Centre for Internet and Society

Divergence between the GDPR and PDP Bill 2019

pallavi — 2020-02-21T13:05:08Z

For more details visit https://cis-india.org/internet-governance/divergence-between-the-gdpr-and-pdp-bill-2019

CIS' General Comments to the PDP Bill 2019

pallavi — 2020-02-21T10:10:54Z

For more details visit https://cis-india.org/accessibility/blog/cis-general-comments-to-the-pdp-bill-2019

Annotated ver PDP Bill 2019

pallavi — 2020-02-21T10:08:41Z

For more details visit https://cis-india.org/accessibility/blog/annotated-ver-pdp-bill-2019

CIS Comments PDP Bill 2019

pallavi — 2020-02-21T10:02:22Z

For more details visit https://cis-india.org/accessibility/blog/cis-comments-pdp-bill-2019

Gen Comments PDP Bill 2019

pallavi — 2020-02-21T10:00:16Z

For more details visit https://cis-india.org/accessibility/blog/gen-comments-pdp-bill-2019

Platformisation of Domestic Work in India: Report (February 2020)

sumandro — 2020-02-17T07:21:17Z

For more details visit https://cis-india.org/raw/platformisation-of-domestic-work-in-india-report-february-2020

Comments to the Personal Data Protection Bill 2019

Amber Sinha, Elonnai Hickok, Pallavi Bedi, Shweta Mohandas, Tanaya Rajwade — 2020-02-21T10:13:35Z

The Personal Data Protection Bill, 2019 was introduced in the Lok Sabha on December 11, 2019.

Please view our general comments below, or download as PDF here.

Our comments and recommendations can be downloaded as PDF here.

We have also prepared an annotated version of the Bill, where our detailed comments and recommendations can be viewed alongside the Bill, available as PDF here.

General Comments

1. Executive notification cannot abrogate fundamental rights

In 2017, the Supreme Court in K.S. Puttaswamy v Union of India [1] held the right to privacy to be a fundamental right. While this right is subject to reasonable restrictions, the restrictions have to meet a three fold requirement, namely (i) existence of a law; (ii) legitimate state aim; (iii) proportionality.Under the 2018 Bill, the exemption to government agencies for processing of personal data from the provisions of the Bill in the ‘interest of the security of the State’ [2] was subject to a law being passed by Parliament. However, under Clause 35 of the present Bill, the Central Government is merely required to pass a written order exempting the government agency from the provisions of the Bill.Any restriction on the right to privacy will have to comply with the conditions prescribed in Puttaswamy I. An executive order issued by the central government authorising any agency of the government to process personal data does not satisfy the first requirement laid down by the Supreme Court in Puttaswamy I — as it is not a law passed by Parliament. The Supreme Court while deciding upon the validity of Aadhar in K.S. Puttaswamy v Union of India [3] noted that “an executive notification does not satisfy the requirement of a valid law contemplated under Puttaswamy. A valid law in this case would mean a law passed by Parliament, which is just, fair and reasonable. Any encroachment upon the fundamental right cannot be sustained by an executive notification.”

2. Exemptions under Clause 35 do not comply with the legitimacy and proportionality test

The lead judgement in Puttaswamy I while formulating the three fold test held that the restraint on privacy emanate from the procedural and content based mandate of Article 21 [4]. The Supreme Court in Maneka Gandhi v Union India [5] had clearly established that “mere prescription of some kind of procedure cannot ever meet the mandate of Article 21. The procedure prescribed by law has to be fair, just and reasonable, not fanciful, oppressive and arbitrary” [6]. The existence of a law is the first requirement; the second requirement is that of ‘legitimate state aim’. As per the lead judgement this requirement ensures that “the nature and content of the law which imposes the restriction falls within the zone of reasonableness mandated by Article 14, which is a guarantee against arbitrary state action” [7]. It is established that for a provision which confers upon the executive or administrative authority discretionary powers to be regarded as non-arbitrary, the provision should lay down clear and specific guidelines for the executive to exercise the power [8]. The third test to be complied with is that the restriction should be ‘proportionate,’ i.e. the means that are adopted by the legislature are proportional to the object and needs sought to be fulfilled by the law. The Supreme Court in Modern Dental College & Research Centre v State of Madhya Pradesh [9] specified the components of proportionality standards —

A measure restricting a right must have a legitimate goal;
It must be a suitable means of furthering this goal;
There must not be any less restrictive, but equally effective alternative; and
The measure must not have any disproportionate impact on the right holder

Clause 35 provides extensive grounds for the Central Government to exempt any agency from the requirements of the bill but does not specify the procedure to be followed by the agency while processing personal data under this provision. It merely states that the ‘procedure, safeguards and oversight mechanism to be followed’ will be prescribed in the rules.The wide powers conferred on the central government without clearly specifying the procedure may be contrary to the three fold test laid down in Puttaswamy I, as it is difficult to ascertain whether a legitimate or proportionate objective is being fulfilled [10].

3. Limited powers of Data Protection Authority in comparison with the Central Government

In comparison with the last version of the Personal Data Protection Bill, 2018 prepared by the Committee of Experts led by Justice Srikrishna, we witness an abrogation of powers of the Data Protection Authority (Authority), to be created, in this Bill. The powers and functions that were originally intended to be performed by the Authority have now been allocated to the Central Government. For example:

In the 2018 Bill, the Authority had the power to notify further categories of sensitive personal data. Under the present Bill, the Central Government in consultation with the sectoral regulators has been conferred the power to do so.
Under the 2018 Bill, the Authority had the sole power to determine and notify significant data fiduciaries, however, under the present Bill, the Central Government has in consultation with the Authority been given the power to notify social media intermediaries as significant data fiduciaries.

In order to govern data protection effectively, there is a need for a responsive market regulator with a strong mandate and resources. The political nature of the personal data also requires that the governance of data, particularly the rule-making and adjudicatory functions performed by the Authority are independent of the Executive.

4. No clarity on data sandbox

The Bill contemplates a sandbox for “ innovation in artificial intelligence, machine-learning or any other emerging technology in public interest.” A Data Sandbox is a non-operational environment where the analyst can model and manipulate data inside the data management system. Data sandboxes have been envisioned as a secure area where only a copy of the company’s or participant companies’ data is located [11]. In essence, it refers to the scalable and creation platform which can be used to explore an enterprise’s information sets. On the other hand, regulatory sandboxes are controlled environments where firms can introduce innovations to a limited customer base within a relaxed regulatory framework, after which they may be allowed entry into the larger market after meeting certain conditions. This purportedly encourages innovation through the lowering of entry barriers by protecting newer entrants from unnecessary and burdensome regulation. Regulatory sandboxes can be interpreted as a form of responsive regulation by governments that seek to encourage innovation – they allow selected companies to experiment with solutions within an environment that is relatively free of most of the cumbersome regulations that they would ordinarily be subject to, while still subject to some appropriate safeguards and regulatory requirements. Sandboxes are regulatory tools which may be used to permit companies to innovate in the absence of heavy regulatory burdens. However, these ordinarily refer to burdens related to high barriers to entry (such as capital requirements for financial and banking companies), or regulatory costs. In this Bill, however, the relaxing of data protection provisions for data fiduciaries would lead to restrictions of the privacy of individuals. Limitations to a fundamental rights on grounds of ‘fostering innovation’ is not a constitutional tenable position, and contradict the primary objectives of a data protection law.

