Ed note: This is Part II of a two-part series on the National Digital Health Mission Policy. Part I can be accessed here. We would like to thank Nivedita Saksena for her valuable comments during the editorial process.
Lack of an Anchoring Legislative Framework
The Draft Policy relies heavily on the PDP Bill for its provisions dealing with privacy, without specifying the relation between the two. This can lead to the creation of a horizontal structure having a force of law which is considerably lesser than that available to a legislation which has been passed by the Parliament. As it has been held in M/S Ispat Industries Limited v. Commissioner of Customs, the statutory law is higher in hierarchy than administrative orders or executive instructions not having legislative backing. It is therefore imperative that governance of sensitive data, including but not limited to determining the categories of such data, is placed in the hands of a statutory body rather than an autonomous executive body i.e. National Health Authority. It is apparent that the government think tank NITI Aayog exercises considerable control and influence in the functioning of NHA. The NITI Aayog has already delegated a lot of private players to propose models for the creation of applications that would be required in the implementation of the Draft Policy. Such a great involvement of private parties in a matter dealing with the Fundamental Right to Privacy and Health of citizens does not seem to be conducive towards the aim of creating an accountable and transparent system of digitised health records.
Furthermore Paragraph 6 of the Draft Policy stipulates that the relevant structures, practices and standards dealing with different aspects of health data collection would be specified by the NHA from time to time. It must be noted, however, that the NHA was established specifically for the purposes of Ayushman Bharat. Therefore it is evident that the Draft Policy affords excessive powers of implementation to the NHA for which there exists no legal basis whatsoever as it was created as an agency only for the aforementioned scheme.
Additionally there is a requirement of bringing to the fore a major issue behind the implementation of this Draft Policy. While the Draft Policy borrows certain provisions/definitions from the PDP Bill, it disregards the protective framework which it seeks to establish. Owing to a lack of relief measures in the Draft Policy as well as disregard for the aforementioned vision of a supervising authority, i.e. the Data Protection Authority (Section 53 of the PDP Bill) the Rights of Indian citizens are potentially at risk under this regime of Digital Healthcare. Presently the collection, usage and processing of data is regulated by certain provisions of the Information Technology Act, 2000 (“IT Act”) coupled with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (“SPDI”).
Dr. Praveen Gedam, the Additional CEO of NHA has clarified that the existing legal framework of IT Act along with related laws such as the Civil Procedure Code (“CPC”), the Code of Criminal Procedure (“CrPC”), the Indian Penal Code (“IPC”) and the Consumer Protection Act would be sufficient enough for successful implementation of the Draft Policy. It can hence be seen that this Draft Policy has been planned to roll out before and independent of the enactment of a separate legislation specifically dealing with personal data regulation. It must, however, be noted here that the existing laws are not broad enough to address the threat to privacy posed in the present times. Moreover, under Section 43(a) of the IT Act and the aforementioned SPDI 2011 Rules apply only on body corporates and not on the government. Owing to the fact that India not only lacks a specific law that provides for data protection but also because this policy and any law that would be implemented, based on the ideals of this policy, would by itself not attribute any liability for an instance of violation (as such a law would rely on the existing laws/legislations for the said purpose), there exist serious doubts with regard to the ideals proposed by the Draft Policy.
Examining the Draft Policy on the Touchstones of Proportionality
Additionally, the present Draft Policy also appears to be against the spirit of the right to privacy of individuals, guaranteed under the Indian Constitution. It may be argued here that the Right to Privacy is not an absolute right and is subject to reasonable restrictions. At this juncture, reference must be made to the ruling of the Supreme Court in the Privacy judgment where Justice Chandrachud laid down a three-fold test of proportionality and held that any encroachment upon the right to privacy can only be justified when the following prongs of the test are satisfied:
- Legality (i.e. there exists a valid piece of legislation justifying such encroachment)
- Necessity (i.e. the proposed action must be necessary in a democratic society for a legitimate aim)
- Proportionality stricto sensu (i.e. a balance must exist between the extent to which rights are infringed and the legitimate purpose of the State)
This Draft Policy however, fails to meet the very first prong laid out under the test due to the absence of a comprehensive legislative framework that allows the State to truncate the Right to Privacy of an individual. Furthermore, the benchmark of proportionality is also not satisfied here. While the test states that any infringement on the privacy of the individual must be achieved in the least restrictive means, the Draft Policy, as stated earlier, provides for a wide ambit of data that can be collected and processed.
It was held in the Privacy judgment that: “If the State preserves the anonymity of the individual it could legitimately assert a valid state interest in the preservation of public health to design appropriate policy interventions on the basis of the data available to it.” However, the same judgment also stated that such a truncation or curtailment could only be done under the regime of law, i.e. when it is backed by a definite legislative framework meeting the test of constitutionality (proportionality test).
As has been established earlier, this policy does not have an anchoring legislation justifying it and does not intend to pursue its objectives in the “least restrictive” sense as laid down in the Privacy judgment. While public health is a valid restriction to the fundamental Right to Privacy, the same cannot be a ground for its ‘disproportionate infringement’. Moreover, it is a settled proposition of law that the protection or promotion of one fundamental right (Right to Health, here) should not come at the cost of violation or disproportionate infringement of the other as is laid down in the Aadhaar Judgment (Para 1383).
Participation in the NDHE: Voluntary only in letter or also in spirit?
It would also be pertinent to note that the present Draft Policy (which has been released as a step towards creating a NDHE) states that the participation of an individual in the NDHE would be voluntary. However with the shift towards digital modes, as can be witnessed in most of the other sectors, rendering services digitally in the healthcare sector might become a standard practice in the near future. This could entail that the people, who did not participate in the NDHE initially, would not be provided with a similar access to healthcare services (and it would create an artificial distinction between the same classes of people). Fearing the same, a significant portion of the population, might participate in the NDHE, thereby putting their privacy at stake. It is essential to learn from the previous experiences (eg. implementation of Aadhaar) with such a non-exclusion clause, as provided in the Draft Policy, as such clauses if they remain only on paper lose their effectiveness in real practice. It is therefore imperative that comprehensive guidelines remedying instances of service denial and related violations be put in place to ensure complete protection of Fundamental Rights of non-participants.
Therefore, the present Draft Policy not only fails to show how the data of individuals would be protected and not be compromised but, at present, it itself seems to be against the privacy of individuals.
It is clear that this step towards digital privacy with respect to personal healthcare has a lot of upside to it but it is currently limited by the law of its time. The importance of a legislation backing the regulation of personal data is paramount for the successful implementation of such a revolutionary scheme. It is therefore necessary to secure a proper data protection framework reinforcing the Draft Policy so as to address the issues which can arise from the large scale collection of sensitive data.
The negative ramifications of digitizing personal healthcare with intricate data protection laws in place have been observed in nations such as Australia. In 2012, Australia launched a similar scheme, My Health Record, that provided the individuals and their healthcare providers the access health information, was launched. However it came in for heavy criticism due to the underlying privacy concerns, lack of transparency and the usage of such data. It therefore appears that India has failed to learn from the experiences of even the technologically advanced nations (such as Australia), that have had troubles in adopting and implementing such a framework, despite having dedicated data protection laws.
Thus, the Indian initiative towards a digitised health data registry seems to be rushed into. It should be realised that the need of the hour is not to digitise the health data of individuals but to address the lacunae of our current healthcare regime, as have been brought to light in the recent times.