National Digital Health Management = Health Data Nationalisation

When one has digested the policy, one is likely to discover that one has had too much sugar and trans fat for one’s own good.

The National Digital Health Mission was announced by the prime minister on Independence Day 2020, but it didn’t surprise anyone who was following the work of the NITI Aayog or reading the opinion pieces in the leading newspapers by leaders in the corporate healthcare sector. The Health Data Management Policy follows the vision and objectives of the National Health Policy 2017, the paper by the NITI Aayog on the National Health Stack in 2018, and the NDHM Strategy Overview of July 2020. It is expected to be built using the architecture described in the Data Empowerment & Protection Architecture or DEPA released in early September 2020.

DEPA is not specific to any sector and that is a good indication of how data is now considered to be shorn of any character – it doesn’t seem to matter if that is financial data or health data. While this may be true from the standpoint of data analysis, where database managers and software engineers would be agnostic to the nature of data, the impact and significance of health data are different from those of other forms of data like shopping preferences, travel data, choice of music, colours, etc. That the DEPA treats all data in a like manner should be a cause for worry – not just because it doesn’t distinguish, but because of how such a significant matter was ignored. The alternative explanation is scary – policymakers wish to treat all data in a like manner.

Portability

Touted as one of the key benefits of the NDHM for patients, data portability is a myth given the economic incentives for service providers to sell more services and ignore all previous tests and data. This is true now and this behaviour is unlikely to change in the near future. Portability of data will only benefit various service providers who will use health data to sell additional services to the patient. For example, the data from a lab test or a doctor’s consultation will automatically trigger advertisements from hospitals, other labs, pharmacies, etc. DEPA describes this as data empowerment. Nothing could be more ironic and tragic at the same time! None of this is either necessary or empowering and does not provide any additional benefits to the patient at the cost of their data.

There are several terms like ownership, consent, control, privacy, voluntary, and “privacy by design” that are sprinkled all over the policy but when one has digested the policy, one is likely to discover that one has had too much sugar and trans fat for one’s own good.

Ownership

While the policy states that “the true ownership and control of the personal data will remain with data principals”, the attributes of ownership and control - the right to share, sell, license, create rights, get back and bequeath - are completely missing. If all of these rights are subject to the beneficence of the data fiduciary, how is there any semblance of ownership of data with the data principal?

Consent

In reality, though, there are fundamental issues that are completely ignored –

  1. A lack of information about the right to refuse consent;
  2. The lack of awareness of the consequences of exclusion or participation.

The circumstances where consent is sought, in a hospital or other healthcare service provider, are such that the data principal is unable to exercise free consent. How can it be “informed consent” if risks are not fully disclosed to the data principal in a manner that is easily and fully understood? One shouldn’t expect the government to understand or appreciate the concept of consent given that the NDHM website requires one to agree to terms and conditions which don’t exist. Perhaps the government will tell us how many people agreed to these non-existent terms and conditions, thereby ‘proving’ the government’s stand that even educated Indians don’t care about informed consent.

NDHM webpage screengrab. 

These issues are amplified when health data about family members will be gathered and personal data may be collected without any pretense of consent. It isn’t clear how all such data will be protected by the policy. Data principals are expected to use a consent manager – presumably an app. Given that the vast majority of the Indian population does not have a smartphone and broadband, it is unclear how this will work. Even for those who own phones and have access to the internet, the reality is that in most parts of India, a phone is shared amongst family members. The use of one phone compromises both the confidentiality of data and control over it.

There seems to be an expectation that if UPI and other payment apps can work, this will too. Thus will spread the myth that all data is alike and undermine the development of a culture of privacy. Payment transactions using known and “verified” phone numbers are simple to understand and execute and yet the number of financial frauds has been increasing. There is a risk that health data together with financial data, both linked to Aadhaar and a phone number, will increase vulnerability to infringement of privacy, breach of confidentiality, and fraud.

Control

The data principal ought to have control over data even after consent is given but the policy does not grant the data principal a right to full access to their own data. Even if such access is available, how will patients have control over, and be able to check the accuracy of, the record and changes? If the data fiduciary is not liable for the accuracy of the records, and errors, there is a risk of fatal consequences. How will patients be able to get any recourse for the consequences of errors in their records?

Exclusion

There is a declaration in the policy that patients will not be denied health services due to the absence of the health ID. Given how ‘voluntary’ Aadhaar was and is, and the exclusion that has been well documented, it is unlikely that this declaration will be anything more than a slogan.

