India’s Digital Health Mission: A Step in the Aadhar Direction?

Data privacy forms a fundamental part of any policy. It creates a trustworthy relationship between the citizens and the government. Modern-day schemes provide the user with an option to provide his consent to provide the data, thereby safeguarding his right to privacy.

The right to privacy is one of the most significant rights available to a citizen. It forms the basis of his existence within society. It helps him avoid unnecessary State intrusion within his private affairs. Further, it enables him to share information to the extent which he feels is desirable to share. The citizen controls any information shared with the government. He may also opt out of a policy if he apprehends State interference.

Distributing unique health ID cards under the Digital Health Mission at the national level enables the Central government to create a digital database of citizen health records. However, to succeed in its endeavour to do so, the State must be cautious not to invade its citizen’s privacy as it jeopardizes its credibility. The author aims to precisely analyze the data privacy issue and the different aspects of privacy through this article.

Explaining the ambit of Informational Privacy through the lens of the National Digital Health Mission

Biometrics forms the core of an emerging trend of policies establishing personal identity. Recently, the Prime Minister announced that the National Digital Health Mission also includes distributing unique health ID cards. It purports to lay out disease details, diagnosis reports and medication reports.

For assuaging data privacy concerns, the National Digital Health Blueprint, 2019^[1]creates a five-layered digital architectural infrastructure for strengthening privacy. Further, it states that data safety and privacy are the most crucial elements for the scheme to be a success.

The EHR Standards for India in its Security for Electronic Health Information^[2] specify that the security requirements and technology employed for safeguarding citizen data are business decisions left upon the enterprise. 

The Security Technical Standards^[3] permits authorized users to access health information. Further, it grants them unfettered access to such records. However, it is permissible only in a life-saving situation.

Distributing a unique health ID facilitates the creation of a citizen’s digital ID within a unique ecosystem. It draws a parallel to the government’s aggressive push for its citizens to mandatorily use Aadhaar card in its preceding term. There were legitimate concerns about Aadhaar breaching citizen privacy when several reports informing about UIDAI’s contact number being automatically saved in the citizen’s mobile devices surfaced.  

Subsequently, the way forward was voluntary compliance. Thus, the government’s imposition for mandatory compliance was uncalled.  

Privacy enables a person to be left alone. Such a right is inviolable in itself. It essentially forms the core of personal liberty and dignity guaranteed to an individual within the ambit of his Fundamental Rights. It is available only to persons. However, societal relationships govern its essence. 

Privacy includes both negative and positive aspects. On the one hand, obligates the State to take measures for safeguarding an individual’s privacy. On the other hand, it guarantees protection from unwanted State intrusion.

In the context of the National Digital Health Mission, it includes an individual’s right to grant consent for collecting and using his data. Thus, the State cannot forcibly obtain his approval for the collection and management of his health data. Further, it rectifies the anomaly faced by the Aarogya Setu application, which required individuals to grant continuous Bluetooth and location access, thereby invading privacy.

Enabling his consent to data collection under the unique health ID card scheme safeguards his right to privacy. He may decline giving consent under the Digital Health Mission if he apprehends data misuse by the State. It fulfils his subjective desire to be left alone. Further, it disables constant State intrusion in his affairs. 

Information gets rapidly disseminated in the modern technological age. Therefore, it becomes imperative to protect it from wrongful circulation. The right to privacy includes the right of informational privacy within its ambit as such information may be wrongfully dissemination. In such a case, an information provider may be unaware of its wrongful circulation.

Thus a user may provide information only if he is reasonably satisfied that it fulfils State interests. Further, he must have the assurance that it is not misused. Further, the State must fulfil its duty to protect and safeguard a citizen’s personal and medical information.

Thus, when a person hands over his documents to any public institution, his right to privacy remains untouched since he reasonably expects that it is being used for the desired purposes. Thus, attaching a reasonable expectation is crucial as it safeguards an individual from power being arbitrarily exercised by the State machinery.  

