Prime Minister Narendra Modi, during his Independence Day speech on August 15, announced the imminent launch of the National Digital Health Mission with the aim of providing every Indian with a health ID that would enable healthcare providers to access an individual’s medical records digitally. Since then, the government has issued a draft Health Data Management Policy that outlines what data will be collected, how it will be treated and stored, and how it can be accessed.
The draft policy was made public on August 26, with a window for public evaluation and consultation initially open till September 3. However, following backlash from policy experts and doctors who argued that the timeframe for evaluation was too narrow, the government extended the deadline to September 10.
The government has claimed that the digital system will increase accessibility and transparency, allowing doctors to access personal health records of Indians seamlessly. It has argued that the system will eliminate the informational gaps that may arise from individuals losing their records and files, thereby facilitating doctors to make the most well-informed decisions. The government has also noted that the system will function entirely on an opt-in basis.
Lack of clarity over draft policy of great concern
However, critics have already raised several apprehensions over the scheme, especially as they relate to the safety and security of the sensitive information collected and stored. In fact, according to a survey conducted by a community social media platform, LocalCircles, that included 9,000 participants, 59 per cent of respondents stated that they would be keen to avail of the Digital Health ID but did not wish to share personal data beyond health and medical records.
Although the government is yet to explicitly explain what data will be collected, and under whose discretion, the Health Management Policy document it published, includes data that appears to go well beyond that required for doctors. The ‘sensitive personal data’ that could be gathered includes financial information such as bank account and credit card details, sexual orientation, sexual history, biometric data, genetic data, caste or tribe data, and even religious beliefs and political affiliation.
Given the actual scope of the scheme itself, critics have firstly questioned why such data needs to be collected. What’s more, a number of question marks remain over the security of this data. The reality is that, despite the government’s drive towards digitalisation, India still does not have a dedicated Data Protection Law, with a Bill still pending in Parliament. In light of this, privacy experts have stated that the latest draft data policy could create a parallel system that may endanger the personal information of Indian citizens.
Questions over whether the government is capable of securing such a valuable and sensitive trove of data have also been raised. Despite positive sounds from government officials, issues over security vulnerabilities arising from the government’s contact-tracing app, Aarogya Setu, first flagged by a French hacker going by the name of Elliot Alderson on Twitter, have not exactly filled privacy lawyers with a great deal of confidence.
Moreover, the draft policy also, reportedly, allows health service providers to share anonymised data in aggregated form for the purposes of research and future policy formation. However, whether perfect anonymisation of information is, indeed, possible remains a huge matter of debate within the cybersecurity community. A petition filed in the Delhi High Court cited a research study in the US where 87 per cent of the US population could be identified when their data was matched with other data sets that included information as simple as one’s zip code, birth date and gender.
The lack of clarity around the Health Management Policy is worrisome, and certainly warrants further explanation from the government before its pilot programmes are extended to include larger portions of the Indian population. While the Centre’s intentions may be to address a genuine problem faced the by India’s healthcare providers, the existence of potential security vulnerabilities entails a risk much too large to ignore. – Times Now News