Implications of Data Collection during the Pandemic on Data Principals In India
Documented
pandemics have occurred at periodic intervals, often causing widespread
devastation to the human community. In the wake of the alarming numbers and
visuals of the ongoing COVID-19 pandemic, it becomes important for citizens to stay
aware on multiple fronts, including the knowledge of how mass surveillance and
access to their personal data by the government can affect their legal rights and
privacy.
A
preparedness planning exercise certainly requires enhanced surveillance measures
to monitor the evolution of the disease. This post aims to analyse the various
measures that countries adopt to collect personal data and how they are legitimizing
restrictions on freedoms during such an emergency, with special emphasis on the
existing and upcoming data laws in India.
Technology,
Public health Vs. Personal Privacy – The Emerging Trends
COVID-19
has clearly indicated how several countries, including India have leaned on technology,
especially Artificial Intelligence, to monitor and track the data of
quarantined and potentially exposed individuals. BlueDot , Infervision ,
Google’s Verily
and the Alibaba
AI systems are significant examples of how AI assists in predictions, data
collection, surveillance analysis of the official numbers and most importantly,
contact tracing.
In
China, for example, under the guidance of the e-government office of the State
Council General, AI has accelerated the development of a new unified national Health
Code for epidemic prevention and control based on the national integrated government
service platform “System”. To apply for a code, residents must register with
their name, national identification number, and phone number; and answer basic
questions, including travel history and health status – all this self-reported
information is verified using public
data. The system generates green, yellow, or red codes based on these answers.
Individuals with a green code can move around the city freely, yellow codes
require a seven-day quarantine, and red-coded persons must observe a fourteen-day
quarantine.
In
EU, the European Data Protection Board has released a statement [1], which was adopted on 19th March
2020, where it was confirmed that safeguarding public health will enjoy the national
and/or public security exemption (Articles 6 and 9) of the General Data
Protection Regulation (GDPR). The public security exemption refers to the global
emergency posed by the pandemic and recognizes that this emergency is a legal
condition which may legitimize restrictions of freedoms, provided these
restrictions are proportionate and limited to the emergency period.
The
Centre for Disease Control and Prevention (CDC) at the United States has a Field
Epidemiology Manual[2]
which lists out actions that can potentially stop the spread of disease. These
include obtaining clinical specimens, including data, from persons affected by
an outbreak; obtaining data from healthcare facilities; protecting the privacy
of personal information; and implementing and enforcing control measures (such
as vaccination, chemoprophylaxis, quarantine), through appropriate actions
which could extend to seizure or destruction of private property.
In
India, there have been reports of government officials obtaining citizen and
reservation data from airlines and the railways to track suspected infections.
Some states were using indelible ink to stamp people arriving at airports. The
hand stamps include the data that a person must remain under home quarantine
and some people have reportedly signed self-declaration forms stating that they
would not travel as they could be potential carriers. Thousands of squads have
been formed to track people following reports of people skipping quarantine.
Use of GPS, travel data, address tracking, facial recognition techniques, etc. are some of the most common mechanisms currently
being used in India for data collection and mass surveillance.
Indian
law relating to COVID-19 response through Data Processing and Mass Surveillance
The
landmark Justice Puttaswamy judgment[3]
called the right to privacy a fundamental right, which should be subject to
‘reasonable restrictions’ and demanded a comprehensive data protection policy.
The population of India generates a phenomenal volume of health-related
information, but, unfortunately, such information remains unprotected as draft
laws in this sphere are yet to be enacted and the present laws on data
protection in general, and health data privacy in particular, are woefully inadequate.
This
raises a critical question- What legal authority do Indian governments
have to access health-related personal data and impose restrictions?
Generally,
the state is often provided with significant authoritarian powers in
circumstances that entail ‘legitimate or public interest’, in order to ensure
general well-being and protection of its citizens.
· The
Epidemic Diseases Act 1897,
which was enacted to tackle the bubonic plague in Bombay, has been used
routinely to contain various diseases in India. It explicitly bestows power on the
Central Government to take special measures if the state is threatened with an
outbreak of any dangerous epidemic disease, and where the ordinary provisions
of the law, for the time being in force, are insufficient for the purpose[4].
