Streamlining Usage of Health Data in Public Emergencies
Need for a data protection legislation including safeguards for health data
Health data has been crucial in formulating effective policy interventions during the COVID-19 crisis. Urban local bodies (ULBs) and private clinical establishments are central to collecting such health data and providing it to the relevant state and central departments. The Twelfth Schedule to the Constitution grants municipal bodies control over matters of public health, subject to any existing state legislation. For example, in Karnataka, ULBs are vested with the powers to promote public health and welfare under the Karnataka Municipal Corporation Act, 1976 and the Karnataka Municipalities Act, 1964. Additionally, the Karnataka Private Medical Establishments Act, 2007 requires all private medical establishments to actively participate in implementing all national and state health programmes as and when the state specifies so. However, these laws have not kept abreast of the digitisation of data and health records, which prevents efficient real-time sharing of health patterns, and they lack legal processes and norms to facilitate data sharing through ULBs. As such, privacy and confidentiality norms for health data disclosures remain absent for these local bodies.
This issue requires redress at both the Union and state levels. First, there is a need for a data protection legislation including safeguards for health data, which establishes minimum standards to apply across the country. To this end, the forthcoming Personal Data Protection (PDP) Bill, 2019 and the regulations framed under it are expected to provide legal standards for health data disclosures. The Bill contains two provisions which allow processing of personal information and sensitive personal data for prompt action in certain cases, one of which is an epidemic.
State laws governing medical establishments should also be compliant with the Electronic Health Record Standards, and prescribe data disclosure norms in line with the standards prescribed under the forthcoming PDP Bill framework. Local Health Officers appointed under state municipal laws can also be tasked with ensuring accountability in maintaining data disclosure norms prescribed by the centre and the state from time to time. For this, the Karnataka Municipalities Act and the Karnataka Municipal Corporations Act need to be amended to prescribe the specific duties of ULBs in managing such data.
The disclosure norms devised must define the need and context in which non-consensual data sharing is allowed, the purposes for which this is done, the designated authorities/health officers that may access the data, and their responsibilities in handling the data. They must also be tailored to suitably reflect the extent of data disclosures required for communicable and non-communicable diseases. These norms should further include minimum standards for anonymisation, and the limited instances where de-identification at the local levels is permitted. A defined procedure for requiring disclosures from medical establishments and further sharing of this data with state and centre-level repositories should be outlined. The state laws must further specify and publish the procedure to settle grievances vis-a-vis health data disclosures, and the authority or officer tasked with this responsibility.
- The Data Protection Authority created under the Personal Data Protection Bill should formulate Codes of Practice for the protection and sharing of health data in line with the provisions of the Bill and in collaboration with sectoral regulators. These should provide minimum standards for state and local government bodies to further integrate within state laws on managing health data.
- The Karnataka Municipal Corporation Act and Karnataka Municipalities Act should be amended to specify the roles and responsibilities of Health Data Officers in maintaining data disclosure norms prescribed by the centre and state.
- The Karnataka Private Medical Establishments Act should be amended to require all private hospitals to submit health data to designated officers/authorities only as per laid-down disclosure norms and procedures.