By Sarada Mahesh
Earlier this month, residents from Madhya Pradesh were enrolled in the COVID-19 vaccine trial conducted by the People’s College of Medical Sciences and Research Centre – a private hospital in Bhopal. There were reports that neither were participants given a consent form nor were they informed of the vaccine’s side effects. The hospital administering the trial denied these allegations. India still does not have a Data Protection Act to address such situations, with the Bill remaining under discussion by a Joint Parliamentary Committee.
As the COVID-19 vaccination drive in India goes into full swing, it is important for a clear and enforceable privacy policy to be in place to protect the people to whom shots are being administered.
The government’s health privacy track record
The Government does not have the best history when it comes to collecting health data of people.
Take Aarogya Setu for instance, where an exception in the data retention provision rendered it inapplicable to anonymised data. The government agreed to share this data with institutions for further research, and reportedly even shared it with IIT Madras even before a privacy policy was drafted. It was only after much pressure that they came up with a quick fix policy that penalised institutes which tried to de-anonymise this data. Overall, the policy failed to live up to the standards established by the Puttaswamy judgement of 2017 which formally recognized the fundamental right to privacy.
Considering there are private pharmaceutical companies involved in these vaccination trials, one cannot do away with the possibility of vested commercial interests that surround the collection of this health data. Medical investigators are also working under intense pressure – if they know that the data is being accessed by companies, they might modify the results to only reveal what their parent companies or sponsors want to hear.
Legal provisions governing health data
Under the current provisions of the Data Protection Bill, health data has been classified as sensitive personal data. It is defined as:
“…the data related to the state of physical or mental health of the data principal and includes records regarding the past, present or future state of the health of such data principal, data collected in the course of registration for, or provision of health services, [and/or] data associating the data principal to the provision of specific health services.”
Section 11 of the Bill states that explicit consent has to be received from the data principal when processing this type of data. They also have to be informed of any possible “significant harms” that may come as a consequence of this processing. This has to be done in clear terms after giving them the choice of “separately consenting to the purposes of, operations in, the use of different categories of, sensitive personal data relevant to processing.”
India has a comprehensive legislative framework guiding medical trials. Some of these include the Drugs and Cosmetics Act, 1940 (and its rules from 2005), the India Medical Council Act, 1956 and the Biomedical Research on Human Subjects (Regulation, Control and Safeguards). As per Rule 4 of the Drugs and Cosmetics (IInd amendment rules), 2005, informed written consent must be obtained from each study subject. This must be done using an ‘Informed Consent Form’ and must be “in a language that is nontechnical and understandable by the study subject”. In case the subject is not able to give their consent (for example, due to a mental illness or disability), the same may be obtained from their legal representative. The Rules also provide for a checklist containing essential elements that must be included in the consent form. There is no provision regarding the protection of the health data that is being collected during these trials.
International medical research organizations like the Lancet have also highlighted this issue. For instance, if vaccine sponsors get access to the interim results of the study, they may be able to predict the success rate of the vaccine. Maintaining the confidentiality of the participants in the trial is of utmost importance — it is needed to protect the integrity of the trial. Care should be taken that the data is not de-anonymised and distributed in ways that could lead to more people having access to patients’ data than strictly necessary.
Apart from the regular information that participants are given (as provided in the Rules for informed consent), they must also be given details about the data retention policy, assurance that their health data will only be used for the purpose of the trial, and they should be made to submit only the necessary data required for the study.
Consent form not specific enough
However, the consent form for the vaccination drive which began on January 16 is very vague. The last paragraph of the form, , reads, in all caps:
I FURTHER EMPHASIZE THAT ANY INFORMATION PROVIDED BY ME PRIOR TO TAKING THE VACCINE WILL BE ARCHIVED IN THE DATABASE MAINTAINED BY THE IMMUNIZATION PROGRAM OF THE GOVERNMENT AND PRIVACY AS WELL AS CONFIDENTIALITY OF THE INFORMATION PROVIDED BY YOU WILL BE MAINTAINED.
This paragraph raises many questions. Who maintains and has access to the database of the immunization program? What is the data that is being collected, and will it be deleted once its initial purpose (that is, for the clinical trial) comes to an end? Considering the first recipients of the vaccine are frontline workers like pourakarmikas, is the privacy policy (and other terms of the form) explained to them in their regional languages? What if they decline to consent to one or more provisions of the form — will they be denied the vaccine? There are also reports of subjects who have died after getting the vaccine – what will happen to the deceased’s data? With the Digital Health India project coming up in full speed, the government is using every possible opportunity to collect the health data of citizens. Citizens may also be eager to participate in this process, if it means getting vaccinated at long last and having life return to the “old normal”.
Co-WIN and privacy
Adding fuel to the fire is the newly initiated COVID-19 Vaccine Intelligence Network (Co-WIN) application. It is being used to track the enlisted beneficiaries of the vaccine drive real-time. Apart from the fact that the UN Development Programme helped in the system’s development, very little information is available about its makers, with the government not providing the information even in response to an RTI application.
The application is already facing glitches within days of being introduced — it wouldn’t be wrong to worry about the possibility of the health data falling into the wrong hands because of weak public auditing of the code and substandard security. It does not yet appear to have a privacy policy and has already been linked to the health data management policy. While Aadhaar has not yet been made mandatory for getting the vaccine, there are legitimate fears that this linking will make it de facto impossible to obtain a vaccine without it.
A privacy policy is a realistic expectation
The UK Government managed to conduct a data impact assessment even during the rush to research a solution. The details of the assessment and the resultant policy can be found here. The policy is clear in its language and intention, and is also clearly explained to the subjects of the trial.
We can expect very little from a Government that has been actively undertaking data collection schemes in the name of promoting welfare of its citizens. This, however, is being done sans a data protection law, which can have worrying implications on the fundamental right to privacy. Clear privacy policies for the protection of the health data in the COVID vaccine clinical trials and the Co-WIN application have to be prepared and published without delay. The health data of the subjects of the largest vaccination drive in the world remains at stake until then.
Sarada Mahesh is a lawyer based in Bangalore. She works as a legal researcher and aims to make the law more simple and accessible.
