(This is a continuation of the previous Article)
The Health Data Protection policy announced under the NHD scheme has adopted the obligations of data fiduciaries and the rights of data principals from the Personal Data Protection Bill 2019.
Accordingly, the obligations include:
1. Accountability
2. Transparency (including the Data Trust Score, Grievance Redressal, and periodic updates on changes in the processing)
3. Privacy by Design (the system is envisaged to have decentralized data storage, which could mean multiple databases at the State/UT level, introducing security requirements commensurate with the associated risks)
4. Choice and consent driven sharing
5. Purpose limitation
6. Collection, use and storage limitation
7. Empowerment of the rights guaranteed
8. Maintenance of data quality
9. Reasonable security practices and procedures
As could be expected, the Ministry of Health, which is in love with ISO standards, has stated that “The data fiduciaries will implement the International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements” as well as any other standard as may be applicable to them”.
Naavi.org has extensively argued that regulations should not prescribe a particular proprietary standard to be implemented.
To reiterate, this means that every Data Fiduciary is being forced by the regulation to buy an ISO 27001 certificate, which comes with a price tag.
It is impossible to avoid the perception that this is being suggested for reasons other than necessity, and it is suggested that the Ministry drop this provision.
It must also be pointed out that ISO 27001 does not support the DTS (Data Trust Score) system and is not comprehensive enough to cover the techno-legal compliance requirements.
The policy suggests that organizations appoint an NDHM-CISO and an NDHM-DPO.
The obligations of Data Processors, as entities bound by contractual agreements, are similar to those under PDPB 2019.
The Data Fiduciary needs to conduct a Data Protection Impact Assessment and maintain appropriate records. They should also conduct periodic review audits.
Sharing of Data
Sharing of de-identified and anonymized data may be permitted within the community of Health Information Users, who will have obligations similar to those of the Data Fiduciary.
Grievance Redressal
The policy envisages that the Data Fiduciaries shall have a Grievance Redressal mechanism and that the DPO will be accountable for redressing grievances.
Data Breach Management
The National Health Authority (NHA) is expected to notify the time limits related to the notification of data breaches. The NHA will report the breaches to CERT-In for the time being.
NDHM Sandbox Environment
It is interesting to note that the Ministry is providing a sandbox arrangement for software systems to be tested in a controlled environment. The sandbox hosts APIs for the Health ID service, the Consent Manager gateway, etc.
Penalties
Any non-compliance with the regulations may attract cancellation of the registration and stoppage of contracts.
Summary
While the policy is an attempt to apply the provisions of the PDPB 2019 to the health sector, once the PDPA comes into being it would be better if this policy were simplified to avoid overlapping with the PDPA provisions.
Further, the references to the ISO audit as if it were mandatory must be removed, and the security inconsistencies need to be addressed.
We keep our fingers crossed to see how the Ministry would respond.
Naavi
All Articles in the series:
1. National Digital Health Mission shows the way… Be Ready before PDPA becomes effective
2. NDHM is a trend setter… Get started early on the Privacy Protection journey
3. Consent Management under NDHM
4. NDHM-Health Management policy Objective need not be linked to ISO standard
5. Managing IDs in NHD ecosystem
6. Data Fiduciaries under NDHM