A medic collects samples from a person with physical disability for COVID-19 rapid antigen testing amid the complete bi-weekly lockdown to curb COVID-19 spread
The draft Health Data Management Policy of the National Digital Health Mission has been released for public comment. This is an extremely complex area because of the intersection of sensitive personal data, health care service, associated insurance implications, and medical research. Thus, there are huge commercial and social implications as well as concern about privacy. The pandemic has imposed new paradigms, leading to the explosive increase in online consultation, telemedicine usage, as well as the online ordering of drugs. The mass vaccination of a billion-plus citizens may soon be necessary. There is already a vast amount of digitised health data floating around, and this will expand exponentially. The sooner there is legal protection for that data, the better. However, a very short period has been allowed for public comment on the draft policy. There are also serious legislative lacunae since the health data management policy is built upon the foundations of legislation that doesn’t exist: India doesn’t have a law protecting personal data. Proposed legislation has been pending since 2018 and the drafts released into public domain raise serious concern.
In the proposed health policy, citizens are “data principals”, hospitals and doctors “health information providers”, and the government and its agencies “health information users”. The policy envisages creating an integrated data storage system. Records may be held by different service providers but linked through a unique health ID. This ID would be on the lines of Aadhaar but not Aadhaar itself, although it may be linked to it. That is an unnecessary duplication of an already extant ID system. Such an integrated system with common data standards and format would allow individuals to be treated anywhere, with full access to medical history. “Data fiduciaries” will be allowed to collect and store “sensitive personal data”. This includes a wide range of data which seems irrelevant and unnecessary. It could include financial information; physical, physiological, and mental health data; sex life and sexual orientation; genetic data; and “religious or political belief or affiliation”. It is hard to understand why much of the above is necessary for health care. A large number of institutions down to the local pharmacy could be considered fiduciaries under this policy. While this means they would be legally covered by policy, it also means a higher probability of data leakage. It is unrealistic to assume such a wide range of fiduciaries will be data-secure.
Moreover, this data will be shared with government, and agencies designated by government. Anonymised or de-identified data will also be made available in aggregate form for facilitating health and clinical research, academic research, archiving, statistical analysis, and policy formulation. This is a very wide-ranging clause, which basically justifies sharing data for practically any purpose. In theory, the consent of the individual will be asked for before data collection. That consent could also be withdrawn in theory. In practice, given a system where data on so many parameters can be collected by such a wide range of fiduciaries, and disseminated for so many purposes, consent and privacy will be irrelevant. There is clearly a need for a national health data management policy. Sensible policy formulation could certainly enable better health care. But this policy seems designed to enable the commercial exploitation of data without paying much heed to protecting the privacy of citizens.