Update on September 1, 10:50 IST: The government on Monday evening extended the deadline for public comments by a week to September 10.
The government has released and opened public consultations for a data management policy to govern the National Digital Health Ecosystem, which is being driven by the National Health Authority. The draft policy adopts the Personal Data Protection Bill, 2019, as a mainframe, and was released on Tuesday evening. Public consultation is open just for a week, until September 3, 2020.
The Personal Data Protection Bill, 2019, was first made public in December, and is now being deliberated over by a parliamentary committee formed specifically for this purpose. The bill’s passage will follow due legislative process, which has already been delayed by the pandemic. The policy is essentially personal data protection framework for health data, and is clearly drafted to be in harmony with the personal data protection law, whenever it comes in force.
The policy will apply to everyone in the National Digital Health Mission ecosystem, such as people who have been issued Health IDs, healthcare professionals, governing bodies such as Health Ministry and National Heath Authority, any healthcare provider that collects health data, payers, pharma stakeholders, and anybody who collects or processes personal or sensitive personal data.
Key definitions under the policy
Most definitions under the policy are identical to that in the PDP Bill, including that of processing, data principal, data fiduciary, child, data, data processor, de-identification, harms, and so on. However, it details out some aspects around health-related data:
1. It expands sensitive personal data to include “physical, physiological, and mental health data”; and also information around various health conditions and treatments, such as Electronic Health Record (EHR), Electronic Medical Record (EMR), and Personal Health Record (PHR). Financial data also includes data related to bank account, credit and debit card, and other payment instruments.
2. Personal data will include Health ID and Personal Health Identifier, but inferences drawn for profiling are not personal data. Data fiduciaries will include Health Information Users and Health Information Providers, if they are determining the purpose and means of processing personal data.
3. Electronic Health Record is a repository of the digital health of an individual, which can be accessed by “multiple authorised users” and “represented in a commonly agreed logical information model”. Electronic Medical Record is a similar repository used by Health Information Provider to generate records to support patient diagnosis and treatment. “EMR may be considered as a special case of EHR, limited in scope to the medical domain or is focused on the medical transaction,” the policy says. A Personal Health Record, maintained by a user, is a “complete and accurate” summary of their health and medical history by “gathering data from as many sources and making it accessible online”.
4. A ‘Data Retention and Archival Policy‘ shall be formulated by the NHA. It may specify terms and conditions related to Health Information Providers and Health Information Users. HIPs will be those hospitals, diagnostic centres, public health programs and other such entities registered with the National Health Infrastructure Registry, which act as information providers in the ecosystem.
5. Personal Health Identifier is data that could potentially identify a specific data principal and can be used to differentiate one user from another. It can include a user’s demographic and location information, family and relationship information, and contact details. “PHIs could also be used for re-identifying previously de-identified data,” the policy says.
Data fiduciaries can collect and process personal and sensitive personal data with valid consent, the purposes will be limited to those specified by the NHA. Consent can be obtained via electronically or physically, either directly from the user or via a consent manager. Consent provided physically may be converted to physical form by the consent manager or data fiduciary.
A consent manager will interact with the user and obtain their consent for access to personal or sensitive personal data “where the role of the consent manager will be provided by the NHA or any other service provider”. When consent is taken electronically, a “consent artifact” will be generated (to initiate the sharing of the data) and will be shared with the user and with the HIP and HIU through a consent manager.
Children’s personal data
Data fiduciaries have to ensure that processing of a child’s personal or sensitive personal data takes place “only in such manner that is in the best interests of the child” and not “in a manner that is likely to cause harm to the child”. The parent or guardian’s consent needs to be taken to collect and process the personal and/or sensitive personal data of children.
The policy grants the user the rights to knowledge and confirmation, and right to correction, rights also granted under the Personal Data Protection Bill, 2019. However, this policy limits the right to data portability to “the extent technically feasible”. Under the right to erasure, the user can request their personal data be erased if its storage violates any data protection principles or if the purpose for which the data was collected has been satisfied. The user can also delete their uploaded personal data stored in the Health Locker.
- Personal data can be blocked or restricted, rather than being erased, if the law prohibits its erasure “as it would impair the legitimate interests” of the data principal.
How the rights can be exercised: The user can exercise these rights by contacting the designated officer of the data fiduciary, either directly or via a consent manager. In case the user passes away, their legal heirs will have access to the data “owned by the data principal”, if the user consented to this.
Allocation & Creation of a Health ID
Creation: A data principal can request that their Health ID be created free-of-cost. This will be generated per policy the NHA lays down, and can be authenticated using the user’s Aadhaar number or any other identification document specified by NHA. Once created, the user’s personal data will be linked to the Health ID, and the user will “be deemed to be the owner”.
The user’s participation in the ecosystem will be voluntary and every user will be able to opt-out and delink their personal data “across fiduciaries”. The NHA has to ensure that authentication means do not prevent a person not having an Aadhaar number or a mobile number from getting a Health ID. Moreover, nobody can be denied health services for not having a Health ID.
To create Health IDs for users, a fiduciary has to register with the NHA and “obtain an authorisation key to access the service required for generation of a Health ID”.
Creation of a Health Facility ID
Similarly, a Health Facility will have a single ID as well, it will allow a hospital or lab to share the user or patient’s personal data with them and with other health practitioners, subject to consent. Such a Health Facility will be included as part of the “National Health Infrastructure Registry”, which will have the power to verify the legitimacy of a health facility and check on its ability (among other things) to e-sign digital documents.
Obligations of the data fiduciary
The data fiduciary will be “accountable for complying with the measures which give effect to the privacy principles” while processing any personal data, even though the “true ownership and control” remains with the data principals. Among other things, the data fiduciary has to disclose which categories of personal data it is processing, the purposes, the grievance redressal process, and so on — a requirement also in the Personal Data Protection Bill, 2019.
The policy also separately places obligations on Health Information Users, which are data fiduciaries under the policy as well. HIUs have to follow principles of consent, data minimisation, and data retention. They also have to “take all reasonable steps” to ensure that a data principal can exercise their rights under the policy.
Data Protection Impact Assessment
The data fiduciary has to carry out an impact assessment before it undertakes any processing involving new technologies or any processing which can cause significant harm to users. The assessment needs to include measures for minimising or removing risks of possible harms.
Non-Personal Data: Sharing of de-identified or anonymised data by fiduciaries
Data fiduciaries may make anonymised or de-identified data in an aggregated form available for facilitating clinical and academic research, for policy formulation, archiving, statistical analysis, “development and promotion” of diagnostic solutions, and other purposes that the NHA may specify.
The user can approach the data protection officer or grievance redressal officer (they can be the same person) of the daat fiduciary. If unsatisfied, they can approach the Data Protection Officer of the NDHM. The next step of appeal is the Health Ministry of via litigation.