The Union government on January 27 directed all government and private schools and colleges in Puducherry to begin enrolling students to generate their Health Identification (ID) numbers. The move is, however, being called into question by privacy advocacy groups for being mandatory in nature, and over the lack of adequate legislation to protect the health data of individuals that is being collected.
On January 27, a circular was issued by the Puducherry Directorate of School Education directing schools to instruct parents to create Health ID for “all school-going children and their families”. The circular was based on a directive from the Puducherry Directorate of Health and Family Welfare issued on January 9.
The circular instructs parents of students to visit a website and generate the Health ID using an Aadhaar or phone number. The Health ID will be included in the school diaries and ID cards of students. The circular mandates 100% registration to be done on or before February 8 across schools and colleges in Puducherry.
#Puducherry education department is forcing parents and school students to create Digital health ID and link it with Aadhar number and mobile number.@fsmi_in @internetfreedom @digitaldutta @kiranychandra @FSFTamilnadu @SFLCin pic.twitter.com/tgWUTKtypz
— Prasanna Venkadesh (@imprashere) January 29, 2021
As part of the National Digital Health Mission (NDHM), the Union government aims to create a National Digital Health Ecosystem (NDHE) and infrastructure by generating a Health ID for each Indian citizen.
Some of the benefits of the Health ID, according to the government circular, include allowing citizens to choose between health facilities for services, telemedicine from across the country, and providing digital health records making it easy for patients to access old health records. The Health ID also aims to make it easy for citizens to get enrolled with insurance agencies and Third-Party Administrators (TPA) for insurance, etc.
The enrolment is being carried out on a pilot basis across six of the nine Union Territories across India, says Software Freedom Law Center (SFLC), that provides legal representation and other law related services to protect and advance Free and Open Source Software.
Venkatesh is one of our most active #Members, always willing to give us rich feedback on our work!
— The News Minute (@thenewsminute) February 8, 2021
Here, he tells you why you should become a @thenewsminute #Member.
Sign up now!https://t.co/OvZvpqm3Wd pic.twitter.com/dGB06MKHNP
The NDHM: Health Data Management Policy claims that the enrollment is voluntary. The policy document also claims that the use of Aadhaar for generating Health ID is optional, and that the failure or refusal to use Aadhaar would not result in denial of access to any health facility or service.
However, the circular issued to the Directorate of School Education fails to mention these points and directs using either Aadhaar or a phone number to generate the Health IDs.
The Union government has also linked the Co-Win portal for COVID-19 vaccine enrolment to the NDHM: Health Data Management Policy. TNM had earlier reported that all healthcare workers in the country who had to provide their Aadhaar to get registered for the vaccine had Health IDs automatically generated for them, without their consent.
Kamalavelan, Secretary, Free Software Hardware Movement (FSHM) Puducherry, an advocacy group working on awareness on technology, and its impact on governance and society, says that through the Health ID the Union government is intending to create a central database of information on all citizens. “So the way it is intended to help people is that every time you jump between doctors and hospitals, you will have a complete health record attached to you as an individual. But the problem is with the way it’s being implemented. This is not a fully government-run project,” he explains.
Prasanna Venkadesh of the Free Software Foundation Tamil Nadu (FSFTN), a nonprofit organization promoting computer user's freedom and rights of all free software users, points out that private engineering colleges in Puducherry have also issued circulars asking students to enrol and generate Health IDs. “Linking all the three forms of unique identification numbers – phone number, Aadhaar and Health ID – is problematic. A phone number helps identify your location, Aadhaar helps track your financial transactions and the Health ID, your health. It makes the citizen transparent to the state.”
In the NDHM: Health Data Management Policy, the Union government’s role is to lay down the rules upon which third party 'Health Information Users (HIU)' (like hospitals, bioinformatics companies, insurance companies, pharmaceuticals) will operate. The HIU are invited to build applications around the rules and provide services to the citizens.
“The policy doesn’t say if the implementing body is government or private, it just says bodies at the state or local level. What we don’t know is what kind of access the private party will get. Will it be the entirety of your health history and medical information or will it be a section of the data? For example, will it be your history related to renal failure or just your medical history for the past two years? This kind of scope-specific privacy is not defined in the policy. The policy just says it will adhere to the best data practices and the Personal Data Protection Bill, 2019, which is yet to be passed, but they have begun rolling out the Health ID,” says Kamalavelan.
The Information Technology [Intermediary Guidelines (Amendment) Rules] 2018 allow private players to retain user data for a certain period of time, points out Kamalavelan. “Thus, the data will be in the hands of private players, not the government. The data will be fragmented. You can’t litigate against anyone if it’s leaked as you will not know from where the data was leaked,” he said, adding that at rural Public Health Centers (PHCs) in the Union Territory, private agencies are already handling the data of citizens.
He also points towards RBI’s Consumer Focused Data Sharing Regulation which came into effect in 2019, and legalised data sharing by financial players. The policy enables private firms handling citizen health data to share that information with others. “The companies will know who they are sharing the data with but the person whose data is being shared will not know. When NDHM becomes a full force without a strong Personal Data Protection Act, it paves the way for private parties taking part in the NDHM digital ecosystem to share a person’s health data legally among themselves and with their partners, who could be pharma companies, health insurance providers, and hospital chains,” Kamalavelan notes.
In the short-term, the impact could be targeted advertisements pushing the public to buy products.
“Health data is sensitive and private data, anything with respect to such data will be governed by the data protection law as it's an overarching framework,” says Prasanth Sugathan, legal director with SFLC. He calls for more public consultation and passing of the Personal Data Protection Bill before the rollout of Health IDs, “There should be more consultations, informed discussions with all stakeholders before a roll roll. Look at the confusion it creates, they say it's voluntary while it's kind of mandatory. We saw this earlier with the roll out of Aadhaar, then with Arogya Sethu and now with Health ID. It’s better to get more consensus, consider security and privacy aspects, make sure you have the processes in place before a roll out. The priority should be to have a law in place which governs the basics of data collection,” he adds.
Prasanna with FSFTN is of the view that with the Personal Data Protection Bill yet to become a law, pushing and enrolling people into this digital health ecosystem is problematic.
“Schoolchildren especially are unaware of the implications of their privacy being compromised. We’re already seeing some students sharing their Health ID in chat groups, it’s a unique identification number. They take this as homework and parents just follow instructions. There is clearly no literacy on privacy… These are areas of concern. If they understood how the data will be used and then gave consent, there is no problem, it’s an informed choice but here it’s coercion,” says the lawyer.
“Our problem is not with the Health ID, but about protection from misuse. This should only be used for providing services and not to gain profit,” said Prasanna.