5. The primacy of ‘harm’ in the Bill ought to be reconsidered

While a harms based approach is necessary for data protection frameworks, such approaches should be restricted to the positive obligations, penal provisions and responsive regulation of the Authority. The Bill does not provide any guidance on either the interpretation of the term ‘harm,’ [12] or on the various activities covered within the definition of the term. Terms such as ‘loss of reputation or humiliation’ ‘any discriminatory treatment’ are a subjective standard and are open to varied interpretations. This ambiguity in the definition will make it difficult for the data principal to demonstrate harm and for the DPA to take necessary action as several provisions are based upon harm being caused or likely to be caused.Some of the significant provisions where ‘harm’ is a precondition for the provision to come into effect are —

Clause 25: Data Fiduciary is required to notify the Authority about the breach of personal data processed by the data fiduciary, if such breach is likely to cause harm to any data principal. The Authority after taking into account the severity of the harm that may be caused to the data principal will determine whether the data principal should be notified about the breach.
Clause 32 (2): A data principal can file a complaint with the data fiduciary for a contravention of any of the provisions of the Act, which has caused or is likely to cause ‘harm’ to the data principal.
Clause 64 (1): A data principal who has suffered harm as a result of any violation of the provision of the Act by a data fiduciary, has the right to seek compensation from the data fiduciary.

Clause 16 (5): The guardian data fiduciary is barred from profiling, tracking or undertaking targeted advertising directed at children and undertaking any other processing of personal data that can cause significant harm to the child.

6. Non personal data should be outside the scope of this Bill

Clause 91 (1) states that the Act does not prevent the Central Government from framing a policy for the digital economy, in so far as such policy does not govern personal data. The Central Government can, in consultation with the Authority, direct any data fiduciary to provide any anonymised personal data or other non-personal data to enable better targeting of delivery of services or formulation of evidence based policies in any manner as may be prescribed.It is concerning that the data protection bill has specifically carved out an exception for the Central Government to frame policies for the digital economy and seems to indicate that the government plans to freely use any and all anonymized and/or non-personal data that rests with any data fiduciary that falls under the ambit of the bill to support the digital economy including for its growth, security, integrity, and prevention of misuse. It is unclear how the government, in practice, will be able to compel organizations to share this data. Further, there is a lack of clarity on the contours of the definition of non-personal data and the Bill does not define the term. It is also unclear whether the Central Government can compel the data fiduciary to transfer/share all forms of non-personal data and the rights and obligations of the data fiduciaries and data principals over such forms of data. Anonymised data refers to data which has ‘ irreversibly’ been converted into a form in which the data principal cannot be identified. However, as several instances have shown ‘ irreversible’ anonymisation is not possible. In the United States, the home addresses of taxi drivers were uncovered and in Australia individual health records were mined from anonymised medical bills [13]. In September 2019, the Ministry of Electronics and Information Technology, constituted an expert committee under the chairmanship of Kris Gopalkrishnan to study various issues relating to non-personal data and to deliberate over a data governance framework for the regulation of such data.The provision should be deleted and the scope of the bill should be limited to protection of personal data and to provide a framework for the protection of individual privacy. Until the report of the expert committee is published, the Central Government should not frame any law/regulation on the access and monetisation of non-personal/ anonymised data nor can they create a blanket provision allowing them to request such data from any data fiduciary that falls within the ambit of the bill. If the government wishes to use data resting with a data fiduciary; it must do so on a case to case basis and under formal and legal agreements with each data fiduciary.

7. Steps towards greater decentralisation of power

We propose the following steps towards greater decentralisation of powers and devolved jurisdiction —

Creation of State Data Protection Authorities: A single centralised body may not be the appropriate form of such a regulator. We propose that on the lines of central and state commissions under the Right to Information Act, 2005, state data protection authorities are set up which are in a position to respond to local complaints and exercise jurisdiction over entities within their territorial jurisdictions.
More involvement of industry bodies and civil society actors: In order to lessen the burden on the data protection authorities it is necessary that there is active engagement with industry bodies, sectoral regulators and civil society bodies engaged in privacy research. Currently, the Bill provides for involvement of industry or trade association, association representing the interests of data principals, sectoral regulator or statutory Authority, or an departments or ministries of the Central or State Government in the formulation of codes of practice. However, it would be useful to also have a more active participation of industry associations and civil society bodies in activities such as promoting awareness among data fiduciaries of their obligations under this Act, promoting measures and undertaking research for innovation in the field of protection of personal data.

8. The Authority must be empowered to exercise responsive regulation

In a country like India, the challenge is to move rapidly from a state of little or no data protection law, and consequently an abysmal state of data privacy practices to a strong data protection regulation and a powerful regulator capable of enabling a state of robust data privacy practices. This requires a system of supportive mechanisms to the stakeholders in the data ecosystem, as well as systemic measures which enable the proactive detection of breaches. Further, keeping in mind the limited regulatory capacity in India, there is a need for the Authority to make use of different kinds of inexpensive and innovative strategies.We recommend the following additional powers for the Authority to be clearly spelt out in the Bill —

Informal Guidance: It would be useful for the Authority to set up a mechanism on the lines of the Security and Exchange Board of India (SEBI)’s Informal Guidance Scheme, which enables regulated entities to approach the Authority for non-binding advice on the position of law. Given that this is the first omnibus data protection law in India, and there is very little jurisprudence on the subject from India, it would be extremely useful for regulated entities to get guidance from the regulator.
Power to name and shame: When a DPA makes public the names of organisations that have seriously contravened data protection legislation, this is a practice known as “naming and shaming.” The UK ICO and other DPAs recognise the power of publicity, as evidenced by their willingness to co-operate with the media. The ICO does not simply post monetary penalty notices (MPNs or fines) on its websites for journalists to find, but frequently issues press releases, briefs journalists and uses social media. The ICO’s publicity statement on communicating enforcement activities states that the “ICO aims to get media coverage for enforcement activities.”
Undertakings: The UK ICO has also leveraged the threats of fines into an alternative enforcement mechanism seeking contractual undertakings from data controllers to take certain remedial steps. Undertakings have significant advantages for the regulator. Since an undertaking is a more “co-operative”solution, it is less likely that a data controller will change it. An undertaking is simpler and easier to put in place. Furthermore, the Authority can put an undertaking in place quickly as opposed to legal proceedings which are longer.

9. No clear roadmap for the implementation of the Bill

The 2018 Bill had specified a roadmap for the different provisions of the Bill to come into effect from the date of the Act being notified [14]. It specifically stated the time period within which the Authority had to be established and the subsequent rules and regulations notified.The present Bill does not specify any such blueprint; it does not provide any details on either when the Bill will be notified or the time period within within which the Authority shall be established and specific rules and regulations notified. Considering that 25 provisions have been deferred to rules that have to be framed by the Central Government and a further 19 provisions have been deferred to the regulations to be notified by the Authority the absence and/or delayed notification of such rules and regulations will impact the effective functioning of the Bill.The absence of any sunrise or sunset provision may disincentivise political or industrial will to support or enforce the provisions of the Bill. An example of such a lack of political will was the establishment of the Cyber Appellate Tribunal. The tribunal was established in 2006 to redress cyber fraud. However, it was virtually a defunct body from 2011 onwards when the last chairperson retired. It was eventually merged with the Telecom Dispute Settlement and Appellate Tribunal in 2017.We recommend that Bill clearly lays out a time period for the implementation of the different provisions of the Bill, especially a time frame for the establishment of the Authority. This is important to give full and effective effect to the right of privacy of the
individual. It is also important to ensure that individuals have an effective mechanism to enforce the right and seek recourse in case of any breach of obligations by the data fiduciaries.For offences, we suggest a system of mail boxing where provisions and punishments are enforced in a staggered manner, for a period till the fiduciaries are aligned with the provisions of the Act. The Authority must ensure that data principals and fiduciaries have sufficient awareness of the provisions of this Bill before bringing the provisions for punishment are brought into force. This will allow the data fiduciaries to align their practices with the provisions of this new legislation and the Authority will also have time to define and determine certain provisions that the Bill has left the Authority to define. Additionally enforcing penalties for offences initially must be in a staggered process, combined with provisions such as warnings, in order to allow first time and mistaken offenders from paying a high price. This will relieve the fear of smaller companies and startups who might fear processing data for the fear of paying penalties for offences.

