Disease Surveillance in India: Data Protection and Privacy Concerns Commentary
BlenderTimer / Pixabay
Disease Surveillance in India: Data Protection and Privacy Concerns
Edited by: Gabrielle Wast | U. Pittsburgh School of Law, US
JURIST Guest Columnist Nikhil Pratap, a practicing lawyer in New Delhi, India and advocate at the Indian Supreme Court, discusses India's use of the Integrated Disease Surveillance Project to combat the COVID-19 pandemic and advocates for independent disease surveillance legislation...

One of the focal points of the government health response to COVID-19 in India has been the extensive use of mobile phone applications such as the Aarogya Setu for contact tracing and quarantine. The applications have already been subject to widespread criticism for insufficient protection of user data. Notwithstanding the role of mobile phone applications, the longstanding Integrated Disease Surveillance Project (IDSP) continues to be the primary method to gather epidemiological intelligence and carry out contact tracing in India. Its importance is evident from the fact that very recently, the Director of the NCDC has stated that IDSP is the “primary weapon” in the war against COVID-19 and the Ministry of Health and Family Welfare (MoHWF) has announced that about 9.45 lakh people are currently being monitored under the IDSP. Similarly, the Government of India and China-led Asian Infrastructure Investment Bank (AIIB) have signed a $500 million “COVID-19 Emergency Response and Health Systems Preparedness Project”, a large portion of which will be used to strengthen the IDSP.

Given the size, scale, and the central role of IDSP in the government response against COVID-19 and its collection of large swathes of sensitive personal data, legitimate data protection concerns may arise. These concerns are relevant, especially in light of the Personal Data Protection Bill (PDB Bill) which is under discussion before a Joint Parliamentary Committee of the Parliament of India and may soon be enacted.

This article addresses some of the said concerns regarding the IDSP and the collection and processing of personal data thereunder. It also seeks to analyze issues that may arise while operationalizing the of the PDP Bill and the resultant need for an independent disease surveillance legislative framework. To further understand the privacy issues regarding the IDSP, it is important to elucidate the functions of the IDSP and the manner of its operation. 

The Eyes of Public Health – The IDSP

Disease surveillance has been called “the eyes of public health” and “the finger on the pulse of the health of a community”. The World Health Organization (WHO) defines it as “an ongoing, systematic collection, analysis and interpretation of health-related data essential to the planning, implementation, and evaluation of public health practice.” An example of a successful communicable disease surveillance program in India is the National Polio Surveillance Project established in 1996 in collaboration with the WHO under which India was officially declared polio-free in 2014. 

The IDSP was conceptualized based on the implementation experience of the WHO supported National Surveillance Project for Communicable Diseases. In 2004, it was operationalized as a decentralized surveillance program, with the National Centre for Disease Control (NCDC) as its nodal agency. The main purpose of IDSP is to detect a communicable disease, map its spread and design and monitor an appropriate response, and to control the disease in an effective and timely manner. It is implemented at the grassroots level, or through district-wide monitoring and collection, collation, compilation, and analysis of data. The healthcare responsibilities are coordinated between central and state governments, jointly. Through its sixteen years of existence, the IDSP has had a continued engagement in disease surveillance of communicable diseases such as dengue fever, malaria, Chikungunya, and tuberculosis. It has also played a significant role in the government’s successful efforts against SARS, H1N1, Avian Influenza, and NIPAH.

The IDSP employs thousands of personnel including medical and paramedical staff for carrying out its functions. They manually collect and record relevant health monitoring data. The staff then feeds this data via the internet on the communication technology (ICT) network for its compilation, collation, analysis, and dissemination, which is used to study transmission dynamics and make an accurate assessment for public health interventions. To further digitize and facilitate the collection and handling of data under the program, the MoHFW introduced an Integrated Health Information Platform (IHIP) in 2018. The IHIP, as per the MoHFW website, is a web-enabled real-time electronic information system to provide a single and common operating platform for accessing data and meta-data from all levels (villages, states, and center).

