இந்திய நாட்டின் ஒவ்வொரு குடிமகனின் அந்தரங்க தகவல்களை சேகரிக்கும் திட்டம் குறித்த வரைவறிக்கை மீது கருத்து தெரிவிக்க ஒருவார காலம் மட்டுமே மத்திய அரசு அவகாசம் அளித்திருப்பது சர்ச்சையை ஏற்படுத்தியுள்ளது.
நாடு தழுவிய சுகாதாரப் பாதுகாப்பை வழங்குவதன் முதல் படியாக “தேசிய டிஜிட்டல் சுகாதாரத் திட்டம்” நாட்டின் 74வது சுதந்திர தின உரையில் பிரதமர் நரேந்திர மோடியால் அறிவிக்கப்பட்டது. ஒவ்வொரு தனி நபரின் உடல்நிலை குறித்த தகவல்கள் அடங்கிய டிஜிட்டல் சுகாதாரப் பதிவேடுகள், சுகாதாரப் பணியளர்கள் பற்றிய தகவல்கள் மற்றும் சுகாதார கட்டமைப்பு வசதிகள் பற்றிய தகவல்கள் போன்றவற்றை திரட்டி பாதுகாத்து வருவதன் மூலம் ஒவ்வொரு இந்தியரின் சுகாதாரத் தேவையை எளிதாகப் பூர்த்தி செய்வதற்கு இந்த திட்டம் வழிவகுக்கும் என மத்திய அரசால் தெரிவிக்கப்பட்டுள்ளது. இத்திட்டத்தின்படி நாட்டின் ஒவ்வொரு தனி நபரின் மருத்துவ மற்றும் தனிப்பட்ட தகவல்கள் சேகரிக்கப்படும். அவை ஏற்கெனவே உள்ள தனிப்பட்ட அடையாள எண்ணான ஆதார் எண்ணுடன் இணைக்கப்பட்டு ஒவ்வொரு நபருக்கும் ஒரு புதிய மருத்துவ அடையாள எண் தரப்படும். எந்த மருத்துவமனைக்குச் சென்றாலும் இந்த அடையாள எண்ணைக் கொடுத்தால் நமது மருத்துவம் மற்றும் தனிப்பட்ட தகவல்களை அந்த மருத்துவமனை அறிந்துகொள்ளமுடியும். இதனால் விரைவாகவும் மிகச் சரியாகவும் சிகிச்சை அளிக்க இந்த திட்டம் பயன்படும் என்று கூறப்படுகிறது. இந்த திட்டமானது ஏற்கெனவே நாட்டின் மத்திய பொது சுகாதார காப்பீட்டுத் திட்டமான “ஆயுஷ்மான் பாரத் பிரதான் மந்திரி ஜன் ஆரோக்ய யோஜனா”-வை செயல்படுத்திவருகிற தேசிய சுகாதார ஆணையத்தால் (NHA) செயல்படுத்தப்பட உள்ளது.
இந்நிலையில் தான் கடந்த ஆகஸ்டு 26-ம் தேதி இத்திட்டத்தின் முக்கிய அம்சமான நாட்டு மக்களின் சுகாதாரத் தகவல்களை மேலாண்மை செய்வதற்கான வரைவறிக்கை (Health Data Management Policy) பொது மக்களின் கருத்து கேட்பிற்காக வெளியிடப்பட்டுள்ளது. இவ்வறிக்கை தனிநபர் பற்றிய தகவல்கள் எவ்வாறு சேகரிக்கப்படும், சேகரிக்கப்பட்ட தகவல்கள் எவ்வாறு சேமிக்கப்பட்டு பகிரப்படும் என்பதற்கான நடைமுறையை விளக்குகிறது. மேலும் இந்த அறிக்கையானது, சேகரிக்கப்படும் முக்கியமான தனிநபர் தகவல்கள் என்பது ஒருவருடைய மருத்துவ தகவல்கள் மட்டுமல்லாமல் அதாவது உடல் மற்றும் மன நலம் பற்றிய தகவல்கள் மட்டுமல்லாமல், அவருடைய வங்கி கணக்கு, அவரிடம் உள்ள கிரெடிட் கார்டு, டெபிட் கார்டு ஆகியவற்றை உள்ளடக்கிய நிதித் தகவல்கள், பாலினம் மற்றும் பாலினத் தேர்வு பற்றிய தகவல்கள், பாலியல் வாழ்க்கை குறித்த தகவல்கள், மரபணு குறித்த தகவல்கள் மற்றும் ஒருவருடைய சாதி, மதம், அரசியல் நம்பிக்கைகள் குறித்த தகவல்களும் இடம்பெறும் என்று குறிப்பிடுகிறது.
மேலே குறிப்பிடப்பட்டுள்ள இந்த தகவல்கள் அனைத்தும் மத்திய, மாநில மற்றும் சுகாதார அமைப்புகள் என மூன்று அடுக்குகளாக சேமிக்கப்படும். மேலும் தனிநபர் குறித்த தகவல்கள் மீதான உரிமைகள் அவருக்கே உள்ளன என இந்த அறிக்கை கூறினாலும் அந்த தகவல்கள் பிற்காலத்தில் ஆராய்ச்சிகளுக்காகவும், புள்ளிவிவர பகுப்பாய்வுகளுக்காகவும், திட்டங்கள் வகுக்கவும் பயன்படுத்தப்படலாம் என்கிற சந்தேகம் எழுப்பப்படுகிறது. அத்தோடு மருத்துவம் சார்ந்த தகவல்களில் எதற்காக ஒருவரின் அரசியல் பார்வை, பாலின தேர்வு, சாதி போன்ற தனிப்பட்ட விபரங்கள் சேகரிக்கப்படுகின்றன என்கிற கேள்வியும் எழுப்பப்படுகிறது.
ஆதார் எண்ணில் இருக்கும் தனிமனித தகவல்களே பாதுகாப்பாக இல்லை என குற்றச்சாட்டுகள் வரும் போது மருத்துவ தகவல்கள் எந்தளவிற்கு பாதுகாப்பாக இருக்கும் என்றும் வினாக்கள் எழுப்பப்படுகின்றன. இதுகுறித்து தேசிய சுகாதார ஆணையத்தின் தலைமை செயல் அதிகாரி டாக்டர் இந்து பூஷன் பேசும்போது, “இந்தியர்களின் சுகாதாரம் பற்றிய தகவல்களை ஒரு ஒழுங்கிற்கு கொண்டுவருவதற்கான முதல் அடிதான் சுகாதாரத் தகவல்களை மேலாண்மை செய்வதற்கான வரைவறிக்கை. இதில் சேகரிக்கப்படும் அனைத்து தகவல்களும் மிகவும் பாதுகாப்பாக வைக்கப்படும்” என்று தெரிவித்திருக்கிறார்.