10. Lack of interoperability

In its current form, a number of the provisions in the Bill will make it difficult for India’s framework to be interoperable with other frameworks globally and in the region. For example, differences between the draft Bill and the GDPR can be found in the grounds for processing, data localization frameworks, the framework for cross border transfers, definitions of sensitive personal data, inclusion of the undefined category of ‘critical data’, and the roles of the authority and the central government.

11. Legal Uncertainty

In its current structure, there are a number of provisions in the Bill that, when implemented, run the risk of creating an environment of legal uncertainty. These include: lack of definition of critical data, lack of clarity in the interpretation of the terms ‘harm’ and ‘significant harm’, ability of the government to define further categories of sensitive personal data, inclusion of requirements for ‘social media intermediaries’, inclusion of ‘non-personal data’, framing of the requirements for data transfers, bar on processing of certain forms of biometric data as defined by the Central Government, the functioning between a consent manager and another data fiduciary, the inclusion of an AI sandbox and the definition of state. To ensure the greatest amount of protection of individual privacy rights and the protection of personal data while also enabling innovation, it is important that any data protection framework is structured and drafted in a way to provide as much legal certainty as possible.

Endnotes

1. (2017) 10 SCC 641 (“Puttaswamy I”).

2. Clause 42(1) of the 2018 Bill states that “Processing of personal data in the interests of the security of the State shall not be permitted unless it is authorised pursuant to a law, and is in accordance with the procedure established by such law, made by Parliament and is necessary for, and proportionate to such interests being achieved.”

3. (2019) 1 SCC 1 (“Puttaswamy II”)

4. Puttaswamy I, supra, para 180.

5. (1978) 1 SCC 248.

6. Ibid para 48.

7. Puttaswamy I supra para 180.

8. State of W.B. v. Anwar Ali Sarkar, 1952 SCR 284; Satwant Singh Sawhney v A.P.O AIR 1967 SC1836.

9. (2016)7 SCC 353.

10. Dvara Research “Initial Comments of Dvara Research dated 16 January 2020 on the Personal Data Protection Bill, 2019 introduced in Lok Sabha on 11 December 2019”, January 2020, https://www.dvara.com/blog/2020/01/17/our-initial-comments-on-the-personal-data-protection-bill-2019/ (“Dvara Research”).

11. “A Data Sandbox for Your Company”, Terrific Data, last accessed on January 31, 2019, http://terrificdata.com/2016/12/02/3221/.

12. Clause 3(20) — “harm” includes (i) bodily or mental injury; (ii) loss, distortion or theft of identity; (ii) financial loss or loss of property; (iv) loss of reputation or humiliation; (v) loss of employment; (vi) any discriminatory treatment; (vii) any subjection to blackmail or extortion; (viii) any denial or withdrawal of service,benefit or good resulting from an evaluative decision about the data principal; (ix) any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or surveilled; or (x) any observation or surveillance that is not reasonably expected by the data principal.

13. Alex Hern “Anonymised data can never be totally anonymous, says study”, July 23, 2019 https://www.theguardian.com/technology/2019/jul/23/anonymised-data-never-be-anonymous-enough-study-finds.

14. Clause 97 of the 2018 Bill states“(1) For the purposes of this Chapter, the term ‘notified date’ refers to the date notified by the Central Government under sub-section (3) of section 1. (2)The notified date shall be any date within twelve months from the date of enactment of this Act. (3)The following provisions shall come into force on the notified date-(a) Chapter X; (b) Section 107; and (c) Section 108. (4)The Central Government shall, no later than three months from the notified date establish the Authority. (5)The Authority shall, no later than twelve months from the notified date notify the grounds of processing of personal data in respect of the activities listed in sub-section (2) of section 17. (6)The Authority shall no, later than twelve months from the date notified date issue codes of practice on the following matters-(a) notice under section 8; (b) data quality under section 9; (c) storage limitation under section 10; (d) processing of personal data under Chapter III; (e) processing of sensitive personal data under Chapter IV; (f ) security safeguards under section 31; (g) research purposes under section 45; (h) exercise of data principal rights under Chapter VI; (i) methods of de-identification and anonymisation; (j) transparency and accountability measures under Chapter VII. (7)Section 40 shall come into force on such date as is notified by the Central Government for the purpose of that section.(8)The remaining provision of the Act shall come into force eighteen months from the notified date.”

For more details visit https://cis-india.org/internet-governance/blog/comments-to-the-personal-data-protection-bill-2019

Comments to The PDP Bill 2019

akash — 2020-02-12T11:52:11Z

For more details visit https://cis-india.org/internet-governance/comments-to-the-pdp-bill-2019

Gen Comments to PDP Bill

akash — 2020-02-12T11:50:32Z

For more details visit https://cis-india.org/internet-governance/gen-comments-to-pdp-bill

Annotated version of Comments to The Personal Data Protection Bill 2019

akash — 2020-02-12T11:18:33Z

For more details visit https://cis-india.org/internet-governance/annotated-version-of-comments-to-the-personal-data-protection-bill-2019

November 2019 Newsletter

Admin — 2019-12-31T14:53:11Z

CIS newsletter for November 2019

Highlights for November 2019
If you think that Indian languages are as important as international languages, like English, then, you are on the same page with this article. Suswetha Kolluru and Nitesh Gill explains this in their blog posts published in multiple languages: English, Punjabi, Hindi and Telugu. Gurshabad Grover was nominated through the Bureau of Indian Standards (BIS) to be a member of the Advisory Group AG) on Open Source Software for ISO/IEC JTC 1. CIS is a partner on the project 'Gender, Health Communications and Online Activism in the Digital Age'. The project is lead by Dr. Carolina Matos, Senior Lecturer in Sociology and Media in the Department of Sociology at City University. Ambika Tandon, Policy Officer at CIS, conducted fieldwork for the project in May and June 2019 as a research assistant. Dr. Carolina Matos's presentation can be accessed here. The need for intervention in the cybersecurity imagery in media publications was realised during a brainstorming workshop that was conducted by CIS with illustrators, designers, and cybersecurity researchers. Towards this CIS compiled a handbook introducing Cybersecurity Visuals Media. CIS, along with Design Beku launched the Cybersecurity Visuals Media Handbook. This handbook has been conceived to be a concise guide for media publications to understand the specific concepts within cybersecurity and use it as a reference to create visuals that are more informative, relevant, and look beyond stereotypes. Anusha Madhusudhan authored a research paper titled "Blockchain: A primer for India". The paper aims to provide a comprehensive review of existing research and major debates surrounding Blockchain technology and its developments in select jurisdictions with a specific focus on India. Vipul Kharbanda authored a research paper titled Draft Security Standards for The Financial Technology Sector in India. This document includes draft information security standards, which seek to ensure that not only the data of users is dealt with in a secure and safe manner but also that the smaller businesses in the fintech industry have a specific standard to look at in order to limit their liabilities for any future breaches. Pukhraj Singh, a cyber threat intelligence analyst who has worked with the Indian government and security response teams of global companies authored a guest blog post titled "Before cyber norms, let’s talk about disanalogy and disintermediation". Pukhraj looks at the critical fissures – at the technical and policy levels – in global normative efforts to secure cyberspace. CIS was acknowledged in the final report of the Global Commission on Stability of Cyberspace.

CIS and the News

The following articles and research papers were authored by CIS secretariat during the month:

India’s Role in Global Cyber Policy Formulation (Arindrajit Basu; Lawfare; November 7, 2019). The article was reviewed and edited by Elonnai Hickok and Justin Sherman.
The Telecom Crisis is an NPA Problem (Shyam Ponappa; Business Standard; November 7, 2019).

