[This piece has been authored by Silvia Tomy Simon, a student at the Symbiosis Law School, Hyderabad.]
Recently, the Puducherry Directorate of School Education issued a circular instructing educational institutions to direct parents to create Health IDs for their children using either their Aadhaar or their phone number[1]. The circular raised concerns about the actions being taken under the National Digital Health Mission (hereinafter NDHM), an initiative launched to digitise health care in India. Under this programme, every user is issued a 14-digit Health ID generated by the Ministry of Health and Family Welfare, which can be used to access the user's complete medical history stored on the National Health Stack (hereinafter NHS), a health database described as a "collection of cloud-based services".
This blog post proceeds in three parts. Part I argues that the consent framework under this initiative is inadequate. Part II argues that the NHS needs role-based access controls to give its users better privacy protection. Part III analyses the likelihood of discrimination and exclusion, which runs counter to the mission's stated objective of increasing access to health care services.
Key Words: Consent, Data Privacy, Exclusion, Access, Breach
Consent: To give or not to give?
The NDHM purports to be patient-centric: it mandates that consent be obtained before patients' health data is accessed by, or disclosed to, physicians, health care providers and other organisations empanelled with the NHS. Consent is captured by a one-time password sent to the patient's phone, or through Aadhaar-based authentication, triggered by the health data fiduciary. The data shared is then accessible to the providers and entities the user consented to. This framework is problematic for four reasons.
Firstly, the NDHM does not make the voluntary nature of consent explicit: it does not categorically state that refusing consent will not result in the denial of health care services or medical aid. This leads patients to believe that they must consent to the digitisation or processing of their data in order to receive care. The impression is reinforced by media reports of instances in which Health IDs were generated for individuals without their consent when they registered for vaccination slots with their Aadhaar, and of IDs being created for medical professionals without their consent.[2]
Secondly, clause 9.2(c) states that "consent will only be considered valid if it's specific, where the data principal can give consent for the processing of personal data for a particular purpose." Because the policy does not constrain how narrowly that "particular purpose" must be framed, a data fiduciary can secure one-time consent from the data principal for processing their data for broad purposes. This is borne out by clauses 10(1)(b) and 10(1)(c), which require data fiduciaries to notify data principals only when the privacy policy changes or when data is processed for a "new or previously unidentified purpose." [3]
This practice prevents the data principal from giving or refusing consent to the processing of specific data. For instance, once a data principal consents to the processing of their personal data for a broad purpose, they cannot refuse consent to the digitisation of specific data such as mental health disorders, STDs or terminal illnesses. To give data principals greater control, it has been recommended that broad consent be coupled with specific consent "taken at each instance of data processing and sharing."[4]
Moreover, the collection of this specific consent should include information about the entity that will receive the data, the purpose for which it is being shared, and the processes the data fiduciary has put in place to mask such data. Thirdly, although patients may consent to sharing their health data, there are no safeguards to ensure that their health data is not taken out of the NHS sandbox.
In fact, under the RBI's 'Consumer Focused Data Sharing Regulation', private players can legally share data among themselves, which implies that citizens' health data can be accessed by private players empanelled with the NHS and shared onward with other private players. It may be argued that the data shared among entities will be anonymised, but how that data will be processed, how long it will be stored, how many entities will have access to it, and which data sets those entities already hold (which make it easier to profile individuals) all remain unanswered, highlighting the gaping information asymmetry that presently exists.
Lastly, although the NDHM's consent framework purports to give data principals greater control, it gives data fiduciaries greater discretion over the 'right to erasure'. Clause 14 of the policy stipulates that data can be erased when "personal data is no longer necessary for the purpose for which it was processed." However, the discretion to decide what constitutes 'necessary' is left to the data fiduciary, which effectively reduces the control that a data principal has over their own data. [5]
This loss of control is compounded when read together with clause 9.2(c). Once a patient consents to the processing of their data for broad purposes, specific aspects of that data (such as mental health disorders, terminal illnesses and STDs) will also be collected, and can be erased only if the data fiduciary determines that the personal data collected is "no longer necessary for the purpose for which it was processed". Therefore, even though the framework prioritises patients' consent, patients are left with little to no control over their personal data.
Role-Based Access and Privacy:
Under the present framework of the NDHM, numerous health care administrators can access beneficiaries' health data. This is problematic: an individual who is not directly involved in providing clinical care or services to a patient should not have access to that patient's entire medical history. The problem is compounded by the fact that the NDHM does not define role-based access for data processors, account aggregators, consent managers and data fiduciaries. [6]
Data fiduciaries such as a State's public health department should be permitted to access aggregated data but barred from accessing personally identifiable data. Even where the department has a legitimate need to study spatial clustering of disease, it should receive patients' GPS locations only at a granularity that does not reveal their identity. Similarly, although the account aggregator may handle citizens' sensitive personal information, the NDHM's privacy design should include safeguards ensuring that no natural person working at the account aggregator can read that information.
Since data processors such as a state employee who delivers medication to an HIV patient's home will necessarily know the patient's identity, there is a need for legal obligations ensuring that neither the patient's identity nor their illness is revealed. There must therefore be clear sector-specific laws governing access for the processing of health data. Furthermore, in the event of a data breach in which personal information is leaked, the data fiduciary is required by law to notify the 'required entities' of the breach. However, under the NDHM the data fiduciary is not required to notify the data principal that their personal data has been breached. This runs against the foundational principles of transparency and accountability on which the NDHM rests.[7]
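The controls argued for in Part I (specific consent tied to a named recipient, a purpose and the categories actually shared) and in the three paragraphs above (aggregated, coarsened data for the public health department, no read path for account-aggregator staff, and identity without diagnosis for a delivery worker) can be expressed as access-control code. The Python below is an added example written for this post; it is not NDHM or NHS code. The record layout, role views, consent fields, Health IDs and coordinates are assumptions made for illustration, and every sample row is constructed, not real.

```python
"""Consent-scoped, role-based access to a Health ID record.

Added example; this is not NDHM/NHS code. The record layout, role views,
consent fields, Health IDs and coordinates are assumptions made for
illustration, and every sample row below is constructed, not real.
"""
import math
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class HealthRecord:
    health_id: str       # 14-digit ID (constructed sample value)
    name: str
    phone: str
    address: str
    lat: float
    lon: float
    conditions: dict     # category -> diagnosis text


@dataclass(frozen=True)
class Consent:
    """Specific consent: one recipient, one purpose, named categories, an expiry."""
    health_id: str
    recipient: str
    purpose: str
    categories: frozenset
    expires: datetime


class AccessDenied(Exception):
    pass


def clinician_view(rec, requester, purpose, consents, now):
    """A clinician sees only the categories the patient consented to share with
    this recipient, for this purpose, while that consent is still live."""
    live = [c for c in consents
            if c.health_id == rec.health_id and c.recipient == requester
            and c.purpose == purpose and c.expires > now]
    if not live:
        raise AccessDenied(f"no live consent for {requester!r}/{purpose!r}")
    allowed = frozenset().union(*(c.categories for c in live))
    return {"health_id": rec.health_id, "name": rec.name,
            "conditions": {k: v for k, v in rec.conditions.items() if k in allowed}}


def delivery_view(rec):
    """A delivery worker needs the identity and address, never the diagnosis."""
    return {"name": rec.name, "address": rec.address}


def aggregator_view(rec):
    """Account-aggregator staff have no read path to record content at all."""
    raise AccessDenied("aggregator staff cannot read record content")


def coarse_cell(lat, lon, scale=10):
    """Snap a GPS fix to a 0.1-degree grid cell (roughly 10 km) so a cluster
    can be studied without the coordinates pointing at a single home."""
    return (math.floor(lat * scale) / scale, math.floor(lon * scale) / scale)


def public_health_view(records, min_count=5):
    """The public health department gets counts per condition per coarse cell;
    cells with fewer than min_count cases are suppressed because a count of one
    or two, combined with other data, can single a person out."""
    counts = Counter()
    for r in records:
        for category in r.conditions:
            counts[(coarse_cell(r.lat, r.lon), category)] += 1
    return {k: v for k, v in counts.items() if v >= min_count}


def denied(view, *args):
    """Helper: True if the view raises AccessDenied."""
    try:
        view(*args)
        return False
    except AccessDenied:
        return True


# Constructed sample data: six records sharing one grid cell plus one patient
# who has both a common condition and a sensitive one.
NOW = datetime(2021, 9, 1)
RECORDS = [HealthRecord(f"1000000000000{i}", f"Patient {i}", "9000000000",
                        f"{i} Example Street", 17.43 + i * 0.001, 78.47,
                        {"diabetes": "type 2"}) for i in range(6)]
ASHA = HealthRecord("20000000000001", "Asha", "9000000001", "7 Example Street",
                    17.431, 78.471,
                    {"diabetes": "type 2", "mental_health": "anxiety disorder"})
RECORDS.append(ASHA)
# Asha consented to share only her diabetes record with one clinician for treatment.
CONSENTS = [Consent("20000000000001", "dr_rao", "treatment",
                    frozenset({"diabetes"}), NOW + timedelta(days=30))]

if __name__ == "__main__":
    print(clinician_view(ASHA, "dr_rao", "treatment", CONSENTS, NOW))
    print(denied(clinician_view, ASHA, "dr_rao", "research", CONSENTS, NOW))
    print(delivery_view(ASHA))
    print(denied(aggregator_view, ASHA))
    print(public_health_view(RECORDS))
```

The point of the example is that each role gets a different projection of the same record: the clinician's view is filtered by the consent artifact (so the mental health entry never leaves the store unless it was named in the consent), the public health view never contains an identifier or a precise coordinate, and the single mental health case is suppressed from the aggregate because a count of one in a grid cell is itself identifying.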
Access vs Exclusion:
One of the primary objectives of this initiative is to make health care services more accessible to citizens. However, there are serious concerns that the mission will exclude a vast number of individuals from health care services. For instance, since the NDHM's consent framework is subject to the provisions of the data protection bill, principally Section 14(1)(a), there is a likelihood of discrimination. Section 14(1)(a) of the bill states that consent can be dispensed with when "processing is necessary for such reasonable purposes after taking into consideration the interest of the data fiduciary."
A fiduciary framework in which the fiduciary's interests are weighed above the client's would allow corporations to prioritise their obligations to stakeholders over the interests of their beneficiaries. Since the general objective of most organisations is profit maximisation, they are likely to discriminate among individuals (for example, by denying insurance claims), resulting in exclusion from health care services. [8]
Furthermore, clause 29 of the NDHM states that data fiduciaries can share both de-identified and anonymised information with other entities for research, policy making, statistical analysis and similar purposes. However, the terms de-identified and anonymised, though used interchangeably, are entirely different. Anonymisation is an irreversible process after which the identity of data principals cannot be recovered, whereas de-identification only removes direct identifiers such as name, phone number or Health ID: the identity can still be uncovered, either through a key that maps records back to individuals or by linking the remaining attributes (date of birth, pincode, sex) with another data set. This means that by receiving de-identified data, insurance companies and other health care enterprises can profile individuals and infer pre-existing health conditions, genetic disorders or problematic family history, leading them to hike premiums, deny claims or refuse coverage.
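The distinction drawn above is easiest to see with a linkage attack. The Python below is an added example written for this post, not NDHM code: a "de-identified" release that only drops name, phone and Health ID is joined against an insurer's customer list on the attributes left behind (date of birth, pincode, sex), and each customer's condition falls out; the same join against a release whose quasi-identifiers were generalised and whose small groups were suppressed (k-anonymity) yields nothing. The field names, the choice of quasi-identifiers and every row are constructed for illustration.

```python
"""De-identified is not anonymised: a linkage attack on a shared data set.

Added example; not NDHM code. Field names, the quasi-identifiers and every
row below are constructed for illustration.
"""
from collections import Counter, defaultdict

DIRECT_IDENTIFIERS = ("health_id", "name", "phone")
QUASI = ("dob", "pincode", "sex")   # attributes that survive de-identification

# Constructed rows in the shape a health data fiduciary might hold.
RAW = [
    {"health_id": "10000000000001", "name": "Asha", "phone": "9000000001",
     "dob": "1984-03-12", "pincode": "500081", "sex": "F", "condition": "bipolar disorder"},
    {"health_id": "10000000000002", "name": "Ravi", "phone": "9000000002",
     "dob": "1979-07-02", "pincode": "500081", "sex": "M", "condition": "type 2 diabetes"},
    {"health_id": "10000000000003", "name": "Meera", "phone": "9000000003",
     "dob": "1984-11-30", "pincode": "500082", "sex": "F", "condition": "hypertension"},
    {"health_id": "10000000000004", "name": "Sunil", "phone": "9000000004",
     "dob": "1979-01-15", "pincode": "500083", "sex": "M", "condition": "HIV"},
    {"health_id": "10000000000005", "name": "Kiran", "phone": "9000000005",
     "dob": "1992-05-05", "pincode": "500084", "sex": "M", "condition": "tuberculosis"},
]

# Constructed insurer customer list: names plus the same quasi-identifiers,
# which an insurer collects on every proposal form anyway.
INSURER = [
    {"name": "Asha", "dob": "1984-03-12", "pincode": "500081", "sex": "F"},
    {"name": "Sunil", "dob": "1979-01-15", "pincode": "500083", "sex": "M"},
]


def deidentify(rows):
    """Strip direct identifiers only; the quasi-identifiers are left intact."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in rows]


def link(released, customers, keys=QUASI):
    """Join a released set to a customer list on the quasi-identifiers and return
    name -> condition for every customer that matches exactly one released row."""
    index = defaultdict(list)
    for r in released:
        index[tuple(r[k] for k in keys)].append(r)
    found = {}
    for c in customers:
        matches = index.get(tuple(c[k] for k in keys), [])
        if len(matches) == 1:
            found[c["name"]] = matches[0]["condition"]
    return found


def generalise_quasi(row):
    """Coarsen the quasi-identifiers: birth decade and a 3-digit pincode prefix."""
    return {**row, "dob": row["dob"][:3] + "0s", "pincode": row["pincode"][:3] + "XXX"}


def anonymise(rows, k=2):
    """Generalise the quasi-identifiers, then suppress any equivalence class with
    fewer than k rows so no released row is unique on the join keys."""
    gen = [{key: g[key] for key in (*QUASI, "condition")}
           for g in (generalise_quasi(r) for r in rows)]
    classes = Counter(tuple(g[q] for q in QUASI) for g in gen)
    return [g for g in gen if classes[tuple(g[q] for q in QUASI)] >= k]


if __name__ == "__main__":
    print("de-identified:", link(deidentify(RAW), INSURER))
    print("anonymised:  ", link(anonymise(RAW), [generalise_quasi(c) for c in INSURER]))
```

With the de-identified release the insurer learns Asha's psychiatric diagnosis and Sunil's HIV status from a plain join; with the anonymised release every customer maps to two indistinguishable rows, and Kiran's row, which would have been unique in its generalised class, is dropped entirely. The generalisation here is deliberately simple; the point is that removing the obvious identifiers is not the same as making the data unlinkable.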
Conclusion: The generation of Health IDs and the digital storage of the health data of more than a billion citizens in the absence of a robust data protection regime in India closely resembles the collection of citizens' Aadhaar information before the Aadhaar Act was enacted, which resulted in a plethora of data breaches and the monetisation of data sets by exploiting the absence of a regulatory framework. It forces us to question whether the NDHM's objective is really accessibility or increased transparency of citizens to the state and to fiduciaries, since linking three forms of identification, i.e. one's phone number, Aadhaar number and Health ID, allows fiduciaries to track one's location, financial transactions and health information. In light of the concerns above, it is imperative that a robust data protection framework be enacted to avoid the misuse and abuse of citizens' personal data.