Monday, 27 March, 2023
HomeOpinionRoe v Wade saga shows India must reform health data policy. Protection,...

Roe v Wade saga shows India must reform health data policy. Protection, privacy not same

India’s health data policies assume that enabling data sharing and interoperability will lead to desirable outcomes. But this approach comes with its own risks.

Text Size:

On 24 June, the US Supreme Court overturned its 1973 decision on Roe v. Wade, which allowed women to choose whether they wanted an abortion. In the aftermath of this ruling, several human rights advocates highlighted how inadequate safeguards harm the autonomy people exercise over the most sensitive parts of their lives. A Surveillance Technology Oversight Project report identifies ways in which police, prosecutors, and private entities can exploit lax privacy safeguards in menstrual health and fertility apps to monitor women’s bodies and enforce the abortion ban.

There are two important takeaways for Indian policymakers from a technology policy perspective. First, the safeguards to protect intimate information on health apps are inadequate. Second, they leave scope for private parties to exploit and the government to hound individuals.

The Supreme Court of India decision in Justice K.S. Puttaswamy vs Union of India affirmed that the government must guarantee the right to privacy to all citizens. Health data protection warrants an exceptional regulatory approach due to the intimate nature of information that users may share, and requires a higher degree of protection than general privacy safeguards. At the same time, India has a burgeoning e-health industry. An Inc42 report estimates that the telemedicine market will be worth $5.4 billion by 2025. The government needs to balance the potential socio-economic benefits of health services delivered via technology with the obligation to guarantee privacy to all its citizens. And this will require a nuanced approach towards health data regulation.

Also read: India is in a ‘red state blue state’ mindset. But it’s different from the American one

Flaws in India’s health data policies

Currently, there are two problems that plague regulation of health data in India. First, there is no shared understanding on what constitutes ‘health data’ in several laws and policies related to the subject. For instance, the Information Technology (IT) Rules 2011 consider only data related to physical, physiological and mental health as sensitive personal data that requires reasonable security practices for protection. However, these rules do not focus on health data.

Subsequent laws and policies have attempted to define the issue more clearly, but differences remain. Lack of uniformity is a problem because there is no clarity on how these frameworks interplay with one another. In its strategy overview document, the National Digital Health Mission (NDHM) states that “personal health data” includes information about an individual’s health conditions and treatments. In contrast, the draft Digital Information Security in Healthcare Act 2018 (DISHA) offers a  far more detailed definition of digital health data, covering information about a person’s physical and mental health, health services provided to them, donations of a body part or substances, and information derived from tests or examinations. However, the Data Protection Bill 2021 (DPB) has a narrower definition, which states that  health data includes “data related to the physical or mental health of the data principal”. Such lack of uniformity can fragment the privacy landscape on the issue, leaving users vulnerable to harm.

Second, most of these frameworks do not reflect the scope of health data collection today, or the surveillance harms that can arise from it. Many existing policies look at the subject as a resource that can be used to create a national digital health ecosystem. They primarily focus on its collection, storage and shareability to improve research and public health outcomes. Therefore, they pay disproportionate attention to data collected by hospitals, clinical establishments or insurance companies. However, health data collection today includes gathering information that is non-clinical. Fitness trackers and smart watches collect information on an individual’s heart rate, sleep and activity levels. There are also mobile applications that collect sensitive details about an individual’s menstrual cycle and their mental health. While draft laws like DISHA and DPB are oriented towards protecting the privacy of clinical health data, it is unclear whether they are sufficiently equipped to address this situation.

Such a legal and policy vacuum can potentially make private parties exploit health data, as people increasingly use products and services that leave behind a digital footprint. It can also make it difficult to address surveillance harms arising from government or law enforcement access to health data from apps or Internet-of-Things (IoT) devices. In the aftermath of Covid-19, the central government and several state governments used contact tracing apps to track the spread of infection. There were at least 19 such apps in use at the central and state levels, according to some estimates. Many of these apps posed privacy concerns. While the Aarogya Setu app allegedly collected far more health data than required for contact tracing, Tamil Nadu’s CoBuddy app used facial recognition technology to monitor citizens’ health condition and location. This could enable the creation of larger surveillance architecture that outlasts the pandemic, at the central and state levels.

Additionally, law enforcement agencies can access health information about an individual via wearable devices. For example, Fitbit’s privacy policy allows the disclosure of information in response to any government request. In jurisdictions such as the US, academics are considering ways to devise procedural safeguards that regulate law enforcement access to such sensitive information.

Also read: India and US went pro-choice around the same time. Only one strengthened its abortion laws

Regulation requires nuance

India needs a comprehensive and unambiguous definition of health data. Legal texts such as the Data Protection Bill could include illustrative examples of health data, and accord protection regardless of the context in which such data is collected. This could nuance the approach the government took in draft laws like DISHA. It has a detailed definition for digital health data but it does not cover information collected by apps, the IoT ecosystem and non-clinical settings. Addressing this issue is an important step that will strengthen people’s rights over their personal health details.

At the same time, specific regulations on health data (like DISHA) could add a legal layer by creating subsets and laying down a differentiated approach based on their sensitivity. A graded approach is necessary because some information is more sensitive than others and data subjects should have absolute autonomy over such intimate information. For instance, they could have an unconditional ‘right to erasure’ over exceptionally sensitive information concerning, say, their mental health while rights over height and weight could be subject to conditions and state exceptions. Such an approach provides regulatory clarity for services that collect and process health data and guarantees autonomy to subjects over the most intimate information.

Finally, India’s policies regarding health data assume that enabling data sharing and interoperability will lead to desirable outcomes. However, such an approach may also pose risks. Post the overturning of Roe vs Wade, US scholars have pointed out how regulations that improve the flow of medical information work against women who wish to obtain abortions. India must take a cue from this and ensure that its health data policies do not compromise privacy while advancing social welfare.

The authors work at the Koan Advisory Group, a technology policy consulting firm. Views are personal.

This article is part of ThePrint-Koan Advisory series that analyses emerging policies, laws and regulations in India’s technology sector. Read all the articles here.

(Edited by Zoya Bhatti)

Subscribe to our channels on YouTube & Telegram

Support Our Journalism

India needs fair, non-hyphenated and questioning journalism, packed with on-ground reporting. ThePrint – with exceptional reporters, columnists and editors – is doing just that.

Sustaining this needs support from wonderful readers like you.

Whether you live in India or overseas, you can take a paid subscription by clicking here.

Support Our Journalism

Most Popular