CIS in the News

CIS secretariat was consulted for the following articles published during the month in various publications:

Why having more CCTV cameras does not translate to crime prevention (Manasa Rao; News Minute; September 3, 2019). Published on the CIS website on December 5, 2019.
Activists demand judicial probe into WhatsApp snooping (K.V. Kuramath; Hindu Businessline; November 1, 2019).
Cyber law experts asks why CERT-In removed advisory warning about WhatsApp vulnerability (Megha Mandavia; ET Tech.com; November 4, 2019).
WhatsApp spy attack and after (Theres Sudeep; Deccan Herald; November 6, 2019).
Should online political advertising be regulated? (P.J. George; Hindu; November 8, 2019).
India facial recognition: How effective will it be? (Al Jazeera; November 8, 2019).
Proposals to regulate social media run into multiple roadblocks ( Saumya Tewari and Abhijit Ahaskar; Livemint; November 27, 2019).

Access to Knowledge

Access to Knowledge is a campaign to promote the fundamental principles of justice, freedom, and economic development. It deals with issues like copyrights, patents and trademarks, which are an important part of the digital landscape.

Wikipedia

Under a grant from Wikimedia Foundation we are doing a project for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

Blog Entries

Project Tiger 2.0 (Suswetha Kolluru and Nitesh Gill; November 22, 2019). in English
Project Tiger 2.0 (Suswetha Kolluru and Nitesh Gill; November 22, 2019). in Punjabi
Project Tiger 2.0 (Suswetha Kolluru and Nitesh Gill; November 22, 2019). in Hindi
Project Tiger 2.0 (Suswetha Kolluru and Nitesh Gill; November 22, 2019). in Telugu

Internet Governance

The Tunis Agenda of the second World Summit on the Information Society has defined internet governance as the development and application by governments, the private sector and civil society, in their respective roles of shared principles, norms, rules, decision making procedures and programmes that shape the evolution and use of the Internet. As part of internet governance work we work on policy issues relating to freedom of expression primarily focusing on the Information Technology Act and issues of liability of intermediaries for unlawful speech and simultaneously ensuring that the right to privacy is safeguarded as well.

Freedom of Speech & Expression

Under a grant from the MacArthur Foundation, CIS is doing research on the restrictions placed on freedom of expression online by the Indian government and contribute studies, reports and policy briefs to feed into the ongoing debates at the national as well as international level. As part of the project we bring you the following outputs:

Blog Entry

Reliance Jio is using SNI inspection to block websites (Gurshabad Grover and Kushagra Singh, and edited by Elonnai Hickok; November 7, 2019).

Participation in Events

Roundtable Discussion on Intermediary Liability (Organized by SFLC and the Dialogue; New Delhi; October 17, 2019). Tanaya Rajwade participated in a roundtable discussion on intermediary liability.

Gender

Blog Entry

Project on Gender, Health Communications and Online Activism with City University (Ambika Tandon; November 28, 2019).

Cyber Security

Research Paper

Introducing the Cybersecurity Visuals Media Handbook (Handbook concept, content and design by: Padmini Ray Murray and Paulanthony George; Blog post authored by: Saumyaa Naidu and Arindrajit Basu; With inputs from: Karan Saini; Edited by: Shweta Mohandas; November 15, 2019).

Blog Entry

Before cyber norms, let’s talk about disanalogy and disintermediation (Pukhraj Singh; November 15, 2019).

Information Technology / Financial Technology

Research Papers

Draft Security Standards for The Financial Technology Sector in India (Vipul Kharbanda with inputs from Prem Sylvester; November 15, 2019).
Blockchain: A primer for India (Anusha Madhusudhan; with inputs from Karan Saini and Mira Swaminathan; edited by Elonnai Hickok, Siddharth Sonkar and Aayush Rathi; November 18, 2019).

Blog Entry

Event Report: Consultation on Draft Information Technology (Fintech Security Standards) Rules (Anindya Kanan; reviewed and edited by Vipul Kharbanda, Elonnai Hickok and Arindrajit Basu; November 12, 2019).

Privacy

Under a grant from Privacy International and IDRC we are doing a project on surveillance. CIS is researching the history of privacy in India and how it shapes the contemporary debates around technology mediated identity projects like Aadhar. As part of our ongoing research, we bring you the following outputs:

Participation in Event

IETF106 (Organized by IETF; Singapore; November 16 - 22, 2019). Gurshabad Grover participated in the meeting.

Researchers@Work

The researchers@work programme at CIS produces and supports pioneering and sustained trans-disciplinary research on key thematics at the intersections of internet and society; organise and incubate networks of and fora for researchers and practitioners studying and making internet in India; and contribute to development of critical digital pedagogy, research methodology, and creative practice.

Event Organized

Domestic Work in the ‘Gig Economy’ (Organized by CIS and Domestic Workers’ Rights Union; November 16, 2019; Student Christian Movement of India, Mission Road, Bangalore).

Telecom

The growth in telecommunications in India has been impressive. While the potential for growth and returns exist, a range of issues need to be addressed for this potential to be realized. One aspect is more extensive rural coverage and the second aspect is a countrywide access to broadband which is low at about eight million subscriptions. Both require effective and efficient use of networks and resources, including spectrum.

Monthly Blog

The Telecom Crisis is an NPA Problem (Shyam Ponappa; Business Standard and Organizing India Blogspot; November 7, 2019).

About CIS

CIS is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

Follow CIS on:

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

Support CIS:

Please help us defend consumer and citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

Collaborate with CIS:

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/november-2019-newsletter

Is India's Digital Health System Foolproof?

aayush — 2019-12-30T17:58:00Z

This contribution by Aayush Rathi builds on "Data Infrastructures and Inequities: Why Does Reproductive Health Surveillance in India Need Our Urgent Attention?" (by Aayush Rathi and Ambika Tandon, EPW Engage, Vol. 54, Issue No. 6, 09 Feb, 2019) and seeks to understand the role that state-run reproductive health portals such as the Mother and Child Tracking System (MCTS) and the Reproductive and Child Health will play going forward. The article critically outlines the overall digitised health information ecosystem being envisioned by the Indian state.

This article was first published in EPW Engage, Vol. 54, Issue No. 47, on November 30, 2019

Introduced in 2013 and subsequently updated in 2016, the Ministry of Health and Family Welfare (MHFW) published a document laying out the standards for electronic health records (EHRs). While there exist varying interpretations of what constitutes as EHRs, some of its characteristics include electronic medical records (EMRs) of individual patients, arrangement of these records in a time series, and inter-operable linkages of the EMRs across various healthcare settings (Häyrinen et al 2008; OECD 2013).

To work effectively, EHRs are required to be highly interoperable so that they can facilitate exchange among health information systems (HIS) across participating hospitals. For this, the Integrated Health Information Platform (IHIP) is being developed so as to assimilate data from various registries across India and provide real-time information on health surveillance (Krishnamurthy 2018).

EHR Implementation: Unpacking the (Dis)incentive Structure

As the implementation of EHR standards is voluntary, anecdotal evidence indicates that their uptake in the Indian healthcare sector has been very slow. Here, the opposition of the Indian Medical Association to the Clinical Establishments (Registration and Regulation) Act, 2010, resulting in nationwide protests and subsequent legal challenges to the act, is instructive. To start with, the act prescribes the minimum standards that have to be maintained by clinical establishments which are registered or seeking registration (itself mandatory to run a clinic under the act) [1]. Further, Rule 9(ii) of the Clinical Establishments (Registration and Regulation) Rules, 2012, drafted under the act, requires clinical establishments to maintain EMRs or EHRs for every patient. However, with health being a state subject in India, the act has only been enforced in 11 states and all union territories except the National Capital Territory of Delhi (Jyoti 2018). The resistance to the act is largely due to protests by stakeholders from within the medical fraternity regarding its adverse impact on small- and medium-sized hospitals (Jyoti 2018).