Its ambit must include respecting the privacy and bodily autonomy of a woman while collecting medical information; else it violates her right to live with dignity under Article 21.^[4]  

Other Policies:

Draft Digital Information in Security in Healthcare Act^[5]: It seeks to enforce and regulate security and privacy measures for electronic health data. Further, it calls for creating e-health regulation authorities at both Central and State levels for managing health information exchanges.                                                                                                                                                                       

Open Application Programming Interfaces (API) Policy^[6]:  It ensures that relevant information, data and functionalities is shared safely across multiple e-governance platforms.                                                                                                                                    

National Cyber Security Policy^[7]: It seeks to protect citizen data during process, handling, storage and transit across multiple platforms in the event of a cyber attack.

Information Technology Act Rules, 2011^[8]: The Rules stipulate the publication of a privacy policy on the website of a body corporate collecting personal information. Further such body corporate must provide the user of consenting to provide such information. It must be used only for the desired purposes.                                                                                                                                                                                                                         

Elucidating upon the facets of the term “Privacy” through judicial precedents.The link between privacy, liberty and dignity

The Supreme Court in the KS Puttaswamy case^[9]declared that dignity under Article 21 includes the right to privacy within its purview. Despite it being an inviolable right, it is governed by an individual’s societal relationships. The judgment^[10] further stipulates that the right to privacy recognizes an individual’s autonomy over his mind and body; enabling him to live a dignified life.

Thus the check and balance should be that such a law does not affect a citizen’s privacy. Maneka Gandhi’s case^[11] strengthens the point by holding that privacy forms an unbreakable link with human liberty, which forms a crucial part of Article 21. However, the Gobind^[12] case cautions that such a right must be placed in consonance with other rights and values.

Surveillance in criminal cases

The Supreme Court in Malak Singh vs. State of Punjab & Haryana^[13] held that even though curbing crimes is a fundamental function of the police force, but if the surveillance is intrusive, it encroaches upon a citizen’s right to privacy. It further emphasised that police visits must be reduced to a bare minimum. They confined to those living criminal lifestyles.

The US Supreme Court decision in Wolf vs. Colorado^[14] strengthens Malak Singh’s^[15] observations by holding that police intrusion into a citizen’s privacy nullifies the guarantee afforded by the Fourteenth Constitutional Amendment.

Informational Privacy

In Bihar Public Service Commission vs. Saiyed Hussain Abbas Rizwi ^[16] where a public-spirited citizen sought information from the Commission on several issues, the Supreme Court held that public interest must be held as a balancing factor between the right to privacy and the right to information when information concerning public interest is sought.

Telephonic Conversations

In Amar Singh vs. Union of India^[17], where a telephone service provider did not verify the contents of a conversation and proceeded to act irresponsibly, the Court held that by intercepting a person’s telephone conversation, the Company had invaded such person’s privacy.

Justice Stewart while writing the majority opinion in Katz vs. United States^[18] held that a person occupying a telephone booth is entitled to assume that the world at large shall not know about his speech contents in the mouthpiece. Further, this judgment^[19] also stated that electronic and physical intrusion in a private space violates the Fourth Amendment to the US Constitution.

It also laid the reasonable expectation of privacy test which stipulates that the Fourth Amendment protects people, not places.

Medical Information

In NM & Ors vs. Smith & Ors^[20]it was held that a person’s health information is highly sensitive as it involves questions about his/her personal and bodily autonomy along with his/her psychological identity. Thus such information must be safeguarded under the right to privacy.

Further, the Puttaswamy^[21] judgment stipulates that the right to privacy includes the right to provide confidential medical information. Suchita Srivastava’s^[22] case also clarifies that the ambit of the term ‘liberty’ under Article 21 of the Constitution extends to a woman’s right to make an informed reproductive choice along with the use of contraceptives.

However, in Mr X vs. Hospital Z^[23], it was held that the appellant’s non-disclosure’s about his HIV infection did not result in a breach of privacy since it violated Ms Y’s right to lead a healthy life.

