SFLC.in's COMMENTS ON THE DRAFT HEALTH DATA MANAGEMENT POLICY, VERSION 02
1. Summary of existing Policy
The National Health Authority (“NHA”) under the Ministry of Health and Family Welfare ('MoHFW') on 14 December, 2020 released the Heath Data Management Policy (“HDMP-I”) for the National Digital Health Mission (“NDHM”). The NDHM was launched throughout India on 27 September, 2021. NDHM was later renamed as Ayushman Bharat Digital Mission (“ABDM”).
The HDMP-I resembles the Personal Data Protection Bill, 2019 (“PDP”) that is tabled before the Parliament. However, the HDMP-I fails to explain its interaction with PDP or the principles laid Justice K.S. Puttuswamy v. Union of India (2017) 10 SCC 1 (“Puttaswamy II”). The HDMP-I in itself, is a patchwork to avoid legal challenges to the Policy/ Framework for the lack of a specific legislation governing it. A policy does not have same force of law as a legislation which undergoes parliamentary scrutiny. Creation of a standalone horizontal policy in the absence of a data protection framework might create more problems than it could solve. The Policy has not stated anywhere that the proposed framework will be in consonance with the Open Source Software and Open Standards Policy of the Ministry of Electronics and Information Technology (“MeitY”).
2. Previous Recommendations
SFLC.in had submitted comments and recommendations to the draft HDMP-I when it was released for stakeholder consultation in August, 2020 and the same is available here. The draft HDMP-I was finalised and published by NHA on 14 December, 2020 without making any changes to the draft HDMP-I that was released for stakeholder consultation.
Our key recommendations to the draft HDMP-I are as follows:
There must be a legislation governing collection and processing of health data.
Data Collected for the purposes of this policy must be categorically specified in the Policy itself.
The Policy must exhaustively define the “sensitive personal data” for its purposes.
The Policy must specifically clarify the data third parties will get to access and view.
The Policy must clearly specify its interaction with the Personal Data Protection Bill.
The Policy must provide for categorical provisions for publicity that no service will be denied to any citizen who does not hold the health ID by any private or government entity, and inclusion of provisions penalising entities which deny services to a citizen for the lack of health ID.
Data collection and processing under the pilot mode of the National Digital Health Mission to be scrapped until a specific legislation governing health data, and the umbrella legislation safeguarding the personal data is enacted.
Provisions governing data sharing with health insurance companies or other third parties must be specifically included in the Policy.
The Policy to specifically list out all the instances where data principal could request deletion of its data.
The data principal must have absolute right to delete its stored, processed and collected health data by the data fiduciaries. The data principal must not be denied this right on the basis of vague, potentially discriminatory and arbitrary grounds.
The minors must have the right to opt-out of the Health ID as well as the National Digital Health Ecosystem on attaining majority. They must also be given the absolute right to delete their entire health data.
The consent framework envisaged under the Policy must be multilingual and differently-abled friendly.
There must be a strict segregation of consents into consents for activities related to providing medical services, and consent for collection, storage and use of health data respectively.
The “significant harms” having the possibility of aggravated effect must be inclusively laid down in the Policy.
The nature, role and functions of the consent managers needs to be specific and clearly laid down in the policy. It must be clarified if private entities shall be consent managers.
An analysis of cost of compliance and its impact on affordable healthcare must be undertaken by the National Health Authority as the added costs will have to be borne by the customers.
The National Health Authority must hold transparent consultations with states as well as local governments on the health data management policy, and the role of states and local governments must be specifically stated in the Policy.
The Policy must state security standards to be adopted by all data fiduciaries.
The Policy must clearly state the compensation to data principals, and penalties against data fiduciaries in case of security breaches.
The Policy must not unduly emphasise on linkage with Aadhaar. Instead of using the phrase “Aadhaar of other means”, it should be rephrased as “any government identification card”.
There must be a centralised system for grievance registration.
Instead of delegating the procedure and effective mechanisms to the data fiduciaries, the Policy must, in clearer terms stipulate uniform procedure and mechanisms which will have to be followed by the data fiduciaries.
The role of MoHFW in grievance redressal must be stated in clearer terms in the Policy itself, and a designated officer must be appointed by MoHFW for grievance redressal.
There needs to be a strong oversight mechanism independent of the government which should look at the implementation of the Policy as well as the fact that there are no oversights by the data fiduciaries.
