Health data sharing being set up to fail by a regulatory mashup: roles of the NDHM, PDPB, consent managers and the NHA
Health data regulation is at a pivotal point in India – there has been a steadily increasing regulatory initiative around the subject, in terms of data protection in health as well as attempts to make health data available for research and shared benefit. A number of regulations are now in varying stages of maturity, but do not necessarily add up to a coherent approach. First, the Personal Data Protection Bill, pending completion of the parliamentary process now for more than a year. Second, the Report on Non Personal Data (2020) will also have an impact on how the Indian state intends to structure regulation around health data, owing to the fact that this too is a pan-sector regulatory project. This feeds into regulatory measures creating an environment for broader sharing of health data due to its unique value proposition.
Health information refers to all data and information relating to an individual or group in any way, with some bearing on the physiological well being of that individual or group. Health information is classified as “sensitive personal information” under IT Rules (2011), and is given greater legal protection against misuse. It is also however sought to be used in new regulatory measures around data, notably under the National Digital Health Mission Data Management Policy (NDHM) and the NPD policy, owing to the value of health information. To that end the Data Empowerment and Protection Architecture (DEPA) framework has been proposed – a cross-sector data sharing project that seeks to enable a common framework for companies to share data, enabled by consent tokens that can be provided by end-users. This article discusses how the approaches of these respective policies do not fit together cleanly and lack a coherent unified vision for governance of health data, contradicting each other on key issues of consent and decision making authority over data sharing.
Consent for anonymised data
Consent is the bedrock of deploying user information by companies, service providers, and researchers. The presumption of the ecosystem is that users consent to the purposes of use of their data that they benefit from. Therefore, consent becomes the essential piece of the entire data economy, and certainly the health data ecosystem. Consent is also purpose-specific as a rule – which means that data, especially health information, can normally only be collected for a specific set of purposes.
Now, the NPD report mentions a requirement for specific consent to be collected for anonymisation of user health data. The NDHM policy however does not require user consent for collection of anonymised data, despite the fact that it also explicitly requires health data to be anonymised as part of its mandatory sharing requirements. The NDHM policy mandates sharing of anonymised health information with the central authority, the National Health Authority, on request. The positions of these policies are directly opposed to each other. One of them will need to be modified in order for them to be read harmoniously. Consent for anonymisation is the standard adopted under the more broadly applicable NPD report (admittedly pending legislative form); further, the extent of protection afforded by “anonymised” data continues to be debated, demonstrating the necessity for this requirement. It is essential that consent be required under the NDHM for anonymising information as well.
The requirement of consent for sharing anonymised data is particularly important in a sector such as health that involves the sharing of sensitive information such as medical history and records of ongoing health conditions of individuals. There are currently no procedures to prevent misuse of health information, as it is only protected under the now decade-old IT Rules of 2011.
The NDHM data policy also fails certain basic administrative requirements: namely the lack of any specific conditions under which the NHA may exercise its power to mandate data sharing – the power is broad, without checks and balances. The power to mandate sharing may thus be open to misuse, in cases where there may be no public interest case to share data, opening up the process to perverse incentives and abuse. The question of incentives is further exacerbated by the imposition of the cost of anonymisation on the organisations providing data. The policy must take into account the interests of these data providers in order to create the ecosystem around health data that it hopes to. The NDHM data policy must set out specific conditions under which the power may be exercised, and checks and balances around the powers of the NHA. This will prevent the NHA becoming the unofficial and arbitrary gatekeeper of access to health data.
Consent Managers and their role in the NDHM Health Data Sharing framework
Consent managers are used in the frameworks of the PDPB as well as the NDHM Data Management Policy. They are defined in the PDPB, and are meant to collect records of consent data – details of the third parties with which each of its users has consented to share data, and the purpose of data use consented to in each instance. Consent managers have no role in collecting the actual datasets that are being shared between users, fiduciaries, service providers, and requestors. As per the DEPA, they are also meant to be the entities primarily responsible for protection of users’ and user groups’ data rights. However, the DEPA as well as the PDPB remain silent on what accountability and grievance redressal measures are available to users. This is a glaring omission that needs to be addressed. DEPA as a document is focused primarily on financial information – it is as yet unclear what position will be taken by NITI Aayog on the specifics on sharing health information.
The DEPA framework assumes that the service of protection of user rights will operate as a market in which consent managers compete with each other. However, there may be situations where user rights may not align with the interests of entities requesting data (called “information users”) or those sharing the data (“information providers”). In this case, consent managers may simply not become a widely available service to the public. Else, the gap in the market for the service may be taken over by parties with conflicting interests, and the practices of the consent manager would be highly incentivised to abuse its position of power over user consent – either by facilitating breach of consent, or participating in it.
