The Unique Health Identifier (UHID) was introduced by the Central Government to identify and verify the identities of beneficiaries on health-based Information Technology (IT) applications. Through the integration of health data across numerous applications, the UHID enables the creation of longitudinal Electronic Health Records for citizens as well as de-duplication for the Ministry of Health.
The UHID was introduced with a three-pronged purpose of ‘Unique Identification’, ‘Authentication’ and ‘Maintaining a Repository of the Health Records of a Person’. The UHID aims to enable ease of access to all the health records of a person, from admission to discharge; and to create a detailed health history by linking personal health records with the UHID. The creation of such UHID on the basis of Aadhaar authentication may include a collection of data including health data, personal data, and sensitive personal data.
It is pertinent to note that, despite the noble rationale behind the introduction of UHID, the creation of such ID on the basis of voluntary Aadhaar verification is likely to be prone to various data privacy concerns, including data breach, citizen profiling and surveillance, data exploitation, etc.
UNIQUE HEALTH IDENTIFIER RULES, 2021
The Unique Health Identifier Rules, 2021 (the UHID Rules) were notified on the Gazette of India on 01.01.2021. Rule 2 of the UHID Rules stipulates that UHID would be established on voluntary Aadhaar-based verification.
For the creation of a UHID, Rule 3 of the UHID Rules allows entities who are willing to provide voluntary Aadhaar authentication to create health ID and share health information via various Health IT applications. For the purpose of providing Aadhaar authentication services to Health IT applications for the creation of UHID, Rule 4 of the UHID Rules states that the Ministry of Health and Family Welfare shall be designated the Authentication User Agency (AUA)/ KYC User Agency (KUA).
Rule 5 and Rule 6 of the UHID Rules further emphasize on the voluntary nature of Aadhaar verification by stating that no health services can be denied on the ground that the beneficiary did not consent to Aadhaar based verification.
DATA PRIVACY CONCERNS SURROUNDING UHID
With the use of voluntary Aadhaar-based verification for the generation of UHID, it appears that sensitive personal health information is at risk of compromise. Despite the Aadhaar-based verification being accorded a “voluntary” status, the UHID Rules, when read in conjunction with the National Digital Health Mission (NDHM) Policy, appear to rely solely on Aadhaar for the provision of UHIDs. Aadhaar-based verification has already been subject to questions of digital security and privacy. The lack of data protection legislation merely exacerbates these problems.
Furthermore, any directions or guidelines issued for the secure processing of data and any safeguards for the protection of privacy surrounding UHID may not be enforced appropriately in the absence of data protection legislation, increasing the risk of abuse of sensitive health data of many individuals.
Despite the creation of UHID on the basis of Aadhaar verification expressly declared to be a “voluntary” process by the UHID Rules, a significant breach of consent was undertaken by the Government when the Co-WIN Portal automatically generated 11 crore UHIDs of users on the basis of Aadhaar numbers, without obtaining their consent. The creation of such UHIDs without obtaining informed consent is in serious contravention of the Health Data Management Policy (HDMP), which stipulates that “free and clearly given” consent is a mandatory pre-requisite for the creation of UHIDs.
The HDMP further stipulates “Privacy by Design” (PbD) as a guiding element for the processing of sensitive health data. However, the UHID is mentioned on the vaccine certificates of individuals, leaving behind no scope for PbD, as such vaccine certificates are required to be displayed and/or submitted at public places such as airports, hotels, restaurants, etc.
The types of data that could be collected for the creation of UHID are likewise a source of grave concern. It is to be noted that for the creation of UHID, the AUA/KUA may collect sensitive information concerning sexual orientation, religious beliefs, and political convictions, which could be utilized for citizen profiling and monitoring.
Consequently, the engagement of the private sector in the creation of such UHID must be thoroughly monitored and investigated in relation to the usage of sensitive health data. Financial incentives are likely to overpower the data privacy measures in play, resulting in the exploitation of sensitive health and personal data by private businesses for profitable reasons, such as variations in insurance premiums.
Needless to say, the lack of proper controls in place to defend against unauthorized data access by third parties is consequential to the absence of data privacy legislation.
The HDMP issued under the NDHM Policy has accorded a broad definition to “data fiduciaries”. Resultantly, a wide range of commercial entities, including colony wellness centers, have access to and the authorization to collect health data via the UHID, potentially expanding the extent of citizen profiling.
Another aspect of concern is the use of Aadhaar based verification by private players for the authentication of UHID, in violation of the decision of the Supreme Court in Justice K.S. Puttaswamy (Retd) v. Union of India, [AIR 2017 SC 4161]; wherein it was held that the use of Aadhaar authentication by private entities is unconstitutional. Through this decision, the use of Aadhaar authentication in a contractual relationship was barred by the Court, implying that any use of Aadhaar authentication by private organizations is in violation of the Constitution of India.
In light of the aforementioned data privacy concerns surrounding the verification of identity for the creation of UHID, the following measures can be implemented moving forward to ensure data privacy and data security:
1. Statutory Framework for UHID
The UHID Rules provide for the procedure to be followed for the creation of UHIDs on voluntary Aadhaar based verification. However, such Rules have been issued without the existence of any statutory framework to this extent. In the absence of any statutory framework forming the backbone of UHID, it becomes nearly inconceivable to ensure data protection and data privacy of personal data, sensitive personal data and health data of the individuals.
2. Determination of the necessity, objective and data privacy and data security measures of electronic medical records
It is suggested that, as the medical profession is still divided on the use of digital health records on clinical outcomes, a conclusive analysis of the usage of such digital health records in terms of efficacy and privacy issues must be conducted. Reference may also be laid on similar studies conducted by other countries.
In furtherance of such analysis, the Government must undertake stakeholder consultations in order to fine-tune this framework with an objective of enhanced medical outcomes, rather than emphasizing on data collection. An unrestricted and consultation-based system involving public health organizations, independent academics and specialists, and digital rights organizations must be prioritized.
3. Stringent scrutinization of Aadhar-based authentication
Aadhaar-based verification has been exploited for the purpose of data gathering, unintentional monitoring, exclusions, and even potential fraud. Given the aforementioned concerns, the use of Aadhaar for authentication purposes should be subjected to stringent scrutinization and monitoring by a Data Controller.
With the objective of analysing macro data for the provision of uniform health services, the Central Government introduced the NDHM which proposed the use of a unique health identifier, i.e., UHID for each citizen.
The Government’s intention behind the introduction of UHID on the basis of Aadhaar verification may relate to the agenda of “data as a public good”. However, the current UHID framework has placed the requirements of informed, voluntary consent on the backseat, with its apparent focus on collection and storage of sensitive and personal health data flouting all data privacy safeguards.
In the backdrop of the same, the pressing need of the moment is to bring into force the Personal Data Protection Bill and ensure strict compliance of the data privacy principles laid down by the Bill by all concerned authorities and entities handling Aadhaar-based verification and storage of sensitive, personal data for the creation of UHID.
For any queries or feedback, please feel free to connect with email@example.com or firstname.lastname@example.org