Health Data Management - survey needed

The government has released and opened public consultations for a data management policy to govern the National Digital Health Ecosystem. Only 1 week is given to the public to give inputs on the attached 27-page document. It seems quite weird that it's being done amidst the pandemic. Below is a summary of the key areas, but LocalCircles should simplify and do a survey on key areas and submit to Govt. The biggest risk is people's Health, Sex, Financial data making it to irresponsible private businesses who misuse it for marketing and sales.

Summary:

The draft policy adopts the Personal Data Protection Bill, 2019, as a mainframe, and was released on Tuesday evening. Public consultation is open just for a week, until September 3, 2020.

The Personal Data Protection Bill, 2019, was first made public in December, and is now being deliberated over by a parliamentary committee formed specifically for this purpose. The bill’s passage will follow due legislative process, which has already been delayed by the pandemic. The policy is essentially a personal data protection framework for health data, and is clearly drafted to be in harmony with the personal data protection law, whenever it comes into force.

The policy will apply to everyone in the National Digital Health Mission ecosystem, such as people who have been issued Health IDs, healthcare professionals, governing bodies such as the Health Ministry and National Health Authority, any healthcare provider that collects health data, payers, pharma stakeholders, and anybody who collects or processes personal or sensitive personal data.

Key definitions under the policy

Most definitions under the policy are identical to those in the PDP Bill, including that of processing, data principal, data fiduciary, child, data, data processor, de-identification, harms, and so on. However, it details out some aspects around health-related data:

1. It expands sensitive personal data to include “physical, physiological, and mental health data”; and also information around various health conditions and treatments, such as Electronic Health Record (EHR), Electronic Medical Record (EMR), and Personal Health Record (PHR). Financial data also includes data related to bank account, credit and debit card, and other payment instruments.

2. Personal data will include Health ID and Personal Health Identifier, but inferences drawn for profiling are not personal data. Data fiduciaries will include Health Information Users and Health Information Providers, if they are determining the purpose and means of processing personal data.

3. Electronic Health Record is a repository of the digital health of an individual, which can be accessed by “multiple authorised users” and “represented in a commonly agreed logical information model”. Electronic Medical Record is a similar repository used by a Health Information Provider to generate records to support patient diagnosis and treatment. “EMR may be considered as a special case of EHR, limited in scope to the medical domain or is focused on the medical transaction,” the policy says. A Personal Health Record, maintained by a user, is a “complete and accurate” summary of their health and medical history by “gathering data from as many sources and making it accessible online”.

4. A ‘Data Retention and Archival Policy’ shall be formulated by the NHA. It may specify terms and conditions related to Health Information Providers and Health Information Users. HIPs will be those hospitals, diagnostic centres, public health programs and other such entities registered with the National Health Infrastructure Registry, which act as information providers in the ecosystem.

5. Personal Health Identifier is data that could potentially identify a specific data principal and can be used to differentiate one user from another. It can include a user’s demographic and location information, family and relationship information, and contact details. “PHIs could also be used for re-identifying previously de-identified data,” the policy says.

Consent

Data fiduciaries can collect and process personal and sensitive personal data with valid consent; the purposes will be limited to those specified by the NHA. Consent can be obtained electronically or physically, either directly from the user or via a consent manager. Consent provided physically may be converted to physical form by the consent manager or data fiduciary.

A consent manager will interact with the user and obtain their consent for access to personal or sensitive personal data “where the role of the consent manager will be provided by the NHA or any other service provider”. When consent is taken electronically, a “consent artifact” will be generated (to initiate the sharing of the data) and will be shared with the user and with the HIP and HIU through a consent manager.

Children’s personal data

Data fiduciaries have to ensure that processing of a child’s personal or sensitive personal data takes place “only in such manner that is in the best interests of the child” and not “in a manner that is likely to cause harm to the child”. The parent or guardian’s consent needs to be taken to collect and process the personal and/or sensitive personal data of children.

User rights

The policy grants the user the rights to knowledge and confirmation, and right to correction, rights also granted under the Personal Data Protection Bill, 2019. However, this policy limits the right to data portability to “the extent technically feasible”. Under the right to erasure, the user can request their personal data be erased if its storage violates any data protection principles or if the purpose for which the data was collected has been satisfied. The user can also delete their uploaded personal data stored in the Health Locker.