ஆனால் இவ்வளவு அம்சங்களை கொண்டுள்ள இந்த வரைவறிக்கையை படித்து மக்கள் தங்கள் கருத்துக்களை சொல்வதற்கு ஆகஸ்டு 26ம் தேதி முதல் செப்டம்பர் 3ம்தேதி வரை மட்டுமே கால அவகாசம் கொடுக்கப்பட்டுள்ளது. இது குறித்து தேசிய சுகாதார அமைப்புகள் வள மையத்தின் முன்னாள் இயக்குனர் திரு. சுந்தரராமன் பொதுமக்கள் கருத்துக்கு ஒருவாரமே கொடுத்துள்ளது மிக அபத்தமானது என்று குறிப்பிட்டுள்ளார். மேலும் ”நமக்கு ஏற்கனவே ஆதார் அடையாள எண் உள்ளது. புதியதாக இந்த மருத்துவ அடையாள எண் யார் கேட்டார்கள்? இந்த எண்ணின் நோக்கம் என்ன? இந்த பணியை மேற்கொள்ளும் துறை மத்திய சுகாதாரத்துறைக்கு வெளியே இருக்க வேண்டியதன் அவசியம் என்ன? இந்த டிஜிட்டல் திட்டம் முழுவதும் கார்ப்பரேட்டுகள் எனப்படும் பெரு நிறுவனங்களின் வருகைக்காக வழங்கப்படும் கட்டமைப்பு” எனவும் கூறியுள்ளார்.
இந்த டிஜிட்டல் சுகாதாரத்திட்டம் நடைமுறைப்படுத்தப்படுவதில் உள்ள நெறிமுறைகள் குறித்து ஏற்கெனவே பல கேள்விகள் எழும்பியுள்ளன. நாளுக்கு நாள் அதிகரித்து வரும் கொரோனா தொற்றுக்களும், அதனால் ஏற்படும் மரணங்களும் நாட்டின் பொது சுகாதாரக் கட்டமைப்பின் அவசியத்தை உணர்த்தியுள்ளன. இந்நிலையில் இந்தியாவின் சுகாதார பிரச்சினைகளை கருத்தில் கொண்டு நாட்டின் அனைத்து மக்களுக்கும் எளிதில் கிடைக்கக்க்கூடிய அளவில் மருத்துவ வசதிகளை உருவாக்காமல், பெரு நிறுவனங்களின் ஆர்வத்தை கவனத்தில் கொண்டு அவர்களுக்காக தகவல்கள் சேகரித்து கொடுக்கிறதா இந்த திட்டம் என சந்தேகங்களை எழுப்பியுள்ளது.
இதுகுறித்து ஆதார் வழக்குகளில் மனுதாரர் சார்பாக ஆஜரான வழக்கறிஞர் திரு. பிரசன்னா, “உலகம் முழுக்க கொரோனா பரவி வரும் இந்த நேரத்தில் மக்களைப் பாதிக்கும் திட்டங்களுக்கு எதிராக மக்கள் ஒன்றிணைந்து குரல் கொடுப்பது கடினமான காரியம். இந்தச் சூழலைப் பயன்படுத்தி இது போன்ற அறிக்கைகள் வெளியிடுவது ஜனநாயகத்திற்கு எதிரானது” என குறிப்பிட்டுள்ளார். மேலும் “மக்களின் கருத்துக்காக ஒருவாரமே கால அவகாசம் கொடுத்திருப்பது பயனுள்ள வகையில் கணிசமான ஆலோசனைகளைப் பெறுவதற்கு அல்லாமல் வெறும் கண்துடைப்புக்காக செயல்படுவது பட்டவர்த்தனமாகிறது” என்றும் குற்றம் சாட்டியுள்ளார். கொரோனா பெருந்தொற்று காலம் என்பதால் மிக அவசரமாக இந்த திட்டத்தை செயல்படுத்தவேண்டிய தேவை இருப்பதாக மத்திய அரசு தரப்பில் இருந்து தெரிவிக்கப்பட்டுள்ளது.
எல்லாவற்றுக்கும் மேலாக அவகாசம் குறைவாக இருந்தாலும் வரைவை முழுமையாக படித்துவிட்டு கருத்து தெரிவிக்கவேண்டியது மக்களின் கடமை. செப்டம்பர் 3க்குள் படித்துவிட்டு கருத்து சொல்லவேண்டிய வரைவின் இணைப்பு. https://ndhm.gov.in/health_management_policy
National Digital Health Mission: Health Data Management Policy Chapter I: Preliminary 1. Purpose The Ministry of Health and Family Welfare (“MoHFW”) is responsible for conceiving the idea of the National Digital Health Mission (“NDHM”). This visionary project of the Government of India, stemming from the National Health Policy, 2017 (“National Health Policy”) intends to digitise the entire healthcare ecosystem of India. This would be done by creating digital health records and creating and maintaining registries for healthcare professionals and health facilities in order to ensure a smooth interoperable framework for the multiple partners associated with healthcare delivery to individuals in India. The National Digital Health Blueprint, 2019 (the “Blueprint”) recommends that a federated architecture be adopted, instead of a centralised architecture for the management of health data to ensure interoperability, technological flexibility and independence across the National Digital Health Ecosystem (“NDHE”). The data collected across NDHE will be stored at three levels, i.e. at a Central level, at a State or Union Territory level and lastly, at the health facility level, adopting the principle of minimality at each level. The federated structure necessitates the development of a framework that can be utilised throughout the NDHE to safeguard the privacy of confidential health data that has been collected from individuals in India. This would be essential to build a trust quotient across the NDHE as well as to ensure that the personal and health data of all individuals in India is adequately protected. To that end, this Health Data Management Policy (the “Policy”) is the first step in realising NDHM’s guiding principle of “Security and Privacy by Design” for the protection of individuals’ data privacy. It acts as a guidance document across the NDHE and sets out the minimum standard for data privacy protection that should be followed across the board in order to ensure compliance with relevant and applicable laws, rules and regulations. This Policy is to be read along with, and not in contradiction to, any applicable law, or any instrument having the effect of any law together with the Blueprint, the information security policy, the data retention and archival policy and any other policy which may be issued for the implementation of the NDHM. This Policy is not to be interpreted or construed as giving any entity or individual rights which are greater than those that such entity or individual would be entitled to under applicable laws. 2. Applicability The provisions of this Policy shall be applicable to the entities involved in the NDHM and the partners/persons who are a part of the NDHE. This includes: (a) All entities and individuals who have been issued an ID under this Policy; (b) healthcare professionals, including but not limited to doctors or health practitioners, nurses, laboratory technicians, and other healthcare workers; (c) governing bodies of the MoHFW, the National Health Authority (“NHA”), relevant professional bodies and regulators; (d) Health Information Providers; (e) any health care provider who collects, stores and transmits health data in electronic form in connection with its transactions; (f) payers i.e., Central Government, State Governments, insurers, health plans, charitable institutions, etc.; 2 (g) pharmaceuticals – drug manufacturers, medical device manufacturers, and entities involved in the relevant supply chain; (h) research bodies – institutions, individual researchers including researchers utilising data for health data analytics, statisticians, analysts, public health institutions, etc.; (i) Health ID holders i.e., patients, family members and beneficiaries; (j) all individuals, teams, entities or ecosystem partners who collect or process personal or sensitive personal data of any individual as part of the NDHE; and (k) all methods of contact, including in person, written, via Internet, direct mail, telephone or facsimile, as the case may be. 3. Objectives The key objectives of this Policy are: (a) to provide adequate guidance and to set out a framework for the secure processing of personal and sensitive personal data of individuals who are a part of the NDHE in compliance with all applicable laws; (b) to safeguard digital personal health data, including the Personal Health Identifier, the electronic health records and electronic medical records, by implementing adequate technical and organisational measures across the NDHE ecosystem; (c) to create a system of digital personal and medical health records which is easily accessible to individuals and health service providers and is purely voluntary in nature, based on the consent of individuals, and in compliance with international standards such as ISO/TS 17975:2015 (defines the set of frameworks of consent for the collection and processing of health data by healthcare practitioners and other entities) and other relevant standards related to data interoperability and data sharing as may be notified for the implementation of NDHM from time to time; (d) to increase awareness of the importance of data privacy and instil a privacy-oriented mindset among the members of NDHM and its ecosystem partners; (e) to ensure national portability in the provision of health services; (f) to establish appropriate institutional mechanisms for auditing of the NDHE as needed and to encourage stakeholders and ecosystem partners to adopt the data protection principles set out in this Policy; and (g) to leverage the information systems existing in the Indian health sector by encouraging conformity with the defined data privacy standards and integrating such existing systems with NDHE. 4. Definitions In this Policy, unless the context otherwise requires, - (a) “anonymisation” in relation to personal data, means such irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified through any means reasonably likely to be used to identify such data principal; (b) “biometric data” means facial image, fingerprint scans, iris scans, or any other similar personal data resulting from measurements or technical processing operations carried out on physical, physiological, or behavioural characteristics of a data principal, which allow or confirm the unique identification of that natural person; 3 (c) “child” means a natural person/individual who has not completed eighteen years of age; (d) “consent” means the consent referred to in paragraph 9 of this Policy; (e) “consent artifact” means a machine-readable document that specifies the parameters and scope of data sharing and access that a data principal consents to in any personal data sharing transaction; (f) “consent manager” means an entity or an individual, as the case may be, that interacts with the data principal and obtains consent from him/her for any intended access to personal or sensitive personal data, where the role of the consent manager may be provided by the NHA or any other service provider; (g) “data” means and includes a representation of information, facts, concepts, opinions, or instructions in a manner suitable for communication, interpretation, or processing by humans or by automated means; (h) “data fiduciary” means any person, including the State, a company, any juristic entity or any individual who alone, or in conjunction with others, determines the purpose and means of processing of personal data. For the purpose of this Policy, data