The National Health Authority’s (NHA) proposal to develop an Aadhaar-based self-verification platform for citizens to check whether they are eligible for the Ayushman Bharat scheme has raised quite a few eyebrows. The apex health body set up by the entity has proposed to integrate several databases in the backend so that users can run a self-search to check whether they are eligible for the Ayushman Bharat scheme and register for it.
According to a tender floated by the National Health Authority, Aadhaar will be mandatory for the intended beneficiary, and for his or her family the portal aims to make use of available family IDs such as ration card, household ID and so on for enrolment.
“Aadhaar number may also be used by the beneficiary to search his or her details at once across multiple databases. It may be noted that databases may be integrated at the backend using the Aadhaar number or other common unique IDs,” the tender said, adding that all information has to be stored on the Pradhan Mantri Awas Yojana program’s cloud-server.
So what are the databases that will work in the backend of the application?
- Identity details like ration card no, household ID, PMJAY ID, mobile number
- Ability to sieve through demographic details of the beneficiary like name, father’s name, gender, State, district, village and so on
For enrolling family members, the NHA plans to make use of the existing digital infrastructure of Prime Minister Arogya Mitra (PMAM), where officials are able to search for a beneficiary’s family through databases such as ration card, socio-economic caste census, AB-PMJAY ID and so on.
“Add Member functionality should also be provided as part of the Self BIS module wherein source Family ID should be considered to get list of family members and approved added members. This feature is already developed and is currently being operated by the PMAM. This may be integrated with the Self BIS module,” the tender read. After submitting the application, the platform will send it to an auto-approval mechanism or to State level health authorities as per a State’s policies.
NHA stresses security and privacy in/by design
The process involves the collection, processing and storage of sensitive information, including personally identifiable information (PII) and personal health information (PHI), during different stages. NHA said that multiple stakeholders will require access to the data at different stages.
“Considering the sensitivity of the data pertaining to residents, it is prudent to protect information from breaches that may have severer ramifications… Beneficiaries’ PII and health data is required to be kept encrypted even within PM-JAY data centres/cloud,” the tender read.
NHA has also directed service providers to ensure that the platform has the option to mask data, anonymise personal health data or have methods of de-identification. Apart from that, the registration page for the application will have an Aadhaar-OTP mechanism besides having a separate login credential.
For audits, the platform is required to submit logs free from any tampering. “The logs must be chained to further enhance the immutability of the logs and make changing logs at a later date an extremely tedious, difficult task. The log must be pseudonymised to protect privacy but should be able to trace the user in the event a transaction is contested,” it said.
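One way the tender's log requirement could be met, shown as an added example that is not taken from the tender or from NHA: each entry stores the hash of the previous one, and the actor is recorded as a keyed pseudonym that only the key holder can match back to a user. The SHA-256 chaining, the HMAC pseudonym, the field names and the sample user IDs are all assumptions made for illustration.

```python
import hashlib, hmac, json

GENESIS = "0" * 64  # constructed starting value for the chain

def pseudonym(user_id: str, key: bytes) -> str:
    """Keyed pseudonym: stable per user, not linkable to the ID without the key."""
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()[:16]

def _digest(prev: str, body: dict) -> str:
    payload = prev + json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()

def append(log: list, user_id: str, action: str, key: bytes) -> None:
    prev = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log), "actor": pseudonym(user_id, key), "action": action}
    log.append({**body, "prev": prev, "hash": _digest(prev, body)})

def first_broken(log: list, anchored_head: str = None):
    """Index of the first entry that fails verification, else None.

    anchored_head is the latest hash as stored outside the logging system;
    with it, truncation or a rewrite of the whole tail is reported as len(log).
    """
    prev = GENESIS
    for i, e in enumerate(log):
        body = {"seq": e["seq"], "actor": e["actor"], "action": e["action"]}
        if e["seq"] != i or e["prev"] != prev or e["hash"] != _digest(prev, body):
            return i
        prev = e["hash"]
    if anchored_head is not None and prev != anchored_head:
        return len(log)
    return None

def trace(log: list, candidate_id: str, key: bytes) -> list:
    """Key holder resolves a contested transaction: entries made by this user."""
    p = pseudonym(candidate_id, key)
    return [e["seq"] for e in log if hmac.compare_digest(e["actor"], p)]

def build_sample(key: bytes) -> list:
    """Constructed sample log; the user IDs are placeholders, not real identifiers."""
    log = []
    for uid, action in [("user-A", "search"), ("user-B", "add_member"), ("user-A", "submit")]:
        append(log, uid, action, key)
    return log
```

Chaining alone only makes edits tedious, as the tender puts it: anyone who can rewrite every entry after the one they change produces a chain that verifies, so the latest hash has to be kept somewhere the log writer cannot alter.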
Privacy concerns remain
Prasanth Sugathan, legal director at Software Freedom Law Centre said, “The government, especially the NHA, has been heavily relying on unfettered tech-solutionism without delving into the data protection principles as espoused in the Puttaswamy I case. This is clearly against the principle of proportionality, necessity, and data minimisation. What is the point of introducing these technologies when the smartphone and internet penetration in the country is significantly low and digital literacy is abysmal as well?”
Divij Joshi, a lawyer and independent researcher, said, “Using digital services can in some situations expand access, but the Government must take care to ensure that there are adequate exception handling mechanisms and alternatives to online registration, given the long history of database failures we have seen in the past.”
“Integrating and linking beneficiary details across all kinds of beneficiary databases can also have privacy implications. There should be a well defined legal basis for a technology which integrates all of this information, as well as clear limitations and procedures for how the information can be accessed and used”—Divij Joshi, lawyer and independent researcher
Ayushman Bharat data shared with Insurance cos
In a 2019 report, a working group formed by the NHA and the Insurance Regulatory and Development Authority of India submitted a list of 56 transaction-level variables settled under the Ayushman Bharat scheme that will be collected by the NHA and the Insurance Information Bureau (IIB). The group said that the data collected would be exchanged on a monthly basis. “Both NHA and IIB shall explore the possibility for real-time data transfer in the future,” the report said.
“As per IIB formats, the details of policyholders are captured to understand the profile of the policyholders in various aspects such as Age-group, Gender, State-wise, Rural vs Urban, Occupation, etc,” the report said.