We recommend that the Policy must provide for provisions governing the misuse of electronic health records and electronic medical records.
The Policy must be in compliance with the Central Government’s Open Standards and Open Source Software Policy, and must be open to audit by third parties. This must be specifically stated in the
3. Comments on the HDMP-II
On 23 April, 2022 the NHA released the Draft Heath Data Management Policy, Version 02 (“HDMP-II”) and invited stakeholders to submit their comments by 21 May, 2022. NHA has stated that HDMP-I was revised and released as HDMP-II after contemplating on the feedback received from various stakeholders and from the learnings from pilot and national roll-out of ABDM.
The HDMP-II, apart from a few revisions to HDMP-I remains same to a large extent. However, the small amount of revision made under HDMP-II could lead to adverse consequences on the rights of the data principals in safeguarding their data and could lead to misuse of the sensitive personal data, personal data and non personal data of the users. It is also pertinent to mention that all the comments and recommendations that SFLC.in has made to the HDMP-I still stand true since the comments and recommendations made by SFLC.in to HDMP-I have neither been taken into consideration and nor have been incorporated into HDMP-II by the NHA.
3.1. Creation of ABHA Number
Clause 17 under the HDMP-I that provided for the creating of Health ID is replaced by Clause 16 under the HDMP-II. Clause 16.2 provides that “ABHA Number shall be issued to data principal visiting government healthcare institutions or participating in government healthcare programs for availing healthcare services”. The Clause further provides that “This will be applicable across all government healthcare institutions and programs”.
The “voluntary” nature of data principals participating under the ABDM has now been made “mandatory” to avail services from the government healthcare institutions and programs by the HDMP-II. The mandatory nature of issuing ABHA Numbers by the government healthcare institutions and programs goes against the primary objectives of the ABDM. Clause 3 (c) provides that the objective of ABDM is to “create a system of digital health records which is easily accessible to individuals and healthcare service providers and is voluntary in nature, based on the consent of individuals, and in compliance with relevant standards”.
By making it mandatory on the government healthcare institutions and programs to create ABHA Numbers, the HDMP-II is violating the Puttaswamy II wherein the Hon’ble Supreme Court under laid down the three-fold requirement of legality; need, defined in terms of a legitimate state aim; and proportionality for the invasion of any right guaranteed under Article 21 of the Constitution. The mandatory nature of issuing ABHA Numbers to all data principals who avail services from government healthcare institutions and government programs is a violation an individual’s right to personal autonomy and right to public health. The provision for issuing of ABHA Number to all data principals lacks legal coherence.
It is recommended the mandatory compliance on the government healthcare institutions and programs be scrapped off and the creation of ABHA Number be made voluntary and the process of initiation for creation of the ABHA Number must always be made from the data principal’s.
The HDMP-II replaces the “consent manager” with “Health Information Exchange & Consent Manager” (“HIE-CM”). The HIE-CM refers to the digital system which facilitates exchange of health information and management of consent whereas “consent manager” under HDMP-I referred to an electronic system that interacts with the data principal and obtains consent from him/her for any intended access to personal data.
The HDMP-II provides that HIE-CMs would facilitate the “exchange of health information and management of consent”. However, the HDMP-II is silent on how the HIE-CMs would operate between different data principals and data fiduciaries and on the nature, role and functions of the HIE-CMs. With HDMP-II enabling multiple HIE-CMs to obtain consent from data principals, it is quite possible that the data principals might not understand on what they are consenting to and who they are consenting. Further, the trail of metadata generated by these HIE-CMs could result in creating a detailed profile of an individuals user engagement online. This, coupled with the revocation of choice to opt out, the right of correction and erasure of data by the data principal, would lead to the collection of a large amount of data going completely against the principles of “purpose limitation” and as laid down under the Statement of Object and Reasons of the PDP Bill, 2019.
“Consent Managers” under explanation to Section 23 of the PDP Bill, 2019 refers to a data fiduciary which enables a data principal to gain, withdraw, review and manage their consent through an accessible, transparent and interoperable platform. The PDP Bill, 2019 under Section 23 (5) further provides that all consent managers are to be registered with the Data Protection Authority (“DPA”).
The nature, role and functions of HIE-CM under HDMP-II lack clarity and definition. In addition to this, the term “integrated HIE-CM” is even more problematic since it fails to explain the kind integration the HIE-CM would have and who would be the entities / services / individuals that the HIE-CMs would be integrated to / integrated with. It is further not clear if HIE-CMs are government entities or private entities. The HDMP-II further fails to provide any compliance mechanism on HIE-CMs as provided by the PDP Bill, 2019.