Where Is The Substantive Legislation?

The NDHM Strategy Overview published in July 2020 assumes that the Personal Data Protection Bill is a law and expects that all the stakeholders will comply with its provisions. Since a Bill is not binding, implementing the NDHM in the absence of robust data protection legislation will be a violation of the decision of the Supreme Court in the Puttaswamy case. The policy merely states the intention of the government but can only be implemented by legislation. This policy seems to confirm that the current data processing practices are blessed by the government. Individuals and private entities can do everything that is not prohibited by law but government action is limited by law and is only permitted to regulate in accordance with legislation. Lack of legislation means that the government is not regulating any of these activities and private interests are free to do as they please without any fear of sanction.

The NDHM Strategy only lists (i) Personal Data Protection Bill and Non-personal Data Framework (ii) the Information Technology Act 2000 and the Aadhaar Act 2016. We have known for the last few years that the Information Technology Act and the Aadhaar Act have been ineffective in the protection of privacy – there have been several well-documented instances of data and privacy breaches and yet there hasn’t been a single instance of accountability or redress. The policy should map out all the legislation applicable to each transaction that is contemplated. This is required to ensure compliance and for audit. Leaving this vague will lead to uncertainty which denudes the little protection that the data principal may have.

Poor Drafting

There are parts of the policy, like paragraph 33, that have been drafted by competent lawyers who understand privacy law in the digital ecosystem. It appears that the policy was drafted initially by Vidhi Legal, but then technocrats who have a false sense of knowledge of legal documents seem to have tinkered with it by adding terms that lawyers would never use - can, cannot, may, should, will and must – and it is unclear what is meant by these different terms. If it is the intention that those terms are given their normal meaning, they are wrongly used. If the intention is to impose legal obligations, then “shall” should be used. If choice is to be given, then “may” should be used. There is really no place for “must”, “can”, “cannot”, “will” and “should” in binding regulations. Similarly, “subject to applicable law” is used randomly across the policy. Is the intention that only those parts of the policy are subject to applicable law and the rest of the provisions override applicable law? Surely this can’t be right!

Victim Has Some Rights But No Remedies

It is perhaps for the first time that a government policy proclaims that technology can limit people’s fundamental rights. Shouldn’t technology respect the law and be subjected to rights, especially when it is being “designed” from scratch? Since this is only policy, one needs to look through a number of documents to understand what is expected from the stakeholders. The expectation that exclusion from the network will be a sufficient deterrent for data fiduciaries and data processors is naïve. Similar provisions did not deter fake enrolments in the Aadhaar database or frauds using the Aadhaar database and it is unlikely that there will be either any incentive for the stakeholder to comply or punishment for non-compliance.

The data principal who is likely to be the victim will have no access to any facts or documents to be able to establish the cause of his injury and administrative remedies in India are ineffective. If there is no effective remedy, is there really a substantive right? Legal theory says yes, but in the words of Dickens whose observations of the legal process ring true now more than ever and in India more than elsewhere - “If the law supposes that, … the law is an ass — an idiot. If that's the eye of the law, the law is a bachelor; and the worst I wish the law is, that his eye may be opened by experience.”

Sandbox

The National Health Authority has proposed a sandbox for various corporate interests to participate in the development of the health infrastructure for the NDHM. While this may seem reasonable and the consequences of any disaster can be contained, the best use case for the NDHM is the Central Government Health Scheme. It meets all the objectives of the National Health Stack – there is already a unique identity issued to each of the participants in the CGHS, there is a great to portability given that government employees are frequently transferred. Rather than roll out the NDHM to the poor unsuspecting people of this country, shouldn’t the CGHS be the sandbox? It is reasonable that if something is good enough for all the bureaucrats and their families, it is good enough for the common man.

Data Nationalisation

The government announced “Data of the People, by the People and for the People” in the Economic Survey of 2018-19. With the “sharing” of the Vahan database of vehicle ownership for Rs 65 crore, this was expected to be replicated in other sectors as well. The prime purpose of the policy seems to be to bless the existing structure of nationalisation of personal data and then allow private players to use it without any compensation to the data principal.

Murali Neelakantan is an expert in healthcare laws.

The views expressed here are those of the author and do not necessarily represent the views of Bloomberg Quint or its editorial team.
