What India’s digital health plan means for privacy
Digitisation of medical records and a Health ID for every Indian citizen raise privacy and surveillance concerns
Coronavirus is changing the world in unprecedented ways. Subscribe here for a briefing twice a week on how this global crisis is affecting cities, technology, approaches to climate change, and the lives of vulnerable people.
By Rina Chandran
Sept 22 (Thomson Reuters Foundation) – India’s government is using the coronavirus pandemic to push its plan to digitise the health records and data of its 1.3 billion people, despite concerns about privacy and increased surveillance, technology and human rights experts say.
India’s number of confirmed coronavirus cases have topped 5.4 million according to government data, with the virus spreading at one of the fastest paces in the world.
In a speech last month to mark Independence Day, Prime Minister Narendra Modi announced the launch of the National Digital Health Mission (NDHM), under which unique Health IDs will be created to hold digital health records of individuals.
“Whether it is making a doctor’s appointment, depositing money or running around for documents in the hospital, the Mission will help remove all such challenges,” Modi said.
Praveen Gedam of the National Health Authority (NHA) said in emailed comments that the pandemic had highlighted the need to “move swiftly to improve medical infrastructure”.
But without a data protection law or an independent data protection authority, there are few safeguards and no recourse if rights are violated, said Raman Jit Singh Chima, Asia policy director at Access Now, a digital rights non-profit.
“It will possibly be the largest centralised health ID and data storage system in the world, and it is being done in the absence of a data protection law and data protection authority,” he told the Thomson Reuters Foundation.
“Health is a state subject, but the central government is rushing this policy in the middle of a public health emergency, and forcing states to play ball. It’s very problematic.”
There has been a move in recent years to digitise medical records and data as part of the Digital India campaign to deliver services electronically. A federal medical insurance scheme aimed at 500 million people launched in 2018.
A draft Health Data Management Policy unveiled last month has guidelines for regulating the collection and storage of the data that can only be accessed with the individual’s consent.
The aim of the NDHM is to create and maintain registries that are portable and accessible across India to everyone associated with healthcare delivery, according to the draft.
The new Health ID, which the health minister said will be “entirely voluntary” with an opt-out option, will hold information such as tests, prescriptions, treatments and medical records.
Gedam of the NHA, which oversees the NDHM, said that “the policy has been years in the making and undergone multiple rounds of consultation. Hence it is incorrect to assume that this has been a rushed undertaking”.
MATTER OF CONCERN
It has been more than a decade since India created Aadhaar, the world’s largest biometric identity system, with more than 1.2 billion IDs issued.
The 12-digit ID, which is linked to an individual’s fingerprints, face and iris scan, was introduced to streamline welfare payments and reduce wastage in public spending. Yet it soon became mandatory for a host of public and private services.
The Supreme Court ruled in 2014 that Aadhaar could not be a requirement for welfare programmes. In 2018, the top court flagged privacy concerns and reined in a government push to make it compulsory for everything from mobile services to pensions.
The government has repeatedly denied charges of data misuse or surveillance, even as large numbers of people remain excluded and many are denied essential services, a report by consulting firm Dalberg said last year.
The new Health ID has the potential to be made mandatory and deny services to those who opt out, while also posing the risk of data abuse, human rights campaigners say.
The draft policy is only available online and in English, thus preventing access to a large majority of people, said Satendra Singh, a physician and disability rights campaigner who petitioned to extend the deadline for feedback to Sept. 21.
The policy also allows the sharing of anonymised data with third parties – “a matter of grave concern”, particularly for sexual minorities and those with disabilities, he said.
“The privacy implications of such data sharing requires in-depth examination because anonymised data can be identified if combined with other data sets such as voter records,” he said.
“This could be more problematic as we do not have a data protection law yet,” he added.
Privacy of data will receive “the highest degree of attention”, said Gedam.
“The draft Policy draws from provisions of the Personal Data Protection Bill and will be kept compliant with any future legislations and rulings,” he added, referring to the draft bill that was tabled in Parliament last year.
India’s public and private hospitals, clinics and labs have varying levels of digitisation, and patients usually cannot digitally transfer their health records from one to another.
Private healthcare providers have long argued that lack of digitisation and interoperability leads to delays, inconvenience and higher costs.
Like several other nations, India quickly embraced technology to track and trace the spread of the coronavirus.
The Aarogya Setu, or “Health Bridge” mobile app uses GPS location data to augment information gathered via Bluetooth and build a centralised database – an approach avoided by most countries because of privacy concerns.
While use of the app is voluntary, it has been made mandatory for food-delivery workers, government and some private sector employees, for public transit and airports.
More than 100,000 Health IDs have already been created in six federal territories, and made mandatory for doctors in government hospitals in at least one city, according to local media reports.
The experience with Aadhaar and Aarogya Setu – and the Health ID pilot – does not inspire confidence, said Amulya Nidhi, co-convenor of the People’s Health Movement (Jan Swasthya Abhiyan) non-profit.
“At a time when we are struggling for hospital beds and oxygen, the government is focusing on digitisation,” he said.
“People’s vulnerability while seeking health services may be misused to get consent. Informed consent is a real issue when people are poor, illiterate or desperate,” he said.
It is also an issue for vulnerable populations such as those living with HIV; if they are worried that their data may be exposed, they may shun medical care completely, said Chima.
“The government says it wants to do analytics and trend forecasting to improve the healthcare system – that is a form of health surveillance,” he said.
“Your health data – once it’s out there, it’s out there. You can’t do anything about it.”
Back to work? Not without a check-in app, immunity passport
Coronavirus controls increase surveillance ‘danger’
‘Black holes’: India’s coronavirus apps raise privacy fears
(Reporting by Rina Chandran @rinachandran; Editing by Zoe Tabary. Please credit the Thomson Reuters Foundation, the charitable arm of Thomson Reuters, that covers the lives of people around the world who struggle to live freely or fairly. Visit http://news.trust.org)
Our Standards: The Thomson Reuters Trust Principles.