The recent months have amply shown us the importance of developing and maintaining healthcare infrastructure, whether digital or physical. Each day has seen us critically scan the statistics to try and understand the impact of the novel coronavirus (“Covid 19“) on our towns and cities. The Government, in its turn, launched several apps and services such as Aarogya Setu, to control and monitor the spread of the disease. All such initiatives relied on significant amounts of data collection in order to be effective.
The Ministry of Health and Family Welfare (“MoHFW“) has released a draft policy, termed the Health Data Management Policy, 2020 (“Policy“)1 with the aim of digitising the entire healthcare ecosystem of India. The Policy stems from the National Health Policy of 20172, which laid out the broad goals to be achieved in the healthcare space. Pursuant to the same, the MoHFW came out with the National Digital Health Blueprint (“NDHB“)3, which was intended to complement the overall vision of the Government by creating an enabling and interoperable digital framework to support universal health coverage while ensuring the security of the sensitive personal medical data of the citizens. The NDHB recommended the establishment of a new entity, called the National Digital Health Mission (“NDHM“), a purely governmental organisation with complete functional autonomy. It is in accordance with the prescribed building blocks of the NDHB and the guiding principle of the NDHM that the new Policy has been drafted.
Key Features of the Policy
The Policy states that it incorporates the concept of “Security and Privacy by Design” and is meant to act as the guiding document across the National Digital Health Eco-system (“NDHE“) and sets out the minimum standards for data privacy protection that should be followed across the board. The Policy applies to all entities involved in the NDHM and partners of the NDHE including, inter alia, (i) entities and individuals who have been issued an ID under the Policy; (ii) healthcare professionals; (iii) relevant professional bodies and regulators; (iv) Health Information Providers; (v) any health care provider who collects, stores and transmits health data in electronic form in connection with its transactions; (vi) payers i.e. Central and State Governments, insurers, charitable institutions, etc.; (vii) pharmaceuticals; (viii) research bodies; (ix) Health ID holders i.e. patients; (x) all individuals, teams, entities or ecosystem partners who collect or process personal or sensitive personal data as part of the NDHE; and (xi) all methods of contact.
The alignment with the Personal Data Protection Bill, 2019 (“PDP“) is evident throughout the Policy, to the extent that it utilises similar definitions and bases itself on the same principles. Article 8 of the policy clearly lays down that the data principals 4 must exercise ultimate control over the manner in which their personal or sensitive personal data is collected and processed. The parameters of consent enshrined in the Policy are similar to what have been encapsulated in the PDP, confirming that consent, for any data collected by the relevant data fiduciary 5 has to be: (i) given freely; (ii) has to be informed; (iii) has to be specific to the purpose; (iv) clearly given; and (v) capable of being withdrawn at any time 6. Furthermore, all data fiduciaries must necessarily provide a clear and conspicuous privacy notice to the data principals not only prior to the collection of data but also at the time of any amendments thereof, including a change in purpose of the data collection 7, in which instance fresh consent would have to be obtained for any change. Article 10 also contains the information requirements which the privacy notice must include. The data principals have been granted certain rights with respect to the data collected under the Policy, as below 8:
- Confirmation and Access: The data principal is at liberty to obtain a confirmation from the data fiduciary as to whether it has processed any personal data of the data principal; and if so, the data principal can request a summary of the same. Furthermore, it is entitled to raise any query in relation to the privacy notice;
- Correction and Erasure: The data principal has the authority to rectify any inaccurate or misleading personal data, complete any incomplete personal data and update any out-of-date personal data. Additionally, the data principal can request that their personal data be erased in certain circumstances;
- Restrict or Object to Disclosure: The data principal is permitted to restrict or object to the disclosure of their personal data by the data fiduciary; and
- Data portability: The data principal can request for a copy of: (a) personal data provided to the data fiduciary; (b) personal data generated in the course of provision of the services by the data fiduciary; or (c) the personal data which forms part of any profile on the data principal, or which the data fiduciary has otherwise obtained. Importantly the Policy states that the data principal can request that the above personal data be transferred to another data fiduciary.
Additionally, the Policy envisages the creation of a Health ID framework. A data principal can request for the creation of a Health ID at no cost, by which they can participate in the NDHE and the personal data of the data principal will be linked to its Health ID, recognising such data principal as the owner of the personal data so shared 9. The Health ID is intended to function as a single point of reference for all instances of data collection and processing in accordance with the provisions of this Policy. The participation of the data principal in the NDHE will be on a voluntary basis and shall be given the option to opt-out of the same. Additionally, the Policy provides the data fiduciary the ability to create the Health ID on behalf of the data principal 10. In pursuit of a holistic digital ecosystem, the Policy also encompasses the creation of Health Practitioner IDs as well as Health Facility IDs 11.
Chapter V of the Policy explores the obligations of the data fiduciaries in relation to the processing of personal data and lays down the foundations on which any collection of personal data shall rest, including the following 12:
- Privacy by Design (Data protection requirements shall be considered as part of the implementation and design of the systems, products and business practices by the data fiduciaries);
- Choice and Consent Driven Sharing (Option of opting in/out);
- Purpose Limitation;
- Collection, Use and Storage Limitation (Retention only till the purpose is satisfied after which explicit consent is required);
- Empowerment of Data Principal;
- Data Quality (data to be complete, updated and accurate with regard to the purpose for which it is processed); and
- Reasonable Security Practices and Procedures.
In addition to the above, the data fiduciary is required to carry out a data protection impact assessment prior to implementing any new technologies which carries a risk of significant harm, maintain complete and up-to-date records and a strict audit trail of all activities with access to personal data 13. Data fiduciaries are permitted to share anonymised data in an aggregated form for certain specific purposes as elaborated upon in the Policy 14. The Policy has carved out the role of the Data Protection Officer (“DPO“), similar to what has been provided for under the General Data Protection Regulation of the European Union, the gold standard of data protection legislation. Data principals are entitled to approach the DPO with any questions or queries they may have with regard to the processing of their personal data, and the details of such DPO shall be specified on the website of the data fiduciary along with the format and process for filing any and all inquiries and questions. While there is a separate provision for a Grievance Officer for complaints relating to the contravention of this Policy, it has been clarified that the DPO could be designated as the Grievance Officer where possible 15.
While the Policy is in the draft stage and has not emerged in its final form yet, the provisions indicate a conscious step towards meeting global standards of data privacy and protection.
4 “Data Principals” means the natural person/individual to whom the personal data relates.
5 “Data Fiduciaries” means any person including the State, a company, any juristic entity or any individual who alone, or in conjunction with others, determines the purpose and means of processing of personal data. For the purpose of this Policy, data fiduciaries would include Health Information Providers and Health Information Users if such entities are determining the purpose and means of processing of personal data.
6 Article 9.2, Data Health Management Policy, 2020
7 Article 10.1, Data Health Management Policy, 2020
8 Article 14, Data Health Management Policy, 2020
9 Article 15, Data Health Management Policy, 2020
10 Article 17, Data Health Management Policy, 2020
11 Articles 20-25, Data Health Management Policy, 2020
12 Article 26, Data Health Management Policy, 2020
13 Article 27, Data Health Management Policy, 2020
14 Article 29, Data Health Management Policy, 2020
15 Article 32, Data Health Management Policy, 2020