Photo: Raphael Brasileiro/Pexels.
As India progresses through its ‘unlock’ phases, we can expect to see a proliferation of digital technologies to contain the novel coronavirus’s spread. In these efforts, conserving patient privacy would be critical.
However, many government bodies in India have somewhat deprioritised this issue; some state governments even mandate selfies and facial recognition. Other countries have performed these same functions in a way that preserves the users’ privacy, using de-identified, aggregated data and without exporting data from the users’ phones.
This begs the question: does patient privacy have to be compromised for public health?
If you live in a WhatsApp-friendly housing society, chances are you know who the COVID-19 patients near you are. Residents’ welfare associations often play fast and loose with patient data, just like quite a few public institutions. The Kerala government has been relatively more conscientious; it released its third notification regarding handling personally identifiable information recently. However, even it made a few missteps at first. For example, after the first cluster outbreak in the state, the state government published detailed individual information about patients, who were later identified and stigmatised in the media as “super spreaders”.
In similar ways and others, people suspected to have COVID-19 as well as those who have tested positive have often been stigmatised and been subject to harassment.
There are many situations where the preservation of patient identity is impossible and unadvised. For example, courts have ruled in favour of limiting the right to privacy of an HIV patient if the patient posed a risk of transmission to their spouse-to-be. However the nature of personal information that needs to be shared should be carefully considered.
Recently, the Ministry of Home Affairs revised its guidelines from mandating everyone to use the Aarogya Setu app to asking employers to ensure employees use it on a ‘best effort basis’. But what must employers do if their employees are primary contacts or even symptomatic? Can employers cancel their contract or insist on unpaid leave?
For example, large employers like the UN have issued clear guidelines about protecting the confidentiality of patients even when informing primary contacts. Similarly, the Equal Employment Opportunities Commission has defined a set of questions that employers can ask employees and how the information could affect recruitment. If a patient’s privacy is being suspended, it must happen in a controlled environment, such as a hospital with a sunset clause. For example, the US health department waives patient privacy for hospitals implementing a disaster protocol, which can operate for 72 hours only.
In India, there are no such standard operating procedures. Both states and the Centre have been operating with little legislative backing. The Aarogya Setu app’s privacy policy mentions that data will only be shared with ‘the government’ but doesn’t say which departments – nor is there a clearly defined purpose. The app assists with self-assessment, contact tracing, health messaging and with obtaining e-passes. There is little explanation for why data will be stored for a certain amount of time. For example, the data of people with COVID-19 will be stored for 60 days. Some experts have argued it should just be 21.
While the Personal Data Protection Bill (PDP) is still being tabled in parliament, interpreting the existing set of laws to determine the proper course of action is very involved. The IT Act 2000 now includes rules for sensitive personal data or information (SPDI), and punishes those who disclose information without the information provider’s consent. Physical, physiological and mental health conditions, and medical records and history are classified as SPDI.
The Supreme Court’s 2017 judgement, that privacy is a fundamental right, set out four tests – legality, necessity or legitimacy, proportionality and procedural safeguards – that the government must pass if it wants to infringe on privacy.
The problem is that multiple states have used the Disaster Management Act 2005 to frame their COVID-19 response. The Act gives states considerable flexibility to act “as it may consider necessary” (Section 6(2)(i)). Not that the PDP Bill promises to be much better, with its broad exceptions (“… in the interest of sovereignty and integrity of India, the security of the State…”). This allows personal data to be processed without consent for, among other things, responding “to any medical emergency involving a threat to life”.
In contrast, governments like those of the UK have issued repeated reminders to organisations to adhere to the General Data Protection Regulations 2016. This was echoed by the European statement that expressly called for safeguards and proportionality when restricting fundamental freedoms even during an emergency. The EU guidelines for contact-tracing apps require participation to be voluntary and the data collected to be proximal information rather than individual movement data.
From the perspective of symptomatic COVID-19 patients – without clear delineation of patients rights in the contexts of employment, residence, quarantine, access to essential services, etc., the patients have no incentive to report the truth. And with only one in six patients having registered to use the app (never mind actually activating it), is the app efficacious in achieving its primary purpose of contact-tracing?
Apart from a few exceptions (such as in Begusarai and Pune), few states have acted on the Indian Council of Medical Research advisory to protect patient information, and announced punitive action against violators. Similarly, while officials of the Ministry of Information Technology have condemned the violations, the ministry itself has not issued any advisories, nor have the home and health ministries. As states ease restrictions and workplaces reopen, we need to develop norms to protect the privacy of patients and encourage reporting violations through the very (social) media in which they take place.
States and the Centre must also process personal information with statutory backing such as ordinances. Such laws must respect the principles of data protection, such as minimalistic collection, purpose limitation, access limitation, limited secondary use, safeguards, sunset clauses and third-party audits. Transparency is desirable in and of itself – but it’s also useful to receive the trust and participation of citizens and civil society.
The author would like to thank Vikram Sinha for his helpful inputs and suggestions.
Sneha P. is a senior associate at the IDFC Institute, with an interest in economics and governance.