It is recommended that the nature, roles and functions of the HIE-CMs be provided in detail.
3.3. ABHA Address
ABHA Address is a new concept introduced under HDMP-II. The ABHA Address essentially looks like an additional ID that is provided to the data principal in the format (username)@HIE-CM which would also be used to link and share health records.
Clause 17 of HDMP-II provides that data principles may take services of ABDM or an “integrated HIE-CM” for the creation of ABHA Address. Clause 18.1 and 18.2 of HDMP-II further provide that a data principal “may hold multiple ABHA Addresses at a time” and that HIE-CMs wishing to issue ABHA Addresses can integrate with the ABDM. Clause 18.3 further makes it mandatory on the government facilities and government healthcare programmes to issue ABHA Address to data principals by default that would be in the format (ABHANumber)@HIE-CM and further provides that the data principals may also create another ABHA Address of his/her choice that would be in the format (userchosen)@HIE-CM.
The concept of having multiplicity of ABHA Addresses under HDMP-II goes entirety against the principles of “purpose limitation” and “data minimisation” as laid down under the Statement of Object and Reasons of the Personal Data Protection Bill, 2019. HDMP-II fails to provide any clarity on the purpose behind providing multiple ABHA Addresses to a single data principal.
3.4. Right of data principals to request for correction and erasure
The HDMP-I under Clause 14.1.b expressly guaranteed data principles the right to correct and erase their personal data under ABDM. Datta principals under HDMP-I were entitled to the right to correct/ rectify any inaccurate or misleading personal data, complete any incomplete personal data and update any out-of-date personal data, the right to erase personal data if the storage violates any of the data protection principles or if the personal data is no longer necessary for the purpose for which it was processed, the right to delete uploaded personal data, right to block and restrict personal data in instances where the law prohibits erasure and the right to anonymisation or other method(s) of removal of the personal data where erasure is not possible without disproportionate effort due to the specific type of storage.
However, in HDMP-II, this right to correction and erasure has been completely scrapped off and has now been replaced with “any other right(s) prescribed under applicable laws of the land”. The removal of these rights under the HDMP-II is a complete violation right to privacy of the data principals. The right to privacy was recognised as a right conferred under Article 21 of the Constitution of India by the Supreme Court under “Puttaswamy I”. The Hon’ble Supreme Court, under Puttaswamy II further emphasised on the importance of the right to be forgotten as it recognised that the impact of the digital age results in information on the internet being permanent and that the people are entitled to re-invent themselves and reform and correct their mistakes. Hon’ble Supreme Court, under Puttaswamy II held that “It is privacy which nurtures this ability and removes the shackles of unadvisable things which may have been done in the past”.
The Committee of Experts under the Chairmanship of Justice B.N.Srikrishna in its report titled “A Free and Fair Digital Economy Protecting Privacy, Empowering Indians” (“B.N.Srikrishna Report”) right to be forgotten refers to the ability of individuals to limit, de-link, delete, or correct the disclosure of personal information on the internet that is misleading, embarrassing, irrelevant, or anachronistic. The PDP Bill, 2019 takes into account these observations and under Section 18 provides for the right to correction and erasure, which includes the right to correction of inaccurate or misleading personal data; completion of incomplete personal data; updating of personal data that is out-of-date; and erasure of personal data which is no longer necessary for the purpose for which it was processed.
It is recommended that the data principal must have absolute right to delete its stored, processed and collected health data.
3.5. Right to opt-out
The HDMP-I under Clause 16.2 expressly guaranteed data principles the choice of opting-out and while exercising the choice of opting out, the data principals further had the right to delete their Health ID, de-link their personal data across data fiduciaries and require the removal of personal data linked with such ID.
However, in HDMP-II, this choice of opting-out and right to delete their Health ID, de-link their personal data have been completely scrapped. This violates the Clause 19 of the HDMP-II and Clause 16 of HDMP-I which provides participation of users would be on a “voluntary basis”. By doing away with the choice of the data principals to opt out of the ABDM, the HDMP-II is making the participation of users “mandatory” rather than “voluntary”.
It is recommended that the earlier provision that provided for the data principal to opt out of ABDM be brought back. In addition to this, it is reiterated that minors too must have the right to opt-out of ABDM on attaining majority.
