By Shefali Malhotra, Rohin Garg & Shivangi Rai
The CoWin portal got here beneath criticism because of the absence of a privateness coverage. In February 2021, the minister of state for well being knowledgeable the Lok Sabha that CoWin follows the privateness coverage of the National Digital Health Mission (NDHM), which is the Health Data Management Policy (the Policy). Other digital well being initiatives, comparable to telemedicine, hospital administration methods and insurance coverage claims administration, are additionally tied to this Policy. It is not any exaggeration to say that the Policy varieties the spine of the NDHM.
The Policy seeks to develop a nationwide well being data system, by facilitating the creation of Unique Health Identification (UHID) for people and healthcare suppliers; and the gathering, storage, processing and sharing of private well being data, as digital well being information (EHRs). Every particular person’s UHID is linked to his or her EHR. While digitisation permits seamless and environment friendly change of knowledge, it additionally entails vital dangers to privateness, confidentiality and safety of private well being knowledge. The Policy purports to mitigate these dangers, by way of two guiding rules: “security and privacy by design” and particular person autonomy over private well being knowledge. However, elementary design flaws could find yourself growing situations of private well being knowledge breaches.
The Supreme Court, in Puttaswamy, held that the precise to informational privateness is a elementary proper and any encroachment on this should be supported by regulation, additionally calling for enacting a complete knowledge safety laws. Contrary to this, the digitisation course of being rolled out beneath the Policy isn’t supported by any regulation. This stays a priority as unauthorised disclosures and breaches would trigger critical and irreparable hurt to people.
The Policy itself establishes the NDHM, which is able to perform like a regulator performing legislative, government and quasi-judicial features. Setting up a regulatory authority entails a regulation that defines the boundaries inside which it may perform, whereas guaranteeing independence from authorities interference and accountability to Parliament. Instead, the Policy leaves it totally to the NDHM, an government authority, to outline its personal governance construction.
The privateness by design framework could also be slowed down by weak accountability mechanisms vis-à-vis secondary use of digital well being knowledge for analysis and coverage planning, notably by personal corporations. The Policy permits sharing of combination and anonymised well being knowledge, on the premise that anonymisation conceals people’ identification. However, a number of research have proven that anonymised datasets might be simply de-anonymised to hyperlink again to personally identifiable data, risking particular person privateness.
The Policy additionally doesn’t restrict using combination well being knowledge to public well being functions, and prohibit knowledge monetisation. Without strict function limitation, personal corporations could use folks’s well being knowledge to reinforce earnings, at the price of particular person rights and societal pursuits. For instance, insurance coverage corporations could freely use granular well being knowledge to profile and rating people, resulting in denial of protection for high-risk teams and volatility in premium quantities. Recently, the Insurance Regulatory and Development Authority of India warned insurers in opposition to utilizing leaked private well being information of COVID-19 sufferers to disclaim protection or block claims.
The drawback of weak accountability extends to private well being knowledge as nicely. For instance, the Policy doesn’t require reporting of private knowledge breaches to affected people. This not solely impedes the rights to data and entry to grievance redress, but in addition will increase the potential of illegitimate state surveillance. For occasion, a current RTI question revealed that the chief medical officer of the Kulgam district in Jammu and Kashmir was surreptitiously sharing Aarogya Setu customers’ knowledge with native police authorities.
The different guideline of particular person autonomy is invoked by way of ‘informed consent’ for gathering and processing private well being knowledge. However, the proposed consent framework is so constricted that people could finally find yourself with little or no management over their knowledge. For one, the Policy mandates knowledgeable consent solely previous to the gathering of knowledge, in case of any change within the privateness coverage or in relation to any new or unidentified function.
This means that one-time consent for a number of broad functions could also be ample, versus knowledgeable consent for each occasion of private knowledge processing.
The Policy additionally lacks readability on two different measures. First, it doesn’t stipulate ‘data masking’ as a measure accessible to people to make sure confidentiality of their knowledge. In easy phrases, knowledge masking is a method to cover particular delicate well being data in EHRs, disclosure of which may trigger critical stigma and discriminaiton to a person. Such data could be accessible even to well being care suppliers solely with the particular consent of the person.
Second, the Policy doesn’t expressly mandate knowledgeable consent for creating UHIDs. It appears to recommend that knowledgeable consent shall be taken for digitisation of medical information, and consenting people shall be issued a UHID. However, in observe, UHIDs are being issued with out taking knowledgeable consent for digitisation or for UHID. Innumerable situations have been reported the place UHIDs have been allotted to people, who bought COVID-19 vaccinations utilizing Aadhaar, with out their information or consent.
The Policy rightly units out privateness by design and particular person autonomy as its guiding rules. However, obscure provisions and on-ground implementation are failing to stick to those rules. In a current working paper, revealed by the Internet Freedom Foundation and the Centre for Health Equity, Law and Policy, we study varied implications arising from the Policy. In a rustic with an unsure cybersecurity atmosphere, poor digital literacy and weak state capability, the hostile implications might be notably extreme and widespread.
While addressing the gaps within the Policy is critical, it’s not ample. A complete knowledge safety regulation (with well being sector particular guidelines) in addition to significant and sustained stakeholder engagement, are crucial for guiding the event of a digital well being ecosystem in an efficient, environment friendly and equitable method.
Malhotra is analysis marketing consultant and Rai is deputy coordinator with the Centre for Health Equity, Law and Policy, ILS Law College, Pune. Garg is affiliate coverage counsel with the Internet Freedom Foundation, New Delhi