Health Data Management Policy: A Reckoner


As discussions progress around the Health Data Management Policy, Number13 brings you everything you should know about National Digital Health Mission.

Prime Minister Narendra Modi announced the National Digital Health Mission during his Independence Day speech on 15 August 2020. This is a major step towards fulfilling the idea of building a Digital Health Technology Ecosystem. The National Health Policy 2017 envisioned this idea, which includes setting up the National Digital Health Authority (NDHA). The goal of such a policy initiative is ‘delivery of better health outcomes in terms of access, quality, affordability, lowering of disease burden, and efficient monitoring of health entitlements to citizens.’ The recently released health data management policy is a preliminary step towards achieving this goal. Although the initiative has been widely accepted, skepticism is also widespread among privacy experts and public health experts. Undoubtedly, this policy is going to transform India’s health sector. Let us understand the most important aspects of this policy which are currently available for citizen inputs.


The National Digital Health Mission has a guiding principle of ‘security and privacy by design’ to protect an individual’s data privacy. The policy document is a guidance document for the National Digital Health Ecosystem (NDHE). It sets out the minimum standard for data privacy protection required for compliance. The national digital health blueprint released in 2019 recommends a federated architecture for managing NDHE. The data collected will be stored at three levels – national level, state or union territory level, and health facility level. Given this, a framework needs to be developed to ensure uniformity at various levels. The objective of the policy is to ensure that this framework is adopted at every level to ensure data privacy. This is key to ensuring trust across NDHE.

Apart from ensuring privacy, this policy also aims at the portability of data across the country. It also aims at establishing proper auditing mechanisms to ensure compliance within NDHE. According to the policy document, this health data collection is purely voluntary and based on consent. Consent for data collection follows international standards like ISO/TS 17975:2015. Increasing public awareness of data privacy and instilling a privacy-oriented mindset is also one of the objectives of this policy.

Some definitions

The policy defines anonymization, de-identification, and pseudonymization. These three processes remove any identifiable information from personal data. Personal data is data about a natural person that helps to identify that person. This includes a health ID as well as a personal health identifier, which will be part of the health records. The policy also defines ‘sensitive personal data’. This includes every form of data around health, finances, sex life, sexual orientation, biometric data, caste, and religion.

Another key definition is ‘data fiduciary’. It is a person, State, company, or juristic entity which will process personal data. This would include health information providers and users. A person whose data is collected is called a “data principal”.

What data will be created and collected

An important step in digitizing the health infrastructure is the creation of a health ID for every individual. A health ID is an entry point into the NDHE and makes that individual part of the ecosystem. The National Health Authority is responsible for the creation of this ID. Aadhaar or any other identification mechanism can be used to authenticate the health ID created. The creation of a health ID is voluntary. The ownership of the data collected against the health ID lies with the individual, who is also called the “data principal”. IDs will be created for health practitioners and health facilities following a procedure similar to the creation of an individual health ID.

Obligations of data fiduciaries

Data fiduciaries are expected to ensure privacy, transparency, and accountability by various means. It is mandatory to strictly adhere to consent-related guidelines whenever data sharing happens across fiduciaries, health institutions, and various other agencies. Sharing of data is possible after anonymization and de-identification. Sharing is also possible when data is in an aggregate form for research. Data fiduciaries should also ensure that there is privacy by design. A privacy impact assessment is a mandatory step before data processing. The data fiduciary is responsible for ensuring that data processors adhere to privacy norms.

Law and Governance Structure

Data fiduciaries should comply with all the existing applicable laws, according to the policy. The National Health Authority (NHA) will specify the governance structure. There will be committees at all the three levels – national, state as well as health provider level – which will help implement NDHM. These committees will also have a data protection officer (NDHM-DPO) who will be a Government employee. This officer will be responsible for communicating with various stakeholders and regulators on matters concerning data privacy. The NDHM-DPO shall also serve as an escalation point for decisions related to the governance of data. Ministry of Health and Family Welfare (MoHFW) and Ministry of Electronics and Information Technology (MeitY) will provide the necessary guidance to NHA on aspects of NDHM related to those ministries.

Consent Framework

Data fiduciaries can collect personal or sensitive personal data as per the policy. This policy governs the consent framework for such data collection. There are certain governing principles which this framework should incorporate. Complete control and decision making power over the collection and processing of sensitive personal data should lie with the data principal. Appropriate technological measures should be part of the framework in case of electronic consent. This should conform to national and international standards. The technical design of the consent management framework should be interoperable across various levels of NDHE. The consent framework should also seamlessly function across applications, platforms, and programming languages.

Consent given by a data principal is valid only if it is free, informed, specific, clearly given, and capable of being withdrawn. It must also comply with section 14 of the Indian Contract Act 1872. A privacy notice is a mandatory requirement for obtaining consent. If the data collection agency changes its privacy policy or purpose of data collection, obtaining fresh consent is mandatory. Data principals can give consent directly or via an agent. The consent can be either digital or physical. Parents or legal guardians are responsible for giving consent for personal data about a child. A nominee is responsible for the same in the case of a seriously ill or mentally incapacitated person.

Grievance Redressal and non-compliance

Given the huge set of guidelines, NDHM requires a regulatory framework to ensure compliance and punish violations. Health data management policy envisions a regulatory mechanism around NHA to handle such scenarios. An incident management system will handle issues of data breach and data privacy violation. NDHM-DPO is the officer responsible for ensuring compliance. The DPO is also responsible for taking necessary actions in case of non-compliance. In case of policy violations and non-compliance, the specific entity will lose its registration within the digital health ecosystem.

A mammoth task for NHA

The policy document has elaborated on the rights of data principals and the obligations of data fiduciaries. While data fiduciaries are obliged to conform to privacy guidelines, identifying violations lies with the government agencies. The scale of the needed infrastructure is massive. Building the capabilities required to ensure strict adherence to the guidelines looks like a mammoth task. While the policy document has tried to detail the privacy requirements, the institutional structure needed for implementation is still not very clear from the document. It also remains to be seen how data principals can hold the agencies responsible every time a violation of privacy happens.