· The
Information Technology (Reasonable Security Practices and Procedures and Sensitive
Personal Data or Information) Rules (the SPDI Rules), 2011 recognize health
information as constituting ‘sensitive personal data’[5]
and, thus, regulate its collection, use and disclosure. However, SPDI Rules
apply only to a very limited section - “body corporate”. Body Corporate, for
the purpose of the SPDI Rules, is defined in Explanation (i) of Section 43A (Compensation
for failure to protect data) to mean “any company and includes a firm, sole
proprietorship or other association of individuals engaged in commercial or
professional activities”. This definition will encompass the for-profit private
sector and instrumentality of state engaged in commercial activities (such as
BSNL). But, non-profit organizations (whose activities cannot be called
“commercial” or “professional” and sovereign state actions (such as Aadhar/ID
cards, public health initiatives) will remain outside the scope of the SPDI
Rules. This becomes problematic when
considering data privacy of health information.
· The
Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations 2002 set the professional standards for
medical practice whereby physicians are obliged to protect the confidentiality
of patients during all stages of interaction. These Regulations
govern all aspects of information provided by the patient to the doctor,
including information relating to their personal and domestic lives. It also imposes
an obligation on the physician to enlighten the public concerning quarantine
regulations and measures for prevention of epidemic and communicable diseases. The
only exception to this mandate of confidentiality is if the law requires the
revelation of certain information, or if there is a serious and identifiable
risk of a notifiable disease to a specific person and/or community[6]. In
case of such communicable/notifiable diseases, the concerned public health
authorities should be informed immediately.
· It
is evident that the world today has pinned its hopes for salvation from
COVID-19 on clinical trials for development of vaccines. Data protection and
privacy rights for clinical trials are governed by the Ethical Guidelines
for Biomedical Research on Human Subjects [7],
under which confidentiality is an important principle. The researcher is
obligated to safeguard the data of participants involved in clinical trials.
The guidelines mandate that best practices should be adhered to for the
collection of data; that researchers should be sensitive to the participants’
needs; and that due informed consent shall be obtained in the prescribed manner[8].
· Surveillance
powers are vested in the Central Government primarily under the Information
Technology Procedure and Safeguards for Interception, Monitoring and Decryption
of Information) Rules, 2009 which was framed under Section 69 of the
Information Technology Act, 2000. Under
this Rule, the government authorized ten agencies, including the Intelligence
Bureau, the Central Bureau of Investigation, the National Investigation Agency,
etc., to conduct surveillance[9].
However, there was backlash against this move as it led people to feel that the
country was becoming a surveillance state.
Significant
Bills on Data protection in India
(a)
Digital
Information in Security and Healthcare, 2018 (DISHA)
· In
2018, the Ministry of Health and Family Welfare published the draft of the
“Digital Information in Security and Healthcare, Act – DISHA” and solicited
public comments. The Ministry planned to set up a nodal body called the
"National Digital Health Authority", through an Act of Parliament, as
a statutory body for the promotion/ adoption of e-health standards, to enforce
privacy & security measures for electronic health data, and to regulate
storage & exchange of electronic health records.
· Some
of the main objectives of the Act are: (a) to provide for electronic health
data privacy, confidentiality, security and standardization; (b) to standardize
and regulate the processes related to collection, storing, transmission and use
of digital health data; (c) to ensure reliability, data privacy,
confidentiality and security of digital health data; and (d) such other
incidental or related matters.
· Under
this proposed Act, ‘Sensitive health-related information’ refers to
information, that if lost, compromised, or disclosed, could result in
substantial harm, embarrassment, inconvenience, violence, discrimination or
unfairness to an individual and it includes, but is not limited to, one's
physical or mental health condition and HIV status.
· The
processing of health data by smartphone apps and the like is not
permissible, even if consent is in place. DISHA, moreover, goes on to place an
express bar on all commercial uses of health data, whether such data is in an
identifiable form or has been anonymized.[10]
· Under
DISHA, government departments, through their respective secretaries, may submit
request for digital data in de-identified or anonymized form, to the National
Electronic Health Authority to improve public health activities
and facilitate the early identification and rapid response to public health
threats and emergencies, including bio-terror events and infectious disease
outbreaks[11].
(b)
Personal
Data Protection (PDP) Bill, 2019
· The
Personal Data Protection Bill, 2019 is one of the most anticipated, discussed
and well-known draft legislation on data protection in India. Despite being
nearly 2 years in the making, it is still under scrutiny by a Joint
Parliamentary Committee (JPC).
· In
this Bill, ‘Health data’ is categorized as ‘Sensitive Personal Data’ under s.3(36)(2).
