The government Wednesday released a draft of its Health Data Management Policy, detailing how patient information will be collected, processed and managed under the National Digital Health Mission’s (NDHM) digital health IDs. The National Health Authority (NHA), which is implementing the mission, has sought public comments on the draft by September 3.

The policy, which comes in the absence of clear data protection and security laws, draws from existing and proposed legislation to propose a framework that would safeguard patient information.

The Indian Express reported on August 19 that NHA had carved out two policies in an effort to implement NDHM’s “privacy by design” approach to safeguarding patient information. The mission was launched by Prime Minister Narendra Modi on Independence Day during his address from the ramparts of the Red Fort.

The draft states that patients who opt for the health ID will be given “complete control” and decision making power over the manner in which their personal data and any sensitive data associated with them is collected and processed. They will also be allowed to withdraw their consent “at any time”.

Those processing the data, including health information providers and health information users, are expected to formulate and implement a “personal data breach management mechanism”.

This is to ensure that any instances of violations and non-compliance, including any unauthorised or accidental disclosure, sharing, alteration or use of the personal data, are “promptly” reported to the NHA and other relevant entities.

The NHA, on its part, shall formulate and implement procedures to “identify, track, review and investigate” such incidents and will maintain a record of these instances along with the action taken.

“Without prejudice to the foregoing, in the event of any incident of data breach, the person responsible for such breach shall be liable in accordance with the provisions of applicable law,” states the draft policy.