Overview of Health Data Management Policy under the National Digital Health Mission (NDHM)
With a vision to digitize the entire healthcare ecosystem in India, the Government of India had embarked on a visionary journey stemming from the introduction of National Health Policy, 2017. Recently on December 14, 2020, the Government of India released the Health Data Management Policy (hereinafter referred to as the “Policy”) as a stepping stone towards creating digital health records, digital management of such records by way of registries for healthcare professionals and health facilities. This Policy forms an integral part of the National Digital Health Mission (“NDHM”) launched by the Prime Minister of India on August 15, 2020.
The Policy is applicable to the entities involved in the NDHM and such other partners/persons/processes forming part of the National Digital Health Ecosystem (“NDHE”). While the NDHM and the Policy intend to capture some super ambitious processes, but the Policy may appear vague, ambiguous and repetitive on some occasions. The fate of this Policy may also be tied with the Personal Data Protection Bill, 2019 which is yet to be passed by the Indian Parliament.
KEY TAKEAWAYS FROM THE POLICY:
The Policy is voluntary in nature and is applicable on:
All entities and individuals who have been issued an ID under this Policy.
A wide range of health workers including but limited to doctors, practitioners of Yoga, Unani, Siddha and even homeopathy.
Health information providers.
Any health facility which, collects, stores and transmits personal data in electronic form.
Any form of pharmaceutical or drug manufacturer, involved in the supply chain.
Research bodies such as institutions utilizing data in electronic form.
All method of contact, including in person, written, via internet, email, telephone, or facsimile, as the case may be.
The Policy has coined certain new terminologies that may be useful for its interpretation and applicability. Quoting few interesting ones, such as, the term “personal health identifier”, which is the data that could potentially identify a specific data principal and can be used to distinguish such data principals from another. The Policy also goes on to differentiate between “harm” and “significant harm”, wherein, “harm” means bodily injury, loss, distortion, theft of identity, financial or property loss, loss of reputation or humiliation, loss of employment, any discriminatory treatment, blackmail or extortion, any denial or withdrawal of service, benefit or good resulting from an evaluative decision about the data principal, any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or surveilled or any observation or surveillance that is not reasonably expected by the data principal. On the other hand, the term “significant harm” means harm that has an aggravated effect having regard to the nature of the personal data being processed, the impact, continuity, persistence or irreversibility of the harm.
3. Consent Framework
The data fiduciary (the one who determines the purpose and means of processing of personal data) shall be responsible for obtaining a valid consent from the data principals before collecting or processing the data of the data principals. A consent will only be considered valid if it is: (1) free as per the standards outlined under the provisions of the Indian Contract Act, 1872; (2) informed (by way of notifying the data principals); (3) specific for a particular purpose; (4) clearly given; and (5) capable of being withdrawn at any time. Additional to the above conditions, in case of collection or processing of sensitive personal data of a data principal, the consent will be obtained only after informing the relevant data principal the purpose of; or operations in, processing which are likely to cause significant harm to the data principal. It is also clarified that for each change in privacy policies or procedures of the data fiduciary or for any new or previously unidentified purpose, a fresh consent must be obtained each time.
Substantial importance is also thrown on the privacy notice given by the data fiduciary. Such notices should contain the information relating to: (a) the purposes for which the personal data is to be processed; (b) the nature and categories of personal data being collected; (c) the methods or mechanisms by which the personal data is collected; (d) the identity and contact details of the data fiduciary collecting the personal data; (e) the right of the data principal to withdraw her/his consent, and the procedure for such withdrawal; (f) the individuals or entities along with their contact details, including other data fiduciaries or data processors with whom personal data may be shared; (g) the period of time for which the personal data shall be retained, or where the period of retention is not known, then the criteria for determining such period; (h) the existence of and the procedure for the exercise of rights of the data principal as referred to in the Policy; and (i) the contact details and the mechanism by which the data principals may contact the data fiduciary in relation to complaints, inquiries, and clarifications regarding the policies, practices and procedures employed in the collection, storage, transmission or any other aspect of processing of personal data.
5. Data pertaining to a child/seriously ill/mentally incapacitated principals
While collecting the data of a child, a valid proof of relationship and proof of identity of the parent shall be submitted to the data fiduciary in order to verify the consent of the parent or guardian of the child. In relation to seriously ill/mentally incapacitated principals, the consent will be given by a nominee authorized by the principal and in case there is no nominee, any other adult member of the family of the data principal can give the consent, on behalf of such data principal. It is to be noted that at the time any data principal opting to participate in the process, should name a nominee.
6. Health ID
The Policy has envisaged an Aadhaar linked-Health ID for each data principal. The ID can be created on the NDHM website. The generation of the Health ID is voluntary, and the discretion lies with the data principals to opt in for the same. The Health ID will cumulate all the details, data, consents given of and by the data principal.
7. Obligations of the Data Fiduciaries:
The policy also outlines certain obligations of the data fiduciaries while collecting or processing the data, such as the data fiduciary:
shall be accountable for the data of the data principal;
shall take all necessary steps to ensure transparency during the entire process;
shall give an option to the data principals to opt-in/opt-out of the NDHE apart from maintain a consent driven architecture;
shall not engage a data processor without a valid contract in place which shall clearly outline the confidentiality and non-disclosure obligations;
shall undertake training and awareness programs for its employees and data processors;
shall undertake a data protection impact assessment before venturing into processing involving any new technology; and
shall be obligated to maintain updated records and ensure a strict audit trail in all processing activities.
For any non-compliance under the Policy there is no monetary penalty or imprisonment. Only the person may not be permitted to participate in the NDHE. In case any healthcare or facility ID is issued, the same may be suspended or canceled as per the procedure set up by the NDHM in case of non-compliance.