Health Data Management - survey needed

The government has released and opened public consultations for a data management policy to govern the National Digital Health Ecosystem. Only 1 week is given to the public to give inputs on the attached 27-page document. It seems quite weird that it's being done amidst the pandemic. Below is a summary of the key areas, but LocalCircles should simplify and do a survey on key areas and submit to Govt. The biggest risk is people's health, sex, and financial data making it to irresponsible private businesses who misuse it for marketing and sales.

Summary:

The draft policy adopts the Personal Data Protection Bill, 2019, as a mainframe, and was released on Tuesday evening. Public consultation is open just for a week, until September 3, 2020.

The Personal Data Protection Bill, 2019, was first made public in December, and is now being deliberated over by a parliamentary committee formed specifically for this purpose. The bill’s passage will follow due legislative process, which has already been delayed by the pandemic. The policy is essentially a personal data protection framework for health data, and is clearly drafted to be in harmony with the personal data protection law, whenever it comes into force.

The policy will apply to everyone in the National Digital Health Mission ecosystem, such as people who have been issued Health IDs, healthcare professionals, governing bodies such as the Health Ministry and National Health Authority, any healthcare provider that collects health data, payers, pharma stakeholders, and anybody who collects or processes personal or sensitive personal data.

Key definitions under the policy

Most definitions under the policy are identical to those in the PDP Bill, including that of processing, data principal, data fiduciary, child, data, data processor, de-identification, harms, and so on. However, it details out some aspects around health-related data:

1. It expands sensitive personal data to include “physical, physiological, and mental health data”; and also information around various health conditions and treatments, such as Electronic Health Record (EHR), Electronic Medical Record (EMR), and Personal Health Record (PHR). Financial data also includes data related to bank account, credit and debit card, and other payment instruments.

2. Personal data will include Health ID and Personal Health Identifier, but inferences drawn for profiling are not personal data. Data fiduciaries will include Health Information Users and Health Information Providers, if they are determining the purpose and means of processing personal data.

3. Electronic Health Record is a repository of the digital health of an individual, which can be accessed by “multiple authorised users” and “represented in a commonly agreed logical information model”. Electronic Medical Record is a similar repository used by Health Information Provider to generate records to support patient diagnosis and treatment. “EMR may be considered as a special case of EHR, limited in scope to the medical domain or is focused on the medical transaction,” the policy says. A Personal Health Record, maintained by a user, is a “complete and accurate” summary of their health and medical history by “gathering data from as many sources and making it accessible online”.

4. A ‘Data Retention and Archival Policy’ shall be formulated by the NHA. It may specify terms and conditions related to Health Information Providers and Health Information Users. HIPs will be those hospitals, diagnostic centres, public health programs and other such entities registered with the National Health Infrastructure Registry, which act as information providers in the ecosystem.

5. Personal Health Identifier is data that could potentially identify a specific data principal and can be used to differentiate one user from another. It can include a user’s demographic and location information, family and relationship information, and contact details. “PHIs could also be used for re-identifying previously de-identified data,” the policy says.

Consent

Data fiduciaries can collect and process personal and sensitive personal data with valid consent; the purposes will be limited to those specified by the NHA. Consent can be obtained electronically or physically, either directly from the user or via a consent manager. Consent provided physically may be converted to physical form by the consent manager or data fiduciary.

A consent manager will interact with the user and obtain their consent for access to personal or sensitive personal data “where the role of the consent manager will be provided by the NHA or any other service provider”. When consent is taken electronically, a “consent artifact” will be generated (to initiate the sharing of the data) and will be shared with the user and with the HIP and HIU through a consent manager.

Children’s personal data

Data fiduciaries have to ensure that processing of a child’s personal or sensitive personal data takes place “only in such manner that is in the best interests of the child” and not “in a manner that is likely to cause harm to the child”. The parent or guardian’s consent needs to be taken to collect and process the personal and/or sensitive personal data of children.

User rights

The policy grants the user the rights to knowledge and confirmation, and right to correction, rights also granted under the Personal Data Protection Bill, 2019. However, this policy limits the right to data portability to “the extent technically feasible”. Under the right to erasure, the user can request their personal data be erased if its storage violates any data protection principles or if the purpose for which the data was collected has been satisfied. The user can also delete their uploaded personal data stored in the Health Locker.

