While the Draft Health Data Management Policy broadly draws from the draft Personal Data Protection Bill, and the National Digital Health Blueprint and the National Health Stack, Deeksha Manchanda, a counsel at Chandhiok & Mahajan analyses that it lacks clarity and provides a very superficial view of data protection in the integrated, interoperable National Digital Health Eco-system that the Blueprint and NHS envisage
The launch of the National Digital Health Mission (NDHM) was followed by the release of the Draft Health Data Management Policy (Policy) to ensure data protection. While concerns are being raised around the efficacy of protection through a policy which is not based on any statutory law and does not provide judicial oversight, the implementation of the Policy seems inevitable. The Policy extends to patients, doctors, hospitals, pathology labs, pharmacies, pharmaceutical companies, health apps, and insurance companies. With its broad coverage, it will impact business practices of all stakeholders. This makes examination of the Policy and its implications on businesses very relevant.
The Policy broadly draws from the draft Personal Data Protection Bill (PDP Bill), and the National Digital Health Blueprint (Blueprint) and the National Health Stack (NHS). However, it lacks clarity and provides a very superficial view of data protection in the integrated, interoperable National Digital Health Eco-system (NDHE) that the Blueprint and NHS envisage.
Framework under the Policy
The main actors in the Policy are the (i) Data Principal (DP) – the individuals/patients whose data will be collected and processed; (ii) Data Fiduciaries (DF) – entities who determine the purpose and means of processing of data; (iii) Data Processors (DPr) – entities who would process the personal data on behalf of the DFs.
The Policy also identifies two special categories of DFs – the Health Information Providers (HIPs) and the Health Information Users (HIUs). HIP means hospitals, diagnostic centers, public health providers. HIUs are defined as entities who “are permitted to request access to the personal data” of the DPs, “with appropriate consent of the DPs.” Based on the NHS, it is expected that doctors, insurance providers, health apps would be included within the ambit of HIUs.
The National Health Authority (NHA) tasked with implementation of the NDHM, is also in-charge of laying down various standards and procedures under the Policy. The responsibility to ensure compliance will be tasked to a government official – the NDHM Data Protection Officer (NDHM-DPO) who also serves as the appellate forum for complaints made to the Grievance Officer.
Rights and obligations under the Policy
The Policy, gives prominence to DPs consent. Data can be collected, processed and shared only where the DP has appropriately consented. A DF will be required to ensure that consent is taken within the framework described by the Policy. It can be taken either physically or electronically, directly from the DP or through a consent manager. All sharing of data, including with the HIU, would require explicit consent of the DPs. Since HIU will take data from another DF, it is not clear if the consent to share data with a specific HIU needs to be obtained by the DF granting access or the HIU seeking access.
The Policy also gives a DP the right to access their data, require correction and/or erasure of data, seek transfer of data from one DF to the other, object to disclosure of data. The DF cannot reject such requests by the DP for restriction to disclose and transfer cannot be rejected.
The policy also imposes many other obligations on the DF, which include:
- requirement to give a “privacy notice” to all DPs in a “clear, concise and easily comprehensible to a reasonable person”, clarifying things like, the nature of data collected and processed, the purpose of collection and processing, the entities it is shared. The notice has to be made “available in all regional languages” in which the DF provides its services.
- appoint a Grievance Officer to provide information and address complaints.
- publish a “privacy policy” on their website with details of how data is protected, including, the managerial, organisational procedures, and security practices.
- undertake a Data Protection Impact Assessment before processing data using new techniques which carry risk of significant harm to DPs.
- maintain records and audit trails about the important operations in data lifecycle.
- conduct due diligence of the DPr they appoint. The DPr is required to be appointed pursuant to contractual arrangements including, confidentiality arrangements.
Is it voluntary?
The Policy applies only to DPs and DFs who choose to become a part of the NDHE. For a DP, this implies creating their Health ID and for some DFs (hospitals, labs, pharmacies, doctors), this implies creating Health Practitioner ID or Health Facility ID. However, for others DFs like pharmaceutical companies, health apps, insurance companies etc., it is not clear how they can opt-in or opt-out of the NDHE.
The Policy clarifies that participation in NDHE is voluntary. However, insistence of participation by any stakeholder directly or indirectly would make the voluntary nature illusory. For instance, if insurance companies offer better terms, make claim redressal easier, or limited to hospitals and doctors included within the NDHE, the latter may be forced to register themselves with the NDHE.
Brevity is not always a virtue
One of the biggest concerns with the Policy is introduction of concepts without dealing with them in detail. The Policy defines “electronic health records”, “electronic medical records”, “Personal Health Identifier” without these terms being used elsewhere in the Policy. Similarly, details regarding important concepts like, “health locker” “consent manager” are absent. Various relevant concepts are also left to be formulated by the NHA at a later stage. This include the data retention policy, role of consent manager, terms and conditions in relation to HIPs and HIUs, information policy to be followed by the DFs.
Consequence for non-compliance
Non-compliance would result in suspension of an entity’s participation in the NDHE. The procedures regarding this will be set out by the NHA. The Policy does not exclude the possibility of prosecution under other laws.
Concluding thoughts
As evident, the Policy, once implemented will place a significant burden of compliance on the DFs. However not all the obligations have been spelled out clearly. Dynamic creation of procedures and policies may increase the compliance costs and burden on DFs. It may also lead to many unintentional lapses on their part. The Blueprint recognised that adequate data privacy will be central to the success of NDHM. Clarity to the DFs about their role in the ecosystem is essential for success of data protection regime. The Policy however fails to achieve this.
(Views expressed are personal)