Protection of rights cannot fall below a minimum standard for user protections. It is not clear what minimum set of features DEPA sets out in order for a service provider to qualify as a consent manager under the framework. This is especially necessary as it is tasked with significant responsibility for protecting user rights. Requirements for consent managers regarding ownership restrictions and the grievance redressal process require further elaboration. Given their crucial role in the data value chain, mandatory appointment of data protection officers may also be considered – as of now it is not mandatory for all data fiduciaries.
The Personal Data Protection Bill, 2019
Consent managers under the PDPB have no specific set of enhanced obligations – they simply handle consent records on behalf of users to mediate between third parties sharing data of that user. This framing of the consent managers misses out on the aspect of incentives for the consent manager to carry out its duties to maximum efficacy – it is neither a body with statutory functions, nor is it clear that there are market-based incentives to do so. If consent managers are supposed to be essential parts of the data sharing chain in India, then they must either be given statutory duties to protect user rights, or heavy penalties for causing harm to users. Neither has been codified, under either the PDPB or the blunted version of consent managers under the NDHM.
The National Digital Health Mission Data Management Policy
The NDHM policy goes a step further than the PDPB and puts consent managers squarely at the centre of the proposed health data sharing infrastructure. They have unilateral power to request (mandate) sharing of health data from any entity. Under the NDHM, consent managers are powerful intermediaries who not only control access to data but enjoy that access themselves. In a market where third parties approach them for access to health data, they become gatekeepers for access to this data, a role not intended for them under the policy.
Neither the PDP nor the NDHM undertakes the task of addressing potential corporate governance concerns over consent managers. Given their pivotal role in the proposed health data regulatory structure, it is imperative to address their ownership and governance practices. The RBI guidelines for Account Aggregators mandate that any corporate entity operating an Account Aggregator may not engage in any other business. The rules also require disclosures on notice on transfer of shares and control, and documentation on technical protocols and corporate details such as the board of directors and audits. The lack of such checks on consent managers in health data opens them up to a host of malpractices by entities offering consent management services, such as unconsented use and disclosure of data, breaching consent, and monetising data at the expense of privacy and commercial harm against users and communities.
The NDHM policy relies on the NHA to carry out a supervisory role over the entire regulatory structure proposed by the policy. NHA is tasked with responsibilities on data sharing – it is given powers to decide who gets to access health information from users, whether anonymised or not. The policy has abdicated its responsibility of setting clear rules on what reasons may constitute the basis for accessing information, and what kinds of information may be accessed. Decentralised control over health data sharing is completely absent from the NDHM data policy, and needs to be brought in before the policy is fully in effect.
The policy also needs to exhibit a deeper understanding of health data to decide whether it will focus purely on EHR data, for instance, or if it targets specific fields. This is necessary if the policy were to govern the collection of information outside EHR data, such as personal details and aspects of individual identity.
Conclusion and way forward
The NDHM and NPD are all set to create a confusing scenario out of health data management in India. How patients will be able to exercise consent or communicate preferences on how their data should be used, beyond the simple consent at the point of initial collection, is left unclear. There is also no defined grievance redressal forum or process, leaving users without any clear direction on what resources are available for recourse.
The comparison of consent managers under the frameworks of the PDPB (where it was introduced) and the NDHM, which seeks to deploy them in health, shows the lack of a coherent vision for governance of health data in India. The implementation of the NDHM policy would make the NHA an arbitrary gatekeeper of health information in India, given sole responsibility of decision making over collection and sharing, without guidelines or even principles based on which access may be granted. Clearer rules are required on the basis for accessing information, and the kinds of information to be shared.
Decision-making on questions of data access needs to be more decentralised, and account for regulatory capacity and frequency of required decision making. Decision making on sharing needs additional regulatory capacity — local and bodies need a platform to participate in how the data is being used, especially given the context of the NDHM’s requirements of mandatory data sharing with the NHA. More broadly, the Indian regulatory framework needs to study community governance in the context of data, to come up with solutions that can be more varied and suited to specific contexts of smaller geographical communities, and identity groups of gender, caste and occupation, across the country.
Other necessary actions with the approach of the policies include the need to have a requirement of consent for anonymisation of personal data under the NDHM — as all data sharing under it is mandatory, under directions of the NHA. Both the PDPB and the NDHM are silent on how users can approach Consent Managers for grievance redressal. This is necessary as a check to ensure that Consent Managers do in fact act in user interest. Finally, the entire ecosystem remains open to compromise due to the lack of rules on ownership patterns and corporate governance of consent managers in health – inviting the possibility of the abuse of user trust and exacerbation of difficulties of an already vulnerable group, patients in need of accessible care.