AIOCD expresses data privacy concerns in draft Health Data Management policy, submits comments, suggestions
Requests authorities to release draft policy in regional languages too
The All India Organization of Chemists & Druggists (AIOCD) has submitted its comments and feedback to government authorities on the draft Health Data Management Policy of the National Digital Health Mission (NDHM). The association has also urged the authorities to publish the draft policy in regional languages and expressed its concern about patient data privacy as well as safeguard mechanisms for the encryption of sensitive data.
Rajiv Singhal, General Secretary, AIOCD, informed, “We have submitted our suggestions and recommendations on the draft policy of Health Data Management to PM Modi and Dr Indu Bhushan, CEO, National Health Authority. In principle, we support the Government’s decision that customers and patients should receive the benefits of technology and digitalisation in health care services. However, through our submission we have highlighted that it is equally important to ensure that effective healthcare and patient-doctor-pharmacist confidentiality is not jeopardised in the haste of adopting technology. We condemn the hasty manner in which the National Health Authority is conducting public consultation in respect of the Health Data Management Policy. From a reading of the policy, it is evident that once the policy is implemented it shall have far-reaching consequences on the provision of healthcare services and the existing statutory framework i.e., the Indian Medical Council Act, 1956, Drugs and Cosmetics Act, 1940, Pharmacy Act, 1948 and Rules and Regulations framed thereunder.”
“A meaningful consultation process can happen only when there is a physical discussion and debate with all stakeholders, which is not possible in view of the circumstances due to the COVID-19 pandemic. Moreover, due to COVID-19 the consumer protection groups, associations, NGOs, voluntary organisations etc. which are involved in healthcare, data protection, privacy rights etc., will not be able to meet and discuss the repercussions of the policy,” he added.
“Even though the policy aims at creating a database of health records, we find it difficult to understand the premise behind framing of the policy as in India the adoption of technology is limited and data protection laws do not exist. In our opinion this policy would only serve as a data collection mechanism with no fruitful purpose in respect of health of the public in general, other than illegal surveillance. Therefore, the finalisation of the Policy should only be done after the Data Protection laws are in place,” expressed JS Shinde, President, AIOCD.
Reportedly, the draft policy was first published on August 26, 2020, and only seven days were given for consultation as well as for sending objections to the policy. However, due to public pressure, the Government granted an extension up to September 21, 2020. “We condemn the undue haste shown by the National Health Authority in passing the draft policy without giving a meaningful opportunity of public consultation,” stated the AIOCD letter.
In its submission, the association has pointed out that the policy seeks to create a unique ID for doctors, healthcare practitioners, health facilities and patients. It also seeks to digitalise the health records of patients and to enable private stakeholders to get access to personal medical data.
However, in AIOCD’s opinion, the objectives stated in the policy cannot be implemented by making a standalone policy, which may not have the force of law. For implementing such a far-reaching policy, the Central Government should enact strong Data Protection Laws and introduce necessary amendments in the Drug Act and allied laws.
Concerns raised in AIOCD’s letter
1) The draft policy states that the participation of patients in the digital health ecosystem shall be on a voluntary basis. However, with the advancement of technology, doctors and healthcare practitioners will get accustomed and habituated to providing services digitally. The same trend is apparent in all e-commerce/technological sectors. As a result, the AIOCD’s letter mentions the fear that a patient who chooses not to become a part of the digital health ecosystem will face hardship in getting access to cheap and speedy healthcare. For the majority of the population, therefore, availing the digital health ecosystem will become a compulsion.
2) Once the proposed policy is implemented, it will involve the collection of biometric and medical records. This would create the world’s largest medical database of biometrics. Digital data is susceptible to hacking and unauthorised access, and the AIOCD is not sure if the Central Government will be in a position to safeguard the privacy of citizens from hacking and unauthorised access. The policy falls foul in many areas and these need revamp and reconsideration.
