Implications of Data Collection during the Pandemic on Data Principals In India

Documented pandemics have occurred at periodic intervals, often causing widespread devastation to the human community. In the wake of the alarming numbers and visuals of the ongoing COVID-19 pandemic, it becomes important for citizens to stay aware on multiple fronts, including the knowledge of how mass surveillance and access to their personal data by the government can affect their legal rights and privacy.

A preparedness planning exercise certainly requires enhanced surveillance measures to monitor the evolution of the disease. This post aims to analyse the various measures that countries adopt to collect personal data and how they are legitimizing restrictions on freedoms during such an emergency, with special emphasis on the existing and upcoming data laws in India.

Technology, Public health Vs. Personal Privacy – The Emerging Trends

COVID-19 has clearly indicated how several countries, including India have leaned on technology, especially Artificial Intelligence, to monitor and track the data of quarantined and potentially exposed individuals. BlueDot, Infervision, Google’s Verily and the Alibaba AI systems are significant examples of how AI assists in predictions, data collection, surveillance analysis of the official numbers and most importantly, contact tracing.

In China, for example, under the guidance of the e-government office of the State Council General, AI has accelerated the development of a new unified national Health Code for epidemic prevention and control based on the national integrated government service platform “System”. To apply for a code, residents must register with their name, national identification number, and phone number; and answer basic questions, including travel history and health status – all this self-reported information is verified using public data. The system generates green, yellow, or red codes based on these answers. Individuals with a green code can move around the city freely, yellow codes require a seven-day quarantine, and red-coded persons must observe a fourteen-day quarantine.

In EU, the European Data Protection Board has released a statement [1], which was adopted on 19th March 2020, where it was confirmed that safeguarding public health will enjoy the national and/or public security exemption (Articles 6 and 9) of the General Data Protection Regulation (GDPR). The public security exemption refers to the global emergency posed by the pandemic and recognizes that this emergency is a legal condition which may legitimize restrictions of freedoms, provided these restrictions are proportionate and limited to the emergency period.

The Centre for Disease Control and Prevention (CDC) at the United States has a Field Epidemiology Manual[2] which lists out actions that can potentially stop the spread of disease. These include obtaining clinical specimens, including data, from persons affected by an outbreak; obtaining data from healthcare facilities; protecting the privacy of personal information; and implementing and enforcing control measures (such as vaccination, chemoprophylaxis, quarantine), through appropriate actions which could extend to seizure or destruction of private property.

In India, there have been reports of government officials obtaining citizen and reservation data from airlines and the railways to track suspected infections. Some states were using indelible ink to stamp people arriving at airports. The hand stamps include the data that a person must remain under home quarantine and some people have reportedly signed self-declaration forms stating that they would not travel as they could be potential carriers. Thousands of squads have been formed to track people following reports of people skipping quarantine. Use of GPS, travel data, address tracking, facial recognition techniques, etc. are some of the most common mechanisms currently being used in India for data collection and mass surveillance.

Indian law relating to COVID-19 response through Data Processing and Mass Surveillance

The landmark Justice Puttaswamy judgment[3] called the right to privacy a fundamental right, which should be subject to ‘reasonable restrictions’ and demanded a comprehensive data protection policy. The population of India generates a phenomenal volume of health-related information, but, unfortunately, such information remains unprotected as draft laws in this sphere are yet to be enacted and the present laws on data protection in general, and health data privacy in particular, are woefully inadequate.

This raises a critical question- What legal authority do Indian governments have to access health-related personal data and impose restrictions?

Generally, the state is often provided with significant authoritarian powers in circumstances that entail ‘legitimate or public interest’, in order to ensure general well-being and protection of its citizens.

  • The Epidemic Diseases Act 1897, which was enacted to tackle the bubonic plague in Bombay, has been used routinely to contain various diseases in India. It explicitly bestows power on the Central Government to take special measures if the state is threatened with an outbreak of any dangerous epidemic disease, and where the ordinary provisions of the law, for the time being in force, are insufficient for the purpose[4].

