Highlighting the variety of ways in which health data can be exploited, Kazim Rizvi, Founder, The Dialogue, and Gautam Kathuria, Research and Engagement Associate, The Dialogue, emphasise that building a system which prioritises transparency and holds data fiduciaries accountable is the need of the hour, and that it is therefore important for citizens to actively engage with the Draft Health Data Management Policy, considering how it is going to govern an extremely important and deeply personal part of our lives.
The Ministry of Health and Family Welfare (MoHFW) released the Draft Health Data Management Policy – an important part of the National Digital Health Mission – for public consultation in August 2020. The policy outlines a framework explaining the manner in which storage and access of health data will be governed, while also introducing a health ID where information will be stored in an anonymised, centralised database. Healthcare data is one of the most important elements of an individual’s private data and such a policy is especially relevant considering the lack of a comprehensive governance framework regulating this data.
The COVID-19 pandemic has shone a spotlight on various structural deficiencies in healthcare systems, both in India and globally. It has also sped up the transition to a relatively data-heavy approach to healthcare, with a significant shift towards telemedicine services, as well as the increasing prevalence of contact tracing apps such as Aarogya Setu. This has further exacerbated the structural vulnerabilities of the current framework governing the storage and transfer of citizen health data.
On the whole, the medical industry around the world is extremely susceptible to data breaches. With electronic health records and storage on cloud-based servers becoming the norm, the possibility of a data breach or of third parties retaining sensitive user information raises several concerns. In the US alone, estimates suggest that over 100 million health records are breached annually. Earlier this month, the security of citizen healthcare data in India was also brought under the scanner due to a Delhi-based diagnostic lab leaking the data of over a million patients.
However, there is a glaring lack of understanding regarding why vulnerabilities to the privacy and security of our health data should be a major concern. This lack of understanding leaves citizens unaware of the gravity of the issue at hand, and hence more open to exploitation by the state, corporations and other third-party interests. Before examining the various facets covered in the health data management policy, it is important to create a fundamental understanding of how this data can be exploited and why health data breaches are harmful to both individuals and the collective.
The vulnerability of citizen health data is directly tied to the various incentives that third parties have to gain access to an individual’s data. In today’s times, a variety of individuals’ private data is being commodified, ranging from financial data to health, education and consumption patterns, amongst others. On the black market, healthcare data is the most valuable of these commodities, on average priced at more than ten times the price of credit card data. One of the major reasons why it is so valuable is that it usually contains the majority of an individual’s personally identifiable information, rather than a single marker that would usually be extracted from a breach of most other types of datasets.
Health data is inherently the most intimate form of our private data, and often includes not just our medical history and prescribed medication, but also invasive metrics such as an individual’s heart rate during different activities as well as one’s sleeping patterns. A breach of the privacy of this data can affect us in a multitude of ways, and it is imperative for us to have an insight into how this can be hazardous to us on an individual level.
For an individual, the first layer of privacy is at the family level. Considering the traditional manner in which family structures in India function, the health data of an individual is often de facto made accessible to older members of the family. This becomes especially relevant in some sections of the population, where there is a social stigma attached to certain diseases or medical procedures. Hence, the ramifications of having an abortion, a mental illness, or a disease like HIV/AIDS can leave the individual whose confidentiality has been breached in a vulnerable position. This breach in privacy often translates to the affected individual facing judgement and discrimination, both within the family as well as at a societal level.
Apart from social stigma faced at a family level, individuals’ health records and associated personal information being made available to employers can lead to discriminatory practices at the workplace as well. A Harvard Business School study from earlier this year discussed the rising trend of employee wellness programmes and their invasive nature. The study examines how data in this context is unregulated and can be used as a conduit for worker surveillance as employers access a wealth of employees’ personal information and non-anonymised health data.
On a broader level, current and potential future employers have a vested interest in the health data of an individual, as it helps govern important business decisions such as whether to offer an individual a job or a promotion. In such a scenario, health concerns such as heart disease, mental illness and other factors have the potential to be considered proxies for workload management and an ability to excel in stressful situations.
In the past, insurance companies have been known to use factors such as race, area of residence and consumption patterns as proxies for judging the health risk potential of a client. To this end, they have introduced schemes incentivising individuals to allow insurers to track their eating, sleeping and exercise patterns using wearable technology. While the intention behind such a move is to promote positive behaviour on the part of the individual, companies are also gaining the opportunity to use advanced data analytics to gain insights from this data. These insights are of increasing value to insurers and allow them to increase the accuracy of their prediction mechanisms while fixing their rates. Furthermore, they are able to utilise this data in a relatively unregulated environment, and individuals are often left uninformed regarding the specifics of how their data will be used.
The cases discussed above are just a fraction of the variety of ways in which our health data can be exploited. There must be a shift in the manner in which Indians think about the privacy of our health data, be it at the social, professional or government level. The risk to the privacy of citizen health data is very real and hence, it is imperative for us to work towards creating a secure framework for storing and transferring this data.
Building a system which prioritises transparency and holds data fiduciaries accountable is the need of the hour. The Draft Health Data Management Policy is meant to do just that and it is important for citizens to actively engage with this policy considering how it is going to govern an extremely important and deeply personal part of our lives.