Personal data can be blocked or restricted, rather than being erased, if the law prohibits its erasure “as it would impair the legitimate interests” of the data principal.

How the rights can be exercised: The user can exercise these rights by contacting the designated officer of the data fiduciary, either directly or via a consent manager. In case the user passes away, their legal heirs will have access to the data “owned by the data principal”, if the user consented to this.

Allocation & Creation of a Health ID

Creation: A data principal can request that their Health ID be created free-of-cost. This will be generated per policy the NHA lays down, and can be authenticated using the user’s Aadhaar number or any other identification document specified by NHA. Once created, the user’s personal data will be linked to the Health ID, and the user will “be deemed to be the owner”.

The user’s participation in the ecosystem will be voluntary and every user will be able to opt-out and delink their personal data “across fiduciaries”. The NHA has to ensure that authentication means do not prevent a person not having an Aadhaar number or a mobile number from getting a Health ID. Moreover, nobody can be denied health services for not having a Health ID.

To create Health IDs for users, a fiduciary has to register with the NHA and “obtain an authorisation key to access the service required for generation of a Health ID”.

Creation of a Health Facility ID

Similarly, a Health Facility will have a single ID as well; it will allow a hospital or lab to share the user or patient’s personal data with them and with other health practitioners, subject to consent. Such a Health Facility will be included as part of the “National Health Infrastructure Registry”, which will have the power to verify the legitimacy of a health facility and check on its ability (among other things) to e-sign digital documents.

Obligations of the data fiduciary

The data fiduciary will be “accountable for complying with the measures which give effect to the privacy principles” while processing any personal data, even though the “true ownership and control” remains with the data principals. Among other things, the data fiduciary has to disclose which categories of personal data it is processing, the purposes, the grievance redressal process, and so on — a requirement also in the Personal Data Protection Bill, 2019.

The policy also separately places obligations on Health Information Users, which are data fiduciaries under the policy as well. HIUs have to follow principles of consent, data minimisation, and data retention. They also have to “take all reasonable steps” to ensure that a data principal can exercise their rights under the policy.

Data Protection Impact Assessment

The data fiduciary has to carry out an impact assessment before it undertakes any processing involving new technologies or any processing which can cause significant harm to users. The assessment needs to include measures for minimising or removing risks of possible harms.

Non-Personal Data: Sharing of de-identified or anonymised data by fiduciaries

Data fiduciaries may make anonymised or de-identified data in an aggregated form available for facilitating clinical and academic research, for policy formulation, archiving, statistical analysis, “development and promotion” of diagnostic solutions, and other purposes that the NHA may specify.

Grievance Redressal

The user can approach the data protection officer or grievance redressal officer (they can be the same person) of the data fiduciary. If unsatisfied, they can approach the Data Protection Officer of the NDHM. The next step of appeal is the Health Ministry or via litigation.

Comments (8)

Also reliable and reasonable health care services are required.

How can this possibly be a good move? The voting system only attracts approx 8,000 on local circles so it is hardly representative of the people. This is not about our health at all. Our health, mental state, financial records, sexual orientation and so on is our personal property and no one's business. I don't trust the internet and security of our personal and private information cannot be guaranteed by any Government. What if in the future a bad government takes charge? What control will they have over the citizens? No, we are a democracy and our sovereignty, privacy and freedoms must be any GOI's first priority.

I am not sure how much it's going to help the patient... it's however sure to help the agencies like fiduciary, medical (hospitals -- who may start pestering you for treatments), legal, insurance, etc. who can use your information for promoting their business. This requires more transparency and the benefits to all the parties should be made threadbare.

Who says the country is facing unemployment? Look at the author, she is gainfully employed copying and pasting a document available to anyone who wants it. I do not want to read the lengthy document and equally long comment. Are you being paid by Pakistan or China?

The author is escalating an important issue and you are saying gainfully employed. By who, the Congress party you will say, or AAP??

Are you nuts?

When there are more urgent issues for the government to deal with including economy, I think that this issue should be taken up later with widespread consultations. Personal Data security and confidentiality is also an issue.