Similar to the GDPR, this Bill provides for processing of Personal Data without
consent, if such processing is necessary to respond to any medical emergency
involving a threat to the life of a person or a severe threat to the health of
the data principal or any other individual[12]. The Bill also
authorizes the State to take any measure to provide medical treatment or health
services to any individual during an epidemic, outbreak of disease or any other
threat to public health;
· The
Bill provides a plethora of exemptions and powers to the sovereign. , Section
35 is a broad and sweeping section that permits the Central Government to, by
order, specify that all or any of the provisions of this Act (now, Bill) shall
not apply to any agency of the Government with respect to processing of such personal
data, as may be specified in the order, if it is in the interest of sovereignty
and integrity of India, security of the State or friendly relations with
foreign states . If the Bill had been enacted, as is, prior to the pandemic, these
provisions would have given the government carte blanche to obtain and process personal
data of individuals.
If
one compares DISHA and the PDP Bill 2019, one observes that DISHA contains far more
stringent restrictions on the processing of health data than the PDP Bill 2019.
These contradictions are problematic. In scenarios like the present COVID-19
pandemic, if India had had conflicting laws, i.e., if both Disha and the PDP
Bill had co-existed in their current forms, it does not tax the imagination to
envision a scenario where all players, but particularly State players, seek
refuge under the PDP Bill, to benefit from its flexibility. State actors, in
particular, would certainly seek the benefit of the blanket exemptions under
Section 35 of the PDP Bill. However, despite the public consultation process,
DISHA was never pursued as a law to be enacted and was never introduced in the
Parliament because, by this time, the Srikrishna Committee Report on Data
Privacy and the Personal Data Protection Bill, 2018 (predecessor of the PDP
Bill, 2019) had taken over the role of addressing all data privacy concerns.
To
ensure that the goal of data privacy and protection is met, it is incumbent on
the Government to prioritize the enactment of a comprehensive data privacy law
in India which will meet the stated objective of safeguarding personal data,
including health data.
Conclusion
A
pandemic like COVID-19 requires certain restrictions to be placed by the
government in order to contain its effects. Scientific experiments, contact
tracing, clinical trials, statistical analyses, all require the processing of
sensitive health data of individuals. However, privacy is an important and deep
routed issue that haunts such data collection and storage.
Like
the EU laws require, public authorities should first seek to process location
data in an anonymous way (i.e. processing data aggregated in a way that
individuals cannot be re-identified), which could enable generating reports on
the concentration of mobile devices at a certain location (“cartography”).
Personal data protection rules do not apply to data which has been
appropriately anonymized. When it is not possible to only process anonymous
data, the e-Privacy Directive enables Member States to introduce legislative
measures to safeguard public security (Art. 15). If measures allowing for the
processing of non-anonymized location data are introduced, a Member State is
obliged to put in place adequate safeguards, such as providing individuals of
electronic communication services the right to a judicial remedy.
In
order to seek a balance of conflicting requirements, it is important that data
collectors such as the government address questions relating to use of data
collected once the health crisis is over, and make voluntary submissions to
data principals that restricting the use of data is the duty of the government.
The purpose limitation principle should be adhered to while collecting and
processing personal data under such emergencies and a commitment that, while
data principals will offer informed consent, by the same token governments must
guarantee that this data will not be normalized in order to track people for other
‘public interest’ causes. The balance
between protecting public health and the personal privacy of individuals will
be a long drawn out battle for rights of data principals and data collectors. However,
the State, in a democratic system, must never become the perpetual owner of
such data to use it at its will alone.
[1] EDPB official statement available at: https://edpb.europa.eu/sites/edpb/files/files/news/edpb_statement_2020_processingpersonaldataandcovid-19_en.pdf
[1] EDPB official statement available at: https://edpb.europa.eu/sites/edpb/files/files/news/edpb_statement_2020_processingpersonaldataandcovid-19_en.pdf
[3]
Justice Puttaswamy and Anr Vs. Union of India Ors {WRIT PETITION (CIVIL) NO
494 OF 2012} ; Full Judgment available
at: https://main.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_24-Aug-2017.pdf
[4] s.2(1)
of the Epidemic Diseases Act
[5] s.
3(iii) of the SPDI Rules.
[6] Chapter
7, reg.7.14 (ii) and 7.14(iii)
[8] Guideline
3.3.2 of the Ethical Guidelines for Biomedical Research, 2017
[10] s.
29(5), DISHA: Purposes of collection, storage, transmission and use of
digital health data
[11] s.34(3)
of the DISHA read with S.29 (1) (d).
[12] s.12
(d) and (e) of the Personal Data Protection Bill 2019