What is the issue?
The CoWin portal for COVID-19 vaccines has come under criticism due to the absence of a privacy policy.
What is the Health Data Management Policy?
- CoWin follows the privacy policy of the National Digital Health Mission (NDHM) - the Health Data Management Policy.
- Other digital health initiatives, such as telemedicine, hospital management systems and insurance claims management, are also tied to this Policy.
- The Policy seeks to develop a national health information system.
- It facilitates the creation of Unique Health Identification (UHID) for individuals and healthcare providers.
- It also facilitates the collection, storage, processing and sharing of personal health information, as electronic health records (EHRs).
- Every individual’s UHID is linked to his or her EHR.
What are the shortcomings?
- Privacy - Despite the benefits, digitisation entails significant risks to privacy, confidentiality and security of personal health data.
- The Policy aims to mitigate these risks, through two guiding principles:
- “security and privacy by design”
- individual autonomy over personal health data
- But fundamental ‘design flaws’ may end up increasing instances of personal health data breaches.
- Legal backup - The Supreme Court, in Puttaswamy case, held that the right to informational privacy is a fundamental right.
- Any encroachment on this must be supported by law.
- It also calls for enacting a comprehensive data protection legislation.
- Contrary to this, the digitisation process being rolled out under the NDHM Policy is not supported by any law.
- Regulation - Setting up a regulatory authority entails a law that defines the boundaries within which it can function.
- It should also ensure independence from government interference and accountability to Parliament.
- But the Policy itself establishes the NDHM to function like a regulator.
- It authorises the NDHM to perform legislative, executive and quasi-judicial functions and define its own governance structure.
What are the risks involved?
- There is a possibility of secondary use of digital health data for research and policy planning, particularly by private firms.
- The Policy permits sharing of aggregate and anonymised health data on the premise that anonymisation conceals individuals’ identity.
- However, anonymised datasets can be easily de-anonymised to link back to personally identifiable information, risking individual privacy.
- The policy also does not stipulate ‘data masking’ as a measure available to individuals to ensure confidentiality of their data.
- [Data masking is a technique to hide specific sensitive health information in EHRs.
- Such information would be accessible even to health care providers only with the specific consent of the individual.]
- The Policy also does not limit the use of aggregate health data to public health purposes.
- Without strict purpose limitation, private firms may use people’s health data to enhance profits.
- The Policy also does not require reporting of personal data breaches to affected individuals.
- This impedes the rights to information and access to grievance redress, as well as increases the possibility of illegitimate state surveillance.
- Consent - The guiding principle of individual autonomy is invoked through ‘informed consent’ for collecting and processing personal health data.
- The Policy mandates informed consent only prior to the collection of data.
- It applies in case of any change in the privacy policy or in relation to any new or unidentified purpose.
- This suggests that one-time consent for one or more broad purposes may be sufficient.
- But with this, individuals may ultimately end up with little or no control over their data.
What lies ahead?
- In a country with an uncertain cybersecurity environment, poor digital literacy and weak state capacity, the adverse implications of the above can be severe and widespread.
- Addressing the gaps in the Policy is necessary, but it is not sufficient.
- So, a comprehensive data protection law (with health sector specific rules) is imperative for guiding the development of a digital health ecosystem.
Source: The Indian Express