Contextualising Clinicians' Inertia

Another major impediment to the adoption of EHRs by health service providers is reluctance on the part of individual physicians to transition to an EHR system. This is because compliance with EHR standards requires physicians to input clinical notes themselves.

Comparing the greater patient load faced by doctors in India vis-à-vis the United States (US), the chief medical officer of an EHR vendor in India estimates that the average Indian doctor sees about 40–60 patients a day, whereas in the US it may be around 18–20 patients (Kandhari 2017). This is suggestive of the wide disparity in the number of physicians per 1,000 citizens in both countries (World Bank nd). Given this, doctors in India tend to be more problem-oriented, time-strapped, and pay less attention to clinical notes (Kandhari 2017). Thus, clinicians will consider a system to be efficient only if the system reduces their documentation time, even if the time savings do not translate into better patient care (Allan and Englebright 2000). The inability of EHRs to help reduce documentation time deters clinicians from supporting their implementation (Poon et al 2004). Additionally, research done in the United States indicates that there is no evidence to suggest that an information system helps save time expended by clinicians on documentation (Daly et al 2002). Moreover, the use of an information system is stated to have had no impact on patient care, but doctors have acknowledged its use for research purposes (Holzemer and Henry 1992).

Prohibitive Costs of Implementation

While national-level EHRs have been adopted globally, their distribution across countries is telling. In a survey published in 2016 by the World Health Organization, wealthier countries were over-represented, with two-thirds from the upper-middle-income group and roughly half from the high-income countries having introduced EHR systems. On the other hand, only a third of lower-middle-income countries and 15% of low-income countries reported having implemented EHRs (World Health Organization 2016). A major reason for the slow uptake of EHRs in poorer countries is likely to be funding as EHR implementation requires considerable investment, with most projects averaging several million dollars (US) (Kuperman and Gibson 2003). Although various funding models for EHR implementation are being utilised globally, it is unclear what model will be adopted in India to bring in private healthcare service providers within its ambit (Healthcare Information and Management Systems Society 2007). This absence of funding direction for private actors poses to be a significant impediment in the integration of private databases with other public ones.

In general, poorer countries are also more likely to have less developed infrastructure and health Information and Communication Technology (ICT) to support EHR systems. Besides this, they not only lack the capacity and human resources required to develop and maintain such complex systems (Tierney et al 2010; McGinn et al 2011), but training periods have also been found to be long and more costly than expected (Kovener et al 1997).

Socio-economic Exclusions and Cross-cultural Barriers

There exists scant research investigating the existing use of EHRs in India, though preliminary work is being undertaken to assess EHR implementation in other developing countries (Tierney et al 2010; Fraser et al 2005). Even in the context of developed countries, where widespread adoption of EHRs has been gaining traction for some time now, very little data exists around implementation and efficacy in underserved regions and communities. This is further problematised as clinical information systems and user populations also vary in their characteristics and, for this reason, individual studies are unable to identify common trends that would predict EHR implementation success.

Underserved settings may lack the infrastructure needed to support EHRs. The risk of exclusion already exists in parts such as difficulties inherent in delivering care to remote locations, barriers related to cross-cultural communication, and the pervasive problem of providing care in the setting of severe resource constraints. Equally important is the fact that health workers who already report significant existing impediments in their delivery of routine care in these settings do not necessarily see EHRs as being useful in catering to the specific needs of their patient population (Bach et al 2004). Moreover, experience with EHRs also reveals that there are cultural barriers to capturing accurate data (Miklin et al 2019). What this could mean is that stigma associated with the diagnosis of conditions such as HIV/AIDS or induced abortions will result in their under-reporting even within EHR systems.

Stick or Twist?

Other modalities have been devised to nudge healthcare providers into adopting EHR standards voluntarily. The National Accreditation Board for Hospitals and Healthcare Providers (NABH), India, a constituent board of the Quality Council of India (a public–private initiative), has been reported to have incorporated the EHR standards within its accreditation matrix. NABH accreditation, considered an indicator of high quality patient care, is highly sought–after by hospitals in India in order to attract medical tourists as well as insurance companies: two prominent sources of income for hospitals (Kandhari 2017). Additionally, NABH accreditation is valid for a term of three years, thus requiring hospitals seeking to renew their accreditation to adopt EHR standards as well.

Another commercial use of EHR has been in health insurance. The Federation of Indian Chambers of Commerce and Industry (FICCI) and the Insurance Regulatory and Development Authority (IRDAI) have both voiced their support for expediting the implementation of the EHR standards (EMR Standards Committee 2013). Both, the FICCI and IRDAI have placed emphasis on adopting EHRs, seeing it as a necessary move for formalising the health insurance industry (FICCI 2015). They have also had representation on the committee that sent recommendations to the MHFW on the first version of the EHR standards in 2013 (FICCI 2015). FICCI had additionally played a coordination role in having the recommendations framed for the 2013 EHR standards.

Fluid Data Objectives

The push for EHR implementation is emblematic of a larger shift in the healthcare approach of the Indian state, that of an indirect targeting of demand-side financing by plugging data inefficiencies in health insurance.

The draft National Health Policy (NHP), published in 2015, reflected the mandate of the Ministry of Health and Family Welfare to strengthen the public health system by creating a right to healthcare legislation and reaching a public spend of 2.5% of the gross domestic product by 2018. The final version of the NHP, published in 2017, however, codified a shift in healthcare policy by focusing on strategic purchasing of secondary and tertiary care services from the private sector and a publicly funded health insurance model.

In line with the vision of the NHP 2017, in February 2018, the Union Minister for Finance and Corporate Affairs, Arun Jaitley, announced two major initiatives as a part of the government’s Ayushman Bharat programme (Ministry of Finance 2018). Administered under the aegis of the Ministry of Health and Family Welfare, these initiatives are intended to improve access to primary healthcare through the creation of 150,000 health and wellness centres as envisioned under the NHP 2017, and improve access to secondary and tertiary healthcare for over 100 million vulnerable families by providing insurance cover of up to ₹ 500,000 per family per year under the Pradhan Mantri–Rashtriya Swasthya Suraksha Mission/National Health Protection Scheme (PM–RSSM/NHPS) (Ministry of Health and Family Welfare 2018). The NHPS, modelled along the lines of the Affordable Care Act in the US, was later rebranded as the Pradhan Mantri–Jan Arogya Yojana (PM-JAY) at the time of its launch in September 2018. It is claimed to be the world’s largest government-funded healthcare programme and is intentioned to provide health insurance coverage for vulnerable sections in lieu of the Sustainable Development Goal-3 (National Health Authority nd).

To enable the implementation of the Ayushman Bharat programme, the NITI Aayog then proposed the creation of a supply-side digital infrastructure called National Health Stack (NHS) (NITI Aayog 2018). As outlined in the consultation and strategy paper, the NHS is “built for NHPS, but beyond NHPS.” The NHS seeks to leverage the digitisation push through IndiaStack, which seeks to digitalise “any large-scale health insurance program, in particular, any government-funded health care programs.” The synergy is clear, with the NHPS scheme also aiming to be “cashless and paperless at public hospitals and empanelled private hospitals" (National Health Authority nd) [2].