Through its ICT and IHIP platforms, the IDSP thus collects and carries out complex data analysis and modeling of large amounts of personal data of citizens. Given the width and scale of the IDSP, it is imperative that the personal data of the individuals who are subject to monitoring under the program is protected through comprehensive protection measures and mechanisms.

 Data Protection Law and Principles

The Supreme Court of India in the case of Justice K.S.Puttaswamy (Retd) vs Union Of India has already recognized and adopted the right to privacy of all individuals, as a Fundamental Right protected under Part III of the Indian Constitution. It is now settled by the Court that personal data protection is an essential component of the fundamental right to privacy. The Court has in fact interpreted “informational privacy” to include the principles of “data protection”, such as reasonable processing of data, purpose limitation, collection limitation, lawful processing, storage limitation, data quality, and accountability.

The necessity of strong personal data protection in epidemiological surveillance has also been highlighted in the International Health Regulations (IHR). In 2005, the WHO adopted the IHR “to prevent, protect against, control and provide a public health response to the international spread of disease in ways that are commensurate with and restricted to public health risks”. The provisions of the IHR binds all 194 WHO member countries, including India. One of the core capacity requirements of a signatory under Article 5 of the IHR is that it shall build, strengthen, and maintain the capacities required for disease surveillance and response, much like the IDSP.

Article 45 of the Regulations sets out data protection principles for all personal data exchanged between member countries or with the WHO. It states that identifiable personal data shall be kept confidential and processed anonymously by the signatories unless it is essential for assessing and managing public health risks. It also furnishes standards such as lawful, fair processing, purpose limitation, data minimization, accuracy, storage limitation, as well as rights of the data subject, or the person whose data is collected. Albeit not binding on domestic disease surveillance programs, Article 45 of the IHR provides a good reference point for the data protection principles that must be adopted by the IDSP.

Existing Data Protection Regimes in Disease Surveillance

Despite data protection standards having been firmly enshrined in both national and international legal jurisprudence, there is no legislation regulating the data collection, processing, dissemination, or management under the IDSP program. The Electronic Health Record (EHR) Standards, which were notified by the MoHFW in 2013 and revised in 2016, specify voluntary technical standards for the creation and maintenance of Electronic Health Records. These standards apply to all forms of health data collected and processed by healthcare providers. The EHR Standards adopt principles of privacy and data protection for sensitive personal information such as data ownership, security, the audit of logs, access restrictions, and the rights to the data subject. However, these EHR Standards are not mandatory.

In 2017, the MoHFW had released a draft of the Digital Information Security in Healthcare Act (DISHA) in the public domain for comments. The Act intended to set up a National Digital Health Authority which would adopt and promote e-health standards and enforce data privacy, security, confidentiality, reliability measures, and also regulate storage & exchange of Electronic Health Records. The Act aimed at providing legal teeth to the EHR standards and also sought to give legislative recognition to data protection principles, which have now been recognized in the 2019 Personal Data Protection Bill. The draft was however subsequently withdrawn as the MoHFW was informed that the Ministry of Electronics and Information Technology (MeitY) was in process of enacting a Personal Data Protection Act, applicable in all domains including health.

Operationalization Issues in Data Protection Bill

The pertinent issue for consideration here is the manner in which the PDP law must be operationalized so that the IDSP does not fall foul of the law. The PDP Bill, like all previously discussed regulations and standards, also sets out data protection principles. However, as per the provisions of the Bill, any processing of personal data of a person can only be carried out after the consent of the data subject is obtained. The 2019 Bill provides for an exemption from the consent of the data subject for the performance of certain State functions. One such State function is “to undertake any measure to provide medical treatment or health services to any individual during an epidemic, outbreak of disease or any other threat to public health.” An important rider is that the exemption from consent can only be granted when this State function is authorized by law.  

Due to the larger health interest it serves, data under IDSP (much like any other disease surveillance program) is often processed without the consent of individuals. Therefore, as per the provisions of the PDP Bill as enumerated above – all data processing under the IDSP must be sanctioned by law so that it does not fall foul of the PDP Bill. This means that the IDSP must be sanctioned by a statute or law once the PDP Bill comes into effect.