fiduciaries would include Health Information Providers and Health Information Users if such entities are determining the purpose and means of processing of personal data; (i) “data principal” means the natural person/individual to whom the personal data relates; (j) “data processor” means any person, including the State, a company, any juristic entity or any individual, who processes personal data on behalf of a data fiduciary; (k) “Data Retention and Archival Policy” means the Data Retention and Archival Policy which shall be formulated by the NHA; (l) “de-identification” means the process by which a data fiduciary or data processor may remove, or mask identifiers from personal data, or replace them with such other fictitious name or code that is unique to a data principal but does not, on its own, directly identify the data principal; (m) “electronic health records” or “EHR” are one or more repositories, physically or virtually integrated, of data in digital form, relevant to the wellness, health and healthcare of an individual, capable of being stored and communicated securely and of being accessible by multiple authorized users (such as health practitioners or health facilities), represented according to a standardized or commonly agreed logical information model. Essentially, an EHR is a collection of various medical records that get generated during any clinical encounter or events; (n) “electronic medical records” or “EMR” refers to a repository of records that is stored and used by the HIP generating such records to support patient diagnosis and treatment. EMR may be considered as a special case of EHR, limited in scope to the medical domain or is focused on the medical transaction; (o) “harm” means, -- (i) bodily or mental injury; 4 (ii) loss, distortion or theft of identity; (iii) financial loss or loss of property; (iv) loss of reputation or humiliation; (v) loss of employment; (vi) any discriminatory treatment; (vii) any subjection to blackmail or extortion; (viii) any denial or withdrawal of a service, benefit or good resulting from an evaluative decision about the data principal; (ix) any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or surveilled; or (x) any observation or surveillance that is not reasonably expected by the data principal; (p) “health facility” refers to health facilities across the country such as hospitals, clinics, diagnostic centres, health and wellness centres, mobile vans, ambulances, pharmacies etc.; (q) “Health Facility ID” refers to the unique ID allocated to each health facility in accordance with Chapter IV of this Policy; (r) “Health ID” refers to the Identification Number or Identifier allocated to a data principal in accordance with Chapter IV of this Policy; (s) “Health Information Provider” or “HIPs” means hospitals, diagnostic centres, public health programs or other such entities registered with the National Health Infrastructure Registry, which act as information providers (by generating, storing and distributing health records) in the digital health ecosystem. The NHA may, from time to time, specify certain terms and conditions in relation to HIPs; (t) “Health Information Users” or “HIUs” are entities that are permitted to request access to the personal data of a data principal with the appropriate consent of the data principal. The NHA may, from time to time, specify certain terms and conditions in relation to HIUs; (u) “health locker” means a service of information exchange of electronic health records or electronic medical records, which can be accessed by the data fiduciary or data processor upon receiving the consent of the data principal and where such service can also be used by a data principal in order to create Personal Health Records; (v) “Health Practitioner ID” refers to the unique ID allocated to each health practitioner in accordance with Chapter IV of this Policy; (w) “Information Security Policy” means the Information Security Policy which shall be formulated by the NHA; (x) “NHIR” refers to the National Health Infrastructure Registry; (y) “personal data” means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information. For the purpose of this Policy, personal data would include Health ID and Personal Health Identifier; 5 (z) “Personal Health Identifier” or “PHI” is the data that could potentially identify a specific data principal and can be used to distinguish such data principals from another. PHIs could also be used for re-identifying previously de-identified data. It could include a data principal’s demographic and location information, family and relationship information and contact details; (aa) “Personal Health Records” or “PHR” is a health record that is initiated and maintained by an individual. An ideal PHR would provide a complete and accurate summary of the health and medical history of an individual by gathering data from many sources and making this accessible online. Generally, such records are maintained in a secure and confidential environment such as in a health locker, allowing only the individual, or people authorized by the individual, to access the medical data; (bb) “processing” in relation to personal data, means an operation or set of operations performed upon personal data, and may include operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, anonymisation, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction; (cc) “pseudonymisation” means a data management and de-identification procedure by which personally identifiable information fields within a data record are replaced by one or more artificial identifiers, or pseudonyms; (dd) “repository” means a system where data is stored, maintained and preserved in a digital form and is optimised for various uses and functions, as may be required; (ee) "sensitive personal data" means such personal data, which may reveal or be related to, but shall not be limited to, (i) financial information such as bank account or credit card or debit card or other payment instrument details; (ii) physical, physiological and mental health data; (iii) sex life; (iv) sexual orientation; (v) medical records and history; (vi) biometric data; (vii) genetic data; (viii) transgender status; (ix) intersex status; (x) caste or tribe; and (xi) religious or political belief or affiliation. For the purpose of this Policy, sensitive personal data would include information relating to various health conditions and treatments of the data principal, such as EMR, EHR and PHR; and (ff) “significant harm” means harm that has an aggravated effect having regard to the nature of the personal data being processed, the impact, continuity, persistence or irreversibility of the harm. 6 Chapter II: Applicable Law and Governance Structure 5. Applicable laws and regulations Data fiduciaries must adhere to and comply with all applicable laws, and rules and regulations made thereunder, and any other standards pertaining to data protection, processing of personal or sensitive personal data, informational privacy, and information technology that may currently be in force in India. 6. Governance structure The governance structure for the NDHE shall be as specified by the NHA, which shall lead the implementation of the NDHM. In addition, the governance structure shall consist of such committees, authorities and officers at the national, state and health facility levels as will be necessary to implement the NDHM. It shall also consist of a data protection officer (“NDHM-DPO”) who shall be a government officer and who shall, in addition to the functions identified under this Policy, communicate with regulators and external stakeholders on matters concerning data privacy and serve as an escalation point for decision-making on data governance and other matters concerning data. It is envisaged that the MoHFW and the Ministry of Electronics and Information Technology (“MeitY”) shall also provide overall guidance to the NHA on relevant aspects of the NDHM. Further specific details in relation to governance structure may be stipulated from time to time. Chapter III: Consent Framework 7. Collection of personal or sensitive personal data by data fiduciaries Data fiduciaries can collect personal or sensitive personal data in accordance with this Policy. 8. General principles governing consent framework The consent framework under this Policy should incorporate the following principles in relation to processing of personal or sensitive personal data of data fiduciaries: (a) Data principals should be given complete control and decision-making power over the manner in which personal or sensitive personal data associated with them is collected and processed further. (b) Specifically, in case of electronic consent, data fiduciaries should make use of appropriate technological means to prevent security breaches and to guarantee integrity of access permissions given by data principals. Such technological means must be in conformance with the national and international standards, as may be applicable. (c) So far as sharing or disclosure of any personal or sensitive personal data is concerned, the technical design of the consent management framework should also ensure interoperability across all players of the NDHE. The framework should be agnostic to applications, programming languages, and platforms. 9. Consent in relation to collection and processing of personal or sensitive personal data 7 9.1 Data fiduciaries can collect or process personal or sensitive personal data only with the consent of the data principal. It is the responsibility of the data fiduciary to ensure that the consent given by the data principal is valid. 