The right to sign away your health data: The draft Health Data Management Policy

The draft policy is a step towards the commodification of health data. At a time when data can move quickly and easily without the person involved being aware, the issues of informed consent and redressal mechanisms is a deep concern.

health data

On Independence Day 2020, the Prime Minister announced a plan in his speech regarding the development of a nation-wide health ID programme to guarantee that every Indian would be counted by the National Digital Health Mission. On 26 August 2020, the Health Ministry announced a draft policy regarding healthcare data.

Originally the government offered very little time for comments, feedback and suggestions regarding the draft policy. This caused a blowback from many in the health sector saying that this was a serious matter which requires proper deliberation under normal circumstances, and during the COVID-19 pandemic, the health sector is overburdened. Feedback would hence be limited.

On reading, the policy appears to be a gateway to the telemedicine industry. While India has a Data Privacy Bill, it is not clear where medical data falls, and whether the current law can adequately handle the specific legal challenges that health data throws up. For example, in cases where a person is unconscious, or is a child, or otherwise incapacitated, they cannot provide consent. The current policy seeks to address those challenges and make the law surrounding medical data, its use and its transfer clearer.

The policy is a step towards the commodification of health data. It creates a framework allowing for informed consent regarding the use and movement of data and provides contingencies when a person cannot provide consent. The policy is weak on redressal mechanism, meaning that if someone’s privacy is abused, it would be difficult for that person to get justice. At a time when data can move quickly and easily without the person involved being aware, this is a deep concern.

Right to Privacy & Health as Property

Many groups have tried to raise this issue as one of privacy, but it strikes at a deeper level. To begin, there is a difference between what belongs to you, and what your property is. Your property can be bought, sold, and transferred. There are things that belong to you but cannot be bought, sold, or transferred. Our lives, bodies, relationships, and identities belong to us, but the rights to them cannot be bought, sold or otherwise transferred. If they could, we would be legalizing bonded labour and slavery.

The right to privacy might cover data that is so closely linked with our bodies, but the exact line around that right is murky. Our health data are extensions of our body. They make no sense without some reference to our body. This data is also only profitable to us, as it helps us maintain better health, but does not directly give us any monetary profit.

As individuals, we cannot profit off of our health data, but there are three ways our data can be profited off of. First, Health insurance companies can use our data to determine insurance rates. In a way, our visits to hospitals can be used against us to justify higher rates, as each visit gives them more information about the state of our health.

Second, data companies have learnt new ways, using new technologies to analyze health data. The linking of the Health ID to the Adhaar card or other national databases gives these firms a comprehensive database to profit off of our hospital visits.

Third, there has been a growing industry of telemedicine which tries to bypass the traditional hospitals and diagnose and prescribe treatment remotely.

“Real Consent” in Digital Age

The policy misleads regarding the protections it offers people by emphasizing informed consent. In the context of healthcare, consent has limited value. A patient seeking treatment is not in any strong position to give or withhold consent regarding matters of health data collection. If they refuse, they might put their health at risk.

Telemedicine might make matters to even more dangerous ends, as informed consent would become just a swipe on a smartphone. Telemedicine companies can promise that a comprehensive evaluation of one’s medical record would be required to give the best treatment, and this could easily be misused.

Beyond the issue of informed consent and the commodification of health, people have raised objections regarding the undemocratic nature of the practice. In a way, the State’s handling of the policy shows how informed consent can be misused if done the right way with little time to evaluate the policy.

Lack of Redressal Mechanism

Regarding the protection of a patient’s privacy, the policy offers many promises but does not properly layout the needed formal mechanisms or promises under the law that protect them. As such, the violation of property by third parties are in principle ruled out, but there are no stated remedies. While the policy spells out that certain types of data can be considered.

Most importantly, there is nothing in the policy to prevent the data from being used against someone economically. A company might request an algorithm to be applied to the data, which prevents social discrimination but does not prevent economic discrimination. This can be used by medical providers and insurance companies to adjust rates, or by potential employers.

While the law has been previously silent on the issue of health data privacy, health data in India has been notorious for being unreliable. The policy, which mandates a unique Health ID, provides the basis of a database. This health ID can be linked to any identification, but the Adhaar card is specifically mentioned in the policy as one possible link. If sufficient patients link their Health ID to their Adhaar card, it can create a national database on health data on Indians. As this law already is being passed in a hurry, it lays the groundwork for other laws that can use the data to serve any end.

With the growing connections between large data initiatives and the private health sector, there are many possibilities that this policy will open up. The policy was open for public consultation until 21 September 2020. The document can be accessed here.

Read More: Data Protection Bill: Protection of the State by the State and For the State

The author is a researcher based in Bangalore, India. Views are personal.


Independent journalism can’t be independent without your support, contribute by clicking below.

May 2024


Please enter your comment!
Please enter your name here