The National Health Authority of India sent the following rebuttal to an article published in on August 28.

This is to counter the incorrect portrayal of facts in your story “Indians get just one week to review crucial health data policy. The Centre’s rush is undemocratic”. The real facts are as under:

1. The Health Data Management Policy lays down the framework for secure handling of data in NDHM with citizen-centric approach being the key aspect.

2. The draft Health Data Management Policy was uploaded on 20/08/2020 for seeking feedback for two weeks and not for one week as has been stated in the news report.

3. All Government policies evolve as per the need of the society and changes in technology. This policy is no exception, and it is not correct to make it appear that the policy coming out will never be changed in future.

4. However, considering the feedback received, the date of seeking feedback via public consultation before the first version of the policy is finalized has been extended by one more week i.e. till 10th September 2020.

5. On perusal of various press reports it is seen that much of the criticism arises from the “Definitions” section of Draft Health Data Management Policy as published on NDHM portal. In this regard it may be noted that definitions in any policy/laws are always kept very generic/broad so as to cater to overall scope and take care of any eventualities. Definitions per se have no meaning unless they are seen in conjunction with the operative part of policy/laws and their overall design/objective. Various terms defined in the definition section of draft policy draw from various laws and bills such as Personal Data Protection (PDP) bill. The definition of term “Sensitive personal data” in the draft policy draws from Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 and Personal Data Protection (PDP) bill. By virtue of said definition, sensitive personal data includes personal data related to financial information, sexual orientation, political belief etc. However, nowhere in the operative section of the draft policy it is laid down that the said information will be called for.

Further the purpose of including said terms in the definition of “Sensitive personal data” is that the said types of information must be given highest level of privacy and security if ever encountered in the information ecosystem of NDHM. It is absolutely out of place to construe the same as intent for having said information in the NDHM system especially when there is nothing in the operative section of the policy to suggest so. The entire framework of Draft Health Data Management Policy is citizen-centric and no data can be captured, shared or used without the explicit and informed consent of the citizen.

6. The news report also asks the question of why Aadhaar is not used instead of creating a new Health ID. It may be noted that it is legally not permissible to make Aadhaar mandatory for creation of Health ID. Further, the creation of Health ID and participation in the National Digital Health Mission is purely voluntary for every individual and the Government does not intend to make it mandatory. In view of these facts, option has been given to citizens to create Health ID in both ways – either using Aadhaar or without using Aadhaar.

It is requested that edits the story to incorporate the facts above. responds

The National Health Authority emailed a press statement to the media on August 26, announcing the release of the Draft Health Data Management Policy of the National Digital Health Mission for public consultation. The statement said the policy will be available for public comments till September 3.

The draft policy did not carry any time and date stamp. The National Health Authority had not previously publicised it anywhere, including its own website and social media accounts, the website of its parent ministry, the Ministry of Health and Family Welfare, and the Press Information Bureau.

It is natural for news outlets, including, to go by the date of the press statement and conclude that the authority had provided the public just one week to review the policy and send feedback.

The fact that the National Health Authority has extended the window for public feedback by another week is an acknowledgement that it had shown undue haste in finalising a crucial policy.

In its rebuttal, the Authority claims media reports have inaccurately suggested that the government will be calling for information listed under “sensitive personal data”. A tweet by the Press Information Bureau specifically claims that has reported that “the government is asking for ‘sensitive personal data’ for the registration of Health ID”.

This is a gross misrepresentation. Nowhere has claimed so. We have accurately reported that the draft health data policy will govern the collection and storage of “sensitive personal data” of individuals, as the National Health Authority has itself said (see the highlighted text in the press statement above).

Further,’s report has not asked why Aadhaar is not being used in place of a new health ID. The report simply cited T Sundararaman, a former director of the National Health Systems Resource Centre, an advisory body to the Union health ministry, who mentioned Aadhaar while questioning the need for a new health ID.

Contrary to the Authority’s claims, Aadhaar is already mandatory in a range of health programmes, including a cash assistance programme for tuberculosis patients. In fact, the draft health data policy explicitly gives primacy to Aadhaar as the means to authenticate an individual’s identity for the purposes of creating a health ID. “A Health ID may be generated through such means as may be specified by the NHA, and may be authenticated using a data principal’s Aadhaar number or any other document of identification as may be specified by the NHA,” the draft policy states, while clarifying that lack of an Aadhaar number should not prevent an individual from acquiring a health ID.