the personal data violates any of the data protection principles. However, given the limited nature of the data protection principles laid out in the policy, this clause would only create friction between the data principal, who’s requesting the erasure, and the data fiduciary, who will assess that complaint.
“Interestingly, while at one place the policy recognises the absolute right of the data principal over their data, it does not give an absolute right to the data principal to delete their data,” added Sugathan.
What Does Sensitive Personal Data Mean?
One of the contentious passages in the draft policy said that sensitive personal data, for the purpose of collection, could pertain to one’s finances, physical and mental health data, sex life, medical records, gender and sexuality, caste, religious and political beliefs as well as genetic and biometric records.
The same has been edited in the final policy to read: “‘sensitive personal data’ means sensitive personal data as defined under Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and shall include official identifiers (Aadhaar or any other government-issued identification).”
Sugathan felt that concerns raised about the nature of the ‘sensitive personal data’ have been addressed by the government in the final policy. But Rajat Prakash, managing partner at law firm Athena Legal, said that the edited portion could be a clever diversion to an existing regulation, which may mean the same thing.
“The SPDI (sensitive personal data or information) rules don’t include genetic data, transgender data, sex life, intersex status, caste, or tribe, or religious or political belief or affiliation. However, the rules state, ‘any data relating to the above clauses as provided to body corporate for providing service’,” Prakash told Inc42.
“Thus genetic data, transgender data, sex life, and intersex status might be included through ‘sexual orientation and medical records and history’. Nevertheless, it does seem that the government has taken notice of the concerns raised about the description of sensitive personal data in the draft policy,” he added.
It is worth noting that data pertaining to one’s sex life, intersex status and sexual orientation could be useful for the diagnosis and treatment of a range of medical problems, including those relating to mental health.
What About Stakeholder Consultations For Draft Policy?
The government claims that the health data management policy has been passed after a month of soliciting feedback from stakeholders and the general public, from August to September 2020, during which time the draft policy was in the public domain.
But the Internet Freedom Foundation (IFF), an Indian digital liberties organisation that seeks to ensure that technology respects fundamental rights, has previously flagged several issues about the manner in which stakeholder consultations for the health data management policy took place.
The IFF has claimed that the process of stakeholder and public consultations actually took place for 15 days, which, in the middle of the pandemic, proved insufficient for many to analyse the policy and form an opinion on it.
On September 3, 2020, the Delhi High Court heard a writ petition, filed by Satendra Singh, a doctor and disability activist. Singh had written in his petition about the consultation process for the draft policy not respecting the right of participation of disabled persons. The petition also talked about the government limiting access to the policy for a huge mass of the population by releasing it only in English. It also flagged the purely online process of submitting comments, since only 54% of India’s population has access to the internet.
There is also the matter of the de facto mandatory nature of the Digital Health ID program, even though the government and its policy state otherwise. Recently, a Caravan report talked about doctors in Chandigarh’s Post-Graduate Institute of Medical Education and Research being asked to mandatorily register for the program. Experts Inc42 spoke to felt that the Digital Health ID program could be very similar to Aadhaar, which is also ‘voluntary’ on paper, but made mandatory by certain institutions, both government-owned and private.
How Can India Leverage Health Data?
According to Aryaman Tandon, practice leader for healthcare at Praxis Global Alliance, the health data management policy could furnish a host of innovative use cases, subject to an amelioration of digital and tech literacy in the smaller towns and rural areas.
“In a lot of tier 2/3 regions, adoption of tech is low. How is the training provided to users will be key. Finally, what do we do with the data – analytics, preventive measures, disease outcome studies, will make it truly useful,” he said.
Meanwhile, we have analysed whether the digital Health IDs, talked about in NDHE, will end the data drought for India’s healthtech startups.