Draft NDHM policy: Experts warn of ‘structural problems’, lack of clarity on patient control over data

The policy puts the onus on the individual to understand whether they should consent to giving their data, but there is no clarity on whether it will be in a format that is easy to understand.

The government’s existing draft to manage patient health data under the National Digital Health Mission (NDHM) has problems that may make it difficult for patients volunteering for digital health IDs to have full control or visibility over how their data is used, according to experts.

While NDHM aims to implement one of the world’s largest centralised digital identity projects, the current draft policy has “structural” problems, according to Raman Jit Singh Chima, Asia policy director and senior international counsel at Access Now, a non-profit that defends and extends digital rights of people around the world.

“It is a policy document issued under no statutory framework and on a topic that partly impacts India’s federal structure, because health is a state subject. Not only can it not bind the state, it also isn’t binding on the National Health Authority (NHA) that is enforcing it — the policy can be changed,” said Chima. “Under this policy, it is unclear whether you will be notified each time your data is being used, and it is unclear who will enforce that,” he said.

https://images.indianexpress.com/2020/08/1x1.png

“If I’m a law enforcement agency wanting to access your entire pharma records, who sold you what and for what purpose, I could go ahead and do that. There is no remedy mechanism and enforcement structure to prevent that from happening,” he added.

Problems also arise where the ability of an individual to ensure their data is erased is concerned. “With respect to erasure, the policy provides only certain circumstances where the personal data can be erased,” said Shweta Mohandas, policy officer at Centre for Internet and Society (CIS), who has been studying the draft closely. This is true even if the patient withdraws their consent, according to Murali Neelakantan, lawyer and former global general counsel for Cipla and Glenmark Pharmaceuticals.

“The policy allows the patient to only request that their data be erased if they’re withdrawing their consent, but this request can also be denied. This doesn’t give the patient the right or control over their own data, because there is no right to be forgotten in this policy,” he told The Indian Express.

“(It) also doesn’t specify which database will contain the patient’s information,” Neelakantan added.

The policy puts the onus on the individual to understand whether they should consent to giving their data, but there is no clarity on whether it will be in a format that is easy to understand, according to CIS programme officer Shweta Reddy, who has also been studying the draft.

The definition of a consent manager is also not clear enough in the current policy to understand whether the role will be played by a private firm, NGO or government body, according to her. Certain clauses of the policy suggest that the consent manager will also be able to collect and process personal and sensitive personal data for particular purposes that are not specified.

“We don’t know if, apart from just taking consent, whether they will have access to personal and sensitive personal data. If a consent manager is supposed to help an individual exercise their rights against a data fiduciary, who is going to help them exercise their right against the consent manager,” asked Reddy. Final comments on the draft policy are expected by September 21.