Centre for Internet & Society’s comments on NDHB: Literacy and benefits of PHR, access to anonymised data, consent as product

The Centre for Internet & Society has made its submission to the National Digital Health Blueprint 2019 public. It addresses challenges and caveats in implementing an EHR system in India, where digital literacy and literacy levels are low. It explains that PHR benefits have been useful to those who are technically competent. It also flags issues with Digilocker and eSign, both of which are building blocks in the Blueprint, and recommends that consent frameworks be designed around consent as a product.

Comments for the Blueprint closed on August 4, and haven’t yet been made public. The Ministry of Health held a public consultation on the Blueprint; our report of the day is here. A summary of the Blueprint document is here.

Here are detailed notes from CIS’ submission (embedded below):

Anonymisation: DPA should create standards, only authorized bodies should access anonymised data

The Srikrishna Committee report has talked about the failure of anonymisation/de-identification, which can become redundant if quasi-identifiers are used. The EU and South Africa, among others, have put anonymised data outside the scope of data protection law. India has similar provisions in the PDP Bill, and additionally criminalises de-identification of anonymised data without the consent of the data fiduciary.

  • The Data Protection Authority, as envisioned in the PDP Bill, should “create these standards that the health data under NDHB should follow, to ensure the privacy of individuals”, as the Srikrishna Committee report has also recommended.
  • To address the possible failure of anonymisation, CIS recommends that the NDHB include an exhaustive list of bodies/individuals that can access the anonymised data and a list of cases for which they can access the data; this is to ensure that anonymised data is accessed by authorized agencies identified by the government. It also points out a provision in the DISHA Bill:

This should consider the recommendations made in the MoHFW’s Draft Digital Information Security in Health Act (DISHA) bill, which includes “Digital health data, whether identifiable or anonymized, shall not be accessed, used or disclosed to any person for a commercial purpose and in no circumstances be accessed, used or disclosed to insurance companies, employers, human resource consultants and pharmaceutical companies, or any other entity as may be specified by the Central Government.”

PHRs just won’t work in India, given current illiteracy and digital illiteracy rates and workload of health workers

PHR system described in blueprint will increase workload

Earlier health data management systems like HMIS and RCH have suffered because health workers are overburdened and data entry operators cannot devote enough time to it. Capacity limitations have also led to gaps between a health episode and its digitisation; this could be a concern in the NDHB as data may not be digitised at source. The PHR prescribed in the NDHB will lead to more workload.

Assumes widespread digital literacy

The NDHB says service delivery under it will be facilitated by ‘near universal coverage’ of smart phones across India, but this premise assumes widespread digital literacy. A Digital Empowerment Foundation report revealed that nearly 90% of the population are not digitally literate.

PHRs benefit technically competent users, adoption needs high digital and health literacy

CIS also argues that evidence suggests that the touted benefits of PHR – such as self-management of health – only accrue to technically competent users, and that one needs health literacy and digital literacy, both of which are low in India, for effective use of PHRs. Again, adoption and benefits from PHRs depend on frequency of use. Phew. “Those that stand to lose out on the use of PHRs then stand to be communities that are already underserved in the delivery of health services.” These communities already faced the risk of exclusion from care delivery.

Also, PHRs’ benefits depend on the use of EHR systems by health care providers. “Importing the success of these electronic health programs from other high-income contexts does not factor in the endemic reasons for clinicians’ inertia in the adoption of EHRs.” … “As a result, doctors in India tend to be more problem-oriented, time-strapped, and pay less attention to the elaborate documentation of clinical notes.”

Demarcate levels at which data will be stored

The blueprint talks about creating a federated architecture for collecting and storing health information, but does not demarcate the categories of data which will be stored in regional centres or with the care providers, versus data which will be stored in the NDHB’s central repository, says CIS.

It’s unclear how the consent management frameworks will ensure that data principals are in control of their PHR while it is stored at the central or regional site, “or enforce the use of the recommended standard ISO/TS 17975:2015.”

While the focus on open standards and interoperability is commendable, it is far more difficult to operationalise the interoperability given the array of open standards to choose from. Often, in the case of decentralised personal data stores, interoperability then gets reduced to the use of open standards.

Consent frameworks should consider digital and general illiteracy; consent should be treated like a product, subject to liability

CIS reminds everyone that 90% of the population is not digitally literate and 30% is illiterate. Boilerplate contracts are also widespread in the online world, something also acknowledged by the Srikrishna Committee report. Most people who consent to these may not read or understand them, which is why a revised consent framework is needed.

CIS recommended that the above-mentioned illiteracy numbers should be accounted for while implementing consent management frameworks; consent forms should be treated like a product, subject to product liability, to ensure that people provide informed and specific consent with respect to their digital health data. “The data fiduciaries are then obligated to design consent contracts/frameworks such that there are no pre-checked boxes or boilerplate contracts. They are required to design them in a manner such that they are read and understood by the data principals, thus allowing the latter to provide informed, affirmative consent.”

Digilocker has security issues, consent should be taken for Healthlocker

The Digilocker, on which the Healthlocker would be modeled, has inadequate security measures, raising concerns about the biometric data stored in it. Sensitive health data will become vulnerable if this model is followed. “Additionally, there is no method to take explicit consent from the users of DigiLocker – the consent is assumed when individuals sign up for the service.” Consent should be taken for Healthlocker.

eSign has security issues too; third-parties for Blueprint should be vetted

The eSign framework for Aadhaar also has security concerns since third-parties are involved; CIS recommends “a transparent and rigorous vetting process for third parties involved, as well as strict access limitations for all third parties.”

Use of GI Cloud

The Blueprint recommends building the H-Cloud on MeitY’s Government Community Cloud and says that key data hub management services must be deployed on it. MeitY’s consultation paper on the Cloud lists the risk of compromise of confidential information and intellectual property as one of its risks, CIS pointed out. “If healthcare systems are standardised across India, high costs will be involved. Costs should be laid out in significant detail before any steps are taken to implement it,” said CIS.

The blueprint should have Right to be Forgotten

The NDHB includes a provision on immutability, which states that a record cannot be deleted without following due process. Such due process should consider the right of the data principal to delete specific entries or the entire set of records containing their personal information – aka Right to be Forgotten.

What to do in case of privacy breach?

The NDHB doesn’t mention any procedure to be followed in case of a data breach. Although it does mention creation of a Security Operations Centre (SOC) and a NDHB Security Policy, it doesn’t present the procedures they should follow in case of a privacy breach. CIS recommends creating a clear SOP for this.

CIS’ submission (PDF): https://www.medianama.com/wp-content/uploads/NDHB-2019-Comments-Centre-for-Internet-and-Society.pdf

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