India's Digital Health mission is the need of the hour. But privacy concerns can't be ignored!
National Digital Health Mission (NDHM), which was announced on August 15, 2020, proposes to create 'Womb to Tomb' digital health profiling of Indians. To put it simply, health records of a person such as illnesses, medical prescriptions, reports, and clinical tests will be digitized and stored under one digital health identification.
NDHM aims to develop the backbone necessary to support the integrated digital health infrastructure of the country. It is expected to bridge the existing gap among various stakeholders of the healthcare ecosystem through digital highways.
No doubt it is a first step towards strengthening India's health system and making it more robust to attain constitutional goals of Indians. But, as per current legal framework- the Government is prohibited from collecting health data of individuals. Such information can only be accessed with the direction of a court of law. Here comes the catch.
For NDHM to be implemented- data collection, storage and processing guidelines, legislation has become an essential precondition. When the law is still unclear regarding data privacy— meaning that the digitization, storage, and processing of sensitive health data of Indians by the NDHM would lead to more questions than answers. Will the provisions of NDHM conflict with the elements of Right to Privacy?
Right to Privacy is sacrosanct
Personal data is now being monetized and weaponized! All this can be attributed to lack of pertinent statues and poor implementation of the existing ones.
Even after the landmark judgment in Justice K. S. Puttaswamy, where the Supreme Court of India recognized the Right to Privacy as a Fundamental Right stemming from Article 21 of the Constitution of India which talks about the Right to Life and Liberty, not much has changed.
Although it seems that we have not progressed much and most likely have fallen into a rut. The Supreme Court in this 2017 judgment also gave express directions to the Government of India to enact a comprehensive privacy law.
The Government of India very promptly appointed a Committee of Experts on a Data Protection Framework for India which was chaired by Justice B. N Srikrishna, which submitted its report during July 2018. The draft Personal Data Protection Bill was placed in Parliament during December 2019 which the Union Cabinet quickly cleared and referred it to a Joint Parliamentary Committee. Since then, there has not been much movement on the subject.
Immense possibilities and instances continue till date of rampant collection, misuse of personal and sensitive information for marketing, surveillance, and other unauthorized purposes without the consent or even the knowledge of the individual.
But..what amounts to personal data?
As per the Personal Data Protection draft bill, all information related with an individual which is regarding their personal choices, movements, reproductive choices, sexual orientation, choice of partners, food habits, financial data from which an individual may be identified or is identifiable, either directly or indirectly is personal data.
Personal data gets further classified as non-sensitive and sensitive data. Sensitive data is related to intimate matters where there is a higher expectation of privacy such as sexual orientation, passwords, biometric data, genetic data, political beliefs, caste, religion, or financial status. It is a startling fact that as of today India does not have a legislation which expressly protects such personal sensitive data and there is absence of guidelines for processing and storage of such sensitive data.
Consent and fair usage of data in the health care sector
When the majority of Indian health care is in private hands how will the stakeholders deal with aspects such as consent of the patient. Consent must be explicit, informed, and meaningful. For vulnerable groups such as children, uneducated and senior citizens, the consent process must be much more robust.
The patients must be provided with autonomy, self-determination, transparency about their data for them to have full control over their data and attach accountability to the data storage authority. This means the patient must have the right to access, confirm and correct their personal data, the right to object to the data processing if desired, must also have a right to be forgotten. These principles are included in the draft Personal Data Protection Bill, and it remains to be seen whether such principles will be part of the final piece of legislation.
It is true that the Indian health sector is plagued with poor service delivery and shortage of trained health workforce. In rural areas the situation is much grimmer. The first instance of care is sought through informal private health clinics. In such a scenario the NDHM's aim appears to be steep.
Fiduciary relationship and obligations
Implementation of NDHM will mean that the individuals will depend upon the health care operators to protect their personal sensitive data while the health care operators shall have to balance it with their own interests remaining within the legal provisions. Therefore, due to such dependence the health care service provider processing the sensitive data shall have to be under the obligation to deal fairly with such data and use it for authorized purpose only. The health care sector operators including the Government is envisaged to be treated as Fiduciaries as per the proposed legislation.
The Fiduciaries will be mandatorily required to process the data fairly, reasonably. Taking of blanket and implicit consent from the individuals will have to be done away with.
Global Scenario and challenges
NDHM is a welcome initiative, provided it is rolled out with proper supporting legislation, governing guidelines regarding the data collection, processing, and privacy.
Unless this is done, NDHM will find it difficult to face stiff hurdles like judicial scrutiny of its key policies, public and political opposition. Putting the requisite safeguard mechanisms in place may also lead to the NDHM project and in turn health care becoming more expensive in India. Such digitalization has led to health care becoming expensive in western countries. We have also seen that digitalization of health care sector in developed countries has assisted in tackling pandemics, endemics and implementing national disease control campaigns in a better way. Data is also a fundamental requirement to support research & development.
A lot of preparatory work and strategic planning is due before India embarks upon transforming the health care sector. Without a proper Data Privacy Law, the NDHM will end up becoming a non-starter. Leapfrogging by the National Government over the Data Privacy Law bill is a bad idea not just for the ambitious NDHM, but also risks jeopardizing the optimism surrounding the expected Data Privacy Law.
Finally, it is claimed that implementation of NDHM is expected to significantly improve the efficiency, effectiveness, and transparency of health service delivery overall, which is welcome. The NDHM will also do well if ground level health infrastructure is also focused upon, mainly in rural India.
