Access to personal medical records is unwarranted intrusion into privacy rights: AIOCD to Govt

The draft policy was first published on August 26, 2020, and a week was given for consultation as well as for sending objections to the policy.

The policy seeks to create a unique ID for doctors, healthcare practitioners, health facilities, and patients. It also seeks to digitalize the health record of patients and to enable private stakeholders to get access to personal medical data. It adds that the participation of the patient in the digital health ecosystem shall be on a voluntary basis.

Though AIOCD supports the Government's decision that customers and patients should receive the benefits of technology and digitalization in health care services. However, through its submission, it has highlighted that it is equally important to ensure that effective healthcare and patient-doctor-pharmacist confidentiality is not jeopardized in the haste of adopting the technology.

In its view, using the personal medical records of citizens for the purpose of surveillance by the state is an unwarranted intrusion into the privacy rights of the citizens and it is also a malafide objective.

Rajiv Singhal General Secretary AIOCD said, "The Policy should also clearly lay down the lawful procedures for the authorities authorized under the policy /data fiduciaries or other health service providers for accessing the sensitive and or personal data of an individual so that an amount of 'checks and balances' is maintained and also to ensure that the privacy of an individual is safe at all times. The Policy also does not contain sufficient safeguards for the encryption of sensitive data."

AIOCD primarily has been concerned about patients' data privacy. Elaborating on the same, it opined the objectives stated in the policy cannot be implemented by making the standalone policy which may not have the force of law as;

• The draft policy states that the participation of the patient in the digital health ecosystem shall be on a voluntary basis, however, with the advancement of technology the doctors and healthcare practitioners will get accustomed and habituated to provide services digitally. The same trend is apparent in all e-commerce/technological sectors. As a result, AIOCD's letter mentions that they fear that a patient who chooses to not become a part of the digital health ecosystem will face hardship in getting access to cheap and speedy healthcare. Having said so, for the majority population availing the digital health ecosystem will become a compulsion.

• Once the proposed policy is implemented, it will involve the collection of the biometric and medical records. This would create the world largest medical database of biometrics. The digital data is susceptible to hacking and unauthorized access and the AIOCD is not sure if the Central Government will be in a position to safeguard the privacy of citizens from hacking and unauthorized access. The policy falls foul in many areas and the same needs revamp and reconsideration.

• The draft policy stipulates that the Government will be collecting medical and private information of its citizens. The AIOCD members were not able to think of any workaround or legitimate interest of the state in collecting the personal medical data of its citizens and link it with a centralized ID. Moreover, the Government will then also have access to every medical visit and diagnosis of the citizens as it will be uploaded and linked to the health ID. In our opinion, this is a breach of citizens' informational privacy and unconstitutional.

• The draft policy says that it will enable surveillance by the state authorities. In the AIOCD's opinion, using the personal medical records of citizens for the purpose of surveillance by the state is an unwarranted intrusion into the privacy rights of the citizens and it is also a malafide objective.

• The draft policy doesn't take into account that most people desire anonymity and privacy to defend themselves from being profiled. If the health ID is linked to citizens' biometrics or Aadhar then it is against the concept of anonymity and inconsistent with it.

In addition to the above, the policy also does not clarify its main purport in respect to the processing of personal and sensitive data of individuals/citizens. That the patients' medical data will be processed and profiled is an anti-thesis of privacy and confidentiality rights of the patient, as per the AIOCD.

"The draft policy does not even whisper about the protection of sensitive individual data, which will eventually become prone to commercial/monetary gains of various private as well as government/semi-government companies involved in healthcare services if the data is given to them for processing," stated the letter.

‌The letter significantly mentioned that the draft policy is silent or has no consideration for possibility towards the sensitive data being used for commercial or monetary gains. Although the policy casts absolute duty to the data fiduciaries to determine the purpose and means of processing personal data, it does not clarify whether such sensitive data could be used for commercial gains or not which jeopardizes the sensitive information of a citizen who in good faith and trust submits his/her health data.

It also highlighted that the draft policy is framed for the purpose of digitization of medical records of an individual seeks to demand too much from an individual in the guise of sensitive personal data, such as financial details, religious or political belief or affiliation, intersex status, sex life, sexual orientation etc. The definition of sensitive personal data should be narrowed down.

"If this policy is finalized in an "as it is" basis and the data fiduciaries is allowed to change the privacy policy in its own whims and fancies, the individual who had agreed to submit his/her sensitive information then the privacy policy, would be severely prejudiced. There is also a high possibility that the sensitive data of an individual would be used for commercial gains by changing the privacy policy of an individual sensitive data. Also, the policy should encompass strict liability upon the data fiduciaries in the event of the personal data being shared for monetary gains (including the de-identified data) or being erased even after the purpose for which it was collected is satisfied," Singhal expressed.

Suggestions-

• In so far as de-identified data are concerned the policy should clearly state the entities with whom the data could be shared and even if it is shared the same should strictly be for the purpose of research, policy formulation, analysis, or any other public related issue and the same should be properly regulated and should not be allowed to be used for commercial gains.
• There should be a sample template of an example in the policy in respect of the privacy notice for the purpose of providing services of data fiduciary.

• The draft policy does not mention the place of storage of data by the Data Fiduciary. The location of the data storage is important, so as to ensure that the same is not being stored in a private server. And it does not contain sufficient safeguards for the encryption of sensitive data, which also needs to be considered while finalizing it.

• The policy should also clearly lay down the lawful procedures for the authorities authorized under the policy /data fiduciaries or other health service providers for accessing the sensitive and or personal data of an individual so that an amount of 'checks and balances' is maintained and also to ensure that the privacy of an individual is safe at all times.

• The Policy should also entail a provision/ a clause, which would make the intruders including those who illegally access and provide the sensitive and personal data to other interested parties, accountable for their actions and it should have a proper punishment mechanism for not only the illegal provider of sensitive information and the receiver but also accountability towards the data that would be illegally hacked by hackers.

• The Policy should also address the issue in respect of semi-urban and rural areas wherein the doctors would be reluctant to do a tedious job of putting the data in electronic format, thereby, completely defeating the objective of the policy being healthcare delivery.

• The present draft policy is discriminative and so far as it does not address the issue of accessibility by persons with visual impairment. Therefore, there is a need for looking into these aspects as well.

• The Policy should mandate the data fiduciary to also inform the individual about the risks involved in providing the sensitive health data at the time of collection so that the consent was taken if any of the individuals is an informed one.

• The policy in so far relates to e-prescriptions, the AIOCD suggests that the Government should come up with a national portal on which the registered medical practitioner can directly upload e-prescriptions or if the e-prescription is being uploaded by the patient the policy should also entail that the said prescription would be authenticated by the prescriber/ registered medical practitioner before it is dispensed and the same should be properly recorded so that a case of multiple dispensations of drugs from the same e-prescription can be avoided.

Subsequently, AIOCD has requested NHA to consider the suggestion as suggested by the body in the draft of the National Health Policy in the interest of the public, informs President J S Shinde. Adding that it has also sought the authorities to publish the draft policy in regional languages.