Consent Management under NDHM

(This is in continuation of the earlier article on NDHM)

“Informed Consent” is the backbone of most Data Protection laws including the Indian Personal Data Protection Act (proposed). The NDHM’s Health Management Policy adopts all the provisions of the PDPB 2019.

Consent is a mandatory requirement under the policy. It should meet the standards of a “Free Consent” under Section 14 of the Indian Contract Act and should involve “Informed choice” etc., as envisaged in PDPB 2019 (Section 11).

The purposes for which consent can be obtained under this policy are restricted to the requirements of the NHA (National Health Authority, similar to the DPA of PDPA), which means that the consent can be used only for purposes consistent with the NDHM.

Once this policy comes into force, fresh consents have to be obtained. This means that legacy health data, for which consent may or may not be available, becomes data collected under a “Defective” or “Expired Consent”.

When subsequent processing is required and the data has to be passed on to another processor (Health Information Users and Providers), a “Consent artifact” has to be generated and shared by the “Consent Manager”.

In obtaining the consent from a minor (less than 18 years of age), the policy indicates that a “Valid Proof of relationship” must be obtained along with the identity of the parent or guardian for processing of sensitive personal data.

The “Valid Proof of relationship” could be a point of difficulty and needs to be debated further.

It is expected that the NDHE framework will take note of “Nomination” like an “Authorized representative” who takes care of the consent in the event the data principal is seriously ill or mentally incapacitated.

This point is a problem in all health-related laws since this provision is in conflict with the earlier provision that “Consent has to be as per Section 14 of Indian Contract Act”. As per the Indian Contract Act, a person who loses the mental capacity to take decisions is no longer able to withdraw the earlier authorization given to an agent, and hence the contract of agency is deemed terminated in such a situation. HIPAA resolves this dilemma by bringing in the view of the medical practitioner, whose certificate would be a vital document that determines what decision can be taken in respect of the patient.

It is better if we also adopt this provision in the policy.

The rights of the data principal recognized by the policy are similar to those in PDPB 2019 and include right to confirmation, right to access, right to receive a notice, right to correction, limited right to erasure and data portability.

The provisions recognize the need for retention of data as per law and for the use of restriction of access and disclosure instead of deletion if the situation so warrants, and expect a Data Retention and Archival policy to be adopted for the purpose.

Another point of difficulty is the policy that a person may restrict consent to disclose the information to his legal heirs after his death, which would not be possible in an electronic form of consent. This would be ultra vires the ITA 2000, since any instruction applicable after the death of a person can be considered a statement of Will, which has no recognition in electronic form.

(….Continued)

Naavi

All Articles in the series:

1. National Digital health mission shows the way… Be Ready before PDPA becomes effective

2. NDHM is a trend setter… Get started early on the Privacy Protection journey

3. Consent Management under NDHM

4. NDHM-Health Management policy Objective need not be linked to ISO standard

5. Managing IDs in NHD ecosystem

6. Data Fiduciaries under NDHM

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.