Data Fiduciaries under NDHM

(This is a continuation of the previous Article)

The Health Data Protection policy announced by NHD scheme has adopted the Obligations of data fiduciaries and rights of data principles from the Personal Data Protection Bill 2019.

Accordingly the obligations include

1.Accountability,

2.Transparency,  (Including Data Trust Score, Grievance Redressal, Periodical update of changes in the  processing)

3. Privacy by Design . (The system is envisaged to have a decentralized storage of data which could mean multiple data bases at State/UT level introducing the security requirements commensurate with the associated risks. )

4. Choice and Consent driven sharing

5. Purpose limitation

6.Collection, Use and Storage limitation

7. Empowerment of the rights guaranteed

8. Maintenance of Data Quality

9. Reasonable Security Practices and Procedures

As could be expected, the Ministry of Health which is in love with ISO standards has stated that “The data fiduciaries will implement the International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements” as well as any other standard as may be applicable to them”

Naavi.org has extensively discussed the desirability of the regulations not to suggest a particular proprietary standard to be implemented.

To reiterate, this means that every Data Fiduciary is being forced by the regulation to buy an ISO 27001 certificate which has a payment tag.

It is impossible to avoid a perception that this is being suggested for reasons other than the necessity and it is suggested that the Ministry drops this provision.

It must be also pointed out that ISO 27001 does not support the DTS system and is not comprehensive enough for the compliance of the Techno Legal requirement.

The policy suggests a NDHM-CISO and NDHM-DPO to be appointed by the organizations.

Obligations of Data Processors are similar to PDPB 2019 as entities bound by contractual agreements.

The Data Fiduciary needs to conduct a Data Protection Impact Assessment and maintain appropriate records. They should also conduct periodical review audits.

Sharing of Data

Sharing of de-identified and anonymized data may be permitted while sharing within the community of Health Information Users who will have obligations similar to the Data Fiduciary.

Grievance Redressal

The policy envisages that the Data Fiduciaries shall have a Grievance Rederssal mechanism and the DPO will be accountable to redress the grievances.

Data Breach Management

The National health Authority (NHA) is expected to notify the time limits related to the notification of data breaches. The NHA will report the breaches to the Cert-In for the time being.

NDHM Sandbox Environment

It is interesting to note that the Ministry is providing a sand box arrangement for software systems to be tested in a controlled environment. The Sandbox hosts APIs for Health ID service, Consent Manager gateway etc.

Penalties

Any non compliance of the regulations may attract cancellation of the registration and stoppage of contracts.

Summary

While the policy is an attempt to implement the provisions of the PDPB 2019 to the health sector, once the PDPA comes into being, it would be better if this policy is simplified to avoid overlapping with the PDPA provisions.

Further the references to the ISO audit as if it is mandatory must be removed and the security inconsistencies need to be addressed.

We keep our fingers crossed to see how the Ministry would respond.

Naavi

All Articles in the series:

1.National Digital health mission shows the way… Be Ready before PDPA becomes effective

2.NDHM is a trend setter… Get started early on the Privacy Protection journey

3.Consent Management under NDHM

4. NDHM-Health Management policy Objective need not be linked to ISO standard

5.Managing IDs in NHD ecosystem

6. Data Fiduciaries under NDHM



About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.