The National Digital Health Mission (NDHM) has issued the Health Data management policy which has been introduced over the previous series of articles. As per the document on the NDHM website, the Health Data Management Policy (HDMP) is the first step in realizing the NDHM’s guiding principle of “Security By Design” for the “protection of the data principal’s personal digital heath data privacy”. This acts as the minimum standard for data protection that should be followed across the board in order to ensure compliance of relevant and applicable laws, rules and regulations.
Participation of an individual or a medical practitioner or a health facility in the scheme is voluntary and the participants when they opt in would be issued a “Health ID” or “Digi-Doctor ID” or a Health Facility ID”. These IDs will be unique as long as the participants are within the system and if they opt out, they will be deactivated and in the case of the individuals may be deleted and erased on request.
In order that the policy is complied with, it would be necessary for organizations to be compliant with the provisions of the policy along with the applicable laws. Presently, the applicable law is Information Technology Act 2000 as amended in 2008 which under Section 43A addresses the requirements of securing “Health Data”. However, the PDPB 2019 represents the “Due Diligence” and is recognized in the policy itself.
In order to enable organizations to adopt to the compliance requirements, Naavi suggests the use of the “PDPSI” system which is being developed in the context of PDPA of India or PDPAI (Proposed). As we await the PDPB 2019 to become a law, we can apply the PDPSI to the NDHM policy implementation as is briefly explained here.
PDPSI stands for “Personal Data Protection Standard of India” and is meant to assist SME/MSME s to adopt PDPA (proposed) as also to develop a Certifiable standard along with an assessment system for Data Trust Score (DTS) evaluation.
After the undersigned presented the concept of PDPSI and DTS about 2 years back, the two systems have been widely discussed with the professionals associated with the FDPPI movement. (See www.fdppi.in for more information on FDPPI). As a result of these deliberations, the PDPSI has evolved along with the DTS system and these systems would be explained in a series of articles here.
The PDPSI Ecosystem
To start with, we need to recognize that the PDPSI is a complete ecosystem that supports the Organizations that require PDPAI (proposed) to be implemented in their organizations.
PDPSI is developed as a “Unified System” for compliance of multiple Data Protection regimes and is applicable not only for compliance of PDPA of India but also for GDPR or DIFC DPL, Singapore PDPA, CCPA or Brazil LGPD or any other data protection regulation.
Hence PDPSI is also ready as a compliance eco system for the NDHM-HDMP.
The PDPSI Eco system consists of Standards, Implementation Specifications and a DTS system.
The PDPSI serves the requirement of different types of users. The Standards are meant to be used by accredited auditors to Certify an organization. The Implementation Specifications are meant to be used by the implementers as a guideline for compliance. On the other hand, The DTS is meant to be used by Data Auditors who after their audit present their assessment in the form of a DTS.
PDPSI is meant to be used as a unified platform for multiple Data Protection Compliance. The DTS however has to be computed differently for different compliance requirements and therefore, DTS-In will be different from DTS-GDPR for the same organization.
We shall explore the concept of PDPSI further in the follow up articles.