Less onerous requirements for consent, removal of the clause for data localisation, change in the definition of Sensitive Personal Data (SPD) – these are some of the recommendations given by Amazon Web Services (AWS) in its submission to the National Health Authority (NHA) for the public consultation undertaken on the Health Data Management Policy (HDMP).
Apart from these, in its recommendations AWS also asked that the NHA tweak the policy to keep it in line with provisions of the pending Data Protection Bill and thus also refrain from creating policies for non-personal data- which the policy mentions would be issued later.
In April, the NHA had released a revamped version of the HDMP for public consultation. Essentially a data protection framework for health data under the government’s Ayushman Bharat Digital Mission (ABDM), it contains clauses related to storing sensitive personal data of users in India only, taking informed consent before processing someone’s health data, informing users about whom their data is shared with, etc. An earlier version, released in August 2020, had received criticism for allowing private entities access to health data, allowing linkages with Aadhaar, a lack of backing by a data protection law, and so on. The NHA subsequently released a revamped version, citing feedback and learnings from the pilot and nationwide roll-out of the ABDM since December 2020.
AWS’s submissions are an important indicator of issues that the private sector continue to perceive in the revised policy. AWS was also involved in the creation of the Ministry of Health and Family Welfare’s vaccine registration platform CoWIN.
HDMP’s inconsistencies with the Data Protection Bill
1. The data localisation requirement
“No personal data shall be stored beyond the geographical boundaries of India, subject always to the provision of applicable laws”
AWS said that these requirements could end up becoming very broad. It pointed out that personal data is defined as any data ‘ about or relating to a natural person who is directly or indirectly identifiable, having regard to characteristics, traits or any feature of the identity of the person’. Thus, per the policy, any data stored by an entity that is part of the ABDM – on whom the policy is applicable- will have to store all personal data in India even if its not health data.
It also said that this was not in line with the data protection bill which asks for only Sensitive Personal Data and Critical Personal Data to be stored in India.
2. Plans for a framework for non-personal data
NHA: As aforementioned, the NHA said in the HDMP that it would devise a procedure for sharing of non-personal or anonymised data.
AWS pointed out that multiple policies were already in the works on non-personal data governance such as the Data Protection Bill (DP Bill), India Data Accessibility and Use Policy, 2022 and a possible regulatory structure for the same through the Committee of Experts (aka Kris Gopalakrishnan committee) constituted by MeitY. It thus asked that no rules on Non-personal data (NPD) be released until-
(a) the DP Bill has been passed
(b) the DPA (Data Protection Authority) has issued appropriate standards, rules and regulations on anonymisation
(c) the CoE (Committee of Experts) on NPD has concluded its deliberations and published its recommendations after inviting comments from all relevant stakeholders, including from the public
3. Other divergences from the data protection bill
AWS says that the policy introduces the following requirements, in divergence from the provisions of the data protection bill:
- The creation of a ‘consent artefact’
- Requirement for Data Fiduciaries (entities that handle user data) and Data Processors (entities that process such data, possibly through outsourcing of such functions by data fiduciaries) to comply with data retention and archival guidelines to be notified.
The DP Bill does not explicitly mention consent artefact and only asks fiduciaries to retain data for the time it is necessary to complete the purpose for which the data was collected.
The cloud service provider asked the NHA to clarify on how the HDMP will align itself with the DP Bill once the latter comes into force and how entities should comply with the HDMP in case it contradicts or is inconsistent with the DP Bill.
Restrict definition of SPD to health data
NHA: In the HDMP, NHA defines SPD as including:
(ii) financial information such as Bank account or credit card or debit card or other payment instrument details;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) Biometric information
(vii) any detail relating to the above clauses as provided to body corporate for providing service;
(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise
AWS said that the definition was broad and could extend the ambit of the policy to other types of personal data, beyond health data. It further said that the definition does not provide more clarity on the types of health data in particular that could be considered as sensitive personal data.
Thus it asked that the NHA narrow the definition, restrict it to health data, and include the health conditions, treatments of the data principal, Electronic Medical Records (EMR), etc, that could fall under SPD. Electronic Medical Record means the lifelong longitudinal electronic health record of an individual.
Need to loosen up requirements for consent and sharing
1. Taking consent before processing and sharing
NHA: The HDMP requires a fiduciary to take consent from an individual before collecting, processing, as well as sharing their data with another entity.
AWS, in response to these requirements, asked the NHA to reduce the dependence on consent.
“The grounds for processing should be expanded to include (i) processing when it is necessary for the performance of a contract to which the data subject is a party; (ii) where the processing is necessary to protect the vital interests of the data subject; (iii) for legitimate interests such as fraud prevention; and (iv) ensuring the network and information security of an organization. We therefore recommend that the Policy explicitly allow for both express and implied consent, as well as allowing personal data to be processed on broader bases than just consent,” it said in its submission.
Taking informed consent from an individual for every processing activity would be onerous for the fiduciary and, further, the requirement to take an individual’s consent before sharing their data could lead to consent fatigue, AWS said.
2. Securing electronic consent against breaches
“Specifically, in case of electronic consent, data fiduciaries should make use of appropriate technological means to prevent security breaches and to guarantee integrity of access permissions given by data principals. Such technological means must be in conformance with the relevant national and international standards” – the HDMP
AWS said that it was unclear why electronic consent i.e consent gained through electronic means was being given a special threshold than other types of consent. Instead such safeguards should be in place for storage, collection, and processing of personal data for which provisions are also there in the policy. Thus it recommended that the clause be amended to the following:
“Specifically, in case of electronic consent, data fiduciaries should make use of appropriate technological means to
prevent security breaches and to guarantee ensure integrity of access permissions given by data principals. Such technological means must be in conformance with the national and international standards, as may be applicable.”
Quick recap: Progress on the ABDM so far
The ABDM- the government’s mutli-tiered, federated, digital health initiative- was rolled out nationwide in October 2021 and has since had some core components launch, some put out for public consultation, and yet some that are still in the works:
Consultations ongoing to create the Drug Registry which is proposed to be a comprehensive database of all drugs sold in India as well as drug demand, supply, and other characteristics.
40 third-party entities completed integration with ABDM’s UHI to provide services on it. The Unified Health Interface (UHI) proposed under the ABDM will offer various services such as teleconsultations, booking lab tests, etc., to citizens.
Decisions made on Health Facility Registry and Healthcare Professionals Registry which included modifications in functions, prioritisation of stakeholders groups, etc. The HFR and HPR were opened for public consultation in June 2021 and envisage creating registries of the information about all healthcare professionals and facilities enrolled in the ABDM.
The Health Data Retention Policy (HDRP) has been in the consultation phase since November 2021. The HDRP proposes conditions on how to handle citizens’ health data for entities enrolled in the government’s ABDM and, potentially, those beyond it as well.
- AWS suggests changes to Unified Health Interface and other building blocks of NDHM
- NHA releases new and revised Health Data Management Policy
- Insurance companies seek health data registered under Ayushman Bharat