3) The draft policy stipulates that the Government will be collecting medical and private information of its citizens. The AIOCD members were not able to think of any workaround or a legitimate interest of the state in collecting the personal medical data of its citizens and linking it with a centralised ID. Moreover, the Government will then also have access to every medical visit and diagnosis of the citizens as it will be uploaded and linked to the health ID. In our opinion this is a breach of citizens’ informational privacy and unconstitutional.
4) The draft policy says that it will enable surveillance by the state authorities. In the AIOCD’s opinion, using the personal medical records of citizens for the purpose of surveillance by the state is an unwarranted intrusion into the privacy rights of the citizens and it is also a malafide objective.
5) The draft policy doesn’t take into account that most people desire anonymity and privacy to defend themselves from being profiled. If the health ID is linked to citizens’ biometrics or Aadhaar, then it is against the concept of anonymity and inconsistent with it.
In addition to the above, the policy also does not clarify its main purport in respect of the processing of personal and sensitive data of individuals/citizens. That the patients’ medical data will be processed and profiled is the antithesis of the privacy and confidentiality rights of patients, as per the AIOCD.
“The draft policy does not even whisper about the protection of sensitive individual data, which will eventually become prone to commercial/monetary gains of various private as well as government/semi-government companies involved in healthcare services if the data is given to them for processing,” stated the letter.
The letter significantly mentioned that the draft policy is silent on, or gives no consideration to, the possibility of sensitive data being used for commercial or monetary gains. Although the policy casts an absolute duty on the data fiduciaries to determine the purpose and means of processing personal data, it does not clarify whether such sensitive data could be used for commercial gains or not, which jeopardizes the sensitive information of a citizen who in good faith and trust submits his/her health data.
It also highlighted that the draft policy being framed for the purpose of digitisation of medical records of an individual seeks to demand too much from an individual in the guise of sensitive personal data, such as financial details, religious or political belief or affiliation, intersex status, sex life, sexual orientation etc. The definition of sensitive personal data should be narrowed down.
Suggestions provided by AIOCD
1) In so far as de-identified data are concerned, the policy should clearly state the entities with whom the data could be shared. Even if it is shared, the sharing should strictly be for the purpose of research, policy formulation, analysis or any other public related issue; it should be properly regulated and should not be allowed to be used for commercial gains.
2) The policy should include a sample template, as an example, of the privacy notice for the purpose of the provision of services of the data fiduciary.
3) The draft policy does not mention the place of storage of data by the Data Fiduciary. The location of the data storage is important, so as to ensure that the data is not being stored in a private server. The draft also does not contain sufficient safeguards for the encryption of sensitive data, which needs to be considered while finalising it.
4) The policy should also clearly lay down the lawful procedures for the authorities authorised under the policy, data fiduciaries or other health service providers for accessing the sensitive and/or personal data of an individual, so that an amount of ‘checks and balances’ is maintained and the privacy of an individual is safe at all times.
5) The policy should also contain a provision or clause that makes intruders, including those who illegally access the sensitive and personal data and provide it to other interested parties, accountable for their acts. It should have a proper punishment mechanism not only for the illegal provider and the receiver of sensitive information, but also accountability for the data that would be illegally hacked by hackers.
6) The policy should also address the issue in respect of semi-urban and rural areas, wherein doctors would be reluctant to do the tedious job of putting the data in electronic format, thereby completely defeating the objective of the policy, namely healthcare delivery.
7) The present draft policy is discriminatory in so far as it does not address the issue of accessibility for persons with visual impairment. Therefore, there is a need to look into this aspect as well.
8) The policy should mandate the data fiduciary to also inform the individual about the risks involved in providing the sensitive health data at the time of collection, so that the consent taken, if any, from the individual is an informed one.
9) In so far as the policy relates to e-prescriptions, the AIOCD suggests that the Government should come up with a national portal on which the registered medical practitioner can directly upload e-prescriptions. If the e-prescription is being uploaded by the patient, the policy should also require that the said prescription be authenticated by the prescriber/registered medical practitioner before it is dispensed, and that this be properly recorded so that a case of multiple dispensation of drugs from the same e-prescription can be avoided.