Weighing in on a health data retention plan

News:  Recently, the National Health Authority (NHA) has initiated a consultation process on the retention of health data by healthcare providers in India. NHA administers the Ayushman Bharat Digital Mission (ABDM).

Why a privacy-centric policy is needed for health data retention plan?

One, health care access is not in good shape in India. Thus, many patients may not think about data factors while choosing healthcare providers in practice.

Two, the SC of India has declared that privacy is a fundamental right and any interference into the right must pass a four-part test: legality; legitimate aim; proportionality, and appropriate safeguards. The mandatory retention of health data is a form of interference with the right to privacy.

Three, NHA is not a sector-wide regulator. Hence, it has no legal basis for formulating guidelines for healthcare providers in general.

Four, the consultation paper has suggested a classification system to retain data. But it exposes individuals to harms arising from over-collection and retention of unnecessary data. Also, a one-size-fits-all approach can also lead to the under-retention of data that is required for research or public policy needs.

Hence, data should be classified based on its use. Health data that is not required for an identified purpose should be anonymized or deleted.

Five, there is a need to balance the benefits and risks involved with health data retention. Health data provides greater convenience, choice, promotes research and innovation. But globally, health data are considered sensitive and improper disclosure can cause significant harm.

Six, according to Indian law, if an individual’s rights are to be curtailed due to anticipated benefits, then those benefits must be clearly defined and identifiable.

What are the challenges associated with health data retention?

First, there are issues with the informed consent of the individual. In India, patients rely on the expertise and advice of doctors. Hence, the idea of informed consent is difficult to apply.

Also, if consent is made necessary for accessing state-provided services, then many people will agree because they do not have any other way to access that care.

Second, the standards for anonymization and methods of anonymization are still developing. Also, anonymization is not the least intrusive solution to safeguarding patients’ rights in all scenarios.

What is the way forward?

First, efforts must be made to minimize the extent of data collected, and it should be stored only for the required amount of time so that the likelihood of any breach can be prohibited.

Second, a use-based classification process will bring the ABDM ecosystem in compliance with the data protection bill which has proposed limitations for collecting, processing, sharing, or retaining data.

Three, the test for retaining data should be clear, and a rigorous process should be followed under the suitable authority.

Four, data should be anonymized if collected for research purposes, unless a specific case is made for keeping personally identifiable information. If neither of these safeguards is applicable, then the data should be deleted.

Source: This post is based on the article “Weighing in on a health data retention plan” published in The Hindu on 7^th Feb 2022.