ITfC seeks safeguards for use of aggregated data


“Anonymization of retained data should not be allowed to be used for indiscriminate and/or otherwise inappropriate data sharing…particularly with regard to the involvement of commercial actors,” said IT For Change ( ITfC), a Bengaluru-based think tank. response to the National Health Authority’s Health Data Retention Policy (HDRP) consultation document. Such a policy brings more data retention and changes for healthcare entities that may not have kept records earlier, the ITfC said.

The HDRP offers terms on how to handle citizen health data for entities enrolled in the government’s ABDM and, potentially, those that depend on it as well. The ABDM is the government’s project that aims to digitize citizens’ health records as well as develop analysis systems based on anonymized and aggregated health data for research, epidemiology and medical purposes. other purposes, among other components.

Misuse of this data could result in discrimination against, for example, a rare disease patient community or an ethnic group with unique genetic or other disease-related data. health who are sensitive. But, the ITfC found, the strict implementation of HDRP could make it a compliance burden for smaller healthcare entities.

How would ABDM be implemented?

NHA: How should the implementation of the policy be done in case the policy is made applicable to the ecosystem beyond the ABDM?

One of the key issues with the HDRP was whether the policy should apply to all health sector entities in India, including those that withdraw from ABDM (option 1) or only those entities that opt for the ABDM.

Restrict the application of HDRP: The ITfC suggested that the policy be rolled out gradually.

Advertising. Scroll to continue reading.
  • Initially, only facilities participating in the ABDM should be subject to the policy.
  • “Applying the policy to ABDM-registered ‘healthcare facilities’ first can, in a variety of ways, spur ‘healthcare facilities’ across the country to undertake appropriate digitization,” the think tank said.
  • Capacity building and awareness programs through the Indian Council for Medical Research and the National Medical Commission could push small healthcare institutions to digitalize.

The policy should also make clear which healthcare entities are and are not subject to it, as the policy could also become an excuse for entities to undertake non-consensual data processing or storage, the ITfC said. If it becomes necessary for other entities to be included over time, the ITfC suggested that they could be included after holding consultations. These entities should also be subject to other existing laws and regulations covering “traditional” healthcare entities, he added.

NHA: How can small clinics or centers, public and private, quickly and cost-effectively build capacity to take on the responsibility of data retention for long periods of time?

The NHA should help small clinics obtain resources: The ASN should supplement the budgets of public health establishments initially to help with the purchase of data storage facilities. Additionally, they should also build the negotiation skills of smaller facilities, related to security and data access issues, as well as create a list of service providers.

The Internet Freedom Foundation had also similarly suggested that the NHA provide financial support to smaller or public health facilities.

How should retention periods be specified in the policy?

NHA: What should be the ideal duration for these different types of health data? Should an overall retention period be adopted for all health records in India or should different schedules be set according to classification? What is the best retention approach?

The classification of data should keep in mind their purpose and nature: The ITfC advocated for more granularity in data classification, saying that the principle of minimization should be kept in mind and that data granularity captures key attributes, findings and trends related to that data. This would ensure that data that is less important to retain is not over-retained and that which is more important is not under-retained, he said.

“For example, data that can be used for research purposes (such as cancer diagnostic images) should have a longer retention period with adequate safeguards against misuse.” —ITfC

The policy should be very clear about what data is included in it, although the ITfC said other types of data could be added following consultations.

Concerns about sharing non-personal data

Disposition to opt out of sharing non-personal data: Citizens should have the ability to opt out of sharing their data in an anonymized or aggregated form for research and other purposes, through an opt-out provision in particular, the ITfC suggested. In response to the HDRP’s provision to block health data where it cannot be deleted due to legal requirements, the ITfC cited examples from the UK and Canada:

“For example, UK National Health Service (NHS) launched a national ‘opt-out’ program in 2018 which created a single, system-wide opt-out point for patients who do not wish to have their data shared outside the NHS for research planning purposes , and provided a mechanism for people to register their choice.”

“For example, in Ontario, Canada, the “post office box provision” allows a healthcare facility to put patient data in a sealed envelope for the retention period when the patient wishes the data to be deleted, which then cannot be disclosed without consent, or if the law requires otherwise.

Advertising. Scroll to continue reading.

In contrast, the Federation of Indian Chambers of Commerce and Industry (FICCI) has fought for the sharing of anonymized data for reference and analysis purposes in epidemiology, clinical data analysis, machine learning, etc. This could be done by deleting all PHI (personal health identifiers) and then storing them permanently on cloud-based servers, FICCI said.

Prohibition of discriminatory uses of this non-personal data: The ITfC suggested that rules, codes and regulations be put in place to protect against data harm and benefit sharing from the use of (non-personal) data, as the healthcare sector is tightly regulated. Sharing non-personal health-related data can be harmful and ITfC further found that:

  • Non-personal and anonymized data is not regulated by any law
  • The second draft report of the Committee of Experts on the non-personal data governance framework recommended legal provisions both for the prevention of collective harms by imposing a “duty of care” obligation on collectors of non-personal data and by allowing any member of the community/group concerned to bring to justice any complaint of collective harm.
  • The report also provides a legal basis and means for benefit sharing related to the use of non-personal data related to a group or community.

Questions ITfC does not answer

    1. Given that the ABDM has an opt-out clause, in such a scenario, what might be the possible implications from a health data retention perspective?
    2. Should there be a provision to extend the duration or retention of health data under the proposed policy? What considerations should be taken into account in defining the guidelines, allowing for such an extension?
    3. Who will have ultimate authority to oversee and enforce health data retention? Which entity in the ecosystem should deploy this policy at the macro level?
    4. How to ensure business continuity in the event of a collapse of the establishment, the platform or the service providers?
    5. Will the governance model according to the health data management policy be sufficient for the retention policy?
    6. How will policy regulations be enforced and what should be the structure among relevant entities responsible for health data retention?
    7. Is there another model or policy approach that could be considered?

This message is published under a CC-BY-SA 4.0 license. Feel free to repost on your site, with attribution and a link. Adaptation and rewriting, although permitted, must be faithful to the original.

What will be the future of digital health in India?

Do you want to follow the digitalization of health in India but you don’t have the time? Relying on content scattered across the web makes it harder than necessary.

Subscribe to MediaNama and get accurate and timely updates on tech policy developments in India and around the world.

Read also :

Do you have something to add ? Subscribe to MediaNama here and post your comment.

Advertising. Scroll to continue reading.

Comments are closed.