Security & Privacy by Design - 'The Guiding Principle' of Health Data Management Policy by ABDM

Every byte of data has a story to tell. The question is whether the story is being narrated accurately and securely. Usually, we focus sharply on the trends around data with a goal of revenue acceleration but commonly forget about the vulnerabilities caused due to bad data management. Data possesses immense power, but immense power comes with increased responsibility. In today’s world collecting, analyzing and build prediction models is simply not enough. Keep in mind that we are in a generation where the requirements for data security have perhaps surpassed the need for data correctness. Hence the need for Privacy By Design is greater than ever.

“Privacy by Design” and “Privacy by Default” have been frequently-discussed topics related to data protection. The first thoughts of “Privacy by Design” were expressed in the 1970s and were incorporated in the 1990s into the RL 95/46/EC data protection directive. Privacy by design is an approach to systems engineering that seeks to ensure protection for the privacy of individuals by integrating considerations of privacy issues from the very beginning of the development of products, services, business practices, and physical infrastructures. The adoption of security and privacy principles is a crucial step in building a secure, audit-ready program.

Privacy by Design is based on following 7 principles:

1. Proactive not Reactive; Preventative not Remedial - Privacy by Design comes before-the-fact, not after.
2. Privacy as the Default Setting - it is built into the system, by default.
3. Privacy by Design is embedded into the design and architecture of IT systems and business practices
4. Privacy by Design seeks to accommodate all legitimate interests and objectives in a positive-sum “win-win” manner not Zero-Sum
5. End-to-End Security — Full Life-cycle Protection
6. Visibility and Transparency — Privacy by Design seeks to assure all stakeholders that whatever the business practice or technology involved, it is in fact, operating according to the stated promises and objectives,
7. Respect for User Privacy — Keep it User-Centric

Privacy by Design in Health Data Management Policy by ABDM

Consider  data  protection  requirements  as  part  of  the  design  and  implementation  of  systems, services,  products  and  business  practices.  The  federated  design  of  the  National  Digital  Health  Ecosystem ensures  that  no  personal data other than  what  is  required  at  a  minimum  to  create  and  maintain  Health  IDs,  Facility  IDs  or  Health  Professional  IDs shall  be  stored  centrally.  Electronic  medical  records  shall  be  stored  at  the  health  facility  where  such  records  are created,  or  at  such  other  entities  as  may  be  specified  by  Policy.  Electronic  health  records  shall be  maintained  by  entities  specified  by  Policy,  as  a  collection  of  links  to  the  related  medical records.  ABDM  shall  issue  appropriate  technological  and  operational  guidelines  providing  for  the establishment  and  maintenance  of  the  federated  architecture,  for  ensuring  the  security  and  privacy  of  the personal  data  of  data  principals,  and  for  maintenance  of  electronic  medical  records  and  electronic  health records.

Prepare  a  privacy  policy  containing  the  following  information:

(a)  clear  and  easily  accessible  statements  of  its  practices  and  policies;  

(b)  type of personal  or  sensitive  personal  data  collected; 
(c) the  purpose  of  collection  and  usage  of  such  personal  or  sensitive  personal  data;   
(d)  whether  personal  or  sensitive  personal  data  is  being  shared  with  other  data  fiduciaries  or  data processors;   
(e)  reasonable  security  practices  and  procedures  used  by  the  data  fiduciary  to  safeguard  the personal or  sensitive  personal  data  that  is  being  processed. 

The  privacy  policy  referred  shall  be  published  on  the  website  of  the  data  fiduciary.  In  addition, the  data  fiduciary  shall  also  make  available  a  privacy  by  design  policy  on  its  website  containing  the following  information:

(a)  the  managerial,  organisational,  business  practices  and  technical  systems  designed  to  anticipate, identify  and  avoid  harm  to  the  data  principal; 

(b)  the  obligations  of  data  fiduciaries; 

(c)  the technology  used in  the  processing  of  personal data,  in  accordance  with  commercially  accepted or  certified  standards; 

(d)  the protection of privacy throughout processing from the point of collection to deletion of personal data; 

(e)  the  processing  of  personal  data  in  a  transparent  manner;  and 

(f)  the  fact  that  the  interest  of  the  data  principal  is  accounted  for  at  every  stage  of  processing  of personal  data. 

The  privacy  policy  issued  and  the  principles  of  privacy  by  design  followed  by  the  data  fiduciaries  should be  in  consonance  with  this  Policy  and  applicable  law.