Proposed health data policy puts question mark on privacy concerns

India doesn’t have a law protecting personal data. There are no specific penalties for failing to keep such data secure. A proposed law on Personal Digital Privacy Protection has been pending since 2018, and drafts in the public domain raise concerns about widespread surveillance. The recently released draft “Health Data Management Policy” of the National Digital Health Mission is supposed to specifically guard medical data. This is built on the foundations of legislation that doesn’t exist. It also seems to be more concerned about monetisation of such data, than with the protection of privacy. The proposed health policy refers to citizens as “data principals”; hospitals and doctors are “health information providers”; government agencies are “health information users”. The policy envisages an integrated data storage system. Records held by different service providers will be in common formats and linked through a unique health ID (Aadhar or something new). The justification: An integrated system with common standards would allow easy access to medical history and make it possible for individuals to be treated anywhere. “Data fiduciaries” will be allowed to collect and store “sensitive personal data”. This could include financial information; physical, physiological and mental health data; sex life and sexual orientation; genetic data; caste or tribe data; and “religious or political belief or affiliation”. It’s impossible to understand why much of this is necessary. The draft also suggests that even the local pharmacy could be considered a fiduciary. This means higher probabilities of data leakage since it’s very unrealistic to assume every fiduciary will be secure. Importantly, this data will be shared with the government, and “agencies designated by government”. Anonymised or de-identified data will be made available in aggregated form for facilitating health and clinical research, academic research, archiving, statistical analysis, policy formulation, the development and promotion of diagnostic solutions, etc.