ALL INDIA PEOPLE’S SCIENCE NETWORK (AIPSN)
Regd. No. PKD/CA/62/2020.
AIPSN Central Secretariat, o/o Tamil Nadu Science Forum
6, Kakkathoppu Street, MUTA Building, Madurai-625 001, Tamil Nadu
E-mail: firstname.lastname@example.org
Ph: 094429 15101
Twitter: @gsaipsn
Website: https://aipsn.net
President: Dr. S. Chatterjee
General Secretary: Prof. P. Rajamanickam
Treasurer: Dr. S. Krishnaswamy
Feedback on NDHM policies
National Health Authority
Ministry of Health and Family Welfare
9th Floor, Tower-l, Jeevan Bharati Building, Connaught Place,
New Delhi – 110 001
e-mail address: email@example.com
Sub: Comments and feedback on NDHM policies
Ref: Draft Health Data Management Policy
Following the extension of the notice period for the draft Health Data Management Policy till 21st September, we offer the following response to the draft Health Data Management Policy (HDMP), with related aspects of the National Digital Health Mission (NDHM), for your consideration, and also insist that the responses received and discussions be placed transparently on a publicly accessible website.
Do acknowledge receipt of this response.
Thanking you in anticipation and with regards
General Secretary, AIPSN
A Network of 40 People’s Science Movements working in 25 states
Response to draft Health Data Management Policy (HDMP), with related aspects of the National Digital Health Mission (NDHM)
- Extend the date for comments:
The period given for public responses to the Draft HDMP has been extremely short, making any intensive and detailed consultation with different stakeholders especially under constraints of Covid-related restrictions virtually impossible. The All India Peoples Science Network (AIPSN), arguably the largest civil society organization in science and technology, at the outset calls for an extension of the last date for comments at least to end of November, 2020 if not later. Further, Draft HDMP cannot be discussed in isolation, without also discussing the National Digital Health Mission (NDHM) announced by the PM as late as 15th August this year and the Personal Data Protection Bill (PDPB) 2019 which is still under discussion in Parliament. The current effort seeks to rush through a number of policies without due consultations with States, health providers or specialized digital health experts. The lack of such consultation shows up in many weaknesses and inconsistencies in the draft HDMP which require much deeper debate. Nevertheless, AIPSN offers some preliminary comments within the current deadline of 21st September 2020. If MoHFW extends the last date, AIPSN may submit a fresh and more detailed Response.
- Discuss only along with National Digital Health Mission:
AIPSN notes that the HDMP is a subset of the NDHM, documents related to which became available barely two weeks ago. Public comments and discussion of the HDMP should include a discussion on the NDHM which itself has several serious flaws with direct impact on HDMP. There are also significant areas where these two policy documents are not aligned, notably with respect to PDPB and many key features and assurances.
- Discuss only along with Personal Data Protection Bill 2019:
It is shocking that the HDMP makes no mention of the Personal Data Protection Bill 2019 currently before Parliament. It is simply not possible to discuss, leave alone adopt, a policy dealing with health data of citizens without adequate safeguards for such data which is the very subject of that Bill. It is essential that HDMP be discussed and adopted only after adoption of the PDPB. Government should also be interested in avoiding any impression that the HDMP seeks to evade or circumvent provisions of that Bill.
- Unaccountable and arbitrary governance by the Executive:
The HDMP section on governance needs to be rejected outright and comprehensively re-written. In its current formulation (Section 6, p.6), HDMP would be governed by structures and rules created from time to time by the National Health Authority (NHA). The NHA, despite its name, has not been created through an Act of Parliament unlike the National Highways Authority or Telecom Regulatory Authority. It was created as the National Health Agency in 2017 for the sole purpose of managing the PM Jan Arogya Yojana (PM-JAY), and later declared an “authority” by a Cabinet order and placed under Niti Aayog. Thus HDMP governance now stands to be an executive or departmental function, each policy or action is subject to change at any time by executive order, and rights described in HDMP would not be legally enforceable by citizens. The Aadhaar experience has shown how a policy that began with assurances of voluntary participation gradually became a mandatory requirement by a series of executive orders. Further, NHA creates a government appointed Data Protection Officer who will have wide ranging and ambiguous powers. In the HDMP, both the Ministry of Health & Family Welfare (MoHFW) and Ministry of Electronics & Information Technology (MEIT) are marginalized, and therefore so is all parliamentary scrutiny. However, the NDHM policy document visualizes the legal and regulatory framework as part of the functions of MoHFW and MEIT, and not of the NHA. The NDHM also has a Mission Steering Group and Empowered Committee which are not mentioned in HDMP. The governance provisions of HDMP also do not match those proposed in the Personal Data Protection Bill which calls for a separate legally mandated Data Authority, with which the NDHM document in turn promises to align. Clearly, the governance structures and mechanisms of HDMP are arbitrary, unaccountable and subject to executive whims, not aligned with either NDHM or PDPB, and hence completely unacceptable.