3.6. Personal Health Record Applications
The HDMP-II introduces “Personal Health Record Applications” (“PHR Apps”) that is said to enable functionalities of creating ABHA addresses, discovery and linkage of health records from Health Information Providers (“HIP”) and allows individuals to view and share their records. HDMP-II further provides that the PHR Apps would work closely with HIE-CMs. This introduction of PHR Apps into the ABDM and the National Digital Health Ecosystem (“NDHE”) could lead to large-scale data breaches and violation of right to privacy.
HDMP-II much like the HDMP-I nowhere categorically states that health data collected and processed by data fiduciaries will not be sold to any other third parties which could use it for targeted advertising, insurance pricing and other purposes. For instance, in the United States of America, under the Health Insurance Portability and Accountability Act, 1996 (“HIPAA”), health information is only meant to be shared for secondary uses with a data principal’s name, address and other personally identifying information omitted i.e . in the form of anonymised sets.
We are already witnessing how different health apps are exploiting user data by sharing them with third party entities. An investigation by Privacy International found out that 61% of popular apps transferred data to Facebook the minute the user opened the app.
In addition to the unauthorised sharing of data, these Apps could also lead to users being fed a huge amount of misinformation on different health issues. With the rise in health apps that enable users to keep track of their sleeping patterns, fitness routines, diet plans, menstruation cycles, pregnancy issues etc., users have started to incline towards these apps to take care of their health. However, the results and analysis of most of these apps are based on algorithms rather than actual medical knowledge. A recent study on the working of health apps for pregnant women showed that only 28% of apps cited actual medical literature.
During the COVID-19 pandemic we have witnessed the devastating effects of misinformation when it comes to healthcare. A recent study in 2021 analysed misinformation amongst 138 countries and found that India produced the largest amount of social media misinformation. This high rate of misinformation is attributed to India’s higher Internet penetration rate, increasing social media consumption and users’ lack of Internet literacy.
It is recommended that the PHR Apps, be clearly defined and there must be a procedure to verify the PHR Apps before granting access to data under ABDM. It is further recommended that PHR Apps be categorised on the basis of the service services provided. Failure to do so could lead to a catastrophic effect on healthcare in India.
3.7. Data of Children
The HDMP-II still lacks provisions to provide for the minors, the right to opt-out of ABDM on attaining maturity. The Joint Parliamentary Committee in its Report on the PDP Bill, 2019 (“JPC Report”) under recommendation no. 5 recommends that a fresh consent must be obtained from a child when he attains the age of majority, which shall be 18 years as per the Majority Act. And that this fresh consent must be obtained before three months of the child attaining majority. However, the provision of services shall not cease unless and until the person opts out or gives fresh consent.
In addition to this, the JPC Report under recommendation no. 37 recommended that the concept of “Guardian Data Fiduciary” be done away. The JPC Report further under recommendation no. 47 recommends that a fiduciary exclusively dealing with data of children has to be registered with the DPA and accordingly it has been added as a Significant Data Fiduciary under clause 26(1)(g) (recommendation 47). The HDMP-II does not seem to have taken into account any of the recommendations made by the JPC Report.
It is recommended that HDMP-II be further revised where the minors must have the right to opt-out of the ABDM on attaining majority. In addition to opting out, they must further be given the absolute right to delete their entire health data.
3.8. Processing of personal data of certain persons in exceptional situations
The HDMP-II under Clause 13.5 provides that personal data of data principals who are seriously ill or mentally incapacitated or in response to medical emergency may be accessed without consent in exceptional situations of medical emergency, interest of public health or the order of the competent court. However, the term “public health” as used here lacks definition and clarity. Without such a clear definition or clarity, it is possible that there could be a lot of data breaches in the name of “public health”.
It is recommended that the definition of “public health” be made clear.
With the absence of a stringent data protection law even after the release of HDMP-II and adequate safeguards to protect the personal data of individuals such a massive data collection can be a major risk. The HDMP-II neither shows learning based on the experiences after rolling out ABDM across India nor shows any contemplation on the feedback received. The HDMP-II assumes a high level of digital literacy from data principals across India. This, coupled with the lack of a data protection law is going to be extremely problematic because, HDMP-II, like HDMP-I is just another policy document that could at most act as a guideline, but it is not going to be actionable for any aggrieved citizen.