9.2 The consent of the data principal will be considered valid only if it is: (a) free, having regard to whether it complies with the standards set out under Section 14 of the Indian Contract Act, 1872; (b) informed, having regard to whether the data principal has been provided with the necessary information by way of notice, as set out in paragraph 10 of this Policy, the scope of consent in respect of the purpose of processing; (c) specific, where the data principal can give consent for the processing of personal data for a particular purpose; (d) clearly given; and (e) capable of being withdrawn at any time, having regard to whether the ease of such withdrawal is comparable to the ease with which consent may be given. 9.3 It is clarified that the purposes for processing of personal data as set out in paragraph 9.2 (b) above shall be limited to those as may be specified by the NHA. 9.4 In addition to the conditions mentioned in paragraph 9.2 above, the consent of a data principal in respect of collecting or processing any sensitive personal data will be obtained only after informing her/him the purpose of, or operations in, processing which are likely to cause significant harm to the data principal. 10. Privacy Notice for the collection of personal and sensitive personal data 10.1 All data fiduciaries must give a clear and conspicuous privacy notice to data principals, (a) prior to the collection of personal or sensitive personal data from the data principal; (b) at the time the data fiduciary changes its privacy policies or procedures; and (c) prior to the collection or further processing of personal or sensitive personal data of the data principal for any new or previously unidentified purpose. 10.2 It is clarified that for the purpose of paragraphs 10.1(b) and (c) above, all data fiduciaries must obtain fresh consent from the data principal in accordance with Chapter III of this Policy. 10.3 The privacy notice should contain the following information: (a) the purposes for which the personal or sensitive personal data is to be processed; (b) the nature and categories of personal or sensitive personal data being collected by data fiduciary; (c) the methods or mechanisms by which the personal or sensitive personal data is collected by the data fiduciaries; (d) the identity and contact details of the data fiduciary collecting the personal or sensitive personal data; (e) the right of the data principal to withdraw her/his consent, and the procedure for such withdrawal; (f) the individuals or entities along with their contact details, including other data fiduciaries or data processors with whom personal or sensitive personal data may be shared, if applicable; (g) the period of time for which the personal or the sensitive personal data shall be retained, or where the period of retention is not known, then the criteria for determining such period; (h) the existence of and the procedure for the exercise of rights of the data principal as referred to in paragraph 14 of this Policy; and 8 (i) the contact details and the mechanism by which the data principals may contact the data fiduciary in relation to complaints, inquiries, and clarifications regarding the policies, practices and procedures employed in the collection, storage, transmission or any other aspect of processing of personal or sensitive personal data. 10.4 The privacy notice shall be clear, concise and easily comprehensible to a reasonable person and shall be available in as many languages in which the services of the data fiduciary are intended to be provided. 11. Method of obtaining consent 11.1 The consent of the data principal, as referred to in paragraphs 8 and 9 of this Policy, for collection, or further processing of personal or sensitive personal data, may be obtained electronically or physically on paper, either directly from the data principal or through a consent manager, as the case may be. Where the consent is received physically on paper, then such consent may be converted to electronic form by the consent manager or the data fiduciary. Where the data principal has revoked her/his consent, it shall be the duty of the consent manager to notify the data fiduciary of such revocation, as applicable. 11.2 It is clarified that electronic consent is the digital equivalent of a physical letter of permission given by the data principal which, when presented, allows the consent manager or the data fiduciary to collect the personal or sensitive personal data, or further process the personal or sensitive personal data that has already been collected from the data principal for a particular purpose, as the case may be. 11.3 So far as further processing of personal or sensitive personal data pursuant to paragraphs 11.1 and 11.2 above is concerned, the data principal provides consent for data access and sharing that takes place between the Health Information Providers and Health Information Users. If such processing is done through electronic consent, then a consent artifact is generated to initiate the sharing of personal data or sensitive personal data. The consent artifact will then be shared between the data principal and the Health Information Provider or a Health Information User, through a consent manager. 11.4 Subject to the provisions of applicable law and this Policy, NHA may further set out guidelines, technical specifications, etc. in relation to consent obtained by data fiduciaries for collection and further processing of personal or sensitive personal data of data principals. 12. Processing personal or sensitive personal data pertaining to a child 12.1 Data fiduciaries should ensure that the processing of the personal or sensitive personal data of a child takes place only in such manner that is in the best interests of the child. 12.2 Data fiduciaries should obtain the consent of the parents or guardians of the child prior to processing the personal or sensitive personal data of the child. 12.3 A valid proof of relationship and proof of identity of the parent is required to be submitted to the data fiduciary in order to verify the consent of the parent or guardian for processing the personal or sensitive personal data of the child as set out in paragraph 12.2 above. 12.4 Where the data fiduciary is processing the personal or sensitive personal data of a child, then they shall not process such personal or sensitive personal data in a manner that is likely to cause harm to the child. 9 13. Processing personal or sensitive personal data of data principals who are seriously ill or mentally incapacitated 13.1 At the time a data principal opts to participate in the NDHE framework, such data principal should name an individual who has attained the age of majority to act as the nominee of the data principal. 13.2 The individual who has been nominated as per paragraph 13.1 above will be authorised to give valid consent on behalf of the data principal in the event the data principal becomes seriously ill or mentally incapacitated and is unable to give valid consent. 13.3 In the event that the data principal has not nominated an individual as under paragraph 13.1 above, then any adult member of the family of the data principal can give valid consent on behalf of the data principal. 13.4 Consent can be given by a member of the family of the data principal as set out in paragraph 13.3 above only where there is proof of relationship, along with proof of medical condition of the data principal. 14. Rights of data principals 14.1 Data principals can request the following from the data fiduciaries: (a) Confirmation and access: (i) The data principal can obtain from the data fiduciary the following information: ● a confirmation as to whether it has processed any personal data of the data principal; ● the personal data that has been processed or a summary of the same; ● summary of processing activities carried out on such personal data; and ● any information provided under the notice issued in accordance with paragraph 10 of this Policy in relation to such processing. (ii) The data fiduciary will provide the information under sub-clause (i) above in a clear and concise manner that is comprehensible to a reasonable person. (iii) The data principal shall also have the right to access in one place the identities of all the data fiduciaries with whom her/his personal data has been shared by any data fiduciary together with the categories of personal data that has been shared. (b) Correction and erasure: (i) The data principal can, having regard to the purposes for which her/his personal data is processed, rectify any inaccurate or misleading personal data, complete any incomplete personal data and update any out-of-date personal data. (ii) The data principal can request that their personal data be erased in certain circumstances: ● If the storage of the personal data violates any of the data protection principles or the purpose for which it was originally collected has been satisfied. 