New Delhi: The Modi government Wednesday released the draft Health Data Management Policy of the National Digital Health Mission (NDHM), which seeks to create a digital health ecosystem in India with a unique health ID for every citizen.
The draft policy aims to “set out a framework for the secure processing of personal and sensitive personal data of individuals” who form the digital health ecosystem. It also outlines a definition for “sensitive personal information” that can be collected from citizens under the project — it includes, among other things, one’s religious or political affiliation, as well as genetic data.
According to the policy, “sensitive personal information” means “such personal data, which may reveal or be related to, but shall not be limited to… financial information such as bank account or credit card or debit card or other payment instrument details; physical, physiological and mental health data; sex life; sexual orientation; medical records and history; biometric data; and genetic data”.
Other information that can be sought under the category are “transgender status, intersex status; caste or tribe; and religious or political belief or affiliation”, as well as data relating to various health conditions and treatments, such as medical and health records.
The information, the draft states, can be collected in accordance with the policy.
The data, whose ownership will lie with the individual whose information it is, will be stored at three levels — central, state or union territory, and, lastly, at the health facility level.
At each level, only that much data will be stored as is essential for functionality. If data is shared for clinical research or statistical analysis, it will have to be anonymised. Any data breach, the proposal states, could result in the termination of an employee’s service, or that of contracts where service providers are involved. Data owners can also opt out of the project and cancel the digital health ID the policy aims to create for every citizen.
The draft, issued by the National Health Authority (NHA), which is the implementing agency for the Modi government’s PM Jan Arogya Yojana, is now open for public comments and feedback until 3 September.
The NDHM, which is envisaged as the first step towards universal health coverage, was announced by Prime Minister Narendra Modi in his Independence Day address. Apart from a personal health ID for every Indian, the digital health ecosystem it seeks to create will host identifiers for doctors and health facilities, and personal health records — all accessible through an app or website.
In a statement accompanying the draft policy, NHA Chief Executive Officer Dr Indu Bhushan said it “is the maiden step in realising the NDHM’s guiding principle of ‘Security and Privacy by Design’ for the protection of individuals’ data privacy”.
“It encompasses various aspects pertaining to health data like data privacy, consent management, data sharing & protection etc,” he added.
Highlighting the significance of the policy and its potential impact, he said, “Government of India is working to ensure strong privacy of health data and, therefore, we are circulating the Draft Health Data Management Policy of NDHM to increase awareness of the importance of data privacy and instill a privacy-oriented mindset among all the stakeholders and participants of the ecosystem.
“I look forward to feedback, suggestions, and inputs from experts and members of the general public to help us finalise the policy make it and hence, the implementation of the mission stronger and more effective.”
Also Read: India needs a digital health mission. But it also needs data privacy law to ensure it works
‘Privacy by design’
According to the policy, partners who will have access to NDHM data will have a designated data protection officer who can be approached with inquiries or questions by holders of Digital IDs.
The details of the data protection officer will be available on the website. If data processing involves any new technology, a data protection impact assessment will have to be carried out in the interest of privacy.
Owners of the data, the policy states, will have complete control and decision-making power over the manner in which personal or sensitive personal information associated with them is collected and processed further.
All institutions who have the data would have to offer a clear and conspicuous privacy notice to data principals (citizens) prior to the collection of information, if there are any changes in privacy policy, and also before it is further processed for a previously unidentified purpose.
“In addition, any failure to comply with this policy may also result in action, such as, termination of service of employees or dismissal of interns/ volunteers of such entities, or termination of contracts or arrangements with any data processor/service provider entered into by such entities,” the draft policy states.
Generation of health ID
A digital health ID can be generated at no cost for citizens who are willing to have one, the draft states. The person can also choose to opt out or to de-link their personal data.
“Every data principal shall have the option of opting-out of the NDHE (National Digital Health Ecosystem) and de-linking their personal data across data fiduciaries (defined as entities collecting, processing data), cancelling their Health ID, and requiring the removal of any personal data linked with such ID in accordance with the terms of the Data Retention and Archival Policy and applicable law,” the policy states.
The data will only be accessible to medical professionals or institutions that also have IDs under the NDHM, provided the person gives consent for his or her data to be viewed.
Also Read: Ayushman Bharat and all other govt health schemes to integrate with digital health mission
Rubbish. There is every chance of misuse of details and the guilty seldom get identified, what to talk of punishment. Sufferer is the common man.