BACKGROUND

The launch of the National Digital Health Mission (NDHM) was announced by Sri Narendra Modi, India's Prime Minister on the 74th Independence Day on 15 August 2020. In this regard, the National Health Authority (NHA), Ministry of Health and Family Welfare (MoHFW), Government of India, released the Draft Health Data Management Policy (Draft Policy) on 26 August 2020 as a part of the NDHM for feedback and stakeholder comments to be submitted by 21 September 2020.

The Draft Policy brings within its scope, the entities involved in the NDHM and the partners/persons who are a part of the National Digital Health Ecosystem (NDHE). These include inter alia entities and individuals who have been issued an ID under the Draft Policy, healthcare professionals, health care providers who collect, store and transmit health data in electronic form in connection with its transactions, drug manufacturers, medical device manufacturers, insurers, research bodies, and governing bodies such as the MoHFW.

KEY HIGHLGHTS OF THE DRAFT HEALTH DATA MANAGEMENT POLICY

  • Objectives: The objectives of the Draft Policy inter alia include creation of a framework for secure processing of personal and sensitive personal data of individuals who are a part of the NDHE in compliance with all applicable laws, building of a system of digital personal and medical health records which is easily accessible to individuals and health service providers which is purely voluntary in nature and based on the consent of individuals.
  • Definitions: The definitions envisaged under the Draft Policy are a mix of those as defined under the Personal Data Protection Bill 2019 (PDP Bill) with some alterations/additions to provide for certain granular aspects of health data. For example, the Draft Policy defines the term 'sensitive personal data' to include information relating to various health conditions and treatments of the data principal (an individual whose data is being collected), such as Electronic Health Record (EHR), Electronic Medical Record (EMR) and Personal Health Record (PHR) of the data principal.
  • Health ID: The Draft Policy envisages the creation of a Health ID. A data principal may request for the creation of a Health ID at no cost, which will enable them to participate in the NDHE ecosystem. Any processing of personal data that may take place for creation of such ID must be in accordance with the Draft Policy. The Health ID may be generated in a manner as may be specified by the NHA and may be authenticated by the data principal's Aadhaar number or any other identification document as specified by the NHA. The personal data of a data principal will be linked to his/her Health ID, and any data principal in possession of such a Health ID is deemed to be the owner of such personal data. In a similar manner, a health practitioner may request for the creation of a Health Practitioner ID at no cost, which will be required to enable them to participate in the NDHE.
  • Certain key compliances: The Draft Policy provides for various compliances in relation to collection and processing of personal data and sensitive personal data. Data fiduciaries (akin to a data controller) can collect or process personal data or sensitive personal data only with the consent of the data principal. Further, the purposes for processing of personal data will be limited to those as may be specified by the NHA. Data fiduciaries are also required to adhere to certain principles such as transparency, accountability, and reasonable security practices and procedures. A data fiduciary is also required to execute confidentiality and non-disclosure agreements with data processors covering data protection and privacy responsibilities. Data fiduciaries are required to implement the International Standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements" as well as any other standard as may be applicable to them.
  • Rights of data principals: This Draft Policy, akin to the PDP Bill, provides data principals with several rights in relation to their personal data and sensitive personal data such as the right to confirmation and access, correction and erasure and data portability. The Draft Policy outlines the manner in which such rights are to be exercised by data principals against data fiduciaries.
  • Sharing of personal data and sensitive personal data: Any personal data processed by a data fiduciary may be shared with a health information user (HIU) in response to a request made by such HIU for personal data pertaining to the data principal, only where consent of the data principal is obtained. These HIUs are entities that are permitted to request access to the personal data of a data principal with the consent of the data principal. Data fiduciaries may make anonymised or de-identified data in an aggregated form available for the purpose of facilitating health and clinical research, academic research, archiving, statistical analysis, policy formulation, the development and promotion of diagnostic solutions and such other purposes as may be specified by the NHA. Any personal data or sensitive personal data of a data principal are not permitted to be published, displayed or posted publicly by any person or entity.
  • Governance structure: The Draft Policy provides that the governance structure for the NDHE shall be as specified by the NHA, which will lead the implementation of the NDHM. In addition, the governance structure will consist of such committees, authorities and officers at the national, state and health facility levels as will be necessary to implement the NDHM. It has also been envisaged that the MoHFW and the Ministry of Electronics and Information Technology will also provide overall guidance to the NHA on relevant aspects of the NDHM.

COMMENTS

While the PDP Bill is yet to be debated upon in the Parliament, the provisions of the Draft Policy seem to borrow heavily from the same. Such a step leaves room for debate as to whether this policy is trying to implement aspects of the Bill that should have ideally passed the muster of Parliamentary deliberation. As a result, there are certain inconsistencies which may create a conflict with these legislations. For instance, regulations under the PDP Bill including those in relation to the manner of enforcement of rights of data principals were meant to be dealt thereunder. Further, the inconsistencies in the definitions, owing to the fact that multiple legislations now contain same or similar definitions of certain concepts, might lead to implementation issues. Managing crucial health data of over a billion citizens in the manner envisaged, is not only a logistical challenge, but also comes with a host of potential risks of breach and misuse. The Draft Policy, while being an ambitious vision, should consider these challenges and concerns.

The content of this document do not necessarily reflect the views/position of Khaitan & Co but remain solely those of the author(s). For any further queries or follow up please contact Khaitan & Co at legalalerts@khaitanco.com