10 ● Data principals can also delete the uploaded personal data stored in their health lockers. ● If the storage of the personal data for a certain period of time is mandated by law, it cannot be erased. ● Personal data can be blocked and restricted, rather than erased, insofar as the law prohibits erasure as it would impair legitimate interests of the data principal, or if the data principal disputes that the personal data is correct, and it cannot be ascertained whether they are correct or incorrect. ● Where erasure is not possible without disproportionate effort due to the specific type of storage, over-writing, anonymisation or other method(s) of removal of the personal data from live systems can be used. ● Disposal of any personal data will be handled with utmost care, in accordance with applicable law, rules, regulations, standards, this Policy, the Information Security Policy, and the Data Retention and Archival Policy. Where data processors are disposing of any personal data on behalf of the data fiduciary, a certificate or other notification of the destruction may be required. (c) Restrict or object to disclosure: Subject to applicable law, the data principal can restrict or object to the disclosure of their personal data by the data fiduciary. (d) Data portability: As may be applicable, the data principal can request a copy of the following in a structured, commonly used and machine-readable format, to the extent technically feasible from the data fiduciary: (i) the personal data provided to the data fiduciary; (ii) the personal data which has been generated in the course of provision of services by the data fiduciary; or (iii) the personal data which forms part of any profile on the data principal, or which the data fiduciary has otherwise obtained. The data principal can also request that the personal data specified above be transferred to another data fiduciary. 14.2 General conditions for submitting requests (a) All requests under paragraph 14.1 above will be made by the data principal in writing, through email or any other electronic means to the designated officer of the data fiduciary either directly or indirectly through a consent manager. (b) The request will be made with the necessary information as regards to the identity of the data principal and the data fiduciary will acknowledge the receipt of such request. All requests will be addressed by the data fiduciary in a timely manner and in compliance with the applicable laws, regulations and this Policy. (c) In the event that any request for correction, completion, updation or erasure of any personal data is accepted by the data fiduciary, such data fiduciary will take necessary steps to notify all relevant 11 entities or individuals to whom such personal data may have been disclosed regarding the relevant correction, completion, updation or erasure, particularly where such action may have an impact on the rights and interests of the data principal or on decisions made regarding them. (d) In the event that any request for correction, updation, completion or erasure of personal data is rejected, the data fiduciary will provide the data principal reasons in writing for such refusal. If the data principal is not satisfied with such reasons, it may require that the data fiduciary take reasonable steps to indicate, alongside the relevant personal data, that the same is disputed by the data principal. (e) In the event of the death of the data principal, the legal heirs or representative of such data principal may have access to the personal data owned by the data principal, only if such access was consented to by the data principal. (f) The data fiduciary will not impose any restrictions on the method and channel of raising requests by data principals under paragraph 14.1 above. (g) The data fiduciary will maintain records of all requests received under paragraph 14.1 above irrespective of their fulfilling status. Chapter IV: ID Policy 15. Allocation of Health ID 15.1 A data principal may request for the creation of a Health ID at no cost, which will be required to enable them to participate in the NDHE ecosystem. Any processing of personal data that may take place for creation of such ID must be in accordance with this Policy. 15.2 A Health ID may be generated through such means as may be specified by the NHA, and may be authenticated using a data principal’s Aadhar number or any other document of identification as may be specified by the NHA. 15.3 The personal data of a data principal shall be linked to his/her Health ID, and any data principal in possession of such a Health ID shall be deemed to be the owner of such personal data. 15.4 The consent given by a data principal shall be linked to his/her Health ID, and every such instance of consent given by a data principal shall also be accessible by the data principal through his/her Health ID. 15.5 A data principal in possession of a Health ID shall be able to provide or revoke his/her consent in order to enable or restrict any sharing of personal data linked with such ID, and shall be able to update his/her personal data in accordance with this Policy. 15.6 The NHA shall make reasonable efforts to ensure that the personal data of a data principal is linked to one Health ID to ensure continuity of records for such data principal, notwithstanding whether multiple Health ID’s have been created for such data principal in the course of receiving any service or otherwise. 15.7 In the instance that a data principal in possession of a Health ID is unable to access personal data linked with such ID due to any reason, such as having previously opted-out of the NDHE or being unable to 12 provide details of such Health ID, the data principal shall be able to recover such data by authenticating their identity through such means as may be specified by the NHA. 16. Principle of non-exclusion for Health ID 16.1 The participation of the data principal in the NDHE as set out under this Policy shall be on a voluntary basis only. 16.2 Every data principal shall have the option of opting-out of the NDHE and de-linking their personal data across data fiduciaries, cancelling their Health ID, and requiring the removal of any personal data linked with such ID in accordance with the terms of the Data Retention and Archival Policy and applicable law. 16.3 The NHA shall ensure that the means of authentication that are specified under paragraph 15.2 of this Policy do not have the effect of preventing an individual not in possession of an Aadhar number or a mobile number from generating a Health ID. 16.4 It is clarified that no individual shall be denied access to any health facility or service, or any other right in any way merely by reason of not being in possession of a Health ID or for not opting to participate in the NDHE. 17. Creation of Health ID 17.1 A data fiduciary wishing to issue a Health ID can register with the NHA and obtain an authorisation key to access the services required for generation of a Health ID. 17.2 A data principal may create his/her own Health ID themselves in accordance with the procedure set out in paragraph 17.3 below, or through the services of a data fiduciary in accordance with the procedure set out in paragraph 17.4 of this Policy. 17.3 A data principal may create his/her Health ID by: (a) accessing such web-based portal as may be specified by the NHA; (b) authenticating his/her identity through Aadhar or other means as may be specified by the NHA; (c) filling in the other details that are required on such portal; and (d) enrolling for a Health ID. 17.4 A Health ID may be created for a data principal through the services of data fiduciary authorised by the NHA for the purpose of generating such ID. Such data fiduciary: (a) shall verify whether a Health ID is linked to the Aadhar number of such data principal, if provided by the data principal; (b) if no such ID exists, then the data fiduciary shall register such data principal and create his/her Health ID using Aadhaar authentication or other means of authentication as may be specified by the NHA; and (c) may provide an e-card or a physical card printout to the data principal to enable them access to the details of their Health ID. 18. Allocation of a Health Practitioner ID 13 18.1 The processing of personal data for the creation of a Health Practitioner ID must be in accordance with the data protection principles set out in this Policy. 18.2 A health practitioner may request for the creation of a Health Practitioner ID at no cost, which will be required to enable them to participate in the NDHE as set out under this Policy. 18.3 A Health Practitioner ID may be generated through such means as may be specified by the NHA. 18.4 A Health Practitioner ID shall be in electronic form, and a health practitioner in possession of a Health Practitioner ID shall not be permitted to create a second ID. Such Health Practitioner ID shall be nontransferrable. 18.5 A Health Practitioner ID may be used to view the electronic health records of a data principal, subject to such consent being provided by the data principal and strictly in accordance with the terms of such consent, as set out above in this Policy. 18.6 A health practitioner may e-sign documents, such as e-prescriptions, diagnostic reports, discharge summaries and e-claims using their Health Practitioner ID. 18.7 A Health Practitioner ID shall be used to authenticate a health practitioner for services created by the NHA as part of the NDHE, including the purchase of liability insurance, tele-medicine and other government services. 19. Principle of non-exclusion for Health Practitioner ID 19.1. The participation of the health practitioner in the NDHE as set out under this Policy shall be as per the policy stipulated by NHA in this regard. 19.2. Every health practitioner shall have the option of opting-out of the NDHE, cancelling their Health Practitioner ID, and requiring the removal of any personal data linked with such ID in accordance with the terms of the Data Retention and Archival Policy and applicable law. 19.3. It is clarified that the right of a qualified health practitioner to practice or work in India shall not, in any way, be restricted or impeded merely by reason of not being in possession of a Health Practitioner ID or for not opting to participate in the NDHE. 20. Creation of Health Practitioner ID 20.1 A health practitioner shall be required to authenticate their professional credentials, and any updates to such credentials, through the respective council, board, department or regulatory or professional body which governs their practice in order to create a valid Health Practitioner ID. 20.2 The NHA shall specify the authorised registrars for the purpose of authentication of professional credentials as per paragraph 20.1 above. 