Any discussion about universal health coverage seems incomplete without the mention of “digital health” – the use of information and communication technologies in health interventions and services.

As a consequence, the G20 Health Ministers’ meeting in New Delhi included the launch of the Global Initiative on Digital Health to help countries implement national digital health systems and applications.

While digital health’s potential to advance universal healthcare is acknowledged, it also comes with its own pitfalls, such as the collection of personal information by governments and private organisations that risks the privacy of sensitive health data. It can also exacerbate existing inequalities in access to health services. Human rights law, thus, mandates that digital initiatives respect the right to confidentiality, privacy, autonomy, equity and non-discrimination.

The aim of the global initiative will be to implement the Global Strategy on Digital Health 2020-’25, which provides a framework to advance digital health globally. Among other things, it recognises the importance of a strong legal and regulatory base to protect the privacy, confidentiality and security of health data.

However, India’s new data protection law, the Digital Personal Data Protection Act, 2023, which came into force in August, neither meets the standards set out in the global strategy document, nor the privacy judgement of the Indian Supreme Court.

In 2017, the Supreme Court had reaffirmed the right to privacy as a fundamental right under the Constitution. The verdict had emphasised that digitalisation should be embedded in a rights-based legal framework that protects the right to autonomy and privacy from abuse by state and non-state actors.

Despite the risks posed by data-gathering devices, apps and services that have become common today, the Digital Personal Data Protection Act does not treat digital health data as sensitive information.

While the Indian government is accelerating digitalisation in the health sector, it is betraying its commitments to anchoring this process in rights-based approaches. In doing so, it is leaving large sections of the population vulnerable to cyberattacks, data breaches and leaks, surveillance by state and non-state actors and the possible misuse of information. Such vulnerabilities risk harming individuals, eroding trust in the health system and undermining the objectives of universal healthcare.

A crowded public hospital in Rajasthan during a doctors' strike in March. Credit: PTI.

Health data is no longer sensitive data

The global digital strategy emphasises that health data should be classified as sensitive personal data that requires extra security. Rule 3 of India’s Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, recognises that information relating to physical, physiological and mental condition, sexual orientation and medical records and history is sensitive personal data, and provides privacy and data security safeguards.

Rule 8 requires corporations dealing with sensitive personal data to implement “reasonable security practices and procedures” that are audited at least once a year.

The rationale is that leaked health data could expose individuals to mental and physical harm, including stigmatisation, discrimination, identity theft, fraud and potential violence from those who hold prejudices towards some health conditions.

But the Digital Personal Data Protection Act has obliterated any distinction between personal and sensitive personal data. The new act, which will repeal the 2011 information technology rules, puts health data at par with other personal data. One implication of this is that public and private entities dealing with health data, unless designated as significant data fiduciaries – entities that process personal data – under Section 10 of the Digital Personal Data Protection Act, will no longer need to audit their security practices.

Further, cyberattacks can bring health institutions and services to a grinding halt, jeopardising patient care and posing a security threat. In November, a ransomware attack on the servers of the All India Institute of Medical Sciences in Delhi disrupted healthcare and patient services at the premier medical institute for almost two weeks.

Are individuals in control of their health data?

The global digital strategy recognises that in a “people-centric digital health ecosystem”, consent is central while processing or sharing health data. The privacy judgement, too, acknowledged that an individual gets to choose how, when and with whom their personal data is shared. To do so, users must be provided with all the relevant information that will enable them to decide the limits to the collecting, processing and sharing of their health data.

However, the notice provisions under Section 5 of the Digital Personal Data Protection Act do not equip people to do so meaningfully. For instance, it does not require “data fiduciaries” to inform “data principals” (the user to whom the data originally belongs) about the third-parties with which their data will be shared, the duration for which it will be stored and if their data will be transferred to other countries.

Further, Section 7 of the Digital Personal Data Protection Act provides several circumstances where consent will be presumed for “certain legitimate uses”, including during medical emergencies, epidemics, disasters, disease outbreaks or any threat to public health. These blanket exemptions are undefined and vague, giving the government and private entities wide leeway to process personal data with impunity, circumventing parliamentary or judicial scrutiny and review.

The existence of a health emergency does not in itself dispense the government’s duty to respect individual autonomy and privacy. As the Supreme Court declared in the matter of Covid-19 vaccine mandates in May last year, the government has to justify that the negation of consent was the least restrictive and of proportionate measure.

However, the principles of necessity and proportionality laid down by the privacy judgement have been removed from the Digital Personal Data Protection Act. This paves the way for unaccountability and arbitrariness in state action with respect to processing of health data.

A mall staffer checks the Aarogya Setu app on an employee's mobile phone in June 2020. Credit: AFP.

Crucial rights missing

The global digital health strategy and the government’s own policy documents on digital health categorically mention data portability as an objective of digitalisation that is in the interests of patients. Data portability gives patients and individuals control over their data, the ability to obtain and reuse their health data for their own purposes across different services and platforms and prevent exploitative practices. Yet, the Digital Personal Data Protection law does not provide patients the right to data portability.

The act also fails to give Indians the right to be informed about and seek an exemption from profiling and automated decision-making or seek explanation for such decision-making.

Profiling uses algorithms, artificial intelligence and machine learning to analyse an individual’s personality, behaviour, interests and habits to make predictions or decisions. Automated decision-making, including profiling, are without human involvement. They operate in an opaque manner, making it is difficult to understand the basis of significant decisions, for instance, the denial of insurance coverage or claims.

Finally, the Digital Personal Data Protection Act does not provide individuals the right to compensation in case of a data breach. This is an essential right that was included in previous iterations of the bill and is recognised in other countries, including the United Kingdom, Kenya, Nigeria, Brazil and European Union nations.

The right to compensation provides recourse in case of illegal and unauthorised disclosure of their personal data, nudges data fiduciaries in the public and private sectors to incorporate robust data processing and protection practices and empowers the citizens to hold them accountable for mishandling their personal data.

As a final blow to the right to autonomy, privacy, transparency and accountability, the Digital Personal Data Protection Act permits the state to exempt itself from the application of the entire act for wide and unspecified purposes of data processing. In these instances, data can be processed without notice, informed consent and without any rights to find out which data was shared with which entity for what purposes.

The Indian government is strongly advocating a digital shift, especially in the health sector. But it must not be at the cost of the privacy and security of the sensitive data of its own citizens.

Shefali Malhotra is a Research Consultant at the Centre for Health Equity, Law and Policy.

Shivangi Rai is Deputy Coordinator at the Centre for Health Equity, Law and Policy.

Also read:

‘AI can’t replace a doctor, not yet’: Cautious optimism, concern over new tech in Indian healthcare

How India is creating digital health accounts of its citizens without their knowledge