The NHS is also closely aligned with the NHP 2017, which draws attention to leveraging technologies such as big data analytics on data stored in universal registries. The Vision document for the NHS emphasises the fragmented nature of health data as an impediment to reducing inequities in healthcare provision. The NHS, then, also seeks to be the master repository of health data akin to the IHIP. By creating a base layer of registries containing information about various actors involved in the healthcare supply chain (providers such as hospitals, beneficiaries, doctors, insurers and Accredited Social Health Activists), it potentially allows for recording of data from both public and private sector entities, plugging a significant gap in the coverage of the HIS currently implemented in India. With the provision of open, pullable APIs, the NHS also shares the motivations of the IndiaStack to monetise health data.

A key component of the proposed NHS is the Coverage and Claims platform, which the vision document describes as “provid[ing] the building blocks required to implement any large-scale health insurance program, in particular, any government-funded healthcare programs. This platform has the transformative vision of enabling both public and private actors to implement insurance schemes in an automated, data-driven manner through open APIs " (NITI Aayog2018). A post on the iSPIRT website further explains the centrality of this Coverage and Claims platform in enabling a highly personalised medical insurance market in India: “This component will not only bring down the cost of processing a claim but ... increased access to information about an individual’s health and claims history ... will also enable the creation of personalised, sachet-sized insurance policies." These data-driven customised insurance policies are expected to generate “care policies that are not only personalized in nature but that also incentivize good healthcare practices amongst consumers and providers … [and] use of techniques from microeconomics to manage incentives for care providers, and those from behavioural economics to incentivise consumers" (Productnation Network 2019). The Coverage and Claims platform, and especially the Policy (generation) Engine that it will contain, is aimed at intensive financialisation of personal healthcare expenses, and extensive experiments with designing personalised nudges to shape the demand behaviour of consumers.

The imagination of healthcare the NHS demonstrates is one where broadening health insurance coverage is equated to providing equitable healthcare and as a panacea for the public healthcare sector. The first phase of this push towards better healthcare provision is to focus on contextualising the historical socio-economic divide. The next phase is characterised by digitalisation: the introduction of ICT to bridge the socio-economic divide in healthcare provision. In this process, the resulting data divide has been invisibilised in reframing better healthcare as an insurance problem for which data needs to be generated. Each policy innovation is then characterised by further marginalisation of those that were originally identified as underserved. This is a result of increasing repercussions of the data-divide, with access to benefits increasingly being mediated by technology.

Concluding Remarks

The idea that any person in India can go to any health service provider/ practitioner, any diagnostic center or any pharmacy and yet be able to access and have fully integrated and always available health records in an electronic format is not only empowering but also the vision for efficient 21st century healthcare delivery.
— Ministry of Health and Family Welfare, Electronic Health Record Standards For India (2013)

The objective of health data collection has evolved over the course of the institution of the HIS in 2011, to the development of the NHPS and National Health Policy in 2017. What began as a solution to measure and address gaps in access and quality in healthcare provisioning through data analysis has morphed into data centralisation and insurance coverage. Shifting goalposts can also be found in the objectives behind introducing digital systems to collect data.

In recent iterations of the healthcare imaginary, such as the IHIP and the NHS, data ownership by the beneficiaries is stressed upon. In the absence of a rights-based framework dictating the use of data, the role of ownership should be interrogated, especially in the context of a prevalent data divide (Tisne 2019). The legitimisation of data capture can be seen in the emergence of opt-in models of consent, data fiduciaries managing consent on the data subject’s behalf, etc. (Zuboff 2019).

This framing forecloses a discussion about the quality and kind of data being used. The push towards datafication needs to be questioned for its re-indexing of categorical meaning away from the complexities of narrative, context and history (Cheney-Lippold 2018). Instead, the proposed solution is one that stores datafied elements within a closed set (reproductive health= [abortion, aids, contraceptive,...vaccination, womb]). While this set may be editable, so new interpretations can be codified, it inherently remains stable, assuming a static relationship between words and meaning. Health is then treated as having an empirically definable meaning, thus losing the dynamism of what the health and wellness discourse could entail.

It has been historically demonstrated in the Indian context that multiple tools and databases for health data management are a barrier to an efficient HIS. However, generating centralised or federated databases without addressing concerns in data flows, quality, uses in existing data structures, and the digital divide across health workers and beneficiaries alike will lead to the amplification of existing exclusions in data and, consequently, service provisioning.

Acknowledgements

The author would like to express his gratitude to Sumandro Chattapadhyay and Ambika Tandon for their inputs and editorial work on this contribution. This work was supported by the Big Data for Development Network established by International Development Research Centre (Canada).

Notes

[1] Section 2 (a) of the Clinical Establishments (Registration and Regulation) Act, 2010: A hospital, maternity home, nursing home, dispensary, clinic, sanatorium or institution by whatever name called that offers services, facilities requiring diagnosis, treatment or care for illness, injury, deformity, abnormality or pregnancy in any recognised system of medicine established and administered or maintained by any person or body of persons, whether incorporated or not.

[2] The National Health Stack, then, is the latest manifestation of the Indian government’s push for a “Digital India.” A key component of Digital India has been e-governance, financial inclusion, and digitisation of transaction services. The nudge towards cashless modes of transaction and delivery, also accelerated by India’s demonetisation drive in November 2016, has led to rapid uptake of digital payment services in particular, and that of the IndiaStack initiative in general. Developed by iSPIRT, IndiaStack (https://indiastack.org/) aspires to transform service delivery by public and private actors alike through its “presence-less, paperless, and cashless” mandate.

References

Allan, J and Jane Englebright (2000): “Patient-Centered Documentation,” JONA: The Journal of Nursing Administration, Vol 30, No 2, pp 90–95.

Bach, Peter, Hoangmai Pham, Deborah Schrag, Ramsey Tate and J Lee Hargraves (2004): “Primary Care Physicians Who Treat Blacks and Whites,” New England Journal of Medicine, Vol 351, pp 575–84.

Cheney-Lippold, John (2018): We Are Data: Algorithms and the Making of Our Digital Selves, New Delhi: Sage.

Daly, Jeanette, Buckwalter Kathleen and Meridean Maas (2002): “Written and Computerized Care Plans,” Journal of Gerontological Nursing, Vol 28, No 9, pp 14–23.

EMR Standards Committee (2013): “Recommendations on Electronic Medical Records Standards in India,” Ministry of Health and Family Welfare, Government of India, New Delhi, https://mohfw.gov.in/sites/default/files/24539108839988920051EHR%20Standards-v5%20Apr%202013.pdf.

Federation of Indian Chambers of Commerce and Industry (2015): "A Guiding Framework for OPD and Preventive Health Insurance in India: Supply and Demand Side Analysis," http://ficci.in/spdocument/20678/P&P-helath-insurance.pdf.

Fraser, Hamish, Paul Biondich, Deshendran Moodley, Sharon Choi, Burke Mamlin and Peter Szolovits (2005): “Implementing Electronic Medical Record Systems in Developing Countries,” Journal of Innovation in Health Informatics, Vol 13 No 2, pp 83–95.

Häyrinen, Kristiina, Kaija Saranto and Pirkko Nykänen (2008): “Definition, Structure, Content, Use and Impacts of Electronic Health Records: A Review of the Research Literature,” International Journal of Medical Informatics, Vol 77, No 5, pp 291–304.

Healthcare Information and Management Systems Society (2007): “Electronic Health Records: A Global Perspective,” http://www.providersedge.com/ehdocs/ehr_articles/Electronic_Health_Records-A_Global_Perspective-Exec_Summary.pdf.

Holzemer, William and S B Henry (1992): “Computer-supported Versus Manually-generated Nursing Care Plans: A Comparison of Patient Problems, Nursing Interventions, and AIDS Patient Outcomes,” Computers in Nursing, Vol 10 No 1, pp 19–24.

Jha, Ashish, Catherine DesRoches, Eric Campbell, Karen Donelan, Sowmya Rao, Timothy Ferris, Alexandra Shields, Sarah Rosenbaum and David Blumenthal (2009): "Use of Electronic Health Records in U.S. Hospitals," New England Journal of Medicine, Vol 360 No 16, pp 1628–1638.