20.3 A health practitioner may create their Health Practitioner ID by: (a) accessing the web portal as may be specified by the NHA; (b) authenticating their identity through Aadhar or other identity proof as may be specified by NHA; 14 (c) authenticating their professional credentials through the authorised registrars as under paragraph 20.2; (d) filling in other details as may be required; and (e) enrolling for the Health Practitioner ID. 21. Allocation of Health Facility ID 21.1 A health facility in India may request for the creation of a Health Facility ID at no cost, which shall be required to enable them to participate in the NDHE as set out under this Policy. 21.2 A Health Facility ID may be generated through such means as may be specified by the NHA. 21.3 A Health Facility ID shall be in electronic form, and a health facility in possession of a Health Facility ID shall not be permitted to create a second ID. 21.4 A health facility in possession of a Health Facility ID may share the personal data of a data principal with such data principal and any health practitioners, subject to the consent of the data principal and in strict accordance with the terms of such consent, in accordance with this Policy. 21.5 The Health Facility ID may be used to e-sign all documents which are necessary to avail online services. 21.6 The possession of a Health Facility ID does not deem that the health facility is legal, or that it holds all permissions and licenses as may be required by applicable laws. 22. Principle of non-exclusion for Health Facility ID 22.1 The participation of the health facility in the NDHE as set out under this Policy shall be as per the policy stipulated by NHA in this regard. 22.2 Every health facility shall have the option of opting-out of the NDHE, cancelling their Health Facility ID, and requiring the removal of any personal data linked with such ID in accordance with the terms of the Data Retention and Archival Policy and applicable law. 22.3 The right of a health facility to provide any services in India shall not, in any way, be restricted or impeded merely by reason of not being in possession of a Health Facility ID or for not opting to participate in the NDHE. 23. Creation of Health Facility ID 23.1 A health facility may register their facility for a Health Facility ID as per the registration procedure as may be specified by the NHA. 23.2 The owner or manager of a health facility may update details of such facility through the web portal as may be specified by the NHA. 23.3 The owner or manager of a health facility referred to in paragraph 23.2 above is not deemed to be the true legal owner or manager of such health facility. 15 23.4 Any updates made under paragraph 23.2 above shall be verified by health facility auditors referred to in paragraph 24.2 below before confirmation in the NHIR. 24. National Health Infrastructure Registry 24.1 A health facility possessing a Health Facility ID shall be included as part of the NHIR. 24.2 THE NHIR shall deploy health facility auditors to verify that the services offered by the health facility are the same as claimed by such facility during the registration process, that such health facility is operational at the time of its listing and is located at the address as claimed by such health facility. 24.3 The NHIR shall authenticate that the person claiming to be the owner or manager of a health facility is capable of updating and maintaining the details of the facility online, and of e-signing digital documents on behalf of the health facility. 25. Safeguards for creation of Health ID, Health Practitioner ID or Health Facility ID 25.1 The processing of any personal data for the purpose of creating a Health ID, Health Practitioner ID or a Health Facility ID shall be in accordance with applicable law and the principles set out under this Policy. 25.2 The creation of a Health ID, Health Practitioner ID or Health Facility ID shall collect only such data as may be essential to identify and authenticate a data principal, health practitioner or health facility, as the case may be, and any personal or sensitive personal data which is not essential for this purpose shall not be processed for the purpose of creating such ID. Chapter V: Obligations of data fiduciaries in relation to processing of personal data 26. Privacy principles to be followed by data fiduciaries Subject always to the provisions of applicable laws, data fiduciaries will follow the following principles while processing any personal data under this Policy: 26.1 Accountability They will be accountable for complying with measures which give effect to the privacy principles while processing any personal data by it or on its behalf. However, the true ownership and control of the personal data will remain with data principals. 26.2 Transparency They will take all necessary steps to maintain transparency in processing any personal data and will make the following information available: (a) the categories of personal data generally collected and the manner of such collection; (b) the purposes for which the personal data is generally processed; (c) any categories of personal data processed in exceptional situations or any exceptional purposes of processing that create a risk of significant harm; (d) the existence of and the procedure for exercise of rights of data principal and any related contact details for the same; (e) the grievance redressal procedure; and 16 (f) where applicable, any rating in the form of a data trust score that may be accorded to the data fiduciary. In addition to the information specified above, the data fiduciary will also notify the data principal, from time to time, the important operations in the processing of any personal data related to the data principal. The information provided by the data fiduciary will be in an intelligible form, using clear and plain language 26.3 Privacy by Design They shall consider data protection requirements as part of the design and implementation of their systems, services, products and business practices. The federated design of the NDHE ensures personal data of the data principals will be held at the point of care or at the closest possible location where it was created, with no centralised repository. As such, data storage shall incorporate privacy control and safeguards right from the foundational levels. They will prepare a privacy policy containing the following information: (a) clear and easily accessible statements of its practices and policies; (b) type of personal or sensitive personal data collected; (c) the purpose of collection and usage of such personal or sensitive personal data; (d) whether personal or sensitive personal data is being shared with other data fiduciaries or data processors; (e) reasonable security practices and procedures used by the data fiduciary to safeguard the personal or sensitive personal data that is being processed. The privacy policy referred to above shall be published on the website of the data fiduciary. In addition, they shall also make available a privacy by design policy on its website containing the following information: (a) the managerial, organisational, business practices and technical systems designed to anticipate, identify and avoid harm to the data principal; (b) the obligations of data fiduciaries; (c) the technology used in the processing of personal data, in accordance with commercially accepted or certified standards; (d) the protection of privacy throughout processing from the point of collection to deletion of personal data; (e) the processing of personal data in a transparent manner; and (f) the fact that the interest of the data principal is accounted for at every stage of processing of personal data. 26.4 Choice and Consent Driven Sharing They will give data principals a choice to opt-in/opt out of the NDHE and take their consent in accordance with paragraph 9 of this Policy prior to accessing, sharing or processing any of their personal data. This consent will be free, informed, clear and specific in respect of the purpose identified in the privacy notice issued under paragraph 10 of this Policy. 26.5 Purpose Limitation 17 All personal data collected and processed by the data fiduciaries should be for a specific, lawful and clear purpose identified in the privacy notice issued under paragraph 10 of this Policy and consented by the data principal. 26.6 Collection, Use and Storage Limitation They will collect the personal data from the data principals as is necessary for the purposes of processing and will use the personal data for the purpose for which it was collected. The processing of all personal data will be in a fair and reasonable manner, ensuring the privacy of the data principal. No personal data shall be transferred by the data fiduciary unless such transfer is in accordance with this Policy, subject always to the provisions of applicable laws. The personal data collected will not be retained beyond the period necessary to satisfy the purpose for which it is collected and the data fiduciary will delete such personal data at the end of such processing in accordance with paragraph 14 of this Policy as well as the Data Retention and Archival Policy. Personal data may be retained for a longer period of time if explicitly consented to by the data principal or if such retention is necessary to comply with any obligation under any applicable law. The data fiduciary will undertake a periodic review to determine whether it is necessary to retain the personal data in its possession. 