The health ministry released the draft National Health Data Management Policy for public consultation in August and kept it open for public comments until last week. It aims to create a National Digital Health Ecosystem and set up a National Health Authority.
“It is worrying that the policy is being presented before the Personal Data Protection Bill has become legislation. This could create issues if there are differences in the policy and the version of the PDP bill that becomes an act,” said Shweta Mohandas, policy officer at the Centre for Internet and Society.
Although the policy differentiates types of health data, experts said the onus of data safety for each category should be more clearly spelled out.
The draft policy charts out Personal Health Identifiers (PHI) and Personal Health Records (PHR) as separate data categories. PHI includes health IDs and other patient identifier information, while PHR includes electronic medical records that can be used only with explicit consent.
Nasscom called on the health ministry to raise inputs with the joint parliamentary committee currently reviewing the PDP Bill 2019 and recommend amendments to align the two crucial legislations.
It also sought that ‘explicit consent’ requirements be limited, recommending that PHI be categorised as ‘personal data’ and only PHR be classified as sensitive personal data requiring explicit consent.
It said that in some cases, there should be an alternative to explicit consent. These could be extraneous cases or situations where data processing is necessary to “protect the vital interests of the data subject,” it said.
“As this policy falls within the larger ambit of protection provided by the PDP bill, we believe it is important to define ‘health data’ to avoid re-identification when combined with other personal data,” said Kazim Rizvi, founding director of The Dialogue, a New Delhi-based think tank.
He added that the proposed grievance redressal mechanism falls short of acknowledging the pre-existing mechanism under the PDP framework and bypasses it by having its own authority and alternative appellate mechanism that provides the final authority to the health ministry.
The draft aims to create an interoperable health-data sharing framework, based on individual consent, and recommends the creation of a consent manager framework.
“Given the nascency of the framework, Nasscom appreciates the voluntary nature of participation in the NDHE, and the emphasis placed upon the principle of non-exclusion,” the industry body said.
Nasscom also recommended that the draft policy not specify “granular requirements” related to contracts between data fiduciaries and data processors and rather there should be data audits to show compliance.
“NDHB has limited its reach to health data collection rather than extending and integrating it with other on-ground initiatives such as Anganwadi workers and digital payments through the Unified Payment Interface for healthcare services,” said Udai S Mehta, deputy executive director of CUTS.
He said the policy should give due consideration to existing data silos that will require more flexibility to ensure their integration within the policy.