21 Sep 2020 Asia Cloud Computing Association’s (ACCA) Response to the Indian Ministry of Health and Family Welfare’s Draft Health Data Management Policy https://ndhm.gov.in/stakeholder_consultations/ndhm_policies
Asia Cloud Computing Association’s (ACCA) Response to India’s Draft Health Data Management Policy
Asia Cloud Computing Association’s (ACCA) Response to the Draft Health Data Management Policy | Sep 2020 | Page 1 of 4
Ministry of Health and Family Welfare
National Health Authority
9th Floor, Tower-l, Jeevan Bharati Building
Connaught Place, New Delhi - 110 001
21 September 2020
Re: Asia Cloud Computing Association’s (ACCA) Response to India’s Draft Health Data
The ACCA appreciates the efforts of the Ministry of Health and Family Welfare (MoHFW) to craft a
policy framework for health data management. We believe that crafting clear and enabling data
policies is important in promoting use of technology in the healthcare sector, which has become
even more vital as technology is utilized to help combat the COVID-19 pandemic.
As the apex industry association for Asia Pacific stakeholders in the cloud computing ecosystem, the
ACCA represents a vendor-neutral voice of the private sector to government and other stakeholders.
The ACCA’s mission to accelerate the adoption of cloud computing throughout Asia Pacific by
helping to create a trusted and compelling market environment, and a safe and consistent
regulatory environment for cloud computing products and services. We are committed to
strengthening digital resilience, and to the development of a safe and secure ecosystem where data
is protected by the best technology and regulatory frameworks, in support of a better world for all.
Following discussions with our member companies, we are submitting the following comments to
the Draft Health Data Management Policy. Should you have any questions on our comments, I would
be pleased to arrange for a videoconference discussion with our members.
Thank you, and I look forward to hearing from you on the issues raised.
Asia Cloud Computing Association
Asia Cloud Computing Association’s (ACCA) Response to the Draft Health Data Management Policy | Sep 2020 | Page 2 of 4
Asia Cloud Computing Association’s (ACCA) Response to the Draft Health Data Management Policy
The ACCA thanks the Ministry of Health and Family Welfare (MoHFW) for the opportunity to submit
feedback on the Draft Health Data Management Policy (the “Draft Policy”).
1. General Comments
a. Alignment with international best practices.
i. Data protection best practices. The ACCA recommends that where possible,
the Draft Policy be aligned with international best practices on data
protection such as the EU General Data Protection Regulation (GDPR).1
ii. International standards. The ACCA recommends also that in addition to ISO
27001, the “Code of practice for protection of personally identifiable
information (PII) in public clouds acting as PII processors” i.e. ISO 27018
should also be included as a standard in the policy. This international
standard focuses on security controls for public cloud service providers
acting as PII processors.
iii. Health data best practices. We also encourage MoHFW to consider how the
Health Insurance Portability and Accountability Act of 1996 HIPAA in the
United States has addressed similar issues on data protection in the
healthcare sector. Employing a similar approach to that of the US would
allow Indian healthcare providers to use global technology providers, such
as hyperscale cloud service providers (CSPs).
b. Internal alignment with other policies in India. In addition, to ensure consistency
we recommend that the Draft Policy leverage off the draft Personal Data Protection
Bill, 2019 (the “PDP Bill”) where applicable.
i. Linking Aadhar ID and Health ID. The ACCA also notes that there may be a
need for more clarity with regard to the linking of the Aadhaar ID to the new
health ID. As the usage of the Aadhar ID has been restricted by the Supreme
Court, this linkage may potentially violate the ruling.
ii. Law enforcement data requests. This policy does not provide sufficient
information on events under which governments may seek to access health
records, which may raise law enforcement access concerns.
2. Applicability (Section 2) on Storage
a. This does not provide detail on the level at which data is classified and how the data
are therefore stored and processed, and by which provider. This leads us to a
reading where each data set has to be stored by the relevant entities within India
only. The ACCA recommends to take a risk management approach which matches
the level (i.e. federal; state; individual hospital) with the determination on how the
data is stored/processed and with what provider.
Asia Cloud Computing Association’s (ACCA) Response to the Draft Health Data Management Policy | Sep 2020 | Page 3 of 4
3. Definition of Biometric Data (Section 4(b))
a. The definition of biometric data currently contained in the Draft Policy is ambiguous
and could potentially stymy widespread use of important privacy-protecting
innovations in healthcare.
b. In this context, biometric data is not being used for identification purposes, but to
develop tools that can help diagnose disease. We therefore suggest clarifying the
definition of biometric data and/or enacting explicit de-identification standards for
biometric data being used to advance healthcare.
4. Classification of Personal Data as Defined in the Draft Policy (Section 4(y) and 4(ee))
a. We understand that the PDP Bill remains pending in the Lok Sabha. The PDP Bill
contains definitions for critical personal data, which can only be processed in India
and can be transferred outside of the country in very limited circumstances, and for
sensitive personal data, which can be transferred out of the country with the explicit
consent of the data principal but should continue to be stored in India.
b. As the PDP Bill already covers the concept of sensitive personal data, we do not
believe there is a need for an additional policy which reiterates the same protection.
To avoid confusion and provide certainty on the treatment of health data—
particularly as it overlaps with the PDP Bill—we recommend that the Draft Policy
explicitly state its relationship to the PDP Bill and that personal health data within
the scope of the Draft Policy will be considered as “sensitive personal data”, per the
PDP Bill definition.
c. We would also like to note that as a general matter, data localization does not
necessarily increase data protection and should be discouraged. In the context of
cloud service providers (CSPs), the level of data protection is dependent on the
security and privacy controls implemented by data fiduciaries. As such, physically
locating data in India or a specific jurisdiction does not necessarily offer better
protection. As opposed to data localization, governments should focus on permitting
cross-border data flows with adequate protections, which will allow local businesses
and consumers to take advantage of innovative technologies while assuring that
their data remains secure.
5. Rights of Data Principles (Section 14)
a. The obligation of data erasure should be limited to data controllers, not data
processors. This distinction has not been made within this policy, and should be
6. Data Fiduciary Checks on Data Processor (Section 27)
a. We request clarity on the requirement for a data fiduciary to conduct checks on the
system of the data processor, in particular whether this would mandate a physical
audit of data centers. In lieu of physical audits, which can be intrusive and present
an increased security risk for data centers, the ACCA recommends that third party
audits conducted with international standards such as the ISO and SOC, and other
relevant certifications should suffice.
Asia Cloud Computing Association’s (ACCA) Response to the Draft Health Data Management Policy | Sep 2020 | Page 4 of 4
7. Breach Notification (Section 33)
a. The current requirements for breach notifications in Section 33 are drafted as a
requirement for any breach without a defined level of risk or the number of records
that are affected. As this exceeds the scope of most data breach notification laws,
we suggest that this provision be altered to align with breach notification standards
such as those in the EU GDPR.