Jyoti, Archana (2018): “States Give Clinical Establishment Act Cold Shoulder," Pioneer, https://www.dailypioneer.com/2018/india/states-give-clinical-establishment-act-cold-shoulder.html.

Kandhari, Ruhi (2017): “Why a Backdoor Push Towards eHealth,” Ken, https://the-ken.com/story/why-backdoor-push-towards-ehealth/.

Kovner, Christine, Lynda Schuchman and Catherin Mallard (1997): “The Application of Pen-Based Computer Technology to Home Health Care,” CIN: Computers, Informatics and Nursing, Vol 15, No 5, pp 237–44.

Krishnamurthy, R (2018): “Integrated Health Information Platform for Integrated Disease Surveillance Program,” Training of the Trainer Workshop, World Health Organisation, New Delhi, https://idsp.nic.in/WriteReadData/IHIP/IHIP%20ToT-Overview-Presentation.pdf.

Kuperman, Gilad and Richard Gibson (2003): “Computer Physician Order Entry: Benefits, Costs, and Issues,” Annals of Internal Medicine, Vol 139 No 1, pp 31–9.

Leung, Gabriel, Philip Yu, Irene Wong, Janice Johnston and Keith Tin (2003): “Incentives and Barriers That Influence Clinical Computerization in Hong Kong: A Population-based Physician Survey,” Journal of the American Medical Informatics Association, Vol 10 No 2, pp 201–12.

McGinn Carrie Anna, Sonya Grenier, Julie Duplantie, Nicola Shaw, Claude Sicotte, Luc Mathieu, Yvan Leduc, France Légaré and Marie-Pierre Gagnon (2011): “Comparison of User Groups' Perspectives of Barriers and Facilitators to Implementing Electronic Health Records: A Systematic Review,” BMC Medicine, Vol 9 No 46.

Miklin, Daniel, Sameera Vangara, Alan Delamater and Kenneth Goodman (2019): “Understanding of and Barriers to Electronic Health Record Patient Portal Access in a Culturally Diverse Pediatric Population,” JMIR Medical Informatics, Vol 7, No 2.

Ministry of Finance (2018): “Budget 2018-19: Speech of Arun Jaitley,” New Delhi, https://www.indiabudget.gov.in/ub2018-19/bs/bs.pdf.

Ministry of Health and Family Welfare, Government of India (2008): "4 Years of Transforming India-Healthcare for All," New Delhi. https://mohfw.gov.in/ebook2018/gvtbook.html.

Ministry of Health and Family Welfare, Government of India (2013): “Electronic Health Record Standards For India,” Government of India, New Delhi, https://www.nhp.gov.in/NHPfiles/ehr_2013.pdf.

Ministry of Health and Family Welfare, Government of India (2017): Request for Proposal: Development and Implementation of Integrated Health Information Platform (IHIP), Centre for Health Informatics, National Institute of Health and Family Welfare, New Delhi, https://nhp.gov.in/NHPfiles/IHIP_RFP%20.pdf.

Ministry of Health and Family Welfare, Government of India (2018): “IDSP Segment of Integrated Health Information Platform,” New Delhi, https://idsp.nic.in/index4.php?lang=1&level=0&linkid=454&lid=3977.

National Health Authority (nd): “About Pradhan Mantri Jan Arogya Yojana (PM-JAY) | Ayushmaan Bharat,” https://www.pmjay.gov.in/about-pmjay.

NITI Aayog (2018): “National Health Stack- Strategy and Approach,” NITI Aayog, New Delhi, http://www.niti.gov.in/writereaddata/files/document_publication/NHS-Strategy-and-Approach-Document-for-consultation.pdf.

Organisation for Economic Co-operation and Development (2013): “Strengthening Health Information Infrastructure for Health Care Quality Governance: Good Practices, New Opportunities and Data Privacy Protection Challenges,” OECD Health Policy Studies, Paris, OECD Publishing, https://read.oecd-ilibrary.org/social-issues-migration-health/strengthening-health-information-infrastructure-for-health-care-quality-governance_9789264193505-en.

Poon, Eric, David Blumenthal, Tonushree Jaggi, Melissa Honour, David Bates and Rainu Kaushal (2004): “Overcoming Barriers to Adopting and Implementing Computerized Physician Order Entry Systems in U.S. Hospitals,” Health Affairs, Vol 23 No 4, pp 184–90.

Productnation Network (2019): “India’s Health Leapfrog–Towards A Holistic Healthcare Ecosystem,” iSpirt, https://pn.ispirt.in/towards-a-holistic-healthcare-ecosystem/.

Rathi, Aayush and Ambika Tandon (2019): “Data Infrastructures and Inequities: Why Does Reproductive Health Surveillance in India Need Our Urgent Attention?” EPW Engage, https://www.epw.in/engage/article/data-infrastructures-inequities-why-does-reproductive-health-surveillance-india-need-urgent-attention.

Sequist, Thomas, Theresa Cullen, Howard Hays, Maile Taualii, Steven Simon, and David Bates (2007): “Implementation and Use of an Electronic Health Record Within the Indian Health Service,” Journal of the American Medical Informatics Association, Vol 14, No 2, pp 191–97.

World Bank (nd): Physicians (per 1,000 people) | Data, https://data.worldbank.org/indicator/SH.MED.PHYS.ZS.

Tierney, William et al. (2010): “Experience Implementing Electronic Health Records in Three East African Countries,” Studies in Health Technology and Informatics, Vol 160, No 1, pp 371–75.

Tisne, Martin (2018): “It’s Time for a Bill of Data Rights,” MIT Technology Review, https://www.technologyreview.com/s/612588/its-time-for-a-bill-of-data-rights/.

World Health Organization (2016): “Global Diffusion of eHealth: Making Universal Health Coverage Achievable,” https://apps.who.int/iris/bitstream/handle/10665/252529/9789241511780-eng.pdf;jsessionid=9DD5F8603C67EEF35549799B928F3541?sequence=1.

Zuboff, Soshana (2019): The Age of Surveillance Capitalism, New York: PublicAffairs.

For more details visit https://cis-india.org/raw/is-indias-digital-health-system-foolproof

Wikiorientation at Dr.GR Damodaran College of Science

bhuvana — 2020-01-18T08:11:03Z

An orientation session on Wikimedia projects was held on 6-7 December 2019 at Dr. GR Damodaran College of Science. This talk was part of the “Hour of Code” event, which is an International event celebrated across the globe to encourage students to develop their knowledge on Computer Science. This event was supported by Open Knowledge movements like Wikimedia, Mozilla, etc.which would help students to share their knowledge in the form of volunteerships and contributions. The highlights of gender gap research and women based projects such as Women in Red were covered as part of a focussed group discussion.

Hour of code event

The “Hour of Code” is an International event conducted across the globe to commemorate the birthday of Grace Hopper, a computer scientist. In India 1047 events were officially registered and were conducted region-wise. In Coimbatore, Dr.G.R. Damodaran College of Science initiated the first Hour of Code event in the city. The event was attended by 350 students, where 50% of the participants were identified as women, from various departments and 6 Open Source and Knowledge movements’ community members were invited as speakers. Among them were Wikimedia, Mozilla, Google Developers Groups, Facebook Devcircles, Women Tech Makers and School of AI where all the community representatives pitched to the student gathering on how to contribute to these groups. The students were enthusiastic to initiate Open source clubs and also nominate a Point Of Contact with the guidance of the faculty members.

