New Delhi: If you’ve used your Aadhaar card as an identification document to get your Covid-19 vaccine, chances are you’ve already been set up with a digital health ID. According to figures available with the National Health Authority (NHA), of the 12,46,26,994 Digital Health IDs that have been made, 12,27,11,046 were through CoWin.
Although Prime Minister Narendra Modi announced the nationwide rollout of the Ayushman Bharat Digital Mission (ABDM) only earlier this week, ThePrint found that the digital health ID, under the ABDM, had already been generated for people who used their Aadhaar card to register on the CoWin website.
It is not clear, however, whether or how consent was sought before the ID was generated. The ‘Unique Health ID’ is part of the details listed on one’s vaccination certificate.
Replying to a mail from ThePrint, the NHA said: “CoWIN has integrated with Ayushman Bharat Digital Mission (ABDM) for Aadhaar authentication of CoWIN beneficiaries, and further creation of Health IDs upon consent. The process of initiation of Health ID creation for a CoWIN beneficiary is triggered at the vaccination site, wherein the beneficiary provides their Aadhaar Number to the attending vaccinator for authentication purpose right before inoculation”.
The NHA response further stated that “at the same instance, the vaccinator communicates the consent language for Health ID creation to the user, and the use of Aadhaar for the same. After due collection of consent, the demographic details of the beneficiary are authenticated against their Aadhaar details, and a Health ID is created. For such beneficiaries, the Health ID created is printed on their vaccination certificate as ‘Unique Health ID (UHID)’.”
However, most recipients of the vaccine are not even aware that their unique health ID has been generated. Just 19,15,948 digital health IDs have been created through avenues other than CoWin.
In case a person used a different identification document to register on CoWin, such as driving license, PAN, or passport, the health ID has not been generated. The CoWin platform accepts six types of IDs, apart from Aadhaar, to register people.
The Unique Health ID has been planned as a 14-digit identification number that links to a person’s entire medical history, made available online at just a click.
However, since the plan was announced in 2020, concerns have been raised about the privacy and the safety of the enormous amounts of data that will be generated and linked to this system. The fact that the ID is being generated without seeking a user’s consent is also potentially problematic, say lawyers working in the field.
Also read: India needs a digital health mission. But it also needs data privacy law to ensure it works
Pilot programmes in six UTs
According to data on ABDM website, a total of 19,02,000 health IDs have been generated through the portal. On the CoWin portal, the number of vaccine registrations currently stand at 71,13,05,999. Most, officials said, were done using the Aadhaar card.
Before the nationwide launch on 27 September, ABDM pilots were being carried out in the Union territories of Puducherry, Chandigarh, Ladakh, Lakshadweep, and Daman and Diu and Dadra and Nagar Haveli. Registration for these had began last year.
Official sources told ThePrint that the bulk of the health IDs generated so far have happened through CoWin.
According to the digital mission policy, getting a Unique Health ID is voluntary.
“…. participation of an individual in the NDHE (National Digital Health Ecosystem) will be on a voluntary basis and where an individual chooses to participate, he/she will be issued a Health ID (as defined in this Policy) by the NDHM (National Digital Health Mission). Where an individual wishes to avail of any health services, the Health ID of the individual may be verified by the use of Aadhaar or any other method of identification as may be specified by the NDHM,” the health data policy document states.
According to officials in the know, the issue of lack of consent in the health IDs that were generated through CoWin was discussed internally, and there is a problem when it comes to the data generated from such IDs.
“For now, it is just the vaccination certificate, but many people do not even know that they have been enrolled. There is a privacy issue there. That is why the ABDM website no longer gives the total enrolments in the country, but only the number done through that portal,” a source told ThePrint.
‘Where is the law?’
Legal experts point out that while the generation of a Unique Health ID without consent does raise privacy concerns, the larger question remains — what is the legal framework behind the digital health mission?
“The health ID does not have a legal framework. You cannot have a national identifier for health without a legal framework. For everything they (central government) say that health is a state subject. How is the central government generating a health ID then?” said Prasanna S., a Supreme Court lawyer who deals in privacy matters.
“This is an ill-considered and ill-conceived scheme. There are definite privacy concerns in this. So the state has to justify and the first limb of that is a law. If it passes a law, then we will know that it is beyond the legislative competence of the Centre. The Supreme Court had said you must have a law, then why is this without a law? Did they even take legal opinion? Which law officer did they consult and what did they say?” Prasanna added.
(Edited by Manasa Mohan)
Also read: Surveillance power, diluting privacy: Why Modi govt’s data bill needs urgent modification