26.7 Empowerment of Data Principal The data fiduciary should believe in strengthening the rights of data principals in relation to their personal data. Data principals will enjoy rights as specified in paragraph 14.1 of this Policy. 26.8 Data Quality They shall take necessary steps so that the personal data which is processed is updated, complete, accurate, and not misleading, having regard to the purpose for which it is processed. All personal data should be reliable and verifiable. However, the data fiduciary will not be responsible for the authenticity of the personal data supplied to them by the data principal. Personal data once created cannot be deleted or amended without following the due process referred to in paragraph 14.2 of this Policy. All personal data must also be traceable to its creator unambiguously. 26.9 Reasonable Security Practices and Procedures They shall secure all personal data that they have processed by reasonable security practices and procedures as specified under paragraph 27.1 of this Policy. 27. Transparency and accountability measures 27.1Reasonable Security Practices and Procedures (a) The data fiduciaries will implement such security practices and standards and have a comprehensive documented information security programme and Information Security Policy that contain managerial, technical, operational and physical security control measures that are commensurate with the data/information assets being protected by them. (b) In the event of a data/information security breach, the data fiduciary shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they 18 have implemented security control measures as per their documented information security programme and information security policies. (c) The data fiduciaries will, having regard to the nature, scope and purpose of processing personal data, the risks associated with such processing, and the likelihood and severity of harm that may result from such processing, implement necessary security safeguards including the use of deidentification and encryption methods, methods to protect the integrity of the personal data collected, and methods to prevent misuse, unauthorised access to, modification, disclosure or destruction of personal data. Every data fiduciary shall undertake a review of its security safeguards in a periodic manner and take appropriate measures accordingly. (d) The data fiduciaries will implement the International Standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements" as well as any other standard as may be applicable to them. (e) Subject always to the provisions of applicable laws, the standard(s) in relation to security practices and procedures mentioned above may be certified or audited on a regular basis through an independent auditor, duly approved by the Central Government. This audit shall be carried out by an auditor at least once a year or as and when the data fiduciary undertakes a significant upgradation of its processes, computer resources or systems. (f) In the case of any entities who are implementing/involved in the NDHM and acting as a data fiduciary in this regard, the NDHM-CISO and the NDHM-DPO will undertake a periodic review of the security safeguards and take appropriate measures to update such safeguards, if required. 27.2Data management by data processors (a) The data fiduciary may conduct appropriate due diligence covering data privacy and security prior to engaging with any data processor. (b) The data fiduciary may not engage, appoint, use or involve a data processor to process personal data on its behalf without a contract entered into by the data fiduciary and such data processor. (c) The data fiduciary will require its data processors to execute confidentiality agreements and nondisclosure agreements covering data protection and privacy responsibilities. Such agreements will be reviewed, updated and renewed on a periodic basis. The data fiduciary may require that the confidentiality requirements under such agreements continue for a specified period of time even after the contractual period ends. (d) Subject to applicable law, the agreements referred to in clause (c) shall be in consonance with this Policy. These agreements shall ensure that data processors adhere to the same level of data protection that is adhered to by the data fiduciary. (e) The data fiduciary will require its data processors to limit their access only to the personal data necessary for the fulfilment of their employment/contractual duties based on “need-to-know” principle, as the case may be. (f) The data processor, and any employee of the data fiduciary or the data processor, will only process personal data in accordance with the instructions of the data fiduciary and treat it confidential. 19 (g) The data processor may not engage, appoint, use, or involve another data processor in the processing on its behalf, except with the authorisation of the data fiduciary and unless permitted in the contract referred to in clause (b) above. (h) The data fiduciary will ensure that training and awareness materials around data protection and privacy are developed for its employees and data processors. Role-based training for individuals or teams considering the nature of processing and their role shall be developed. Data privacy training and awareness programs shall be conducted on a periodic basis (at a minimum, on an annual basis) for all employees and data processors. Attendance records for such training shall be maintained for documentation and audit purpose. 27.3Data Protection Impact Assessment (a) The data fiduciary will carry out a data protection impact assessment before it undertakes any processing involving new technologies or any other processing which carries a risk of significant harm to data principals. (b) A data protection impact assessment shall contain, inter alia, a detailed description of the proposed processing operation, the purpose of processing, nature of personal data being processed, assessment of the potential harm and measures for managing, minimising, mitigating or removing such risk of harm. 27.4Maintenance of Records (a) The data fiduciaries will maintain accurate and up-to-date records to document the important operations in the data lifecycle including collection, transfers, and erasure of personal data and sensitive personal data. These will cover the following: (i) details of the ecosystem partners; (ii) purposes of the processing; (iii) description of the categories of data principals; (iv) description of the categories of personal and sensitive personal data; (v) categories of recipients to whom the personal data/sensitive personal data is disclosed/transferred including to data processors; and (vi) geographies of recipients. (b) In addition to the records referred to above, the data fiduciaries will also maintain accurate and up-to-date records of the periodic review of security safeguards conducted under paragraph 27.1, data protection impact assessments conducted under paragraph 27.3 and requests received under paragraph 14 above. 27.5Audit (a) The data fiduciaries should maintain a strict audit trail of all activities which have access to any personal data, at all times. This may be reviewed by an appropriate authority such as an auditor, the legal representative of the data principal, the data principal, data protection officer, court appointed/authorised person, as deemed necessary. 20 (b) The data fiduciaries should also conduct a periodic audit to verify that its data processors and employees process all personal data appropriately in compliance with the privacy notices, confidentiality agreements, this Policy and the Information Security Policy. (c) If the data fiduciary decides to update any personal data in accordance with paragraph 14.2 above, then the original personal data and an audit trail of the change shall be made available to the data principal. However, the updated personal data with a new version number shall be considered active. The advisory standard for audit trail /log in health record system is ISO 27789:2013 Health informatics - Audit Trails for Electronic Health Records. Chapter VI: Sharing of personal data and obligations of entities with whom personal data is shared 28. Sharing of personal data by data fiduciaries 28.1 Any personal data processed by a data fiduciary may be shared with an HIU in response to a request made by such HIU for personal data pertaining to the data principal, only where consent of the data principal is obtained in accordance with Chapter III of this Policy. 28.2 Where an HIU makes a request for accessing any personal data under paragraph 28.1 above, the data fiduciary shall verify the consent shared with it, including whether such consent has been revoked by the data principal, and where the consent is valid, it shall share such data with the HIU strictly in accordance with Chapter III of this Policy. 28.3 A data fiduciary shall maintain a record of all consent obtained under this Policy, pursuant to which personal data has been shared by such fiduciary under this Policy in a manner that enables the audit and review of such data sharing. 