Wiki Orientation

https://commons.wikimedia.org/wiki/File:Wikiorientation_at_Dr.GR_Damodaran_college_of_arts_and_science,_Coimbatore_-6.jpg

https://commons.wikimedia.org/wiki/File:Wikiorientation_at_Dr.GR_Damodaran_college_of_arts_and_science,_Coimbatore_-7.jpg

I was invited as a Chief Guest for the event to talk to students about how they may contribute to Wikimedia and its projects. I presented to the students the various forms of Wiki which would be of interest to coders and non-coders. This also included discussions on Wikidata, Wikisource, Wikipedia, Wikimedia commons and Wikimedia in Education program. As the participants from the college were mostly from Tamil Nadu, I also emphasised how contribution in Tamil in the Wiki world will be of great help. I discussed with students how contribution to an Open Knowledge movement not only enhances their intellectual stand but also benefits the whole world. Also the founder of Koval labs, Coimbatore was the co-speaker of the day who highlighted about importance of Open source and Computer Science in today's industries.

Bridging Gender Gap

After the orientation, I invited a few participants to a focussed group discussion about my research on “Bridging the Gender gap in Indian Wikipedia languages”.A majority of the participants were women, even though the event was open to all. I discussed the research work and the necessity behind this. Apart from this I introduced the students to various women- focussed wiki-based projects such as Women In Red, WikiLoves Women, Wiki Women for Women Well Being (WWWW) etc. I also asked the attendees to express t in the open discussion session on what are the major issues faced by women in technology taking examples from their own lives.

https://commons.wikimedia.org/wiki/File:Wikiorientation_at_Dr.GR_Damodaran_college_of_arts_and_science,_Coimbatore_-12.jpg

The common and major issues with pursuing a career in technology discussed were the inaccessibility to internet and infrastructure to work at home besides the other household responsibilities. Also the freedom to pursue a career in this field is less and not permissible for longer years in these women's lives.

Key observations/ learnings

https://commons.wikimedia.org/wiki/File:Wikiorientation_at_Dr.GR_Damodaran_college_of_arts_and_science,_Coimbatore_-9.jpg

The key issues of women working on technology in a structured environment (such as an educational institution in this case).
The possibilities of initiating a WikiClub at the campus.
Almost 60% was interested in non/less coding contributions/subjects.
Discussed the kinds of projects students can contribute to on Wikipedia.

Press coverage about the event can be seen at Desathin Nambikai , The Covai mail news , Prime Time Tamil , Covai news and Updatenews360.com

For more details visit https://cis-india.org/a2k/blogs/wikiorientation-at-dr-gr-damodaran-college-of-science-1

India’s record on internet shutdown gets bleaker; now blocked in 2 NE states

Admin — 2019-12-15T05:51:20Z

India reported over 100 internet shutdown in 2018, according to an annual study of Freedom House, a US-based non-profit research organization.

The article was published in the Hindustan Times on December 11, 2019. Pranesh Prakash was quoted.

The internet shutdown on Tuesday in Arunachal Pradesh and Tripura amid spiraling protests against the Citizenship (Amendment) Bill in the Northeast is the latest in a series of such shutdowns across India, which topped the list of countries that resorted to such measures in 2018.

India reported over 100 internet shutdown in 2018, according to an annual study of Freedom House, a US-based non-profit research organization. The study on the internet and digital media freedom was conducted in over 65 countries, which cover 87% of the world’s internet users

Police and administrative authorities have cited protests and other security reasons to routinely snap the internet in India.

The Centre promulgated the Temporary Suspension of Telecom Services (Public Emergency or Public Safety) Rules, 2017, under the Indian Telegraph Act, 1885, in August 2017 for legal sanction to the shutdowns.

As per the rules, Union home ministry secretary or secretaries of state home departments can order temporary suspension of the internet. An internet suspension order has to be taken up for review within five days.

Prior to 2017, authorities could shut down the internet under Section 144 of the Code of Criminal Procedure (CrPC), which empowers an executive magistrate to prohibit an assembly of over four people.

Section 5 (2) of the Telegraph Act, 1855, allowed the government to prevent transmission of any telegraphic message during a public emergency or in the interest of public safety.

The Kashmir Valley has remained under an internet shutdown since August 4. The shutdown was imposed hours ahead of the nullification of the Constitution’s Article 370 that gave Jammu and Kashmir special status.

Internet and phone lines were snapped ahead of Republic Day celebrations in 2010 in one of the first reported shutdowns in the Valley. Kashmir also holds the record for the longest shutdown when the internet was snapped for 133 days after the killing of Hizbul Mujahideen militant Burhan Wani in July 2016. The current shutdown, with 122 days and counting, is the second-longest.

The 100-day blackout in Darjeeling during the Gorkha agitation in 2016 is the third-longest internet shutdown in India.

Ahead of the verdict in the Ram Janmabhoomi-Babri Masjid title suit last month, the internet was shut down in parts of Maharashtra, Rajasthan, Haryana and Uttar Pradesh. The internet was shut down for three days in Gujarat during the agitation for a quota in jobs and educational institutes for the Patidar community in 2015.

As per the Software Freedom Law Centre, which provides free legal services to protect Free and Open Source Software, the total number of shutdowns in Indian since 2012 is more than 359. As per the tracker -- internetshutdowns.in -- which records such instances from newspaper clippings -- there have been 89 internet shutdowns in 2019, 134 in 2018, and 79 in 2017.

“As a part of this project, we track incidents of Internet shutdowns across India in an attempt to draw attention to the troubling trend of disconnecting access to Internet services, for reasons ranging from curbing unrest to preventing cheating in an examination,” it states as part of its purpose.

In September this year, the Kerala High Court held that access to the internet is a fundamental right. According to Pranesh Prakash of the Centre for Internet Society, the shutdowns are largely unlawful.

“David Kaye, the UN special rapporteur on the right to freedom of opinion and expression, has condemned the shutdowns and noted that the principles of proportionality and necessity should be adhered to in case of shutdowns. Yet, there have been several instances where lives have been lost in Kashmir due to the lockdown,” he said.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-december-11-2019-indias-record-on-internet-shutdown-gets-bleaker

Cyber security tips for small businesses

Theres Sudeep — 2019-12-05T23:35:59Z

It is important to have good cyber security practices, experts recommend.

The article by Theres Sudeep was published in the Deccan Herald on December 1, 2019. Arindrajit Basu was quoted.

Many times small businesses don’t allocate any of their budgets to cybersecurity. This is due to the common misconception that it’s only larger companies and governments that need to worry about attacks by hackers and the like.

This is not the case as Arindrajit Basu of The Centre for Internet and Society explains, “The kind of risks that smaller players are vulnerable to may not be on the scale of threats that larger companies encounter, but it is equally important for them to have good cybersecurity practices,” he says.

Phishing, an attempt to obtain sensitive information by disguising oneself as a trustworthy entity, and ransomware, a type of malware that threatens to publish the victim’s data or block access to it unless a ransom is paid, are the two most common kinds of attacks on small business according to Basu.

He adds that many hackers see small businesses as an easy way into a larger network. Once the smaller nodes are breached, they can easily get to the bigger players on the network.

Bengaluru, the startup capital of the country, has many such small businesses that need to better their cybersecurity practices.

The first and foremost step recommended by Basu is to create a strategy within your business plan and revise it periodically. This must include employee training and guidelines on what to if there is a breach.

Apart from this owners and employees are advised to routinely change passwords and back up their data on a device that doesn’t connect to the internet.

Owners are also advised to monitor access to admin accounts.

Many small businesses and startups don’t have offices of their own, which means employees end up working at a cafe or the like.

When working at these venues, make sure to carry your own WiFi or use the hotspot from your phone. Open WiFi networks are vulnerable to attacks.

Basu concludes by saying that small businesses must be periodically audited by an independent cybersecurity firm.

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-december-1-2019-theres-sudeep-cyber-security-tips-for-small-businesses