NDHM is a trend setter… Get Started early on the Privacy Protection Journey

(This is in continuation of the earlier article on NDHM)

The National Digital Health Mission (NDHM) is an ambitious project of the Government of India to provide a nationwide health care system that makes comprehensive use of technology. Since the project deals with the health information of individuals, it is already under an obligation to be compliant with ITA 2000. Though we may argue that Section 43A is for Body Corporates and not for Government, any organization which can sue and be sued in its own name should be considered as being under the obligation of compliance under ITA 2000 even if it is a public body. At the same time, after the Puttaswamy judgement, the obligation for privacy protection is already on all Government projects. Hence NDHM is a project which needs to be compliant with the expectations of Information Privacy Protection under the Puttaswamy Judgement, as encapsulated in the PDPB 2019, which is also the “Due Diligence” requirement under ITA 2000 for both Section 43A and Section 79.

The NDHM is already under various stages of implementation and hence the Ministry of Health and Family Welfare (MOHFW) had acted a few years ago in building a law called DISHA (Digital Information Security for Health Act) and also formulated the EHR policy for hospitals as well as the Telemedicine Policy. However, since the PDPA was conceived as a comprehensive privacy legislation, it was prudent for the MOH to drop its proposal for a separate Act and restrict itself to developing a code of practice for the health care industry to meet the requirements of PDPA.

When DISHA was drafted we did not have a draft of PDPA and now we have a near final version of the Act as proposed. Hence NDHM has gone ahead and incorporated the principles of PDPA into its policies and has already started its journey towards PDPA compliance.

This is precisely the pro-active approach which Naavi has been suggesting to other companies and sectoral regulators and we must appreciate the efforts of MOHFW in showing the way for other regulators.

The Policy document is applicable to the participants of the NDH Ecosystem, which revolves around all the citizens of the country and all stakeholders in the health industry. By its very nature it encompasses the entire universe of health data processors including the Central and State Governments, Hospitals, Diagnostic labs, Pharmacies, Health Insurance services, Health Tech Services, Medical practitioners, NGOs etc. Even the websites that provide services to the health care sector may come under the provisions of this policy.

Since “Health” is an associated aspect of every citizen, the policy is applicable to a very large section of the population, especially those who are using NDH related services.

The participants of the NDHE are issued specific Digital IDs (Patients, Doctors and other participating institutions) which will be an ID to be protected.

The policy is closely aligned to the PDPB 2019 in terms of definitions, obligations and rights guaranteed.

Some of the new definitions that have been introduced are:

“Personal Health Identifier” or “PHI” is the data that could potentially identify a specific data principal and can be used to distinguish such data principals from another. PHIs could also be used for re-identifying previously de-identified data. It could include a data principal’s demographic and location information, family and relationship information and contact details;

“Health Information Provider” or “HIPs” means hospitals, diagnostic centres, public health programs or other such entities registered with the National Health Infrastructure Registry, which act as information providers (by generating, storing and distributing health records) in the digital health ecosystem

“health locker” means a service of information exchange of electronic health records or electronic medical records, which can be accessed by the data fiduciary or data processor upon receiving the consent of the data principal and where such service can also be used by a data principal in order to create Personal Health Records;

“Health Information Users” or “HIUs” are entities that are permitted to request access to the personal data of a data principal with the appropriate consent of the data principal. The NHA may, from time to time, specify certain terms and conditions in relation to HIUs;

“Health ID” refers to the Identification Number or Identifier allocated to a data principal, “Health Facility ID” refers to the unique ID allocated to each health facility and “Health Practitioner ID” refers to the unique ID allocated to each health practitioner

Though the PDPA has missed doing so, the policy defines the three different terms Anonymization, Pseudonymization and De-identification independently.

“de-identification” means the process by which a data fiduciary or data processor may remove, or mask identifiers from personal data, or replace them with such other fictitious name or code that is unique to a data principal but does not, on its own, directly identify the data principal;

On the other hand, “pseudonymisation” means a data management and de-identification procedure by which personally identifiable information fields within a data record are replaced by one or more artificial identifiers, or pseudonyms;

“anonymisation” in relation to personal data, means such irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified through any means reasonably likely to be used to identify such data principal;

The definition of “Biometric” data is also interesting as it includes the “Behavioural characteristics” of a data principal, by stating “biometric data” means facial image, fingerprint scans, iris scans, or any other similar personal data resulting from measurements or technical processing operations carried out on physical, physiological, or behavioural characteristics of a data principal, which allow or confirm the unique identification of that natural person;

An interesting term called “Consent artifact” has been defined instead of the usual “Consent may be in writing or other means etc.” Here, “consent artifact” means a machine-readable document that specifies the parameters and scope of data sharing and access that a data principal consents to in any personal data sharing transaction;

The guideline also adopts the term “Consent Manager” which in this context means an entity or an individual, as the case may be, that interacts with the data principal and obtains consent from him/her for any intended access to personal or sensitive personal data, where the role of the consent manager may be provided by the NHA or any other service provider;

The “Definitions” indicate that the policy seems to have taken into consideration many aspects of PDPA and made relevant additions also which may in turn influence the final draft of the PDPA.

(To Be Continued)

Naavi

All Articles in the series:

1. National Digital health mission shows the way… Be Ready before PDPA becomes effective

2. NDHM is a trend setter… Get started early on the Privacy Protection journey

3. Consent Management under NDHM

4. NDHM-Health Management policy Objective need not be linked to ISO standard

5. Managing IDs in NHD ecosystem

6. Data Fiduciaries under NDHM

 

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.