Health Data Management Policy - Privacy Concerns - VISION

Material For Exam

Recent Update

Saturday, July 17, 2021

Health Data Management Policy - Privacy Concerns

 What is the issue?

The CoWin portal for COVID-19 vaccines has come under criticism due to the absence of a privacy policy.

What is the Health Data Management Policy?

  • CoWin follows the privacy policy of the National Digital Health Mission (NDHM) - the Health Data Management Policy.
  • Other digital health initiatives, such as telemedicine, hospital management systems and insurance claims management, are also tied to this Policy.
  • The Policy seeks to develop a national health information system.
  • It facilitates the creation of Unique Health Identification (UHID) for individuals and healthcare providers.
  • It also facilitates the collection, storage, processing and sharing of personal health information, as electronic health records (EHRs).
  • Every individual’s UHID is linked to his or her EHR.

What are the shortcomings?

  • Privacy - Despite the benefits, digitisation entails significant risks to privacy, confidentiality and security of personal health data.
  • The Policy aims to mitigate these risks, through two guiding principles:
    1. “security and privacy by design”
    2. individual autonomy over personal health data
  • But fundamental ‘design flaws’ may end up increasing instances of personal health data breaches.
  • Legal backup - The Supreme Court, in Puttaswamy case, held that the right to informational privacy is a fundamental right.
  • Any encroachment on this must be supported by law.
  • It also calls for enacting a comprehensive data protection legislation.
  • Contrary to this, the digitisation process being rolled out under the NDHM Policy is not supported by any law.
  • Regulation - Setting up a regulatory authority entails a law that defines the boundaries within which it can function.
  • It should also ensure independence from government interference and accountability to Parliament.
  • But the Policy itself establishes the NDHM to function like a regulator.
  • It authorises the NDHM to perform legislative, executive and quasi-judicial functions and define its own governance structure.

What are the risks involved?

  • There is a possibility of secondary use of digital health data for research and policy planning, particularly by private firms.
  • The Policy permits sharing of aggregate and anonymised health data on the premise that anonymisation conceals individuals’ identity.
  • However, anonymised datasets can be easily de-anonymised to link back to personally identifiable information, risking individual privacy.
  • The policy also does not stipulate ‘data masking’ as a measure available to individuals to ensure confidentiality of their data.
  • [Data masking is a technique to hide specific sensitive health information in EHRs.
  • Such information would be accessible even to health care providers only with the specific consent of the individual.]
  • The Policy also does not limit the use of aggregate health data to public health purposes.
  • Without strict purpose limitation, private firms may use people’s health data to enhance profits.
  • The Policy also does not require reporting of personal data breaches to affected individuals.
  • This impedes the rights to information and access to grievance redress, as well as increases the possibility of illegitimate state surveillance.
  • Consent - The guiding principle of individual autonomy is invoked through ‘informed consent’ for collecting and processing personal health data.
  • The Policy mandates informed consent only prior to the collection of data.
  • It applies in case of any change in the privacy policy or in relation to any new or unidentified purpose.
  • This suggests that one-time consent for one or more broad purposes may be sufficient.
  • But with this, individuals may ultimately end up with little or no control over their data.

What lies ahead?

  • In a country with an uncertain cybersecurity environment, poor digital literacy and weak state capacity, the adverse implications of the above can be severe and widespread.
  • Addressing the gaps in the Policy is necessary, but it is not sufficient.
  • So, a comprehensive data protection law (with health sector specific rules) is imperative for guiding the development of a digital health ecosystem.

 

Source: The Indian Express