Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Asia Cloud Computing Association’s (ACCA) Response to India’s Draft Health Data Management Policy


Published on

21 Sep 2020 Asia Cloud Computing Association’s (ACCA) Response to the Indian Ministry of Health and Family Welfare’s Draft Health Data Management Policy

Published in: Healthcare
  • Be the first to comment

  • Be the first to like this

Asia Cloud Computing Association’s (ACCA) Response to India’s Draft Health Data Management Policy

  1. 1. Asia Cloud Computing Association’s (ACCA) Response to the Draft Health Data Management Policy | Sep 2020 | Page 1 of 4 Ministry of Health and Family Welfare National Health Authority 9th Floor, Tower-l, Jeevan Bharati Building Connaught Place, New Delhi - 110 001 India 21 September 2020 Dear Sir/Madam, Re: Asia Cloud Computing Association’s (ACCA) Response to India’s Draft Health Data Management Policy The ACCA appreciates the efforts of the Ministry of Health and Family Welfare (MoHFW) to craft a policy framework for health data management. We believe that crafting clear and enabling data policies is important in promoting use of technology in the healthcare sector, which has become even more vital as technology is utilized to help combat the COVID-19 pandemic. As the apex industry association for Asia Pacific stakeholders in the cloud computing ecosystem, the ACCA represents a vendor-neutral voice of the private sector to government and other stakeholders. The ACCA’s mission to accelerate the adoption of cloud computing throughout Asia Pacific by helping to create a trusted and compelling market environment, and a safe and consistent regulatory environment for cloud computing products and services. We are committed to strengthening digital resilience, and to the development of a safe and secure ecosystem where data is protected by the best technology and regulatory frameworks, in support of a better world for all. Following discussions with our member companies, we are submitting the following comments to the Draft Health Data Management Policy. Should you have any questions on our comments, I would be pleased to arrange for a videoconference discussion with our members. Thank you, and I look forward to hearing from you on the issues raised. Yours sincerely, Lim May-Ann Executive Director Asia Cloud Computing Association
  2. 2. Asia Cloud Computing Association’s (ACCA) Response to the Draft Health Data Management Policy | Sep 2020 | Page 2 of 4 Asia Cloud Computing Association’s (ACCA) Response to the Draft Health Data Management Policy The ACCA thanks the Ministry of Health and Family Welfare (MoHFW) for the opportunity to submit feedback on the Draft Health Data Management Policy (the “Draft Policy”). 1. General Comments a. Alignment with international best practices. i. Data protection best practices. The ACCA recommends that where possible, the Draft Policy be aligned with international best practices on data protection such as the EU General Data Protection Regulation (GDPR).1 ii. International standards. The ACCA recommends also that in addition to ISO 27001, the “Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors” i.e. ISO 27018 should also be included as a standard in the policy. This international standard focuses on security controls for public cloud service providers acting as PII processors. iii. Health data best practices. We also encourage MoHFW to consider how the Health Insurance Portability and Accountability Act of 1996 HIPAA in the United States has addressed similar issues on data protection in the healthcare sector. Employing a similar approach to that of the US would allow Indian healthcare providers to use global technology providers, such as hyperscale cloud service providers (CSPs). b. Internal alignment with other policies in India. In addition, to ensure consistency we recommend that the Draft Policy leverage off the draft Personal Data Protection Bill, 2019 (the “PDP Bill”) where applicable. i. Linking Aadhar ID and Health ID. The ACCA also notes that there may be a need for more clarity with regard to the linking of the Aadhaar ID to the new health ID. As the usage of the Aadhar ID has been restricted by the Supreme Court, this linkage may potentially violate the ruling. ii. Law enforcement data requests. This policy does not provide sufficient information on events under which governments may seek to access health records, which may raise law enforcement access concerns. 2. Applicability (Section 2) on Storage a. This does not provide detail on the level at which data is classified and how the data are therefore stored and processed, and by which provider. This leads us to a reading where each data set has to be stored by the relevant entities within India only. The ACCA recommends to take a risk management approach which matches the level (i.e. federal; state; individual hospital) with the determination on how the data is stored/processed and with what provider. 1 content/EN/TXT/?uri=uriserv%3AOJ.L_.2016.119.01.0001.01.ENG&toc=OJ%3AL%3A2016%3A119%3ATOC
  3. 3. Asia Cloud Computing Association’s (ACCA) Response to the Draft Health Data Management Policy | Sep 2020 | Page 3 of 4 3. Definition of Biometric Data (Section 4(b)) a. The definition of biometric data currently contained in the Draft Policy is ambiguous and could potentially stymy widespread use of important privacy-protecting innovations in healthcare. b. In this context, biometric data is not being used for identification purposes, but to develop tools that can help diagnose disease. We therefore suggest clarifying the definition of biometric data and/or enacting explicit de-identification standards for biometric data being used to advance healthcare. 4. Classification of Personal Data as Defined in the Draft Policy (Section 4(y) and 4(ee)) a. We understand that the PDP Bill remains pending in the Lok Sabha. The PDP Bill contains definitions for critical personal data, which can only be processed in India and can be transferred outside of the country in very limited circumstances, and for sensitive personal data, which can be transferred out of the country with the explicit consent of the data principal but should continue to be stored in India. b. As the PDP Bill already covers the concept of sensitive personal data, we do not believe there is a need for an additional policy which reiterates the same protection. To avoid confusion and provide certainty on the treatment of health data— particularly as it overlaps with the PDP Bill—we recommend that the Draft Policy explicitly state its relationship to the PDP Bill and that personal health data within the scope of the Draft Policy will be considered as “sensitive personal data”, per the PDP Bill definition. c. We would also like to note that as a general matter, data localization does not necessarily increase data protection and should be discouraged. In the context of cloud service providers (CSPs), the level of data protection is dependent on the security and privacy controls implemented by data fiduciaries. As such, physically locating data in India or a specific jurisdiction does not necessarily offer better protection. As opposed to data localization, governments should focus on permitting cross-border data flows with adequate protections, which will allow local businesses and consumers to take advantage of innovative technologies while assuring that their data remains secure. 5. Rights of Data Principles (Section 14) a. The obligation of data erasure should be limited to data controllers, not data processors. This distinction has not been made within this policy, and should be clarified. 6. Data Fiduciary Checks on Data Processor (Section 27) a. We request clarity on the requirement for a data fiduciary to conduct checks on the system of the data processor, in particular whether this would mandate a physical audit of data centers. In lieu of physical audits, which can be intrusive and present an increased security risk for data centers, the ACCA recommends that third party audits conducted with international standards such as the ISO and SOC, and other relevant certifications should suffice.
  4. 4. Asia Cloud Computing Association’s (ACCA) Response to the Draft Health Data Management Policy | Sep 2020 | Page 4 of 4 7. Breach Notification (Section 33) a. The current requirements for breach notifications in Section 33 are drafted as a requirement for any breach without a defined level of risk or the number of records that are affected. As this exceeds the scope of most data breach notification laws, we suggest that this provision be altered to align with breach notification standards such as those in the EU GDPR.