Digital Health Data Policy: Navigating the Privacy Quagmire

Digital Health Data Policy:  Navigating the Privacy Quagmire
In implementing the ground-breaking vision of the NDHM, India should not paper over the data protection cracks

On the 74th anniversary of Indian Independence, the Prime Minister announced the launch of the National Digital Health Mission (NDHM) from the ramparts of the Red Fort. Seeking to digitise the health ecosystem in India, the NDHM was followed by a draft Health Data Management Policy. This policy aims to establish a framework for the secure processing and exchange of health data, in accordance with applicable laws and international standards relating to privacy and security.

At present, the Ministry of Health and Family Welfare has opened up the draft policy for public consultation. It would be opportune, therefore, to dwell on whether the proposed policy effectively addresses concerns regarding the privacy and security of personal, health-related information.


A dispassionate analysis of the draft policy merits an appreciation of the rationale behind the NDHM. It has been envisaged as the first step towards a ‘Digital Health Revolution’ that will optimise the maintenance and portability of health records in a heavily fragmented healthcare market. It builds on the idea that access to an individual’s complete health records can solve the issues arising from duplication of consulting services or misdiagnosis of a patient. It aspires to facilitate better patient-doctor coordination by informing the doctor about the medical history of the patient. Any individual wishing to change a doctor or hospital will be ensured seamless portability of medical records when they are digitised. There will be minimal disruption in the stream of communication from one doctor or hospital to the next one.

Health datasets, when appropriately utilised, can also guide policymaking and stimulate evidence-based research, scientific discovery, and innovation. For instance, a report prepared by the China Academy of Information and Communications Technology, in the backdrop of the COVID-19 pandemic, indicates that big data monitoring can help to assess the movement trajectory of affected persons, predict epidemic trends, promote research, and assist governments in implementing scientific and targeted policies.

Even while acknowledging the benefits that accrue from digitised health data, there is a growing awareness of the need to protect the privacy rights of individuals. As a result, the government has brought out a draft policy on the secure management of such data.


The digital health data policy rightly classifies health data as ‘personal’ and ‘sensitive’. Accordingly, it confers complete control over such data to the individuals to whom it pertains. These individuals have been identified as ‘data principals’. 

Health information providers such as hospitals, diagnostic centres or public health programmes are required to take the consent of data principals before collecting or processing their digitised health data. Similarly, insurance companies and other health information users are also required to place requests.

This policy is laudable for envisaging clear and transparent communication with data principals, in so far as the benefits and risks associated with the sharing of health data is concerned. It also recognises the importance of holding to account entities that access or process such data, by incorporating privacy and security guidelines.

The problem, however, lies in harmonising this policy with general data protection laws in the country. The policy has been issued at a time when the Personal Data Protection (PDP) Bill is still being deliberated by a Joint Parliamentary Committee in India. Even as this process is on, it has borrowed key aspects of the Bill, particularly its definitional provisions. The propriety of passing such a policy, when similar provisions are yet to pass muster in Parliament, is debatable.

Ideally, regulation of sectoral data like health should be carried out under the aegis of an independent regulator, appointed under a parent framework that governs personal data protection. More importantly, since the scope of both the PDP Bill as well as the draft policy falls within the same jurisprudential corpus, the relationship between the two should be explicitly clarified.


The draft policy also proposes the creation of a Health ID for data principals. It leaves open the option of authenticating this ID with the help of the Aadhaar number or any other identification document that is specified.

The proposed linkage with Aadhaar has been touted to be voluntary. However, it must be recalled that the Supreme Court in Puttaswamy v. Union Of India, restricted the usage of Aadhaar to availing of particular benefits, services or welfare schemes. It needs to be assessed whether the additional linking of health records to Aadhaar would contravene the spirit of the judgment. Moreover, the apex court had declared the seeking of Aadhaar identification by a private entity as unconstitutional. Given that a Health ID is likely to be used by both private and public actors in the healthcare space, it must be ensured that it does not provide a backdoor entry for Aadhaar authentication by private players.


Certain stakeholders have voiced concerns that the NDHM and its attendant data management policy are tailored to serve corporate interests. For instance, the policy allows health service providers to share anonymised health data in aggregated form, with the consent of data principals. Such digitised data would be a treasure trove for pharmaceutical companies and big tech enterprises looking to move into the healthcare sector. In such cases, vesting data principals with control over their health data is inadequate. There is a larger need to ensure that the value derived from such datasets flows back to the public and the full potential of digitised health data is realised. Only then would it be meaningful to proclaim ‘Viva La Health Revolution’.


In institutionalising privacy and security safeguards, the draft policy on Digital Health Data Management rightly focuses on the principles of consent, transparency and accountability vis-à-vis data principals. 

Since health data is a sub-set of personal data, the draft policy should unambiguously elucidate its relationship with the Personal Data Protection Bill that is being deliberated in Parliament. 

The proposed linkage of Health ID with Aadhaar should be tested against the touchstone of privacy principles, as enumerated by the Supreme Court in Puttaswamy v. Union Of India.