Streamlining Usage of Health Data in Public Emergencies
Need for a data protection legislation including safeguards for health data
Problem
Health data has been crucial in formulating effective policy interventions under the COVID-19 crisis. Urban local bodies (ULBs) and private clinical establishments are crucial to collecting and providing such health data to relevant state and central departments. The Twelfth Schedule to the Constitution grants municipal bodies control over matters of public health, subject to any existing state legislation. For example, in Karnataka, ULBs are vested with the powers to promote public health and welfare under the Karnataka Municipal Corporation Act, 1976 and the Karnataka Municipalities Act, 1964. Additionally, the Karnataka Private Medical Establishments Act, 2007 requires all private medical establishments to actively participate in implementing all national and state health programmes as and when the state specifies so. However, these have not kept abreast with the digitisation of data and health records which prevent efficient real-time sharing of health patterns, and lack legal processes and norms to facilitate data sharing through ULBs. As such, privacy and confidentiality norms for health data disclosures remain absent for these local bodies.
Solution
This issue requires redress at both the Union and state levels. First, there is a need for a data protection legislation including safeguards for health data, which establishes minimum standards to apply across the country. To this end, the forthcoming Personal Data Protection (PDP) Bill, 2019 and the regulations framed under it are expected to provide legal standards for health data disclosures. The Bill contains two provisions which allow processing of personal information and sensitive personal data for prompt action in certain cases, one of which is an epidemic.
State laws governing medical establishments should also be compliant with the Electronic Health Record Standards, and prescribe data disclosure norms in line with the standards prescribed under the forthcoming PDP Bill framework. Local Health Officers appointed under state municipal laws can also be tasked with ensuring accountability in maintaining data disclosure norms prescribed by the centre and the state from time to time. For this, the Karnataka Municipalities Act and the Karnataka Municipal Corporations Act need to be amended to prescribe the specific duties of ULBs in managing such data.
The disclosure norms devised must define the need and context in which non-consensual data sharing is allowed, the purposes for which this is done, the designated authorities/ health officers that may access the data, and their responsibilities in handling the data. They must also be tailored to suitably reflect the extent of data disclosures required for communicable and non-communicable diseases. These norms should further include minimum standards for anonymisation, and the limited instances where de-identification at the local levels is permitted. A defined procedure for requiring disclosures from medical establishments and further sharing of this data with state and centre-level repositories should be outlined. The state laws must further specify and publish the procedure to settle grievances vis-a-vis health data disclosures, and the authority or officer tasked with this responsibility.
Implementation
- The Data Protection Authority created under the Personal Data Protection Bill should formulate Codes of Practice for the protection and sharing of health data in line with the provisions of the Bill and in collaboration with sectoral regulators. These should provide minimum standards for state and local government bodies to further integrate within state laws on managing health data.
- The Karnataka Municipal Corporation Act and Karnataka Municipalities Act should be amended to specify the roles and responsibilities of Health Data Officers in maintaining data disclosure norms prescribed by the centre and state.
- The Karnataka Private Medical Establishments Act should be amended for all private hospitals to submit health data to designated officers/ authorities only as per laid down disclosure norms and procedures.
Filed Under
Tags
About the Authors
Trishi was a Project Fellow at the Centre for Applied Law and Technology Research (ALTR) at Vidhi. At ALTR, she is developing research on data governance frameworks and policy responses to artificial intelligence in India. She graduated with a B.A., LL.B. (Hons.) degree from NALSAR University of Law, Hyderabad in 2017. Prior to joining Vidhi, she worked as a Senior Legal Associate at Koan Advisory Group, Delhi, where she advised media and technology companies and developed inter-disciplinary research on media and information technology regulation in India.
Akriti was a Research Fellow at Vidhi. She is a lawyer by training, having completed her undergraduation from Symbiosis Law School, Pune and her LLM in Globalization and Law from Maastricht University, Netherlands. She has worked at the intersection of human rights and internet governance at the Centre for Internet and Society for 2 years where she also chaired the Cross-Community Working Party on Human Rights. At the Vidhi Karnataka Team, she continues to work on aspects of law and technology ,with relevance to the state legislation and policies.
