By Shweta Mohandas and Pallavi Bedi
The places where we share data such as temperature and oxygen levels have significantly changed since the pandemic began. We now unwittingly share what could come under the definition of health data with not just healthcare providers but also airports, educational institutions, shops, theatres, and other public and private spaces which earlier did not collect or process health data. With the setting up of the CoWin API that will make it easier for establishments to verify the vaccination status of people, the health ID generated with the vaccination certificate becomes another health data point that gets shared. However, with the newly revised definition of health data under the Data Protection Bill 2021 released by the Joint Parliamentary Committee (JPC), a lot seems to be left to speculation, especially keeping in mind the places that can now collect health data.
What is health data?
When the revised Data Protection Bill 2021 becomes an Act, it will be the primary legislation that governs health and medical data including its collection, storage, processing, and sharing. The 2021 Bill defines health data as follows:
“…the data related to the state of physical or mental health of the data principal and includes records regarding the past, present or future state of the health of such data principal, data collected in the course of registration for, or provision of health services, data associated with the data principal to the provision of specific health services.”
While health data comes under the definition of sensitive personal data, placing greater responsibility on the data fiduciary, the Bill in its present iteration fails to provide a comprehensive definition of what is health and what specifically can be considered as health data. The current definition of the term “health data” can be construed to mean a number of health indicators that are now being collected by multiple organisations. This is also confusing because a number of fitness devices and applications now collect and process health data, such as heart rate, oxygen levels, and menstrual cycle; these applications and devices are still unregulated in India.
Another issue overlooked by the drafters of the Bill is how this definition would correlate with the health policies, specifically on health data, published between 2019 and 2021. The National Digital Health Mission (“NDHM”) (now known as the Ayushman Bharat Digital Mission), which stemmed from the National Health Policy 2017 and the National Digital Health Blueprint 2019 (Blueprint), seeks to standardise and digitise health records. This would be done by creating electronic health records for all and creating registries of healthcare professionals and health facilities in order to ensure a smooth and standardised system across public and private healthcare institutions.
In 2020, the Central Government released the National Digital Mission: Health Data Management Policy. This policy laid the foundation of the guiding principles of “Security and Privacy by Design” for the protection of a data principal’s personal digital health data privacy. While these documents mention in detail the architecture for electronic health records and specify individuals’ consent, the 2021 Data Protection Bill will be the only legislation dealing with regulating and protecting health data.
In 2017, the Digital Information Security in Healthcare Act (DISHA) was introduced and was open to public consultation. The aim of this draft legislation was to establish National and State eHealth Authorities and Health Information Exchanges; to standardise and regulate the processes related to collection, storing, transmission, and use of digital health data; and to ensure reliability, data privacy, confidentiality, and security of digital health data. The draft Act defined “digital health data” as “an electronic record of health related information about an individual and shall include the following: (i) Information concerning the physical or mental health of the individual; (ii) Information concerning any health service provided to the individual; (iii) Information concerning the donation by the individual of any body part or any bodily substance; (iv) Information derived from the testing or examination of a body part or bodily substance of the individual; (v) Information that is collected in the course of providing health services to the individual; or (vi) Information relating to details of the clinical establishment accessed by the individual.” DISHA was not discussed further and the essence of it was converted into the various Health ID policy documents. However, these policies as well as the PDP Bill failed to incorporate the comprehensive definition that was already drafted in DISHA.
While the definition of health data needs more clarity, there is one more aspect of health data that warrants greater thought and responsibility — health ID. At the outset, there is little clarity on whether the unique health ID, like the Aadhaar ID, is meant to be a confidential number. If this is so, then by virtue of the ID being published on vaccine certificates, the privacy of the ID has already been jeopardised. The requirement of vaccine certificates at various public places such as airports, hotels, restaurants means that the ID is available to those who have no business storing it.
Further, if we were to look at the protection to be afforded to health ID, we would have to rely upon the definition of health data in the 2021 Bill, as health ID has not been separately identified or referred to in the Bill. Looking at the definition of health data, it is difficult to verify whether health ID would come within its domain.
While the definition covers “data related to the state of physical or mental health of the data principal including the past, present or future state of the health of such data principal”, it is unclear whether the health ID number in itself would fall under this category since it is not data about a person but a number that can be used to identify the individual (as each number is unique to a person) as well as the health records of that person. Similarly, the second part of the definition includes health data to be “data collected in the course of registration for, or provision of health services”; here too it seems that the data protected as health data is the information related to the person provided during the registration but not the number in itself. This could mean that health data would constitute data such as name, age, and phone number which were provided during the registration, but it still does not clarify what would happen to the health ID number which could grant access to all this sensitive personal data. The final part of the definition, which was added in the new iteration of the Bill, includes “data associated with the data principal”, which can be construed as including Health ID, but it leaves a lot open to interpretation.
Health IDs have been generated on the basis of the Health Data Management Policy – there is no legislative basis for such an identification number and therefore, no separate statutory protection has been afforded to it. The Health ID numbers have been generated during vaccinations (without the informed consent of the concerned person) and will be used as a common point for all health-related information. Additionally, this ID is also being shared with entities that fall outside the definition of health service providers as defined in the health ID documents. For example, in December 2021 there were reports of private companies such as Paytm facilitating the creation of Health ID on their app.
The reason why we emphasise that Health ID must be clearly defined under the definition of health data is that the other protection as sensitive personal data, under “official identifier”, cannot be afforded to health ID. The Bill in all its versions defines “official identifier” as “any number, code, or other identifier, assigned to a data principal under a law made by Parliament or any State Legislature which may be used for the purpose of verifying the identity of a data principal”. The Health ID is the outcome of the Health Data Management Policy, hence it does not fall under the definition of “official identifier”.
The more services and applications require Health IDs, the greater the need to ensure that this ID is processed and protected as sensitive personal data — meaning that it is only processed based on the explicit consent of the data principal and that data fiduciaries have more responsibility. There is a need to ensure this because, if unregulated, the Health ID could be used to derive other sensitive information about a person and, since the ID is being used for multiple services, could give way to profiling and targeting.
Pallavi Bedi is a Senior Policy Officer at the Centre for Internet and Society (CIS), where she works on privacy and data protection. Shweta Mohandas is a researcher at CIS, focusing on AI, privacy, and India’s policies around them.