Satya Muley
National Digital Health Mission (NDHM), which was announced on August 15, 2020, proposes to create 'Womb to Tomb' digital health profiling of Indians. To put it simply, health records of a person such as illnesses, medical prescriptions, reports, and clinical tests will be digitized and stored under one digital health identification.
NDHM aims to develop the backbone necessary to support the integrated digital health infrastructure of the country. It is expected to bridge the existing gap among various stakeholders of the healthcare ecosystem through digital highways.
No doubt it is a first step towards strengthening India's health system and making it more robust to attain constitutional goals of Indians. But, as per current legal framework- the Government is prohibited from collecting health data of individuals. Such information can only be accessed with the direction of a court of law. Here comes the catch.
For NDHM to be implemented- data collection, storage and processing guidelines, legislation has become an essential precondition. When the law is still unclear regarding data privacy— meaning that the digitization, storage, and processing of sensitive health data of Indians by the NDHM would lead to more questions than answers. Will the provisions of NDHM conflict with the elements of Right to Privacy?
Right to Privacy is sacrosanct
Personal data is now being monetized and weaponized! All this can be attributed to lack of pertinent statues and poor implementation of the existing ones.
Even after the landmark judgment in Justice K. S. Puttaswamy, where the Supreme Court of India recognized the Right to Privacy as a Fundamental Right stemming from Article 21 of the Constitution of India which talks about the Right to Life and Liberty, not much has changed.
Although it seems that we have not progressed much and most likely have fallen into a rut. The Supreme Court in this 2017 judgment also gave express directions to the Government of India to enact a comprehensive privacy law.
The Government of India very promptly appointed a Committee of Experts on a Data Protection Framework for India which was chaired by Justice B. N Srikrishna, which submitted its report during July 2018. The draft Personal Data Protection Bill was placed in Parliament during December 2019 which the Union Cabinet quickly cleared and referred it to a Joint Parliamentary Committee. Since then, there has not been much movement on the subject.
Immense possibilities and instances continue till date of rampant collection, misuse of personal and sensitive information for marketing, surveillance, and other unauthorized purposes without the consent or even the knowledge of the individual.
But..what amounts to personal data?
As per the Personal Data Protection draft bill, all information related with an individual which is regarding their personal choices, movements, reproductive choices, sexual orientation, choice of partners, food habits, financial data from which an individual may be identified or is identifiable, either directly or indirectly is personal data.
Personal data gets further classified as non-sensitive and sensitive data. Sensitive data is related to intimate matters where there is a higher expectation of privacy such as sexual orientation, passwords, biometric data, genetic data, political beliefs, caste, religion, or financial status. It is a startling fact that as of today India does not have a legislation which expressly protects such personal sensitive data and there is absence of guidelines for processing and storage of such sensitive data.
Consent and fair usage of data in the health care sector
When the majority of Indian health care is in private hands how will the stakeholders deal with aspects such as consent of the patient. Consent must be explicit, informed, and meaningful. For vulnerable groups such as children, uneducated and senior citizens, the consent process must be much more robust.
The patients must be provided with autonomy, self-determination, transparency about their data for them to have full control over their data and attach accountability to the data storage authority. This means the patient must have the right to access, confirm and correct their personal data, the right to object to the data processing if desired, must also have a right to be forgotten. These principles are included in the draft Personal Data Protection Bill, and it remains to be seen whether such principles will be part of the final piece of legislation.
It is true that the Indian health sector is plagued with poor service delivery and shortage of trained health workforce. In rural areas the situation is much grimmer. The first instance of care is sought through informal private health clinics. In such a scenario the NDHM's aim appears to be steep.
Fiduciary relationship and obligations
Implementation of NDHM will mean that the individuals will depend upon the health care operators to protect their personal sensitive data while the health care operators shall have to balance it with their own interests remaining within the legal provisions. Therefore, due to such dependence the health care service provider processing the sensitive data shall have to be under the obligation to deal fairly with such data and use it for authorized purpose only. The health care sector operators including the Government is envisaged to be treated as Fiduciaries as per the proposed legislation.
The Fiduciaries will be mandatorily required to process the data fairly, reasonably. Taking of blanket and implicit consent from the individuals will have to be done away with.
Global Scenario and challenges
NDHM is a welcome initiative, provided it is rolled out with proper supporting legislation, governing guidelines regarding the data collection, processing, and privacy.
Unless this is done, NDHM will find it difficult to face stiff hurdles like judicial scrutiny of its key policies, public and political opposition. Putting the requisite safeguard mechanisms in place may also lead to the NDHM project and in turn health care becoming more expensive in India. Such digitalization has led to health care becoming expensive in western countries. We have also seen that digitalization of health care sector in developed countries has assisted in tackling pandemics, endemics and implementing national disease control campaigns in a better way. Data is also a fundamental requirement to support research & development.
A lot of preparatory work and strategic planning is due before India embarks upon transforming the health care sector. Without a proper Data Privacy Law, the NDHM will end up becoming a non-starter. Leapfrogging by the National Government over the Data Privacy Law bill is a bad idea not just for the ambitious NDHM, but also risks jeopardizing the optimism surrounding the expected Data Privacy Law.
Finally, it is claimed that implementation of NDHM is expected to significantly improve the efficiency, effectiveness, and transparency of health service delivery overall, which is welcome. The NDHM will also do well if ground level health infrastructure is also focused upon, mainly in rural India.
Satya Muley
Satya is a leading Civil & Criminal Law lawyer from Western India.
He practices at Bombay High Court, the Supreme Court and Courts in Pune/Maharashtra & New Delhi.
For any queries or support in legal matters you can reach him at or at Contact Us
Click here to read more about us.