Proposed health data policy puts question mark on privacy concerns

The propesed policy is built on the foundations of legislation that doesn't exist. It also seems to be more concerned about monetisation of such data, than with the protection of privacy

In September, an Australian cyber security researcher, Sami Toivonen, discovered that Dr Lal Path Labs had left the data of over a million customers exposed and unencrypted on the Amazon Web Services cloud. The data was recorded in some 9,000 spreadsheets, containing name, address, gender, date of birth, contact number, details of booking, doctor details, payment details, patient’s unique identification numbers, and details of when, where and in what lab that tests were done.

Earlier, in February, an even larger set of data breaches was revealed. German research outfit Greenbone Networks found patient records, scans and images from some 97-odd medical institutions across India exposed. Details included the name of over 120 million — yes, 120 million — patients, their dates of birth, Aadhaar numbers, names of the medical institutions, medical history, physician names and other details. To the credit of Dr Lal Path Labs, the pertinent records were secured within hours of the breach being notified. However, the German study indicates that carelessness about health data is endemic.

This is undoubtedly private personal data, and it could be deeply embarrassing for the patients. Consider the reluctance with which politicians and people in public life disclose details of their medical history.

There are social implications of such data being freely available, as well as deep concerns about privacy. That’s quite apart from monetary value. Any health insurer would kill to have access to large datasets, with such granular details. So would the healthcare and pharmaceuticals industry.

As the above incidents indicate, there are already lots of digitised health data floating around. These will expand exponentially. There’s been an increase in online consultations and telemedicine, as well as online ordering of drugs, digital prescriptions, et al. Mass vaccination of a billion-plus citizens may soon be necessary.

The sooner there is legal protection for that data, the better. But safeguarding it will be complex, given the intersection of sensitive personal data, healthcare services, insurance implications, and the need for medical research.

India doesn’t have a law protecting personal data. There are no specific penalties for failing to keep such data secure. A proposed law on Personal Digital Privacy Protection has been pending since 2018, and drafts in the public domain raise concerns about widespread surveillance.

The recently released draft “Health Data Management Policy” of the National Digital Health Mission is supposed to specifically guard medical data. This is built on the foundations of legislation that doesn’t exist (see above). It also seems to be more concerned about monetisation of such data, than with the protection of privacy.

The proposed health policy refers to citizens as “data principals”; hospitals and doctors are “health information providers”; government agencies are “health information users”. The policy envisages an integrated data storage system.

Records held by different service providers will be in common formats and linked through a unique health ID (Aadhar or something new). The justification: An integrated system with common standards would allow easy access to medical history and make it possible for individuals to be treated anywhere.

“Data fiduciaries” will be allowed to collect and store “sensitive personal data”. This could include financial information; physical, physiological and mental health data; sex life and sexual orientation; genetic data; caste or tribe data; and “religious or political belief or affiliation”. It’s impossible to understand why much of this is necessary. The draft also suggests that even the local pharmacy could be considered a fiduciary. This means higher probabilities of data leakage since it’s very unrealistic to assume every fiduciary will be secure.

Importantly, this data will be shared with the government, and “agencies designated by government”. Anonymised or de-identified data will be made available in aggregated form for facilitating health and clinical research, academic research, archiving, statistical analysis, policy formulation, the development and promotion of diagnostic solutions, etc.

That essentially means the government can grab any data, and share it for any purpose, under such wide-ranging clauses. In theory, the consent of the individual will be asked for, before data collection. That consent could also be withdrawn, in theory. In practice, consent is a joke, if data on so many parameters is collected by a wide range of fiduciaries, and disseminated for so many purposes.

If you fall ill, once this policy goes through, your health might not be your only concern.