Further, an exemption from the consent of the Data Subject under the abovementioned circumstances has no bearing on the other provisions of the PDP Bill, which will continue to apply notwithstanding the exemption from consent. Principle of lawful and fair processing, purpose limitation, data minimization, accuracy, storage limitation, security, accountability as well as rights of the data subject will be applicable, even in cases of epidemic or public health emergencies, irrespective of the consent of the Data Subject. Now, COVID-19 is caused by a novel coronavirus and little is known about its symptoms, transmission, and other characteristics (such as the possibility of reinfection). As such, there is no certainty about the possible uses and the purposes of the information collected during epidemic surveillance. The continuously evolving situation means that the data collected for one purpose may have to be used for further research to determine the pattern of transmission of infection, or may have to be put to re-use in case of a resurgence of the infection.

Thus, defining a “purpose limitation” for the collection of such data must be an extensive exercise, especially in situations where time is of the utmost essence. It must require a nuanced scientific understanding of the epidemic. This further solidifies the indispensability of a legal framework for the IDSP, wherein the purpose and procedure for collection of personal data are defined by a specialized body, which also takes into account principles of transparency, accountability, and data principal rights.

A Necessary Legal Framework

Currently, the protection of personal data has been underpinned by an ad-hoc administrative framework. With the growing importance of IDSP especially in the current circumstances, it is imperative to enact a comprehensive disease surveillance law, which will enable a robust and effective program without the concomitant threats to the human right of privacy.

A good example of robust disease surveillance is the European Regulation (EC) No 851/2004 establishing a European Centre for Disease Prevention and Control. It is binding law on all countries of the European Union. The law sets out necessary structures to strengthen the defence against communicable diseases and to address threats to public health in a coordinated and coherent manner. It establishes a network for the epidemiological surveillance and also a framework for scientific advice, assistance and expertise from trained medical, scientific, and epidemiological staff. Amongst other provisions to ensure effective data collection, analysis, and validation, it also ensures transparency, confidentiality, and protection of personal data of individuals, “except for information which must be made public if circumstances so require, in order to protect public health.”

With data protection law in the works, a disease surveillance law will go a long way in striking a fine balance between public health interest and privacy to ensure an effective health response in real-time emergencies. Data protection principles such as lawful and fair processing, purpose limitation, data minimization, accuracy, storage limitation, security, accountability as well as rights of the data subject must find articulation in such a law.  

Further, a comprehensive law also has the immense potential to improve transparency and interoperability of IDSP, thereby opening new frontiers for data-driven research in public health. The emerging global threat from COVID-19 has provided the government with a rare opportunity to improve its epidemic surveillance regime and also adequately protect the constitutional right to privacy, an opportunity that must not be squandered.

For more on COVID-19, see our special coverage.

 

Nikhil Pratap is a practicing lawyer in the Supreme Court, the High Court of Delhi, and other forums in New Delhi. Nikhil graduated from the West Bengal National University Juridical Sciences, Kolkata with a B.A. LL.B (Hons) and previously worked as Judicial Clerk-cum-Research Assistant to Justice A.K.Sikri at the Supreme Court of India, assisting him in the judgment challenging the AADHAR scheme. Nikhil currently assists Dr. Amar Patnaik, a member on the Joint Parliamentary Committee perusing the 2019 Personal Data Protection Bill, as a consultant.

 

Suggested citation: Nikhil Pratap, Disease Surveillance in India: Data Protection and Privacy Concerns, JURIST – Professional Commentary, June 2, 2020, https://www.jurist.org/commentary/2020/06/nikhil-pratap-disease-surveillance/

This article was prepared for publication by Gabrielle Wast. Please direct any questions or comments to her at commentary@jurist.org

Opinions expressed in JURIST Commentary are the sole responsibility of the author and do not necessarily reflect the views of JURIST's editors, staff, donors or the University of Pittsburgh.
THIS DAY @ LAW

First execution by guillotine in France

On April 25, 1792, highwayman Nicolas-Jacques Pelletier became the first person beheaded by the guillotine in France.

Learn more about the history of the guillotine.