On 04 August 2019, we submitted our comments on the National Digital Health Blueprint to the Ministry of Health and Family Welfare. Our comments are available below.

Executive Summary

The Ministry of Health & Family Welfare released the report on National Digital Health Blueprint (NDHB) on 15th July 2019. The objectives of the report include establishing core digital health data infrastructure for its seamless exchange, creating a system for Electronic Health Records (EHR) and promoting health data analytics and medical research. A committee under the chairmanship of former Secretary, MeitY and Chairman of Unique Identification Authority of India (UIDAI) prepared this report to create a framework and implementation plan for National Health Stack which was proposed by NITI Aayog in July 2018.

The Government of India has formed multiple committees and held multiple rounds of consultations to decide upon the issue of Privacy and Data Protection. Justice A.P. Shah Committee formed by the Planning Commission released a report on privacy in 2012.[1] In its report, nine National Privacy Principles were recommended.[2] In 2017, a nine-judge bench of the Supreme Court of India unanimously recognized the existence of a fundamental right to privacy under Article 21 of the Constitution of India.[3] In 2018, TRAI released its recommendations based on its public consultation on privacy, security and ownership of data in the telecom sector.[4] The same year, Justice B.N. Srikrishna Committee submitted its report[5] and draft Personal Data Protection Bill, 2018 to MeitY based on a public consultation held by the Committee. This report proposed certain rights for the citizens and principles.[6] Since then, MeitY has held another consultation for the draft Personal Data Protection Bill, 2018.[7]

The pressing concern with the National Digital Health Blueprint (NDHB) report is that it suggests a framework that severely infringes upon the fundamental right to privacy. These concerns are heightened in the absence of a comprehensive data protection law. The report also ignores a series of advancements on privacy and data protection that have taken place over the years. It does not adhere to the privacy principles recommended by the Group of Experts on Privacy (Justice A.P. Shah Committee) or by the more recent Justice B.N. Srikrishna Committee report, whose recommendations on data protection form the core foundation for the draft Personal Data Protection Bill, 2018.

The proposed framework under NDHB intrudes upon the right to privacy of individuals without satisfying the tests laid down by the Supreme Court in the Privacy Judgement in 2017.[8] The report recommends that the privacy and security of Electronic Health Records (EHRs) will be implemented through the use of EHR (Electronic Health Records) Standards for India, 2016 (EHR Standards). However, these standards as well as the law[9] that authorizes the use of the EHR Standards lack procedural guarantees against abuse of EHRs. These thereby fall short of passing the tests laid down by the Supreme Court in the Privacy Judgement.

The report also ignores the Aadhaar Judgment[10] passed by the Supreme Court of India in 2018 in so far as it provides for the use of Aadhaar for services that are not permitted by the judgment and the law. Additionally, it does not provide sufficient safeguards against commercial exploitation of Sensitive Personal Information (SPI) that can be caused by abuse by private entities that will be linked to public entities under this system. These include insurers, pharmaceutical companies and device manufacturers. The use of Aadhaar for the online electronic signature service (e-Sign) as a quick and convenient tool to access various medical services under the NDHB framework is an example of this.

The downsides of making medical data available to third parties go beyond the harms that can be caused by data sharing in other sectors. The fundamental rights and interests of individuals supersede any supposed benefits that may arise for businesses. This data must not be made available to private third parties that would use the data for purposes other than providing health services. Third parties such as insurance companies, pharmaceutical companies, employers and data brokers must not be given access to the data.

The report also brings back concerns about data ownership and control. Previously, the Draft National E-commerce Policy, which was released on 23rd February 2019, disclosed that the State views personal data as a new oil; a national asset that the government holds in trust, and over which it will have the authority to decide what rights individuals can have. The rights-based and ethical arguments were overshadowed by arguments of economics, with the aim to help businesses innovate and grow by cashing in on personal data. The Draft National E-commerce Policy was widely criticized for contradicting the Supreme Court’s Privacy Judgment, and for ignoring earlier developments and making its own paradigm for data ownership.

This report makes similar health-sector-specific recommendations. For example, the EHR standards confer partial control to patients over their own SPI. Even though the Supreme Court in the Privacy Judgement held that the control over information is a cornerstone over which the fundamentals of informational privacy stand, the right of the patients to control their own data is not acknowledged in NDHB. The patients are only given “sufficient privileges” to make a few changes to their data. There are various ambiguities, such as lack of clarity about the extent of information each key actor[11] in the healthcare system can view and whether the patient will be informed prior to the disclosure of his/her information. Further, even though the aim of NDHB is to enable quick access to medical records, strangely the EHR standards give a long window of up to 30 days to the health care providers for providing a copy of the medical records. This introduces ambiguity and can frustrate patients’ access and control over their own data.

We recommend that patients should be given control over their data as a right. These must include their right to complete incomplete personal data, update out of date data and correct misleading data. The patients must also be notified every time their data is accessed or updated by anyone through any medium for any purpose, including in instances where their de-identified data is re-identified. The information provided to people should include who accessed their data, for what purpose and when. At the bare minimum, this information should be available in their MyHealth app account and through other forms of accessing their own data.

NDHB must bring clarity about patient’s consent. While NDHB recommends MeitY’s Electronic Consent Framework for consent management, it also recommends the use of EHR standards. MeitY’s Electronic Consent Framework provides guiding principles for various digital services and the EHR standards are backed by law. However, as compared to the Electronic Consent Framework, the EHR standards degrade the right to privacy and lack many important consent procedures. For example, EHR Standards specify that once entered, the medical data will be maintained permanently. This implies that the patient does not have the option to opt out. EHR Standards also suggest that medical providers may have the option to deny the service if a patient declines to disclose information.[12]

There must be a strict separation between the two types of consent necessary for such a framework to function - (i) consent for activities related to providing medical services such as performing medical procedures, payments, and so on; and (ii) consent for collection, storage, use and sharing of data. These two consents must not overlap. Any overlap between the two forms of consent would result in a situation where the patient has a choice between sharing their data and foregoing medical services. A choice between living and sharing one’s data is not a voluntary choice, it is a hostage situation. While the Blueprint recognizes the importance of consent when it states that “The PHR is created only on consent from the user”, it must be made abundantly clear that refusal to provide such consent cannot be a ground to deny medical services. Any use of medical data without consent should be clearly, strictly and narrowly defined in law without the use of any vague terms, so that the data may not be misused. These use-cases should not be left to be developed through reactionary measures in the future. They should be laid down up-front.

A large amount of work has already gone into defining the rights of users. This is likely to be solidified in the near future with a data protection law. In the absence of a data protection law, this Blueprint is legally unsound, subject to major changes once the law is passed, and open to challenge before courts of law. The Blueprint must not proceed in its current state. A fresh consultation should be initiated on this issue after the passing of a data protection law.

I. Use of Aadhaar for Identification and Authentication:

Use of Aadhaar under NDHB is impermissible and will amount to privacy violations.

NDHB recommends the use of Personal Health Identifier (PHI) for uniquely identifying persons, authenticating them and threading their medical records across multiple systems and stakeholders. The uniqueness in PHI is sought to be achieved through a combination of Aadhaar based identification / authentication for schemes notified under Section 7 of the Aadhaar Act and through other specified types of identifiers or use of Aadhaar in “respect of the rest”. Some of these “rest” of the services have been mentioned in the document. These include the use of Aadhaar for the online electronic signature service, eSign.[13] NDHB states that eSign will be integrated with service delivery applications via an API to enable the user to digitally sign a document. Through this, the Aadhaar holder can sign documents after Biometric/One Time Password authentication.

The Supreme Court in the Aadhaar Judgment[14] held that the use of Aadhaar, if not backed by law, is impermissible.[15] The Aadhaar Act permits the use of Aadhaar for government programmes under Section 7 and the subsequent amendment[16] to the Act permits the use of Aadhaar for telecommunication and banking. Applying the court’s principles to NDHB, the use of Aadhaar in “respect of rest” does not have legal sanction. This is because while use of Aadhaar for subsidies that derive from the Consolidated Fund of India is sanctioned under Section 7 of the Aadhaar Act, the use for identification in “respect of rest” does not have the backing of law.

Furthermore, as NDHB seeks to link/consolidate records held by public and private health systems[17] at State and National level under the Federated National Health Information Architecture, it will not be possible to maintain a strict distinction between the uses of Aadhaar by entities under Section 7 and the “rest”. This blurs the line between the two systems and in effect expands the scope of Section 7 in an impermissible manner.

The Supreme Court of India, in Justice K.S. Puttaswamy & Anr. v. Union of India & Ors. [W.P. (C) No. 494 of 2012] (Aadhaar judgement) specifically mentioned that under Section 7 of the Aadhaar Act, only subsidies, benefits or services would be allowed and that too, only if the expenditure is drawn from the Consolidated Fund of India. Under the proposed system which comprises several public and private players,[18] if a person’s Aadhaar number is seeded into their health records, that information and authentication for that person could be used for purposes other than those that are strictly confined to deriving subsidies from the Consolidated Fund of India. For example, such use could lead to commercial exploitation of personal data by private players such as insurers, pharmaceutical companies, device manufacturers and other key private players that will be linked to the system. To guard against commercial exploitation of data, the Supreme Court in the Aadhaar judgement had specifically struck down a provision that enabled private entities to access personal data.[19] The use of Aadhaar under a public-private consolidated system could have similar repercussions. This would violate the spirit of the judgment of the Supreme Court of India.

II. Standards

A. Content & Inter-operability Standards

For audio, the Blueprint mentions MP3 and OGG. OGG is merely a container that could contain audio in any codec within it. For clarity, we recommend stating it as OGG-Vorbis.

For video, MOV is a proprietary video format. As the Blueprint focuses strongly on the use of open standards and open source, we recommend OGG-Theora.

The Blueprint suggests the format PDF A-2 for Document/Scan. In case typed documents, spreadsheets or presentations are considered useful, we recommend the following file formats for them:
Document/Typed: ODT
Document/Spreadsheet: ODS
Document/Presentation: ODP

Document/Presentation could be useful for education, while Document/Spreadsheet could be useful for showing different types of data. Document/Typed may not be desirable as the aim might be to directly input data into health lockers or other databases, however, we must keep in mind that India has not achieved 100% Internet penetration and reliability. Combined with the fact that many regions in India frequently face Internet shutdowns,[20] we cannot rely on network availability at all times. Doing so would disrupt initiatives such as RAHAT health camps where health checkups were done and medicines were distributed for approximately 50,000 people and approximately 4,600 surgeries were conducted for people from rural areas over a period of 7 days, and its follow-up camp where health checkups were done and medicines were distributed for approximately 72,000 people and approximately 5,600 surgeries were conducted.[21]

B. Standards for Privacy and Security

The NDHB recommends incorporation of EHR Standards for Privacy and Security. The privacy and security mentioned in the EHR Standards are not in line with the Privacy judgment[22] nor the privacy principles and recommendations of the Justice A.P. Shah Committee Report[23] and B. N. Srikrishna Committee Report.[24]

The proposed framework under NDHB restricts the right to privacy of individuals as follows:

i. Fails the test laid down in Privacy judgement:

Infringement of privacy by the State can only be permitted if it passes the tests laid down in the Privacy judgement.[25] These are:
(i) The action must be sanctioned by law;
(ii) The proposed action must be necessary in a democratic society for a legitimate aim;
(iii) The extent of such interference must be proportionate to the need for such interference; and
(iv) There must be procedural guarantees against abuse of such interference.

NDHB’s grand framework, which links personal health data with Aadhaar, will create a database which stores a large amount of sensitive personal information (SPI) linked to biometric and demographic information. At present there is no law that can provide procedural safeguards against possible abuse or privacy violations with respect to SPI under the NDHB framework. In the absence of an adequate data protection legislation, the implementation of the NDHB framework raises serious privacy concerns. Consequently, the recommendations under NDHB do not pass the test laid down by the Supreme Court.

In the absence of a Personal Data Protection Act[26], enforcement of privacy and prevention of misuse of EHRs is doubtful. The Rules under Clinical Establishments (Registration and Regulation) Act, 2010 make it mandatory for clinical establishments to implement EHRs but they do not provide procedural guarantees against abuse of the data. Section 43A of the Information Technology Act, 2000 read with the Sensitive Personal Data or Information Rules, 2011 (notified under Section 43A), imposes certain obligations for the protection of Sensitive Personal Data or Information. While this provides for certain protections to medical records, the protections offered are insufficient. Section 43A requires the person whose data was not protected sufficiently to prove that wrongful loss or wrongful gain was caused; this is not always possible as harms from data leaks may not become apparent for many years after the leaks and they can be hard to quantify. While medical records are protected under Section 43A, data associated with medical records is not protected; this includes personal information such as the name, address, phone number, details of relatives, among others. The scope of personal data that must be protected stands to be changed soon after we have a data protection law. Such a law is likely to be tabled in the Parliament soon.

It is important to point out that under NDHB, a massive amount of SPI will be consolidated by linking EHRs across public and private systems. This will require strict observance of the privacy principles. As indicated by the Srikrishna Committee Report and Justice A.P. Shah Committee Report, these principles are a part of the core principles of data protection and are an integral part of checks and balances against misuse of SPI. However, NDHB and the EHR standards lack these and must duly incorporate procedures to implement the principles for meaningful data protection.

ii. Control over data:

a) Right to access, correction and deletion
The A.P. Shah Committee report says that:

"Individuals shall have access to personal information about them held by a data controller; shall be able to seek correction, amendments, or deletion such information where it is inaccurate; be able to confirm that a data controller holds or is processing information about them; be able to obtain from the data controller a copy of the personal data. [...]"

These rights are highly diluted under the present Blueprint. The Blueprint requires immutability of records, for which it states that “Records once created cannot be deleted or modified without following due process.”

Though EHR Standards state that patients should have control over their recorded medical data, this control over their sensitive personal data is partial and conditional. For example, the EHR Standards allow patients to inspect and view their medical records not by way of “right” but by way of “sufficient privileges”. This poses challenges to the exercise of the right to privacy which has been upheld as a fundamental right by the Supreme Court of India.[27]

Further, patients cannot amend their own records unless these are related to correction of errors in the recorded patient/medical details. This is contrary to the concept of privacy laid down in the Privacy judgement that allows individuals to make autonomous choices in life by giving individuals control over their data.[28] This is also not in line with the recognition of the right to correction that was incorporated in the Personal Data Protection Bill, 2016 (the Bill) based on the recommendations of Justice B.N. Srikrishna Committee Report. For example, under the Bill, besides correction of data, the “data principal” has the right to complete incomplete personal data, update out of date data and correct misleading data. The NDHB and EHR Standards do not indicate many of the checks and balances that are included in the Bill and that are necessary for the fulfilment of this right. Under the Bill, a data fiduciary must provide a justification in writing if it does not agree with the necessity to correct the data.

Lastly, if consent is required to create an information record, then the revocation of that consent must allow for deletion of that record. Rule 5(7) of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 requires the provision of an option to withdraw consent. It states that “[...] The provider of information shall, at any time while availing the services or otherwise, also have an option to withdraw its consent given earlier to the body corporate. [...]”

b) No opt out mechanism:
The system under NDHB does not provide an option for the patient to opt out of the system. Once entered, the medical records cannot be deleted, not even after the death of a person.

The Rules notified in 2012 under the Clinical Establishments (Registration and Regulation) Act, 2010 make it mandatory for every clinical establishment to maintain and provide Electronic Medical Records or EHRs of every patient. The EHR Standards direct that medical records of a person have to be compulsorily preserved and not destroyed during the life time of the person. Even after the death of a person where there are no pending court cases, the records will not be destroyed but their status will be changed from active status to inactive status. Healthcare service providers are strongly encouraged to ensure that the records are never destroyed or removed permanently.

These conditions weaken meaningful control of individuals over their own data. The Supreme Court in the Privacy judgement[29] held that, as a part of the right to privacy, an individual enjoys control over personal information. It stated that control over information is a cornerstone over which the fundamentals of information privacy stand. Denying the option to opt out deprives an individual of control over their own data and is inconsistent with the right to informational self-determination.

c) Opportunity of hearing against the disclosure:
Though EHR Standards allow the patients to withhold specific information from disclosure to other organizations or individuals and demand details of disclosures performed on the patient’s medical records, the EHR standards (a) do not specify that the patient will be informed at the time disclosure is made; and (b) do not provide the patient an opportunity to be heard and object to disclosures made by a healthcare provider for any reason whatsoever. It is also important to note that NDHB does not provide clarity about the extent of information each key actor in the healthcare system will be able to view.[30] These concerns point to a violation of privacy and of the precedent set by the court in the Aadhaar judgement[31] where the court held that an individual whose information is sought to be released is to be given an opportunity of hearing and the right to challenge disclosure of his/her information. These also ignore the principles of disclosure of information, purpose limitation and transparency as stated in the Justice A.P. Shah Committee Report, Srikrishna Committee Report and the Personal Data Protection Bill.

d) Time duration for access to records:
Patients’ control over their own data is restricted by the long time duration provided for accessing health records. The EHR Standard gives 30 days to health care providers for providing a copy of the medical records of patients. Such broad and ambiguous timelines restrict ease of access of patients to their own data. Unlike most data, medical data may be needed urgently by patients. Long delays can result in harm.

C. Recommended further work on Standards

Health data should be given the highest level of protection. The Right to Privacy is recognized as a fundamental right by the Supreme Court of India. Any derogation of this right without the explicit backing of a law would not stand up to judicial scrutiny. Though the importance of privacy has been recognized repeatedly throughout the Blueprint, we find it worrying that this elaborate framework has been proposed in the absence of a data protection law in the country.

The Blueprint recognizes that further work is required on some standards, but in the absence of the following standards, the document paints an incomplete picture. These standards should be a part of the Blueprint and should be open to consultation:

  • Policy for making the PHR System citizen-controlled.
  • Policy for emergency access to records.
  • Policy for use of records for research (anonymization & de-identification) and analytics.
  • Policy for record retention and archival.

While these policies should be a part of the blueprint, they should derive from a data protection law. Bringing them without such a law in place opens them up for mandatory changes in future to align them and make them compliant with the law, and opens up the possibility of litigation. This Blueprint should be re-released for consultation along with these policies after we have a data protection law in the country. A rush to implement a National Digital Health Ecosystem without the law in place can have disastrous consequences.

III. Notice, Choice and Consent

NDHB is unclear about the standards that will be followed for implementing consent. It prescribes MeitY’s Electronic Consent Framework (technology Specifications 1.1) for consent management. This consent framework recommends detailed guiding principles for the sharing of user data across different services with the consent of the person whose data it is. However, it is unclear to what extent the standards mentioned in the consent framework will actually be incorporated. NDHB also recommends incorporating EHR Standards which have implications for consent management. While EHR standards have been made mandatory under the law, MeitY’s Electronic Consent Framework (technology Specifications 1.1) is merely a set of guiding principles. However, EHR Standards do not include many important consent requirements which have been mentioned under the consent framework. The EHR standards go on to state that the “authorization document” can provide that if the user does not provide an authorization (permission) for the use or disclosure of identifiable health information, she/he may not be able to receive the intended treatment.

These lacunae and ambiguities do not fulfil the requirement under the Srikrishna Committee Report and Personal Data Protection Bill, which specify the necessity of consent. Under these, a valid consent should be free, specific, clear, informed and capable of being withdrawn easily. In the case of SPI, the consent must be explicit.

Further, even though the Srikrishna Committee Report and Personal Data Protection Bill provide exemption from consensual obligations for some activities including “research”, the objectives of NDHB go well beyond research. The NDHB report appears to make it compulsory for each citizen of India to be registered if they want to obtain medical services. If that is not the case, then it needs to be clarified that a citizen can refuse to be enrolled for a PHI and that no one may be refused a service for lack of a PHI. Not clarifying this upfront can have disastrous consequences. For example, in 2017, the UP Government deliberated to make Aadhaar mandatory to avail state ambulance services.[32] Such barriers to availing essential services in the medical sector can result in irreparable injury, possibly even deaths. This is in line with the recommendations of the Srikrishna Committee Report, which specifies that a data principal can choose not to consent if a particular type of personal data is not necessary for the performance of contract, enjoyment of a legal right or the provision of goods or services. In such a case the enjoyment or provision cannot be made conditional on the giving of consent by the data principal.

IV. Other Privacy Principles

Collection Limitation
The Blueprint does not adequately address the issue of collection limitation. The principle of collection limitation requires that only that information should be collected which is necessary for achieving the purposes for which consent had been taken. Extraneous data must not be collected.

Purpose Limitation
The principle of purpose limitation requires that the storage, use and disclosure of data must be limited to only those purposes for which consent had been taken. Rule 5(5) of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 embodies this principle.

The Blueprint has recognized the importance of sharing data only with consent, however, as mentioned under the sub-heading on notice, choice and consent, the measures in place for consent are not sufficient.

Disclosure of Information
The principle of disclosure requires information not to be provided to third parties unless notice has been provided and informed consent has been taken prior to the disclosure. The Blueprint does not satisfy this requirement as the possibility of denial of an essential service unless consent is provided runs contrary to freely given informed consent. Given the choice between adverse effects on one’s health, and sharing of sensitive personal data, the vast majority of people would have no choice and would be bound to give their consent.

In order to rectify this situation, the Blueprint must state in clear terms that denial of consent for sharing one’s data must not result in denial of medical services.

Security
The principle of security is present under Rules 5(8) and 8 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

It is unclear how the Blueprint suggests protecting the contents of disparate databases / health lockers and how it suggests combating unauthorized access to personal health records. There should be a requirement for regular security and privacy audits for all entities that choose to maintain their own database / health locker.

In the past, regional governments have shown a lackadaisical attitude towards privacy. Personal information of individuals has been put up by multiple state government entities. SFLC.in created a database of such breaches and leaks in April 2017.[33] Andhra Pradesh, for example, has been known to leak medical purchase data[34] and ambulance locations,[35] among others. Careful consideration is required before taking on an endeavour that would endanger peoples’ health records.

Openness
The principle of openness requires the data controller to implement, and make publicly available, all their practices, policies and systems that are in place with regard to handling personal information. This is necessary under Rule 4 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

The Blueprint does not mention the need to comply with this principle. While this is necessary under law, it must be mentioned in clear terms in the blueprint as well.

Accountability
This principle requires data controllers to be held accountable for compliance with their requirements. Accountability is notably absent from the Blueprint. Apart from the establishment of a Privacy Operations Centre, there is no mention of any accountability measures in the document for those that do not comply with the requirements laid down under the Blueprint. The repercussions for non-compliance are absent from the document.

V. Anonymization and De-identification

The Blueprint assumes that anonymization and de-identification will sufficiently protect the identity of individuals and will lead to protection of their privacy. There are certain issues with this approach. In 2008, researchers from the University of Texas at Austin proved that supposedly anonymous movie ratings could be linked back to real identities, thereby de-anonymizing them.[36] Simply removing personally identifiable information before releasing data is insufficient, as has been shown time and time again, so researchers developed alternative methods of achieving their goals through structured data-sets.[37] [38] [39] These methods, however, are still insufficient to protect the privacy of individuals.[40]

The Blueprint does not clarify which entities would be included in ‘the authorised agency’. We strongly recommend clarifying this aspect so as to avoid the inclusion of profit-driven data-exploitation in future through authorising entities such as brokers and insurers. Medical data is highly sensitive. No technique for anonymizing or de-identifying the data is fool-proof. The use of this data should be highly regulated and its use should not be possible if an individual does not want their data to be used. As the committee is well aware, unintended leaks of medical data can have disastrous outcomes for individuals.

VI. MyHealth apps

It appears from the Blueprint that these apps can be built by anyone. Such apps would have access to sensitive personal information of individuals and should therefore be held to high standards. At the bare minimum, they should be required to adhere to regular security and privacy audits. There should be a centralized list of apps that are allowed to be used for this purpose, with a requirement for prior approvals before allowing any app to collect and store such information. They should not be allowed to store the data on their servers or to share it with any third party. Careful consideration needs to go into this, lest the desire to enable innovation instead lead to the exploitation of the masses.

VII. Structure of Disease Registries for NCD

The Blueprint reads:

“Registries can provide health care professionals and researchers with first hand information about people with certain diseases, both individually and as a group.”

While health care professionals that are involved with the treatment, recovery or care of individuals have a reasonable requirement for access to their data at an individual level, the same is not true for other health care professionals and researchers. Aggregated data provides sufficient information for researchers and health care professionals to perform their respective tasks. In order to enable proper research, methodologies can be developed to enable researchers and health care professionals to retrieve aggregated data and to filter it by certain parameters such as age, gender and location without revealing information about specific individuals or allowing data to be retrieved on an individual basis.
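The sketch below is an added illustration, not part of the Blueprint or of the original submission. It shows one way such an aggregate-only interface could behave, and why removing names alone (Section V) leaves rows linkable. The records, field names and the `MIN_CELL` threshold are constructed assumptions.

```python
from collections import Counter

# Constructed sample rows (not real data); names and IDs are already removed.
RECORDS = [
    {"age": 34, "gender": "F", "district": "Pune",   "diagnosis": "diabetes"},
    {"age": 37, "gender": "F", "district": "Pune",   "diagnosis": "diabetes"},
    {"age": 31, "gender": "F", "district": "Pune",   "diagnosis": "diabetes"},
    {"age": 52, "gender": "M", "district": "Pune",   "diagnosis": "diabetes"},
    {"age": 58, "gender": "M", "district": "Nashik", "diagnosis": "diabetes"},
    {"age": 45, "gender": "F", "district": "Nashik", "diagnosis": "hypertension"},
    {"age": 47, "gender": "F", "district": "Nashik", "diagnosis": "hypertension"},
    {"age": 71, "gender": "M", "district": "Nashik", "diagnosis": "hypertension"},
]

MIN_CELL = 3  # assumed disclosure threshold; a real registry would set this by policy


def age_band(age, width=10):
    """Generalise an exact age into a band such as '30-39'."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def unique_rows(records, keys=("age", "gender", "district")):
    """Count rows whose quasi-identifier combination occurs exactly once.

    Such rows can be linked to an outside dataset even with names removed.
    """
    combos = Counter(tuple(r[k] for k in keys) for r in records)
    return sum(1 for r in records if combos[tuple(r[k] for k in keys)] == 1)


def aggregate(records, diagnosis, by=("age_band", "gender"), min_cell=MIN_CELL):
    """Return counts per group for one diagnosis; small cells are suppressed.

    Only counts leave this function, never rows. A cell below min_cell is
    reported as None so a narrow filter cannot single out one person.
    """
    counts = Counter()
    for r in records:
        if r["diagnosis"] != diagnosis:
            continue
        view = dict(r, age_band=age_band(r["age"]))
        counts[tuple(view[k] for k in by)] += 1
    return {group: (n if n >= min_cell else None) for group, n in counts.items()}
```

In this constructed set every row is unique on exact age, gender and district, while the aggregate view releases only cells of three or more. Cell suppression by itself does not prevent differencing across overlapping queries, so it is a minimum control rather than a complete one.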

VIII. Comparison with other countries

A look at data breaches of electronic medical records in three countries, USA, UK and South Korea, shows that even the countries that boast of developed ICT systems and robust laws have failed to adequately protect personal data of patients. India has an advantage in the sense that it stands to learn immensely from the experiences of these countries and choose wisely.

The USA enacted the Health Insurance Portability and Accountability Act (HIPAA) for health information privacy in 1996. However, despite the enactment of the law, empirical studies have revealed that data breaches continue to be reported. Data published by the Department of Health and Human Services Office for Civil Rights shows an upward trend in medical data breaches since it was first published in October 2009. Although better laws and use of encryption helped reduce loss/theft of healthcare records, the predominant causes of breaches, such as hacking and unauthorized disclosure, remain.[41] This shows that even though the USA is ahead of the curve in terms of availability and use of ICT, sensitive personal data of people continues to be compromised. Over 70% of all breaches occurred at the health care providers' end.[42] These incidents call into question the ability of health care providers to adequately protect the privacy and security of healthcare data.

Research has also shown that, due to the complexity of rules and the lack of clear-cut guidelines about sharing and access of data, patients face immense difficulty in accessing their own healthcare data.[43]

UK’s National Health Services Digital is also plagued by data breaches, the most widespread and recent being the WannaCry attack in May 2017. Most of the data breaches emanate from internal sources. However, due to a lack of financial and trained human resources, cybersecurity investments are limited. As a result, the health care sector is not able to keep pace with the changing technological ecosystem.[44]

In South Korea, incidents have pointed to a growing unethical interconnection between public institutions and commercial domains. For example, The Health and Insurance Review & Assessment Service has come under fire for selling 52 sample data sets to private insurers and insurance research institutes between July 2014 and August 2017.[45] Similarly, between 2011 and 2014, medical information of 43 million South Koreans was sold by a company specializing in developing medical fees settlement programs used by hospitals and by the Korean Pharmaceutical Information Center to an MNC, which in turn processed the big data into sex, age, disease, and region.[46] [47] This data was then sold to Korean pharmaceutical companies. The Center is being tried for illegal collection and distribution of medical information in 2013.

IX. Conclusion and Main Recommendations

This consultation is premature, as we are currently in the process of formulating a data protection law for the country. The entire process needs more thought and planning, from the collection of data, to the ways in which that data can be used, and the parties with which that data can be shared. People’s rights over their own data have to be re-thought, as economic interests cannot supersede fundamental rights.

Previous developments regarding privacy and data protection, such as the Right to Privacy judgment, Justice A.P. Shah Committee report, Justice Srikrishna Committee Report, and all the public consultations held on this topic must not be ignored.

There are use-cases for which consent is crucial, but there are also situations such as studying disease outbreaks where the use of consent is not desirable. The default approach should be to assume that medical data is extremely sensitive and must not be disclosed or used without proper informed consent. Informed consent goes beyond a mere tick mark on a check-box. Any use of medical data without consent should be clearly, strictly and narrowly defined in law without the use of any vague terms, so that the data may not be misused. These use-cases should not be left to be developed through reactionary measures in the future. They should be laid down up-front.

Patients should be notified every time their data is accessed or updated by anyone through any medium for any purpose, including in instances where their de-identified data is re-identified. The information provided to people should include who accessed their data, for what purpose and when. At the bare minimum, this information should be available in their MyHealth app account and through other forms of accessing their own data.

There should be a requirement for regular security and privacy audits for all entities that choose to maintain their own database / health locker.

This consultation should be re-initiated after the passing of a data protection law. Otherwise, the country could face huge economic losses from the implementation of a system that would soon have to be re-done.


  1. Justice A.P. Shah Committee Report. Available at http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf. ↩︎

  2. The A.P. Shah Committee report proposed the following National Privacy Principles: (1) Notice; (2) Choice and Consent; (3) Collection Limitation; (4) Purpose Limitation; (5) Access and Correction; (6) Disclosure of Information; (7) Security; (8) Openness; and (9) Accountability. ↩︎

  3. Privacy Judgment, Justice KS Puttaswamy (Retd.) & Anr. V. Union of India & Ors [WP (C) 494 of 2012]. Available at https://sci.gov.in/pdf/LU/ALL WP(C) No.494 of 2012 Right to Privacy.pdf. ↩︎

  4. TRAI’s recommendations on Privacy, Security and Ownership of Data in the Telecom Sector. Available at https://www.trai.gov.in/sites/default/files/RecommendationDataPrivacy16072018.pdf. ↩︎

  5. Justice B.N. Srikrishna Committee Report. Available at http://meity.gov.in/content/data-protection-committee-report. ↩︎

  6. The B.N. Srikrishna Committee report recommended the following rights and principles, among others: (1) Right to confirmation, access and correction; (2) Right to data portability; (3) Right to be forgotten; (4) Notice and choice; (5) Meaningful, informed consent; (6) Data portability; (7) Data minimization; and (8) Accountability. ↩︎

  7. Draft Personal Data Protection Bill, 2018. Available at http://meity.gov.in/content/personal-data-protection-bill-2018. ↩︎

  8. Supra 3. ↩︎

  9. Clinical Establishments (Registration and Regulation) Act, 2010 ↩︎

  10. Aadhaar Judgment, Justice KS Puttaswamy (Retd.) & Anr. V. Union of India & Ors, WP (Civil) No. 494 of 2012. Available at https://www.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_26-Sep-2018.pdf. ↩︎

  11. The key actors mentioned in the document are persons (patients, family members, beneficiaries), care professionals (doctors, nurses, lab technicians, ASHA workers etc.), care providers, payers (insurers, health plans, charities), governing bodies (ministries, professional bodies, regulators), research bodies (researchers, statisticians, analysts), pharmaceuticals (drug, device manufacturers and supply chain players). ↩︎

  12. Refer to “Authorization” under Glossary, Pg. 29, Electronic Health Standards. Available at https://www.mohfw.gov.in/sites/default/files/EMR-EHR_Standards_for_India_as_notified_by_MOHFW_2016.pdf. ↩︎

  13. NSDL, Technology Trust & Reach. Available at https://www.egov-nsdl.co.in/e-sign.html. ↩︎

  14. Supra 10. ↩︎

  15. The Aadhaar Judgment permitted the use of Aadhaar based on a law and added that the law should also pass the tests laid down in the Puttaswamy case. ↩︎

  16. The Aadhaar and Other Law Amendment Act, 2019. ↩︎

  17. The National Digital Health Eco-system (NDHE) seeks to link/ consolidate the health records generated in various national programs of the Central and State Governments, besides the records generated by the private hospitals, labs and the service providers. ↩︎

  18. Supra 10. ↩︎

  19. Supra 10. Striking down Section 57 of the Aadhaar judgement the Supreme Court held that “the impact of the aforesaid features would be to enable commercial exploitation of an individual biometric and demographic information by the private entities. Thus, this part of the provision which enables body corporate and individuals also to seek authentication, that too on the basis of a contract between the individual and such body corporate or person, would impinge upon the right to privacy of such individuals. This part of the section, thus, is declared unconstitutional.” ↩︎

  20. SFLC.in’s Internet Shutdowns Tracker. Available at https://internetshutdowns.in/. ↩︎

  21. Kedia, Shruti. (2019). Meet Vivek Tankha, the man on a mission to bring quality healthcare to rural Madhya Pradesh. YourStory. Available at https://yourstory.com/2019/01/vivek-tankha-healthcare-rural-mp. ↩︎

  22. Supra 3. ↩︎

  23. Supra 1. ↩︎

  24. Supra 5. ↩︎

  25. Supra 3. ↩︎

  26. The Bill has yet to be tabled in Parliament. ↩︎

  27. Supra 3. ↩︎

  28. Supra 3. Para. 81 of Justice Nariman’s judgment states that: “Informational privacy which does not deal with a person’s body but deals with a person’s mind, and therefore recognizes that an individual may have control over the dissemination of material that is personal to him. Unauthorised use of such information may, therefore lead to infringement of this right” ↩︎

  29. Supra 3. ↩︎

  30. Supra 11. ↩︎

  31. Supra 10. ↩︎

  32. Dabas, Harveer. (2017). UP government makes it compulsory for patients, kin to have Aadhaar card to get ambulance. Times of India. Available at https://timesofindia.indiatimes.com/city/meerut/up-govt-makes-it-compulsory-for-patients-kin-to-have-aadhaar-card-to-get-ambulance/articleshow/59224120.cms. ↩︎

  33. (2017). UIDAI / Aadhaar: Breaches and Leaks. SFLC.in. Available at https://sflc.in/uidai-aadhaar-breaches-and-leaks/. ↩︎

  34. Jalan, Trisha. (2018). Andhra government website lets anybody track ambulances and patients. MediaNama. Available at https://www.medianama.com/2018/06/223-ap-govt-website-breach/. ↩︎

  35. Jalan, Trisha. (2018). Andhra Pradesh govt website exposed medical purchase data of hundreds. MediaNama. Available at https://www.medianama.com/2018/06/223-andhra-ambulance-tracking/. ↩︎

  36. Narayanan, Arvind & Shmatikov, Vitaly. (2008). Robust De-anonymization of Large Sparse Datasets. Proc IEEE Symp Sec Priv. 111-125. 10.1109/SP.2008.33. ↩︎

  37. Hay, Michael & Miklau, Gerome & Jensen, David & F. Towsley, Donald & Li, Chao. (2010). Resisting Structural Re-identification in Anonymized Social Networks. VLDB J.. 19. 797-823. 10.1007/s00778-010-0210-x. ↩︎

  38. Liu, Kun & Terzi, Evimaria. (2008). Towards Identity Anonymization on Graphs. Proceedings of the ACM SIGMOD International Conference on Management of Data. 93-106. 10.1145/1376616.1376629. ↩︎

  39. Li, Ninghui & Qardaji, Wahbeh & Su, Dong. (2011). On Sampling, Anonymization, and Differential Privacy: Or, k-Anonymization Meets Differential Privacy. ASIACCS 2012 - 7th ACM Symposium on Information, Computer and Communications Security. 10.1145/2414456.2414474. ↩︎

  40. Ji, Shouling & Li, Weiqing & Srivatsa, Mudhakar & Beyah, Raheem. (2016). Structural Data De-Anonymization: Theory and Practice. IEEE/ACM Transactions on Networking. 24. 1-14. 10.1109/TNET.2016.2536479. ↩︎

  41. Healthcare Data Breach Statistics. HIPAA Journal. Available at https://www.hipaajournal.com/healthcare-data-breach-statistics/. ↩︎

  42. Caroll, Lind. (2018). Health Data Breached on the Rise. Reuters. Available at https://uk.reuters.com/article/us-health-data-security/health-data-breaches-on-the-rise-idUKKCN1M524J. ↩︎

  43. Colorafi, Karen & Bailey, Bryan. (2016). It’s Time for Innovation in the Health Insurance Portability and Accountability Act (HIPAA). JMIR Medical Informatics. 4. e34. 10.2196/medinform.6372. Available at https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5112364/. ↩︎

  44. Ghafur, Saira & Grass, Emilia & Jennings, Nick & Darzi, Ara. (2019). The challenges of cyber security in healthcare: The UK National Health Service as a case study. The Lancet Digital Health. Available at https://www.thelancet.com/journals/landig/article/PIIS2589-7500(19)30005-6/fulltext. ↩︎

  45. Soo-youn, Song. (2017). HIRA under fire for ‘selling personal data’ to private insurers. Korea Biomedical Review. Available at http://www.koreabiomed.com/news/articleView.html?idxno=1745. ↩︎

  46. (2015). 43 million South Koreans had their medical information leaked. DataBreaches.net. Available at https://www.databreaches.net/43-million-south-koreans-had-their-medical-information-leaked/. ↩︎

  47. Lee, Hyukki & Kim, Soohyung & Wook Kim, Jong & Dohn Chung, Yon. (2017). Utility-preserving anonymization for health data publishing. BMC Medical Informatics and Decision Making. 17. 10.1186/s12911-017-0499-0. Available at https://bmcmedinformdecismak.biomedcentral.com/articles/10.1186/s12911-017-0499-0. ↩︎