  • The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (the SPDI Rules), 2011 recognize health information as constituting ‘sensitive personal data’[5] and, thus, regulate its collection, use and disclosure. However, SPDI Rules apply only to a very limited section – “body corporate”. Body Corporate, for the purpose of the SPDI Rules, is defined in Explanation (i) of Section 43A (Compensation for failure to protect data) to mean “any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities”. This definition will encompass the for-profit private sector and instrumentality of state engaged in commercial activities (such as BSNL). But, non-profit organizations (whose activities cannot be called “commercial” or “professional” and sovereign state actions (such as Aadhar/ID cards, public health initiatives) will remain outside the scope of the SPDI Rules. This becomes problematic when considering data privacy of health information.

  • The Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations 2002 set the professional standards for medical practice whereby physicians are obliged to protect the confidentiality of patients during all stages of interaction. These Regulations govern all aspects of information provided by the patient to the doctor, including information relating to their personal and domestic lives. It also imposes an obligation on the physician to enlighten the public concerning quarantine regulations and measures for prevention of epidemic and communicable diseases. The only exception to this mandate of confidentiality is if the law requires the revelation of certain information, or if there is a serious and identifiable risk of a notifiable disease to a specific person and/or community[6]. In case of such communicable/notifiable diseases, the concerned public health authorities should be informed immediately.

  • It is evident that the world today has pinned its hopes for salvation from COVID-19 on clinical trials for development of vaccines. Data protection and privacy rights for clinical trials are governed by the Ethical Guidelines for Biomedical Research on Human Subjects [7], under which confidentiality is an important principle. The researcher is obligated to safeguard the data of participants involved in clinical trials. The guidelines mandate that best practices should be adhered to for the collection of data; that researchers should be sensitive to the participants’ needs; and that due informed consent shall be obtained in the prescribed manner[8].

  • Surveillance powers are vested in the Central Government primarily under the Information Technology Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 which was framed under Section 69 of the Information Technology Act, 2000. Under this Rule, the government authorized ten agencies, including the Intelligence Bureau, the Central Bureau of Investigation, the National Investigation Agency, etc., to conduct surveillance[9]. However, there was backlash against this move as it led people to feel that the country was becoming a surveillance state.

Significant Bills on Data protection in India

(a) Digital Information in Security and Healthcare, 2018 (DISHA)

  • In 2018, the Ministry of Health and Family Welfare published the draft of the “Digital Information in Security and Healthcare, Act – DISHA” and solicited public comments. The Ministry planned to set up a nodal body called the “National Digital Health Authority”, through an Act of Parliament, as a statutory body for the promotion/ adoption of e-health standards, to enforce privacy & security measures for electronic health data, and to regulate storage & exchange of electronic health records.

  • Some of the main objectives of the Act are: (a) to provide for electronic health data privacy, confidentiality, security and standardization; (b) to standardize and regulate the processes related to collection, storing, transmission and use of digital health data; (c) to ensure reliability, data privacy, confidentiality and security of digital health data; and (d) such other incidental or related matters.

  • Under this proposed Act, ‘Sensitive health-related information’ refers to information, that if lost, compromised, or disclosed, could result in substantial harm, embarrassment, inconvenience, violence, discrimination or unfairness to an individual and it includes, but is not limited to, one’s physical or mental health condition and HIV status.

  • The processing of health data by smartphone apps and the like is not permissible, even if consent is in place. DISHA, moreover, goes on to place an express bar on all commercial uses of health data, whether such data is in an identifiable form or has been anonymized.[10]

  • Under DISHA, government departments, through their respective secretaries, may submit request for digital data in de-identified or anonymized form, to the National Electronic Health Authority to improve public health activities and facilitate the early identification and rapid response to public health threats and emergencies, including bio-terror events and infectious disease outbreaks[11].

(b) Personal Data Protection (PDP) Bill, 2019

  • The Personal Data Protection Bill, 2019 is one of the most anticipated, discussed and well-known draft legislation on data protection in India. Despite being nearly 2 years in the making, it is still under scrutiny by a Joint Parliamentary Committee (JPC).

  • In this Bill, ‘Health data’ is categorized as ‘Sensitive Personal Data’ under s.3(36)(2). Similar to the GDPR, this Bill provides for processing of Personal Data without consent, if such processing is necessary to respond to any medical emergency involving a threat to the life of a person or a severe threat to the health of the data principal or any other individual[12]. The Bill also authorizes the State to take any measure to provide medical treatment or health services to any individual during an epidemic, outbreak of disease or any other threat to public health;

  • The Bill provides a plethora of exemptions and powers to the sovereign. , Section 35 is a broad and sweeping section that permits the Central Government to, by order, specify that all or any of the provisions of this Act (now, Bill) shall not apply to any agency of the Government with respect to processing of such personal data, as may be specified in the order, if it is in the interest of sovereignty and integrity of India, security of the State or friendly relations with foreign states . If the Bill had been enacted, as is, prior to the pandemic, these provisions would have given the government carte blanche to obtain and process personal data of individuals.

