On 26 August, the government released the draft health data management policy of the National Digital Health Mission (NDHM), which seeks to digitize the health ecosystem in India and introduce a unique health ID for every citizen. The National Health Authority (NHA) had initially asked for public feedback on the policy by 3 September, which was then extended by a week, giving citizens a total of 2 weeks for their comments.
The draft policy looks to “set out a framework for the secure processing of personal and sensitive personal data of individuals” who will be part of the digital health ecosystem. “Sensitive personal information”, according to the policy, means “such personal data, which may reveal or be related to, but shall not be limited to… financial information such as bank account or credit card or debit card or other payment instrument details; physical, physiological and mental health data; sex life; sexual orientation; medical records and history; biometric data; and genetic data”.
In the backdrop of issues related to the limited time given for feedback as well as transparency and other issues—India does not have a data protection law yet—on 2 September, a legal team comprising lawyers Vrinda Bhandari, Sanjana Srikumar and Devdutta Mukhopadhyay of the digital rights organization Internet Freedom Foundation (IFF) filed a petition on behalf of Dr. Satendra Singh on the draft health data management policy before the Delhi High Court.
Mint spoke to Raman Jit Singh Chima, Asia Policy Director and Senior International Counsel at Access Now and founding volunteer with the SaveTheInternet.in Net Neutrality Coalition, on the privacy concerns around the policy as well as other challenges moving forward. Chima is also board chairperson at IFF.
From a privacy perspective, what are your biggest concerns regarding the policy, considering India is yet to enact a data privacy law?
The Union government should be focused on enacting a strong, horizontally applicable data protection law and creating an effective independent regulator— a data protection authority or privacy commission—that oversees further sectoral regulation making on data and provides Indian residents redress and remedy if their rights are harmed. Creating a standalone health data management policy, which may not have the force of law, creates confusion and would not adequately regulate the sector nor provide Indian patients adequate protection of their data protection rights on health data. Ideally, this policy and the collection and use of any health data in the NDHM should only come about after the enactment of a strong Data Protection Act and the establishment of an independent regulator.
The data that the government seeks to access through this reportedly includes points such as financial details, physical and mental health, sex life, medical records, gender and sexuality, caste, religious and political beliefs as well as genetic and biometric records. Your thoughts?
The health data management policy creates this confusion by directly copying definitional language from the current text of the data protection bill without explaining that or outlining their inter-relationship. The NHA and its drafters of this policy document may have believed they were advancing privacy by this, and have instead created confusion.
Any policy document from the NHA on health data should have referred to the data protection bill, indicated that it uses all the definitions outlined there, and only explained the additional, NDHM specific new terms and data they proposed to collect. Over-collection of data and types of information is a real issue across India, and previous experiences with Aadhaar linkage with other information (mobile phone related information, health records and pharma purchases) has shown that many Indians at the most risk often then suspect, shun medical care out of worries that their sensitive information, personal lives will be intruded upon.
You had raised questions on transparency and the haste with which the policy was put out. Could you elaborate on this and the repercussions it could have?
The usage of external consultants by the government in policy making requires not just following standards around public procurement, but also extra vigilance around transparency and preventing conflict of interest. This is especially so if a specific case of policymaking or regulatory development is being managed on an expedited basis. The government should clarify who all are involved in the development of this policy process, why they were chosen and the mechanisms taken to prevent conflict of interest, and how it builds on previous, public money supported research and drafting efforts such as the DISHA bill project. Lack of transparency in policy making and regulation impacts the constitutional rights of Indian citizens—other policymaking processes such as the Environmental Assessment Impact process have been legally challenged on such grounds—and also weaken trust and confidence in the topic of public healthcare and medical services at a time when they need most widespread support and avoidance of controversy.
Two weeks of consultation and public review is insufficient for this important, complicated topic, particularly given that health is a state subject in our federal structure and health practitioners, experts, and citizens across the wide span of the country would need to engage. The consultation documents are only available in English and currently made available for review for 2-3 weeks—even though Parliament right now is seized with the process of consulting, studying, and legislating on the data protection bill.
There are concerns about an additional ID, when Aadhaar already exists.
The usage of the Aadhaar ID has been restricted by the Supreme Court. The current policy document in fact makes it clear that the government intends to use the Aadhaar ID to generate this new health ID, which will be used by a range of government, medical, and other private sector actors across India. This new ID, in fact, still raises concerns about violating the spirit of the Supreme Court ruling, on sharing of sensitive data collected by the government with the private sector.
What are some other legal concerns you have on reading the policy?
The draft policy document does not sufficiently make it clear how this data will be protected by government surveillance and law enforcement access concerns, jeopardizing not just privacy but also potentially casting doubt and uncertainty of trust in medical services at a time when maintaining that is paramount, given the ongoing pandemic and its long-term response needs. Additionally, it proposes many systems and types of actors which are not well defined: who will be the "consent managers" and "digital health records" that the policy mentions? Who are "health information users": will these be private parties? Lastly, health is a state subject within the federal structure of the Indian Constitution—the states would need to not only be consulted on this, they would be critical actors in hosting and using data, and would also have the legal right to regulate it.