“Anonymisation of the retained data should not be allowed to be employed for indiscriminate and/or otherwise inappropriate data sharing… particularly as involving commercial actor(s),” IT For Change (ITfC), a Bengaluru-based think tank, said in its response to the National Health Authority’s Health Data Retention Policy (HDRP) consultation paper. Such a policy brings in more data retention and changes for those healthcare entities which may not have maintained records earlier, ITfC stated.
The HDRP proposes conditions on how to handle citizens’ health data for entities enrolled in the government’s ABDM and, potentially, those beyond it as well. The ABDM is the government’s project that looks to digitise the health records of citizens as well as develop analytics systems based on anonymised and aggregated health data for research, epidemiology, and other purposes, among other components.
The abuse of such data could lead to discrimination against, for instance, a community of patients with a rare disease or an ethnic group having unique genetic or other health-related data which is sensitive. But, ITfC revealed, the strict implementation of the HDRP could lead to it becoming a compliance burden on smaller healthcare entities.
How would the HDRP be implemented?
NHA: How should the implementation of the policy be done in case the policy is made applicable for the ecosystem beyond ABDM?
One of the key questions with the HDRP was whether the policy should apply to all entities in the healthcare sector in India, including those who opt out of ABDM (Option 1) or only to entities opting into the ABDM.
Restrict the application of the HDRP: ITfC suggested that the policy be rolled out in a phased manner.
- Initially, only facilities participating in the ABDM should be subject to the policy.
- “Applying the policy first to ABDM-registered ‘health facilities’ can in various ways become an incentive for ‘health facilities’ across the country to undertake appropriate digitalisation,” the think-tank said.
- Capacity and awareness-building programmes through the Indian Council for Medical Research and the National Medical Commission could push smaller health facilities into digitising.
The policy should also clearly outline which healthcare entities are subjected to it or not, as the policy could also become an excuse for entities to undertake non-consensual processing or storage of data, ITfC said. If the need arises for any other entities to be included under it over time, ITfC suggested that they can be included after holding consultations. Such entities would also have to be subjected to other existing laws and regulations covering ‘traditional’ healthcare entities, it added.
NHA: How can smaller clinics or centres, both public and private, build capability in a timely and cost-efficient manner to take responsibility of data retention for long time periods?
NHA needs to support smaller clinics in getting resources: The NHA should supplement the budgets of public health facilities initially to aid in the procurement of data storage facilities. Additionally, it should build the smaller facilities' skills in negotiating on matters of data security and access, and create an empanelled list of service providers.
The Internet Freedom Foundation had also similarly suggested that the NHA provide financial support to smaller or public health facilities.
How should retention periods be specified in the policy?
NHA: What should be the ideal duration for these different health data types? Should a blanket retention duration be adopted for all health records in India or different schedules be defined as per a classification? Which is a better approach of retention?
Classification of data should keep in mind their objectives and nature: ITfC batted for more granularity in the classification of data, saying that the principle of minimisation needs to be kept in mind and that granularity of data captures key attributes, outputs, and trends related to such data. This would ensure that data that is less important to retain is not over-retained and that which is more important is not under-retained, it said.
“For example, data that may be used for research purposes (such as cancer diagnostic images) should have a higher retention period with adequate safeguards against misuse.” — ITfC
The policy should be very clear about what data is included under it, although more types of data could be added following consultations, ITfC said.
Concerns related to sharing of non-personal data
Provision to opt out of non-personal data sharing: Citizens should be given the option to opt out of sharing their data in anonymised or aggregated form for research and other purposes, through an opt-out provision specifically, ITfC suggested. In response to the HDRP provision to allow blocking health data when it cannot be deleted due to legal requirements, ITfC cited examples from the UK and Canada:
“For example, UK’s National Health Service (NHS) launched a national ‘opt-out’ program in 2018 that created a single opt-out point applied across the system for patients unwilling to have their data shared outside the NHS for purposes of research planning, and provided a mechanism for people to register their choice.”
“For instance, in Ontario, Canada, the ‘lockbox provision’ enables a health facility to put patient data in a sealed envelope for the duration of retention when the patient wants the data deleted, which thereupon cannot be disclosed without consent, or if otherwise required by law.”
In contrast, the Federation of Indian Chambers of Commerce & Industry (FICCI) batted for sharing of anonymised data for reference and analysis in epidemiology, clinical data analytics, machine learning, etc. This could be done by removing all PHI (personal health identifiers) and then storing them in cloud-based servers permanently, FICCI said.
Prohibition from discriminatory uses of such non-personal data: ITfC suggested that rules, codes, and regulations be put in place to protect against data-related harms and sharing of benefits received from (non-personal) data use as the health sector is tightly regulated. The sharing of non-personal, health-related data can be harmful and ITfC further reasoned that:
- Non-personal, anonymised data is not regulated by any law
- The second draft report of the Committee of Experts on Non-Personal Data Governance Framework recommended legal provisions both for prevention of collective harm by putting an obligation of ‘duty of care’ on collectors of non-personal data and enabling any member of the community/group concerned to take to the court any complaint of collective harm.
- The report also provides a legal basis and means for benefit-sharing in connection with the use of non-personal data related to a group or community.
Questions that ITfC does not answer
- As ABDM has a provision for opt-out, in such a scenario what may be the possible implications from the perspective of health data retention?
- Should there be a provision for extension of duration or retention of health data under the policy being proposed? What considerations should be made in defining the guidelines, allowing for such an extension?
- Who shall have the apex authority to oversee and implement health data retention? Which entity as part of the ecosystem should be rolling out this policy at the macro-level?
- How can business continuity be ensured in case of fall of the establishment, platform or service providers?
- Will the governance model as per Health Data Management Policy be sufficient for the retention policy?
- How will the policy regulation be enforced and what should be the structure across relevant entities responsible for retaining the health data?
- Is there an alternative model or policy approach which could be considered?
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.