Govt pushes digital health plan despite privacy worries
India’s government is using the coronavirus pandemic to push its plan to digitise the health records and data of its 1.3 billion people, despite concerns about privacy and increased surveillance, technology and human rights experts say.
India’s number of confirmed coronavirus cases has topped 5.4 million according to government data, with the virus spreading at one of the fastest paces in the world.
In a speech last month to mark Independence Day, Prime Minister Narendra Modi announced the launch of the National Digital Health Mission (NDHM), under which unique health IDs will be created to hold digital health records of individuals.
“Whether it is making a doctor’s appointment, depositing money or running around for documents in the hospital, the mission will help remove all such challenges,” Modi said.
Praveen Gedam of the National Health Authority (NHA) said in emailed comments that the pandemic had highlighted the need to “move swiftly to improve medical infrastructure”.
But without a data protection law or an independent data protection authority, there are few safeguards and no recourse if rights are violated, said Raman Jit Singh Chima, Asia policy director at Access Now, a digital rights non-profit.
“It will possibly be the largest centralised health ID and data storage system in the world, and it is being done in the absence of a data protection law and data protection authority,” he told the Thomson Reuters Foundation.
“Health is a state subject, but the central government is rushing this policy in the middle of a public health emergency, and forcing states to play ball. It’s very problematic.”
There has been a move in recent years to digitise medical records and data as part of the Digital India campaign to deliver services electronically. A federal medical insurance scheme aimed at 500 million people launched in 2018.
A draft Health Data Management Policy unveiled last month has guidelines for regulating the collection and storage of the data that can only be accessed with the individual’s consent.
The aim of the NDHM is to create and maintain registries that are portable and accessible across India to everyone associated with healthcare delivery, according to the draft.
The new health ID, which the health minister said will be “entirely voluntary” with an opt-out option, will hold information such as tests, prescriptions, treatments and medical records.
Gedam of the NHA, which oversees the NDHM, said that “the policy has been years in the making and undergone multiple rounds of consultation. Hence it is incorrect to assume that this has been a rushed undertaking”.
It has been more than a decade since India created Aadhaar, the world’s largest biometric identity system, with more than 1.2 billion IDs issued.
The 12-digit ID, which is linked to an individual’s fingerprints, face and iris scan, was introduced to streamline welfare payments and reduce wastage in public spending. Yet it soon became mandatory for a host of public and private services.
The Supreme Court ruled in 2014 that Aadhaar could not be a requirement for welfare programmes. In 2018, the top court flagged privacy concerns and reined in a government push to make it compulsory for everything from mobile services to pensions.
The government has repeatedly denied charges of data misuse or surveillance, even as large numbers of people remain excluded and many are denied essential services, a report by consulting firm Dalberg said last year.
The new health ID has the potential to be made mandatory and deny services to those who opt out, while also posing the risk of data abuse, human rights campaigners say.
The draft policy is only available online and in English, thus preventing access to a large majority of people, said Satendra Singh, a physician and disability rights campaigner who petitioned to extend the deadline for feedback to September 21.
The policy also allows the sharing of anonymised data with third parties — “a matter of grave concern”, particularly for sexual minorities and those with disabilities, he said.
Privacy of data will receive “the highest degree of attention”, said Gedam. “The draft policy draws from provisions of the Personal Data Protection Bill and will be kept compliant with any future legislations and rulings,” he added, referring to the draft bill that was tabled in Parliament last year.
India’s public and private hospitals, clinics and labs have varying levels of digitisation, and patients usually cannot digitally transfer their health records from one to another.
Like several other nations, India quickly embraced technology to track and trace the spread of the coronavirus.
The Aarogya Setu, or “Health Bridge” mobile app uses GPS location data to augment information gathered via Bluetooth and build a centralised database — an approach avoided by most countries because of privacy concerns.
The experience with Aadhaar and Aarogya Setu — and the health ID pilot — does not inspire confidence, said Amulya Nidhi, co-convener of the People’s Health Movement (Jan Swasthya Abhiyan) non-profit.
“At a time when we are struggling for hospital beds and oxygen, the government is focusing on digitisation,” he said.
“People’s vulnerability while seeking health services may be misused to get consent. Informed consent is a real issue when people are poor, illiterate or desperate,” he said.
“Your health data — once it’s out there, it’s out there. You can’t do anything about it.”