28.4 Where the data principal has provided his/her consent for the sharing of their personal data under this Policy, it shall not be used, disclosed or shared by the data fiduciary or any HIU in any other manner or for any other purpose, except as provided in Chapter III of this Policy. 29. Sharing of de-identified or anonymised data by data fiduciaries 29.1 Data fiduciaries may make anonymised or de-identified data in an aggregated form available for the purpose of facilitating health and clinical research, academic research, archiving, statistical analysis, policy formulation, the development and promotion of diagnostic solutions and such other purposes as may be specified by the NHA. 29.2 The NHA shall set out a procedure through which any entity seeking access to anonymised or de-identified data under this Policy will be required to provide relevant information such as its name, purpose of use and nodal person of contact and, subject to approval being granted under this procedure, the anonymised or de-identified data under this Policy shall be made available to such entity on such terms as may be stipulated in this behalf. 29.3 Any entity which is provided access to de-identified or anonymised data shall not, knowingly or unknowingly, take any action which has the effect of re-identifying any data principal or of such data no longer remaining anonymised. 21 29.4 The de-identification or anonymisation of data by a data fiduciary shall be done in accordance with technical processes and anonymisation protocols which may be specified by the NHA in consultation with the MeitY. 29.5 The technical processes and anonymisation protocols referred to in paragraph 29.4 shall be periodically reviewed by the NHA and such review shall have regard to the nature and sensitivity of the data being processed, the risks of re-identification of data principals and the robustness of the anonymisation protocols. 30. Obligations of HIUs upon sharing of personal data 30.1 In addition to the obligations set out in Chapter V, a HIU shall ensure that any personal data under this Policy: (a) shall not be used by the HIU for any purpose other than what was specified to the data principal at the time of obtaining his/her consent under Chapter III of this Policy; (b) shall not be disclosed further without obtaining the consent of the data principal for such disclosure in the manner as specified in Chapter III of this Policy; and (c) shall be provided the same level of data protection as a data fiduciary under this Policy and only be processed in accordance with this Policy, specifically provisions under Chapter V of this Policy (d) shall not be retained beyond the period necessary for the purpose specified while obtaining consent under Chapter III of this Policy. 30.2 A HIU shall follow the principle of data minimisation and shall obtain the consent of the data principal only for such personal data that is necessary for the purposes for which such consent is being sought. 30.3 A HIU shall take all reasonable steps, including providing the data principal with a copy of the personal data received by such HIU from a data fiduciary to ensure that the data principal can exercise the rights as mentioned in paragraph 14 of this Policy. 30.4 A HIU shall, to the extent reasonable, maintain: (a) a record of all personal data that is disclosed to any other entity, including the names of such entities, the time at which such personal data was disclosed and the categories of personal data which was disclosed; and (b) a record of how such personal data is used by the HIU in a manner which enables the audit and review of any use of such personal data. 30.5 Any entity with whom an HIU has shared personal data, after obtaining the consent of the data principal as under paragraph 30.1 above, shall be subject to the same obligations as the HIU under this Policy and shall only process such personal data in strict accordance with the terms of the consent which authorises such sharing of personal data. 31. Restrictions on sharing, circulating or publishing of personal or sensitive personal data 31.1 Any personal data or sensitive personal data of the data principal shall not be published, displayed or posted publicly by any person or entity. 31.2 A database or record of any data which has been processed under this Policy shall not be made public, unless such database or record is in an anonymised/de-identified and aggregated form and is processed in accordance with the terms specified in Paragraph 29.2 of this Policy. 22 Chapter VII: Grievance Redressal and Compliance 32. Grievance redressal 32.1Data principals with inquiries and questions about the processing of their personal data may approach a designated officer of the data fiduciary (referred to as data protection officer) in writing, through email or any other electronic means, as may be specified. The details of the data protection officer shall be provided on the website of the data fiduciary along with the format and process for filing the inquiries/questions. It is clarified that where feasible, the data fiduciary may designate the data protection officer as the Grievance Officer mentioned in paragraph 32.2 below. 32.2A complaint can be made by the data principal regarding any contravention of this Policy which has caused or is likely to cause harm to such data principal. The data fiduciary shall have in place the procedure and effective mechanisms to redress the grievances of data principals efficiently and in a speedy manner. For this, the data fiduciary shall designate a Grievance Officer and publish his name and contact details on its website. The Grievance Officer shall redress the grievances of the data principal expeditiously but within one month from the date of receipt of grievance. 32.3In the event that a complaint is not resolved by the Grievance Officer of the data fiduciary as referred to under paragraph 32.2 above, the matter may be referred to the NDHM-DPO in writing or through an email ID provided under the grievance portal of NDHM website (_________________). The details of the NDHM-DPO shall be displayed on the website (________________) along with the contact details and the format and processes for filing the above. 32.4If a complaint is not resolved through consultation with NDHM-DPO as referred to in paragraph 32.3 above (or through any other mechanism under existing agreements, if any, between parties such as mediation or arbitration), then the data principal may, at her/his option, seek redressal by way of a complaint to MoHFW or litigation. 32.5Separately, in addition to the above, NHA shall maintain procedures for addressing and responding to all inquiries from data principals about the processing of personal data. NHA shall adequately publicise the existence of these procedures. 33. Personal Data Breach and Incident Management 33.1 The data fiduciary shall formulate and implement a personal data breach management mechanism, as may be stipulated and publicly displayed, which shall ensure that any instance of non-compliance with the provisions of this Policy, or any instance of unauthorised or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data that compromises the confidentiality, integrity or availability of personal data to a data principal is promptly reported to the incident response team of the NHA and other relevant entities. 33.2 NHA shall ensure that any instance referred to in paragraph 33.1 shall be notified to the relevant ecosystem entities and data principals within such time period as may be specified by the NHA 33.3 The NHA shall formulate and implement procedures to identify, track, review and investigate incidents referred to in paragraph 33.1, and shall maintain a record of such instances and actions taken pursuant to such instances. 23 33.4 The NHA shall provide notification of cyber security incidents to Cert-In as may be required under the provisions of the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013, in addition to any other notifications that may be required by applicable law. 33.5 Without prejudice to the foregoing, in the event of any incident of data breach, the person responsible for such breach shall be liable in accordance with the provisions of applicable law. 34. Compliance and Policy Governance 34.1 The NDHM-DPO shall ensure adherence to this Policy and shall be responsible for compliance with all applicable laws in force in India. 34.2 All individuals and entities who are covered by this Policy must comply with its requirements, and where requested demonstrate such compliance. 34.3 This Policy shall be revised at least once every year. A copy of this policy together with any significant revisions shall be made publicly available on the NDHM website (_______). 35. Non-compliance with this Policy 35.1 Where any entity/individual to which/whom this Policy is applicable is found to be in violation of any of its provisions, then an ID issued to such entity/individual under Chapter IV of this Policy, may be suspended or cancelled, and during such time of suspension or cancellation, such entity/individual shall not be permitted to participate in the NDHE. The procedures involved in such suspension/ cancellation and the details of the consequences thereof may be further set out by the NHA. 35.2 In addition, any failure to comply with this Policy may also result in action, such as, termination of service of employees or dismissal of interns/ volunteers of such entities, or termination of contracts or arrangements with any data processor/service provider entered into by such entities. 35.3 It is clarified that the above actions under this paragraph shall be without prejudice to any action that can be initiated under the provision of applicable laws.