If one compares DISHA and the PDP Bill 2019, one observes that DISHA contains far more stringent restrictions on the processing of health data than the PDP Bill 2019. These contradictions are problematic. In scenarios like the present COVID-19 pandemic, if India had had conflicting laws, i.e., if both Disha and the PDP Bill had co-existed in their current forms, it does not tax the imagination to envision a scenario where all players, but particularly State players, seek refuge under the PDP Bill, to benefit from its flexibility. State actors, in particular, would certainly seek the benefit of the blanket exemptions under Section 35 of the PDP Bill. However, despite the public consultation process, DISHA was never pursued as a law to be enacted and was never introduced in the Parliament because, by this time, the Srikrishna Committee Report on Data Privacy and the Personal Data Protection Bill, 2018 (predecessor of the PDP Bill, 2019) had taken over the role of addressing all data privacy concerns.

To ensure that the goal of data privacy and protection is met, it is incumbent on the Government to prioritize the enactment of a comprehensive data privacy law in India which will meet the stated objective of safeguarding personal data, including health data.

Conclusion

A pandemic like COVID-19 requires certain restrictions to be placed by the government in order to contain its effects. Scientific experiments, contact tracing, clinical trials, statistical analyses, all require the processing of sensitive health data of individuals. However, privacy is an important and deep routed issue that haunts such data collection and storage.

Like the EU laws require, public authorities should first seek to process location data in an anonymous way (i.e. processing data aggregated in a way that individuals cannot be re-identified), which could enable generating reports on the concentration of mobile devices at a certain location (“cartography”). Personal data protection rules do not apply to data which has been appropriately anonymized. When it is not possible to only process anonymous data, the e-Privacy Directive enables Member States to introduce legislative measures to safeguard public security (Art. 15). If measures allowing for the processing of non-anonymized location data are introduced, a Member State is obliged to put in place adequate safeguards, such as providing individuals of electronic communication services the right to a judicial remedy.

In order to seek a balance of conflicting requirements, it is important that data collectors such as the government address questions relating to use of data collected once the health crisis is over, and make voluntary submissions to data principals that restricting the use of data is the duty of the government. The purpose limitation principle should be adhered to while collecting and processing personal data under such emergencies and a commitment that, while data principals will offer informed consent, by the same token governments must guarantee that this data will not be normalized in order to track people for other ‘public interest’ causes. The balance between protecting public health and the personal privacy of individuals will be a long drawn out battle for rights of data principals and data collectors. However, the State, in a democratic system, must never become the perpetual owner of such data to use it at its will alone.

[1] EDPB official statement available at: https://edpb.europa.eu/sites/edpb/files/files/news/edpb_statement_2020_processingpersonaldataandcovid-19_en.pdf
[2] Available at: https://www.cdc.gov/eis/field-epi-manual/chapters/Legal.html
[3] Justice Puttaswamy and Anr Vs. Union of India Ors {WRIT PETITION (CIVIL) NO 494 OF 2012} ; Full Judgment available at: https://main.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_24-Aug-2017.pdf
[4] s.2(1) of the Epidemic Diseases Act
[5] s. 3(iii) of the SPDI Rules.
[6] Chapter 7, reg.7.14 (ii) and 7.14(iii)
[7] Available at : https://www.icmr.nic.in/sites/default/files/guidelines/ICMR_Ethical_Guidelines_2017.pdf
[8] Guideline 3.3.2 of the Ethical Guidelines for Biomedical Research, 2017
[9] The order can be viewed at : http://egazette.nic.in/WriteReadData/2018/194066.pdf
[10] s. 29(5), DISHA: Purposes of collection, storage, transmission and use of digital health data
[11] s.34(3) of the DISHA read with S.29 (1) (d).
[12] s.12 (d) and (e) of the Personal Data Protection Bill 2019

POST TAGS