India’s COVID-19 Response Calls for Urgent Data Disclosure Norms

Data sharing during the pandemic has failed to follow right to privacy safeguards

To address the COVID-19 pandemic, health information has assumed prime importance for ascertaining hotspots and at-risk demographics, targeting interventions and carrying out contact-tracing to locate the spread of the contagion. This information, collected through government apps, on-ground data collection staff, telephonic surveys, and healthcare service providers, is being shared across government agencies, and also private entities that support them in developing appropriate policy interventions.

While the disclosure of confidential health information in India to tackle pandemics is permitted, it is bound by certain conditions, an important one being maintaining the anonymity of individuals. However, over the last few months, several incidents of violations of these requirements have surfaced.

For example, in March, the Karnataka and Punjab governments published identifiable details of people under quarantine, including their address, travel history and PIN codes. A PDF version of this list was also doing the rounds on WhatsApp. Health data has also been used to identify and target communities. Disclosure of the religious identity of the Tablighi Jamaat attendees has led to widespread targeting of the sect and the wider Muslim community in several parts of the country.

Such incidents have brought to light the need for better data management and disclosure practices. A concerted review of the sharing of health data is required to reel in the government’s virtual carte blanche. This piece explains how the current norms lack in this aspect, and suggests immediate responses. 

India’s failure to follow the stipulated safeguards

The 2017 Supreme Court judgment in Justice K.S. Puttaswamy v. Union of India, which led to the recognition of the right to privacy as a fundamental right, says that during epidemics, personal data may be shared, but in an anonymised manner. Apart from mandating the anonymity of data, the judgment also notes that restrictions on the right to privacy must be lawful, proportionate and necessary. These restrictions can translate to:

Limiting the use of the information collected for commercial or law enforcement purposes.

Limiting access to this data to only specific entities.

Collecting and disclosing only necessary information.

However, data sharing in India during the COVID-19 pandemic has failed to abide by these. Even technological solutions that have come to be used for collecting health data have ignored the need for these safeguards. For instance, data collected by Aarogya Setu may be accessed by anyone in the government in the absence of any stipulations regarding authorised departments/personnel. State Governments have also engaged private entities on an ad-hoc basis to either develop apps or provide hosting services for confidential health information, without adequate disclosures regarding safeguards (if any) to restrict the commercial use of the data.

Legal norms remain aspirational

A scan of the regulatory landscape in India reveals a general absence of norms to address concerns related to the use and sharing of health information during COVID-19, and also those on other data routinely collected by the government. Here’s how:

1. The Information Technology (IT) Act, 2000, which contains overarching data protection laws, does not apply to the Government.

2. Laws specific to the healthcare sector, such as the Medical Council of India’s binding Code of Ethics, are silent on the treatment of health data once it is disclosed to the government. Furthermore, there is no specific provision in the guidelines to for the anonymisation of data.

3. The Electronic Health Record (EHR) Standards, that specify voluntary security and privacy standards for electronic health and medical records, provide for anonymisation of personal data in cases that require data disclosures such as during ‘national priorities’ which includes communicable diseases. They further stipulate maintaining audit logs and access restrictions. However, even they fail to address accountability of government entities as the applicable law under the Standards remains the IT Act framework.

4. Whenever passed, the Personal Data Protection (PDP) Bill 2019 may provide some updated norms for the overarching data protection ecosystem. It was expected to subsume the draft Digital Information Security in Healthcare Act (DISHA), which had sought to frame slightly more updated norms for health information sharing, though even those lacked clarity and sufficient safeguards. But even while the PDP Bill classifies health data as ‘sensitive personal data’, it provides the government wide powers to exempt any agency from virtually every provision of the Act.

Further, specific provisions regarding sensitive personal data will only be clarified once the proposed Data Protection Authority is appointed. This could be a long process.

Immediate data sharing needs better practices

Even as we await privacy reforms in India, it is important that the government considers necessary responses in law and in administrative practice to ensure compliance with the Puttaswamy judgment as discussed above. Some solutions are proposed below:

1. Disclosure of information should ensure ‘complete’ anonymisation of data, i.e., removing any information that directly or indirectly could lead to identification. Care should be taken to ensure that the risk of re-identification through triangulation of datasets is eliminated.

2. The government should disclose the anonymisation standards used. Anonymisation standards developed at the Centre level can also help guide practices in the States.

3. To ensure transparency, the government should disclose a list of entities that have access to the data, and outline processes within government departments to limit the use of data to only the purpose it was collected for. This can help eliminate surveillance concerns with respect to law enforcement agencies having access to confidential information.

4. To ensure purpose restricted processing of data, the government should put strict limits on the commercial use of the data by private entities they engage with. The government should also disclose the entities’ on-boarding process and their contract terms to ensure better public oversight and accountability.

Views are personal.