Prisoner’s Right to Privacy

In R. Rajagopal vs. State of TN^[24] the Supreme Court endeavoured to remove the conflict between the right to freedom of the press and the right to privacy by holding only such a part of a prisoner’s story can be published that is available in the public domain.

In Selvi’s case^[25] it was held that the right to privacy intersects with the right against self-incrimination. Thus no person can be forced to testify against himself when he is in custody. Such an act intrudes his mental privacy, thereby further stigmatizing him.

Conclusion

The right to privacy includes the right to informational privacy. Governments must be careful not to interfere within the citizen’s personal domain. They must maintain citizen trust. The citizens and government machinery both benefit from the creation of electronic medical records as it ensures ease of access. Further, it avoids creating multiple records. Thus it avoids loss of documents and facilitates ease of checking a patient’s history. However, such information should not be collected by putting a citizen’s confidential data at risk. The Central and State governments must cooperate to ensure its protection.

The government must ensure that it does not mandatorily impose its agenda upon the citizens to avoid an Aadhaar style controversy. It implies that even though it seeks to attain maximum coverage for its schemes, it must ensure that the scheme remains voluntary in nature. Further, citizens must not be coerced into submitting their data under the garb of ‘public interest’.

In this regard, while the on-paper creation of a five layered infrastructure for data protection looks promising, it is hoped that the government maintains its trustworthiness among citizens during policy implementation.

About The Author

Photo Source:eef.org

1. National Digital Health Blueprint Report For Public Comments (Oct. 28, 2020, 11:51 A.M.) https://main.mohfw.gov.in/newshighlights/national-digital-health-blueprint-report-public-comments ↑

2. Data Privacy and Security, HER Standards for India (Nov. 1, 2020, 12:15 P.M.) https://www.nrces.in/standards/ehr-standards-for-india#security_of_electronic_health_information ↑

3. Security Technical Standards, HER Standards for India (Nov. 1, 2020, 12:20 P.M.) https://www.nrces.in/standards/ehr-standards-for-india#securuty_technical_standards ↑

4. Constitution of India, Art. 21 ↑

5. F.No Z-18015/23l2017-eGov, Ministry of Health & Family Welfare (Nov. 1, 2020, 12:22 P.M.) https://www.nhp.gov.in/NHPfiles/R_4179_1521627488625_0.pdf ↑

6. F.No. 1(4)/2014-EG II, Ministry of Communications & Information Technology (Oct. 31, 2020, 11:54 P.M.) https://www.meity.gov.in/writereaddata/files/Open_APIs_19May2015.pdf ↑

7. National Cyber Security Policy, 2013, Ministry of Communications and Information Technology (Nov. 1, 2020, 12:05A.M.)
   https://www.meity.gov.in/writereaddata/files/downloads/National_cyber_security_policy-2013%281%29.pdf ↑

8. Notification, Ministry of Communications and Information Technology (Nov. 1, 2020, 12:15 A.M.) https://www.prsindia.org/uploads/media/IT%20Rules/IT%20Rules%202011.pdf ↑

9. KS Puttaswamy vs. Union of India, (2017) 10 SCC 1 ↑

10. Supra note ix ↑

11. (1978) 1 SCC 248 ↑

12. [(1975) 2 SCC 148 : 1975 SCC (Cri) 468] ↑

13. 1981 AIR 760, 1981 SCR (2) 311 ↑

14. 338 U.S. 25 (1949)

    ↑

15. Supra note xiii ↑

16. (2012) 13 SCC 61 ↑

17. (2011) 7 SCC 69 ↑

18. 389 U.S. 347 (1967)↑

19. Supra note xviii ↑

20. [2007] ZACC 6; 2007 (5) SA 250 (CC); 2007 (7) BCLR 751 (CC)↑

21. Supra note ix ↑

22. (2009) 14 SCR 989 ↑

23. SC/0733/1998↑

24. 1995 AIR 264, 1994 SCC (6) 632 ↑

25. 2010 (7) SCC 263 ↑