In Modi Govt’s Unique Health ID Push, Consent And Privacy Are Missing

“Today, we are launching a mission that has the potential of bringing a revolutionary change in India’s health facilities,” Prime Minister Narendra Modi said during the launch of the Ayushman Bharat Digital Mission (ABDM) on 27 September.

ABDM involves the creation of unique health IDs for every citizen, crores of which have already been generated during the COVID-19 vaccination drive and without the informed consent of those who registered on the Co-WIN portal with their Aadhaar numbers.

Initially announced on 15 August, 2020, by the Prime Minister as the ‘National Digital Health Mission’, ABDM aims to develop the “backbone necessary to support the integrated digital health infrastructure of the country”.

This Mission is essentially part of the Centre’s effort to create a “state-of-the-art” digital health ecosystem by digitising health records of citizens, creating registries of healthcare professionals and facilities and bridging “the existing gap amongst different stakeholders of the healthcare ecosystem through digital highways”.

This piece shall analyse the three concerns of consent, privacy and the absence of a legal framework to examine the claims made by the Centre regarding the “citizen-centric” and “privacy by design” approach of ABDM.

ABDM stems from the National Health Policy (2017) that envisaged the digitisation of India’s healthcare ecosystem. Following this, the Union Ministry of Health & Family Welfare came up with a blueprint in July 2019 to design the ‘building blocks’ of the National Health Stack.

With ambitious principles of unique IDs, privacy by design, interoperable data and open standards as core driving principles, the blueprint declares that it seeks to build an ecosystem of integrated databases of patients, health records and hospitals.

The blueprint proposed a National Digital Health Mission (NDHM) to carry out these objectives. Running as a pilot project across six Union Territories so far, the NDHM was launched by the Prime Minister as ABDM on 27 September. “Since the implementation is envisioned to be in a mission mode, the initiative is referred to as the Ayushman Bharat Digital Mission (ABDM),” the National Health Authority states.

Some of the stated objectives of ABDM include:

• To establish state-of-the-art digital health systems, to manage the core digital health data, and the infrastructure required for its seamless exchange

• To establish registries in order to create a single source of truth in respect of clinical establishments, healthcare professionals, health workers, drugs and pharmacies

• To enforce the adoption of open standards by all national digital health stakeholders

• To create a system of personal health records easily accessible to individuals and healthcare professionals and services providers, based on an individual’s informed consent

• To ensure national portability in the provision of health services

Even before the launch, the creation of unique health IDs had started with the Co-WIN portal by, what can be best described as, digital sleight of hand. The Central government automatically generated unique health ID numbers for all individuals who chose to register on Co-WIN by using their Aadhaar number as ID. This was carried out without the free and informed consent of those individuals. According to an RTI filed by Medianama, the National Health Authority has stated that it has already generated 11 crore unique IDs. This is also reflected in vaccine certificates, where many have found a 14-digit health ID in their names.

The bypassing of informed consent from citizens for creating a new ID in their names assumes greater seriousness, given that the Mission has also published an informed consent framework as part of its Health Data Management Policy. The framework states that consent must be “freely and clearly given” — something that appears to have rather clearly been violated.

Co-WIN’s fine print states that the individual is “voluntarily” sharing her Aadhaar number for the creation of a health ID that can be used in “any healthcare interaction across India”. The consent section also goes on to state that the individual consciously chooses to use Aadhaar number for the purpose of availing benefits across the Digital Healthcare Ecosystem.

At the outset, there is little clarity on whether the 14-digit unique health ID, like the Aadhaar ID, is meant to be a confidential number. If this is so, then by virtue of the ID being published on vaccine certificates, the privacy of the ID is already jeopardised. The requirement of vaccine certificates at various public places such as airports, hotels, restaurants means that the ID is available to those who have no business storing it.

Moreover, in June 2021, the National Digital Health Mission had published the “Health Data Management Policy” (HDMP), which envisages “privacy by design”, “accountability”, “transparency” as guiding principles for entities processing citizens’ sensitive health data.

However, like the issue of informed consent of citizens, a closer look at the Policy reveals several loopholes and shortcomings in the “design” of citizens’ privacy. Internet Freedom Foundation (IFF) highlights that the HDMP allows for broad data processing opportunities as well as storing and processing of data for periods longer than what a company should be allowed.

These threaten to violate ABDM’s own privacy principles of “purpose limitation”, “collection, use and storage limitation”.

According to IFF, the data management policy fails to envisage a strong accountability mechanism to enforce privacy. “For example, in case of breach of security, only notifying the NDHM has been mandated, whereas notifying the user has not been made compulsory! Meanwhile, the carte blanche given for the processing and usage of anonymised personal data as ‘non-personal’ data ignores several attendant security hazards,” IFF states.

Unlike the 12-digit Aadhaar ID, which, belatedly so, is governed by the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, the implementation of the health ID lacks any such statutory framework. An overarching concern that remains despite Prime Minister Modi listing the benefits to the common people is that without statutory backing, effective data protection would be nearly impossible to enforce, especially since the HDMP does not contain adequate penalties for non-compliance as a deterrent.

The approach to health data and a digitised health ecosystem, one that essentially stems from the Central government’s agenda of “data as a public good”, has tended to discount individual autonomy and privacy in favour of harvesting as much personal data as possible. This lies at the core of privacy and consent concerns. It has previously surfaced in the Personal Data Protection Bill and needs to be re-examined now.

(Sushovan Sircar is an independent journalist who reports on technology and cyber policy developments. His reports explore stories at the intersection of internet and society, covering issues of privacy, surveillance, cybersecurity, India’s data regime, social media and emerging technologies. He tweets @Maha_Shoonya. This is an opinion piece, and the views expressed are the author’s own. The Quint neither endorses nor is responsible for them.)