Personal data can be blocked or restricted, rather than being erased, if the law prohibits its erasure “as it would impair the legitimate interests” of the data principal.

How the rights can be exercised: The user can exercise these rights by contacting the designated officer of the data fiduciary, either directly or via a consent manager. In case the user passes away, their legal heirs will have access to the data “owned by the data principal”, if the user consented to this.

Allocation & Creation of a Health ID

Creation: A data principal can request that their Health ID be created free-of-cost. This will be generated per policy the NHA lays down, and can be authenticated using the user’s Aadhaar number or any other identification document specified by NHA. Once created, the user’s personal data will be linked to the Health ID, and the user will “be deemed to be the owner”.

The user’s participation in the ecosystem will be voluntary and every user will be able to opt-out and delink their personal data “across fiduciaries”. The NHA has to ensure that authentication means do not prevent a person not having an Aadhaar number or a mobile number from getting a Health ID. Moreover, nobody can be denied health services for not having a Health ID.

To create Health IDs for users, a fiduciary has to register with the NHA and “obtain an authorisation key to access the service required for generation of a Health ID”.

Creation of a Health Facility ID

Similarly, a Health Facility will have a single ID as well; it will allow a hospital or lab to share the user or patient’s personal data with them and with other health practitioners, subject to consent. Such a Health Facility will be included as part of the “National Health Infrastructure Registry”, which will have the power to verify the legitimacy of a health facility and check on its ability (among other things) to e-sign digital documents.

Obligations of the data fiduciary

The data fiduciary will be “accountable for complying with the measures which give effect to the privacy principles” while processing any personal data, even though the “true ownership and control” remains with the data principals. Among other things, the data fiduciary has to disclose which categories of personal data it is processing, the purposes, the grievance redressal process, and so on — a requirement also in the Personal Data Protection Bill, 2019.

The policy also separately places obligations on Health Information Users, which are data fiduciaries under the policy as well. HIUs have to follow principles of consent, data minimisation, and data retention. They also have to “take all reasonable steps” to ensure that a data principal can exercise their rights under the policy.

Data Protection Impact Assessment

The data fiduciary has to carry out an impact assessment before it undertakes any processing involving new technologies or any processing which can cause significant harm to users. The assessment needs to include measures for minimising or removing risks of possible harms.

Non-Personal Data: Sharing of de-identified or anonymised data by fiduciaries

Data fiduciaries may make anonymised or de-identified data in an aggregated form available for facilitating clinical and academic research, for policy formulation, archiving, statistical analysis, “development and promotion” of diagnostic solutions, and other purposes that the NHA may specify.

Grievance Redressal

The user can approach the data protection officer or grievance redressal officer (they can be the same person) of the data fiduciary. If unsatisfied, they can approach the Data Protection Officer of the NDHM. The next step of appeal is the Health Ministry or via litigation.

Comments

Also reliable and reasonable health care services are required.

How can this possibly be a good move? The voting system only attracts approx 8,000 on local circles so it is hardly representative of the people. This is not about our health at all. Our health, mental state, financial records, sexual orientation and so on is our personal property and no one's business. I don't trust the internet and security of our personal and private information cannot be guaranteed by any Government. What if in the future a bad government takes charge? What control will they have over the citizens? No we are a democracy and our sovereignty, privacy and freedoms must be any GOI's first priority.

I am not sure how much it's going to help the patient... it's however sure to help the agencies like fiduciary, medical (hospitals -- who may start pestering you for treatments), legal, insurance, etc. who can use your information for promoting their business. This requires more transparency and the benefits to all the parties should be made threadbare.

Who says the country is facing unemployment? Look at the author, she is gainfully employed copying and pasting a document available to anyone who wants it. I do not want to read the lengthy document and equally long comment. Are you being paid by Pakistan or China?

The author is escalating an important issue and you are saying gainfully employed. By who the Congress party you will say or AAP??

Are you nuts?

When there are more urgent issues for the government to deal with including economy, I think that this issue should be taken up later with widespread consultations. Personal Data security and confidentiality is also an issue.