By Sarada Mahesh
Earlier this month, residents from Madhya Pradesh were enrolled in the COVID-19 vaccine trial conducted by the People’s College of Medical Sciences and Research Centre – a private hospital in Bhopal. There were reports that neither were participants given a consent form nor were they informed of the vaccine’s side effects. The hospital administering the trial denied these allegations. India still does not have a Data Protection Act to address such situations, with the Bill remaining under discussion by a Joint Parliamentary Committee.
The government’s health privacy track record
The Government does not have the best history when it comes to collecting health data of people.
Considering there are private pharmaceutical companies involved in these vaccination trials, one cannot do away with the possibility of vested commercial interests that surround the collection of this health data. Medical investigators are also working under intense pressure – if they know that the data is being accessed by companies, they might modify the results to only reveal what their parent companies or sponsors want to hear.
Legal provisions governing health data
Under the current provisions of the Data Protection Bill, health data has been classified as sensitive personal data. It is defined as:
“…the data related to the state of physical or mental health of the data principal and includes records regarding the past, present or future state of the health of such data principal, data collected in the course of registration for, or provision of health services, [and/or] data associating the data principal to the provision of specific health services.”
Section 11 of the Bill states that explicit consent has to be received from the data principal when processing this type of data. They also have to be informed of any possible “significant harms” that may come as a consequence of this processing. This has to be done in clear terms after giving them the choice of “separately consenting to the purposes of, operations in, the use of different categories of, sensitive personal data relevant to processing.”
India has a comprehensive legislative framework guiding medical trials. Some of these include the Drugs and Cosmetics Act, 1940 (and its rules from 2005), the India Medical Council Act, 1956 and the Biomedical Research on Human Subjects (Regulation, Control and Safeguards). As per Rule 4 of the Drugs and Cosmetics (IInd amendment rules), 2005, informed written consent must be obtained from each study subject. This must be done using an ‘Informed Consent Form’ and must be “in a language that is nontechnical and understandable by the study subject”. In case the subject is not able to give their consent (for example, due to a mental illness or disability), the same may be obtained from their legal representative. The Rules also provide for a checklist containing essential elements that must be included in the consent form. There is no provision regarding the protection of the health data that is being collected during these trials.
International medical research organizations like the Lancet have also highlighted this issue. For instance, if vaccine sponsors get access to the interim results of the study, they may be able to predict the success rate of the vaccine. Maintaining the confidentiality of the participants in the trial is of utmost importance — it is needed to protect the integrity of the trial. Care should be taken that the data is not de-anonymised and distributed in ways that could lead to more people having access to patients’ data than strictly necessary.
Apart from the regular information that participants are given (as provided in the Rules for informed consent), they must also be given details about the data retention policy, assurance that their health data will only be used for the purpose of the trial, and they should be made to submit only the necessary data required for the study.
Consent form not specific enough
However, the consent form for the vaccination drive which began on January 16 is very vague. The last paragraph of the form, , reads, in all caps:
I FURTHER EMPHASIZE THAT ANY INFORMATION PROVIDED BY ME PRIOR TO TAKING THE VACCINE WILL BE ARCHIVED IN THE DATABASE MAINTAINED BY THE IMMUNIZATION PROGRAM OF THE GOVERNMENT AND PRIVACY AS WELL AS CONFIDENTIALITY OF THE INFORMATION PROVIDED BY YOU WILL BE MAINTAINED.
Co-WIN and privacy
Adding fuel to the fire is the newly initiated COVID-19 Vaccine Intelligence Network (Co-WIN) application. It is being used to track the enlisted beneficiaries of the vaccine drive real-time. Apart from the fact that the UN Development Programme helped in the system’s development, very little information is available about its makers, with the government not providing the information even in response to an RTI application.
The UK Government managed to conduct a data impact assessment even during the rush to research a solution. The details of the assessment and the resultant policy can be found here. The policy is clear in its language and intention, and is also clearly explained to the subjects of the trial.
We can expect very little from a Government that has been actively undertaking data collection schemes in the name of promoting welfare of its citizens. This, however, is being done sans a data protection law, which can have worrying implications on the fundamental right to privacy. Clear privacy policies for the protection of the health data in the COVID vaccine clinical trials and the Co-WIN application have to be prepared and published without delay. The health data of the subjects of the largest vaccination drive in the world remains at stake until then.
Sarada Mahesh is a lawyer based in Bangalore. She works as a legal researcher and aims to make the law more simple and accessible.