- Need for Legislation:
It is necessary that the National Health Authority and its mandate to manage the NDHM and the HDMP should be secured in appropriate legislation passed by Parliament after the Personal Data Protection Bill is enacted.
- Not fit for purpose:
Another major issue with governance of HDMP, and of NDHM, is that the “fit for purpose” of all the digital health data collected and processed, and how these relate to the broader health ecosystem, are inadequately addressed. Health data digitization and management is viewed in HDMP as a stand-alone purpose, which may serve the interests of the telecom, data, corporate health and insurance industries, but it is not clear how this will enable better access to, or quality of, public health services, or how this would improve health outcomes for citizens with dignity and privacy.
- HDMP focus is individual data not public health informatics:
Flowing from this, HDMP engages only with personal health data records in its objectives (Section 3, p.2). There is no objective relating to disease prevalence, infection control (even at the time of a huge pandemic), morbidity and mortality estimates, or expenditure on healthcare etc. Thus the entire exercise is focused only on individual case management as is applicable to an insurance company or health management organization. The NDHM strategy document does mention public health outcomes, but predominant focus is still on individual health data, which may have salience for pharma and insurance companies or health management institutions, but not on informatics for public health. Information of public health importance could theoretically flow out of individual digital health records, but experience in India shows that this does not reflect reality due to a number of structural barriers. Such data collection, processing and linkage with a public health system requires very high levels of investment and technical capability in the Indian environment of highly atomized and often non-institutional health care encounters. For most of India’s population, the absence of a digital health data file which contains, to quote the PM’s Independence Day speech, “details of every test, every disease, the doctors you visited, the medicines you took and the diagnosis,” is not the critical problem. Getting a proper and affordable consultation in a public health facility, being able to pay for medicines prescribed, getting a bed in an affordable facility, these are day-to-day challenges. Once again, the public health utility of the proposed digital health data system, and the huge amount of funds required for it, are highly questionable.
- Illusory power of data principals:
HDMP’s framework on consent of individuals (data principals) regarding their personal health data (Section 3) contains assurances that cannot be taken seriously. For example, it is stated that “data principals would have complete control and decision-making power over the manner in which personal or sensitive personal data associated with them is collected and processed further.” However, given the high levels of information asymmetry (i.e. that there is a big gap in knowledge between citizens and data professionals about health data, their uses and implications for patient confidentiality) even most educated middle class persons would not be able to exercise such control. Further, persons seeking healthcare have high vulnerability, would be in no position to bargain over their data rights, nor would it be possible even for those collecting data to inform them adequately of such rights. Contradicting itself in a later section, the right of data principals to erase their health data is so highly restricted and so conditional in HDMP that, in practical terms, there is a total loss of control over one’s data.
- No need for unique health ID with problematic scope:
The need to create a unique health ID and the scope of such a health ID, as prescribed in HDMP, are both highly problematic. Although a bland assurance is given that lack of this Health ID cannot be a basis for denial of healthcare, this assurance is far from convincing, given past experience with Aadhaar and the Aarogya Setu App. An ID is made essential for all health care users, health providers, professionals, facilities and data operators to be part of the scheme. And once insurance schemes and healthcare providers move to this platform, all access to publicly financed healthcare would become inaccessible without such a platform and ID. When the current standards of practice are that patients with life-threatening illnesses are being denied treatment due to the lack of an Aadhaar card, it would be foolish to believe that this ID will not be mandatory in one form or another. The stated uses of a unique health ID, like portability of personal health information, can just as easily be achieved with any of the many existing IDs. It is to be noted that the NDHM strategy document also clearly states that “all government health programmes… are required to integrate with the service and issue Health IDs as part of their programs. This will ensure that health information from visit to public health facilities and those being captured across various health programs like RCH, NIKSHAY, NCD, PMJAY will be included in the patients’ longitudinal health record.” This clearly shows that the Health IDs are meant to be system-wide and compulsory in practice.
