Ed note: This is Part I of a two-part series on the National Digital Health Mission Policy. We would like to thank Nivedita Saksena for her valuable comments during the editorial process.
Affordable and efficient healthcare has been one of the top priorities of the incumbent Government since the fiscal year 2017-18. With the National Health Policy of 2017 and the injection of almost Rs 6,400 Crores into the Ayushman Bharat Scheme in 2019, the government has been making a conscious effort to ensure that the healthcare framework is overhauled for a better human development index of the nation.
Towards the end of fulfilling the objectives put forward by the 2017 policy, the National Health Authority (“NHA”) released the Draft Health Data Management Policy (“Draft Policy”) on 26th August, 2020 and invited comments from the public so as to ascertain the aspects which require fine-tuning for better implementation of the National Digital Health Mission (“NDHM”). It aims at creating a digitised and comprehensive system of electronic health records available for access by the different classes of stakeholders in the healthcare sector. This has been termed as the first step towards a National Digital Health Ecosystem (“NDHE”) which will be based upon a federated structure with division of data among the three levels, i.e. Centre, States and Individual Health Facilities.
One of the main concerns that this Draft Policy has attempted to address is the need for inter-operability of data collected across the aforementioned levels so as to maximise the efficiency with which the data is utilised, as well as the privacy of confidential health information. This would help in generating a trust quotient across the envisioned NDHE and subsequently integrating the personal health records and associated data of every Indian citizen.
The Draft Policy has been termed as a revolution towards the Digital India vision of the government and has the potential to be a complete game changer in personalised healthcare. With the Telemedicine Guidelines, 2020 in place, a policy dealing with digitization of health records can revamp the industry practices of the healthcare sector. The proper division of data control, across three levels (i.e. Centre, State and health facilities), instead of a centralised system will facilitate technological independence and flexibility in data processing and handling.
As far as the NDHM is concerned, another draft framework that aims at fulfilling its objectives is the Digital Information Security in Healthcare Act (“DISHA” Bill) for the creation of National and State e-Health Authorities. The purpose of this framework was quite similar to the Draft Policy at hand, i.e. ensuring standardization and proper regulation of digital health data collection, storage, transmission and further use. DISHA however provides for a narrow scope as far as the use of digital health data is concerned since it does not allow for commercial as well as anonymised use of said data for research (or other purposes). In this sense, the Draft Policy has a broader perspective and can take precedence in coming into force over DISHA.
The intention behind bringing about this advancement, by creating and maintaining digital health records and a unified repository of health data, is extremely commendable. The same, however, will not be conducive in the current scenario because of the potential privacy issues that may arise due to inadequate data protection laws in India. Thus, it may overshadow the benefits that the Draft Policy seeks to bring in this developing interrelationship amongst law, technology and health practice.
Exploring the Privacy Concerns in the Draft Policy
The Draft Policy envisions maintaining a record of personal health data of the populace while ensuring standards of security and privacy with respect to the data collected. Paragraph 3 of the Draft Policy further stipulates that safeguarding personal data is one of its key objectives. However, while it states that it would maintain standards of privacy, the provisions contained therein do not seem to be in line with the objectives set. The same is also reflected in the fact that this Draft Policy does not establish any relation between specific instances of data breach/leakage that may take place during the different stages of data collection and management and corresponding punitive measures.
1. Pointing towards the usage of Aadhaar
The Draft Policy provides for creation of Health ID under paragraph 15.2 and states that a Health ID may be generated by producing “Aadhaar number or any other document of identification” (without actually specifying the alternative documents, while laying explicit focus on the usage of the Aadhaar Card). It must be noted here that Aadhaar could not have been used as a health ID, as per the judgment of the Apex Court in K.S. Puttaswamy v. Union of India (5 J.) (“Aadhaar Judgment”). The scope of Aadhaar’s application was diluted through this verdict and it was held that Aadhaar cannot be used for any purpose other than the receipt of subsidies which are drawn from the Consolidated Fund of India.
It is a settled position in law that something which cannot be done directly shall not be done or sought to be done indirectly. However, in the present case Aadhaar would invariably be used by a vast majority of individuals, as a document of identification, since it is recognised as a primary proof of identity in India. Therefore, the Aadhaar Card of such individuals would get linked to their health data and it thus seems to be an attempt to bypass the directions issued by the Court (limiting the use of Aadhaar) in its judgment.
2. Excessive Data Collection
Moreover, the draft forwards an overly broad definition of sensitive personal data that can be collected, which includes financial information, physical, physiological and mental health data, medical records and history, genetic and biometric data, sex life, sexual orientation, caste and religious and political affiliation of the individuals. Paragraph 4(ee), while defining sensitive personal data, makes use of the phrase “shall not be limited to”, thus widening its ambit in a manner which stands in clear violation of the principle of data minimisation or collection limitation. This concept states that only the data which is necessary for a particular purpose shall be collected and processed, as was recognised in the case of K.S. Puttaswamy v. Union of India (9 J.) (“Privacy judgment”) and is envisioned by clause 6 of the Personal Data Protection Bill, 2019 (“PDP Bill”).
The wording of the Draft Policy raises several doubts over the understanding of Personal Data and its application, especially at the time of collection and subsequent processing. The lack of an operational structure while creating an NDHE reflects how the Privacy by Design concept laid down under Paragraph 26(3) is more of an afterthought rather than being the grundnorm of all clauses provided for in the Draft Policy.
The other flaw with the envisioned Draft Policy is that it simply delegates the task of data collection rather than operationalising said activity (Paragraph 7). This can be done through providing a uniform procedure which is mandatory for data fiduciaries to adhere to. The use of broad wording while defining sensitive personal data in the Draft Policy combined with excessive delegation of data collection and processing to both State as well as private players can lead to the creation of disjointed medical health records since each data fiduciary may follow different mechanisms (which also may or may not be in consonance with the core principle of Data Minimisation) for furthering of the objectives laid down under Paragraph 3.
The excessive collection of personal information of individuals may have huge negative ramifications with respect to the use of such extensive data. There exists a high chance of misuse by both Government as well as private third parties handling the data to further their interests such as undue surveillance, influencing behaviour, soliciting consent for research, creating tailored advertisements to target different kinds of data principals. There is a high chance of arbitrary and unreasonable classification among different classes of stakeholders by said data fiduciaries and subsequently the health practitioners owing to non-standardized collection of information, which in turn is a consequence of the broad net which has been laid down due to the Draft Policy’s wording.
3. The Risk of Data Re-identification
The Draft Policy provides for the sharing of anonymised and de-identified data with third parties so as to facilitate “health and clinical research, academic research, archiving, statistical analysis, policy formulation, the development and promotion of diagnostic solutions and such other purposes as may be specified by the NHA.” However, it must be noted here that experts maintain that anonymised data can be re-identified by combining various data sets. A study conducted in the United States revealed that 87% of the US population could be identified by using merely three data points: zip code, date of birth and gender of the person. Another study suggests that 99.98% of the US citizens can be correctly re-identified using 15 demographic attributes. This raises severe concerns as regards the de-identification model proposed by the Draft Policy. Anonymization and re-identification of basic attributes such as gender, birthdate and PIN Code are the aspects which are carefully analyzed during such research activities. On the basis of the aforementioned empirical findings, it is clear that ensuring extremely high standards of data anonymization is imperative for preventing re-identification of data, and the failure of the Draft Policy to adhere to them is a genuine cause for worry.
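An added illustration (not from the Draft Policy or the cited studies) of how a data fiduciary could measure this risk before releasing a dataset: it counts how many records share each combination of PIN code, date of birth and gender, then repeats the count after coarsening those fields. The records, field layout and function names are constructed assumptions for this example.

```python
from collections import Counter

# Constructed sample of a "de-identified" release: names and Health IDs are
# already removed, but PIN code, date of birth and gender remain.
RECORDS = [
    ("560001", "1984-03-12", "F", "diabetes"),
    ("560001", "1984-03-12", "F", "asthma"),
    ("560001", "1993-11-02", "M", "hypertension"),
    ("560034", "1984-07-30", "F", "depression"),
    ("560034", "1991-01-15", "M", "tuberculosis"),
    ("560095", "1991-06-21", "M", "hiv"),
    ("110001", "1965-09-09", "F", "cancer"),
    ("110003", "1965-02-17", "F", "diabetes"),
]


def exact(rec):
    """Quasi-identifiers exactly as released: full PIN, full DOB, gender."""
    pin, dob, sex, _ = rec
    return (pin, dob, sex)


def generalised(rec):
    """Coarsened quasi-identifiers: 3-digit PIN prefix, birth decade, gender."""
    pin, dob, sex, _ = rec
    return (pin[:3], dob[:3] + "0s", sex)


def risk(records, key):
    """Return (k, share_unique) for the release under the given key.

    k is the size of the smallest group of records that share the same
    quasi-identifier values; share_unique is the fraction of records that
    are alone in their group and so can be singled out by anyone holding
    an outside list with the same three attributes.
    """
    sizes = Counter(key(r) for r in records)
    k = min(sizes.values())
    unique = sum(1 for r in records if sizes[key(r)] == 1)
    return k, unique / len(records)


if __name__ == "__main__":
    print("as released :", risk(RECORDS, exact))
    print("generalised :", risk(RECORDS, generalised))
```

Coarsening the fields removes the singled-out records at the cost of less precise data, which is the trade-off between re-identification risk and usability that an anonymisation standard has to settle.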
It is essential to refer to the recommendations of the Justice BN Srikrishna Committee to understand how the concept of anonymisation forms a crucial link between law and technology. Owing to the lack of a proper framework dealing with data protection, there has not been research on the same in India. For the same reason even the Srikrishna Committee had to rely on research conducted in other jurisdictions while analyzing the different aspects of data minimisation, anonymisation and privacy by design as a whole to formulate a balanced legislative approach towards the adoption of dynamic and free flowing standards of secure data collection and processing.
Anonymisation is the process of removing identifiers from personal data in a manner which ensures that the risk of identification becomes insignificant. While analyzing different jurisdictions such as the EU and South Africa, the Committee concluded that there is a need for a balanced approach towards preventing identification of personal data through providing a broad definition of the same and ensuring that the standards of anonymisation and/or pseudonymisation are flexible as well as contextual to the nature of data processing. The Committee concluded that a rigid standard of anonymisation would do more harm than good and therefore was of the opinion that a generally accepted standard needs to be prescribed for a statutory body. Such a body can then create the requisite rules and dynamic standards for data fiduciaries to keep in touch with the technological advancements in data re-identification as well as ensure that privacy by design percolates to every level of data collection, processing, storage and anonymisation.
It is therefore imperative to take into account the individual risk of re-identification and balance it against the legally recognizable privacy-enhancing systems and security measures that would allow for data to be used in an effective manner while preserving the privacy of individuals. These systems include adoption of data minimisation techniques, employing secure file sharing, approved anti-tracking tools, tools masking privacy preserving computations and encrypting the stored data at rest. This would go a long way in bridging the gap that exists between the technology and the legal framework that is aimed at backing it.
Another drawback of the policy is that it is being pushed for implementation, independent of the PDP Bill. This argument shall be discussed in Part II of the article.