A privacy-focused process is needed to determine which data to retain and for how long
In a welcome development, the National Health Authority (NHA) – the body responsible for the administration of the Ayushman Bharat Digital Mission (ABDM) – has initiated a consultation process on retention of health data by health care providers in India (https:// bit.ly/3uK9buH). The consultation paper seeks feedback on what data is to be retained, and for how long.
A simple classification system, as suggested in the consultation paper, exposes individuals to the pitfalls arising from over-collection and retention of redundant data. At the same time, such a one-size-fits-all system can also lead to the retention of data that is actually needed for research or public policy needs. Instead, we should classify the data based on its use. In this system, health data required for an identified purpose would be anonymized or deleted.
need for such a policy
Whether the state should mandate the retention period is an open question. Currently, service providers can compete on how they handle data from individuals or health records; In theory, each of us can choose a provider whose data policies we are comfortable with. Given the landscape of health care access in India, including informal providers, many patients may not consider this factor in practice. However, the decision to take elections through the hands of the individual should not be taken lightly.
The Supreme Court of India has clarified that privacy is a fundamental right, and any interference with the right must pass a four-part test: legitimacy; legitimate purpose; proportionality, and appropriate safeguards. Mandatory retention of health data is one such form of interference with the right to privacy.
In this context, the question of legality becomes a question about the legal status and authority of the NHA. For example, the consultation paper asks whether the health data retention policy should apply only to health care providers participating in the ABDM ecosystem, or to all health care providers in general. We believe that the answer can only be the former; Since the NHA is not a region-wide regulator, it has no legal basis for creating guidelines for health care providers in general.
profit and risk balance
The purpose of data retention is described in terms of benefit to the individual and the public at large. Individuals benefit through greater convenience and choice made through the portability of health records. Broader public benefit through research and innovation driven by the availability of more and better data for analysis.
While these are significant benefits, they have to be weighed against the risks. Globally, legal systems consider health data to be particularly sensitive, and recognize that improper disclosure of this data can cause significant harm to an individual. These may include damages that would be very difficult to cover, so penalizing such violations is not sufficient; Every effort should be made to reduce the extent of the data collected, and to keep it only for the required amount of time so as to minimize the possibility of any breach in the first place.
In particular, privacy risks make us very hesitant to retain an individual’s complete health or medical records on the grounds that they may someday be useful for research. According to Indian law, if a person’s rights are to be curtailed because of anticipated benefits, such benefits cannot be prospective or speculative: they must be clearly defined and identifiable.
It’s the difference between saying that data from patients with a heart condition will help us better understand heart health — a vague explanation — and being able to identify a specific study that would include that patient’s data. This would further mean that the study requires personally identifiable information, not just an anonymous record – the latter flows from the principle of proportionality, which requires choosing the least intrusive option available. is required.
In fact, the standards of anonymity are still evolving. In the world of big data, the research community still has to come to a consensus on what constitutes sufficient anonymity, or what can be considered best practices or methods for achieving it. We still cannot rule out the possibility that anonymised data is still being linked to specific individuals. In other words, anonymity may not even be the least intrusive solution to protect patients’ rights in all scenarios.
possible security measures
Ultimately, the test for retention of data must be that a clear and specific case for such retention has been identified, following a rigorous procedure conducted by the appropriate authorities. A second defense would be to anonymize data that is being held for research purposes – again, unless a specific case is made for containing personally identifiable information. If neither of these is true, the data should be deleted.
An alternative basis for retaining the data may be the express and informed consent of the person in question. However, there are limits to how consent can be applied in the context of health care in India; In general, health care is an area where patients rely on the expertise and advice of doctors, complicating the idea of informed consent. Furthermore, if consent is required to access state-provided services, many people may agree simply because they have no other way to access that care.
Ultimately, health care service providers – and everyone else – will have to comply with data protection legislation, once passed by Parliament. The current Bill already requires limits on the purpose of collecting, processing, sharing or retaining data; A use-based classification process would thus also bring the actors of the ABDM ecosystem into compliance with this law.
Rishabh Bailey is a lawyer and technology policy researcher based in New Delhi. Harleen Kaur is a Regulatory Affairs and Public Policy lawyer practicing in a law firm based in Delhi. Brinda Lashkari is Policy Associate at e-Government Foundation, Bangalore. Amey Ashok Naik is Head of Policy and Advocacy at e-Government Foundation, Bengaluru
,