Centre for Internet & Society

On August 15, 2020, the prime minister launched the National Digital Health Mission (NDHM) with the objective of improving and streamlining the Indian healthcare system. In December 2020, the Central Government notified the National Digital Health Mission: Health Data Management Policy (Health Data Policy), seeking to create a digital health ecosystem under the NDHM. A core pillar of the Health Data Policy is to create a unique health identity (UHID) for every Indian citizen.

In January 2021, the Health Ministry officially allowed Aadhaar-based authentication when creating a UHID for identification and authentication of beneficiaries for various health IT applications promoted by the Ministry. This enabled the Co-Win portal, which is used to book COVID-19 vaccination appointments, to accept Aadhaar for authentication. As per Clause 2a of Co-Win’s privacy policy, “If you choose to use Aadhaar for vaccination, you may also choose to get a Unique Health ID (UHID) created for yourself.” The privacy policy stresses the voluntary nature of this process by stating that “This feature is purely optional.”

However, multiple media reports have mentioned that beneficiaries who enrolled in the COVID-19 vaccination programme using their Aadhaar number have had their UHIDs created without their specific consent being obtained or their being given the option to opt out. This is concerning, as this has been done based on the data entered by citizens and is linked to their Aadhaar, despite clarifications from the Government that Aadhaar is not mandatory for getting a UHID. It is also pertinent to note that the Co-Win website did not have a privacy policy until it was directed to publish one by the Delhi High Court on 2 June 2021, almost three months after registration on Co-Win was made mandatory.

As per the NDHM, UHIDs have been rolled out on a pilot basis in the six union territories of India. They will be rolled out across the country in subsequent phases. However, as per newspaper reports, several people who had registered for the COVID-19 vaccine on the Co-Win website using their Aadhaar numbers received a UHID number on their COVID-19 vaccine certificates. This is not limited to the six union territories – UHID numbers have been generated for beneficiaries who had registered using their Aadhaar numbers across the country, without citizens having any choice in opting into the project. It appears that the UHID pilot project has been silently expanded across the country without any official announcement being made in this regard.

As per the Health Data Policy, UHIDs are to be generated on a voluntary basis after obtaining the consent of the beneficiary. However, at the time of registering on the Co-Win portal or at vaccination centers, no separate forms were shared with the beneficiaries to obtain their consent to generate UHIDs. This is contrary to the provisions of the Health Data Policy, which clearly states that the consent of the user must be obtained for the processing of personal data. Clause 9.2 of the Health Data Policy states that consent of the “data principal will be considered valid only if it is (c) specific, where the data principal can give consent for the processing of personal data for a particular purpose; (d) clearly given; and (e) capable of being withdrawn.” The beneficiaries are also not informed of their right to de-activate the UHID and reactivate it later if required, as provided under Clause 15.8 of the Health Data Policy.

Interestingly, if a person in any of the six union territories tries to self-register for a UHID, they are directed to a page seeking their consent. The consent form states,

“I understand that my Health ID can be used and shared for purposes as may be notified by NDHM from time to time including provision of healthcare services. Further, I am aware that my personal identifiable information (Name, Address, Age, Date of Birth, Gender and Photograph) may be made available to the entities working in the National Digital Health Ecosystem (NDHE) … I am aware that my personal identifiable information can be used and shared for purposes as mentioned above. I reserve the right to revoke the given consent at any point of time.”

However, this information/consent form is not shared with beneficiaries who receive UHIDs when they register on Co-Win using their Aadhaar number. As per newspaper reports, several of these people are also completely unaware of the purposes of a UHID.

Absence of a data protection law and governance structure contemplated under the Health Data Policy

The entire digital health ecosystem is currently operating in the absence of any data protection law and the governance structure proposed under the Health Data Policy.

The Supreme Court of India, in Justice K. S. Puttaswamy (Retd) Vs Union of India, held that confidentiality and privacy of medical data is a fundamental right under Article 21 of the Constitution. Any action that negates the fundamental right to privacy will need to satisfy three conditions, namely (i) existence of a law; (ii) legitimate state aim; and (iii) proportionality.

The first is that the action should be permissible under a law passed by the Parliament. This was also recognised by the Supreme Court in 2018 in the Aadhaar judgement. The court, while deciding on the validity of Aadhaar, noted that “A valid law in this case would mean a law passed by Parliament, which is just, fair and reasonable. Any encroachment upon the fundamental right cannot be sustained by an executive notification.”

The Health Data Policy fails this condition as it is a policy and not a law, and a policy is not a substitute for a law. For the collection of personal data, it is imperative that a data protection law be enacted at the earliest. Alternatively, or in addition, a comprehensive separate legislation should be enacted to regulate the digital health ecosystem.

It is also pertinent to note that the Health Data Policy provides for the creation of a data protection officer as well as a grievance redressal officer. Neither of these entities has been instituted so far. In other words, UHIDs are being issued without the governance structure prescribed by the Health Data Policy being in place.

Conclusion

The need for strong data protection legislation to protect users’ health data has been recognised across different jurisdictions and has also been emphasised by various international organisations. In 2006, the World Health Organization recommended that governments enact robust data protection legislation before digitising the health sector.

The health identity project has been launched and UHIDs are being issued as part of the COVID-19 vaccination process in different parts of India, even though initial steps, such as enacting data protection legislation and creating a robust digital ecosystem, have either not been concluded or not yet been undertaken. Hasty implementation without adequate safeguards and preparation not only risks the privacy and security of medical data, it may also undermine general trust in the system, leading to low uptake.
