PMJAY Becomes First Healthcare Scheme with Privacy Policy

With the Srikrishna Committee report and the impending Supreme Court judgment on Aadhaar having brought the issue of data privacy to the forefront, the ambitious ₹5 lakh health protection program has become the first health program in the country to have its own data privacy policy. The National Health Agency, the implementing authority of the Pradhan Mantri Jan Arogya Yojana (PMJAY), has also put in place 100 controls including authentication, authorization, passwords, firewalls and data encryption to protect the data of the estimated 50 crore beneficiaries. The program will be rolled out from September 25. The policy incorporates several principles of the Justice B N Srikrishna panel report on data privacy including curbs on the collection and purposes for which personal data can be used. The policy classifies sensitive personal data as information pertaining to (but not limited to) passwords, financial information such as bank account or credit card or debit card or other payment instrument details, physical, physiological and mental health conditions, sexual orientation, medical records and history and biometric information.

NHA will be responsible for ensuring compliance with this policy under its control and shall constitute a committee to be called “Data Privacy Committee” headed by a Data Privacy Officer. The Committee shall have three members and will be responsible for reviewing compliance with the Data Privacy Policy. Ayushman Bharat CEO Dr Indu Bhusan said: “We will be dealing with a lot of personal health data and also Aadhaar information so we need to make sure that the collection, storage and use of that data is done in a foolproof way. We need to make sure that the process of consent is free, transparent and fair. I believe this is the first health program to have its own privacy policy. We have put in place 100 controls, relating to encryption of data, authentication, authorization, deletion of information that is not to be used, firewalls at various levels. ISO 27001 standards include all these controls.”

The policy lays down that NHA and its ecosystem partners shall establish a process to proactively embed privacy as the default state of all products, technologies and services. “‘Privacy by Design’ principle shall ensure that privacy is considered at the initial planning/design stages and throughout the complete development process of new processes/services/technologies that involve processing of personal data of beneficiaries. Considerations shall be given for technical and organizational measures to enhance privacy (e.g. Pseudonymization, anonymization, data minimization etc.). In addition, appropriate technical and organizational measures shall be considered to ensure that personal data collected or processed is minimal, relevant and limited to what is necessary in relation to the purposes for which it is collected and processed.”

Beneficiaries will have the right to request access to copies of their personal data, information on the processing activities carried out with their personal data, request restriction of access or even withdraw consent. Digital health data is not to be accessed, used or disclosed to any person for a commercial purpose and in no circumstances should be accessed, used or disclosed to insurers, employers, human resource consultants and pharma companies etc., the policy lays down. All NHA partners will be required to maintain secrecy of the data. – Indian Express