- IT System(s) problems:
It is common these days to see considerable enthusiasm in government programmes for digital data and IT data processing and management systems, almost as if by their mere introduction, they would provide a panacea to solving all our problems! Unfortunately, there is little attempt to critically review or reflect upon the rather mixed experience so far. In this light, while it is welcome that HDMP talks of open source software and open standards, it does not reflect on the sobering fact that these have been MEIT policy for two decades now, and yet India is no closer to their realization. The HDMP itself calls for compliance with standards like SNOMED CT which, irrespective of merits, is not an open standard at all, and is closely wedded to healthcare digitization practices in the US. Similarly, while there is much brave talk of inter-operability and federated structures, there is little understanding or discussion of why India currently has dozens of parallel IT systems in the Centre and in the States. Most of these IT systems are sub-functional or dysfunctional, completely unable to talk to each other, and often have vendor lock-ins which have been a roadblock to future development. Neither the NDHM strategy nor the HDMP shows awareness of these and other risks including, for example, the marketing practices of private sector vendors, or the duplication and fragmentation of data.
- No Penalties, weak grievance redressal:
There is no clarity in HDMP or NDHM as to what penalties would be incurred or compensation provided if and when citizens’ rights are violated, or how violations can be traced. The accountability of data management firms provided for is essentially that they would be de-empanelled, but this would not be easy, when they hold health records of a large proportion of the population. The grievance redressal mechanisms in HDMP are also extremely weak.
- Dangers of State Surveillance and growing authoritarianism:
There is growing danger in India from the increasing resort to gathering and storing of citizens’ data through various means, including through often mandatory digitization of citizens’ access to government services, all in the name of either greater efficiency of service delivery or national security. The extreme centralization of such data and the lack of transparency and accountability regarding use of this data, especially by security agencies, have heightened fears of enhanced and dangerous state surveillance of civic life, especially in the context of growing authoritarian trends in the country. So, even though the Health ID and personal health data are not really a priority, or are even irrelevant, for public health needs as discussed above, they can be used for surveillance purposes. The repeated assertion in the NDHM Strategy that all registries and other master databases of NDHM will be built as “Single Source of Truth” on different aspects and backed by strong data governance is a matter of great concern. Countries with longer and arguably stronger liberal traditions have consciously insisted on multiple sources of identity and information, precisely in order to protect citizens from capture of knowledge by centralized executive power. Conversely, erasure of data from a centralized database could lead to a total destruction of all identity, entitlements and rights. These anxieties require to be addressed.
- Opening pathways to corporate Profits:
HDMP enables and enhances corporate profits in five significant ways:
- immediate beneficiaries are IT companies who would get large new lucrative contracts.
- IT industry in general also benefits through data mining and commercialization of personal and aggregate health data.
- digital health care corporates such as e-pharmacies, related e-retailers, e-consultations and prescriptions, e-diagnostics would benefit by obtaining increasing share of retail healthcare.
- insurance companies would benefit enormously by obtaining personal health information, targeting consumers of insurance products, and adjusting premiums, etc.
- perhaps the main danger is the space and opportunity opened up in India for multinational health management organizations and healthcare corporates to penetrate the Indian healthcare industry. There is already a fairly high flow of FDI into the hospital and insurance sector following gradual and diminishing controls. NDHM and HDMP now enable corporate penetration into the primary and secondary healthcare segment, and that too in Tier-2 and Tier-3 towns and cities by a process of aggregation and consolidation of small-scale providers on one hand, and increasing restriction of public providers to residual health care on the other. In other words, public providers would be limited to providing care only for those disease conditions and those people that the private sector is not interested in.
For clarifications contact:
- Rajamanickam 9442915101
- T. Sundararaman 99874388253
- D. Raghunandan 9810098621