“One-time consent is not a pass to all your data.”

What does your data have to do with public health? A campaigner for digital rights explains.

Illustration by Nikhil K.C

Rohin Garg works as Associate Policy Counsel with the Internet Freedom Foundation (IFF), a public charitable trust that works on ensuring that technology deployment respects fundamental rights. The IFF, comprised of erstwhile volunteers at the SavetheInternet.in campaign, generates public conversations and campaigns, analyses policy change and recommends interventions with the fundamental aim that Indian citizens can use the Internet with liberties guaranteed by the Constitution.

The Third Eye speaks to Rohin about the advantages and pitfalls of the rapid digitisation of the Indian public health system, surveillance and privacy, and the Universal Health ID card.

What are some of the central areas IFF is looking at, vis-à-vis digital rights and public health?

A part of my work is looking at how policy interacts with the world. So, we have worked on labour issues, we work on agriculture, we worked on how privacy affects, in a real way, the way we offer Internet access. And recently, one big point of departure for me was the Universal Health ID (UHID), which got notified last year. And it was very curious that in the middle of a pandemic, you’re choosing to push through changes which even in normal times, would take a significant amount of bureaucratic smoothening out, regardless of any other harms such as privacy or exploitation of data, or the entire Aadhaar linkage.

So, basic thing: for example, they said the UHID would be voluntary. But as we saw in PGIMR in Chandigarh and in Puducherry, the local administrations sent out notices saying, no, you may solicit the doctors only after you register and get the health ID. In Puducherry, they were asking schools to ensure all children and their parents were enrolled in the health ID program in the middle of the pandemic, without any basis. I think this is sort of where we got concerned, that okay, what is the need for this at this moment?

The argument for a universal health ID is that patients can move healthcare providers seamlessly, as their case files will be transferred digitally…

Actually, the need for electronic health records itself has been questioned [internationally]. For example, Australia has implemented a large-scale electronic health records program. Firstly, there was almost too much information – so medical practitioners ended up using around 10 to 15% of the information uploaded. And the benefits did not outweigh the sheer effort of digitising, as well as the dangers it poses.

So, why was that all that data collected? And the answer, or it seems to be on reading of the policy documents, is that data is being made available for monetising.

How would you monetise someone’s health data? What is the exact danger of having your health data online?

There’s a host of issues. And I’ll work backwards, which means, I’ll come to consent last.

The basic one is, of course, state capacity. Does the state have the sort of infrastructure and human capacity to fulfil the vision of – and it’s a grandiose vision – that the remotest rural village will have interoperability of records considering we know the state of our primary health centres (PHCs)?

The questions we are asking are, who gets access to this data? Can insurance companies pay in the future and access my health records? What does that mean?

Can they raise my premium? Can I be charged differential rate for medical services by moving health liabilities on to patients rather than healthcare providers? Medical debt is one of the largest reasons of household indebtedness in India today. Will the UHID push me further into the private healthcare nexus?

Linking the UHID to Aadhaar, as it’s being done, raises very serious privacy concerns about linking a person’s health data with other databases, and increases the likelihood of the National Digital Health Ecosystem being connected with systems beyond the health sector.

Along with the Centre for Health Equity, Law, and Policy, we have drafted a working paper analysing the National Digital Health Mission’s Health Data Management Policy. We have raised these questions and concerns there.

You said there are issues of consent while implementing the UHID. Could you explain that more please?

We are saying that to implement a UHID card, there will be some exclusion and there will be some coercion. The exclusion bit is clear – we saw with the whole CoWIN experience that digitising such a basic health service failed spectacularly and the government had to make the vaccinations walk-ins/camps/door-to-door – as we have done for all of India’s vaccination programs, historically. The digital divide has been much talked about, and the Supreme Court has also taken cognisance of this.

As for coercion:

As you can see, the UHID program has been rolled out surreptitiously. And to make the public sign up, there are various coercions in place. The most common is financial coercion. So, for example, AIIMS in New Delhi has been running the UHID program for a couple of years. And what they would do is that they would offer to waive their Rs.100 registration fee if you registered for the UHID.

AIIMS is the most sought-after hospital for most of the general citizens in India, and if it says, we won’t charge you registration as long as you enrol in a government program, of course everyone will say yes. This is effectively financial coercion, because Rs.100 for registration is a lot to most people. And if you have a relative on a gurney, you know you fill any form they will ask you to.

The second part to this is linking my Aadhaar to the UHID. Who has actually given informed consent to this? If you have got your vaccination through your Aadhaar card, you are being enrolled into the UHID. How we discovered this is because when you get your vaccination through your driver’s license, there is a blank space for where it says UHID. But if you have got your jab through your Aadhaar, you’ll have that number. Now, this means a certification has been issued for you without any prior information or consent.

This is at odds with the consent framework that the Health Data Policy seems to uphold. See, one-time consent is not a pass to all your data.

Once you have this UHID, how do you withhold your privacy rights – let’s say in case of abortion, HIV, sex change operations, suicide attempt or any mental illness, once every health visit of yours will be a data point in a centralised data base?

Why is the Aadhaar not enough as an ID, is that what you are asking?

Actually, what we are asking is, why is the Aadhaar card, which is known for a lot of vulnerabilities, is known to have data leaks, is still being used as the sort of cornerstone of your authentication program at any point of service? We’ve all heard from places where, at PDS (public distribution system) shops for example, authentication is not happening fully.

Migrant workers, especially those who work in the hands-on [labour] sectors as construction etc., a common complaint is that their fingerprints actually get worn away. So, even if it’s their own ID card and they go and press the thumb, [the system] doesn’t recognise the fingerprint, because obviously it’s worn away, and there’s nothing to authenticate.​

Most people assume the Aadhaar is compulsory to get vaccinated.

It’s not. We have a Supreme Court ruling for this! We need to make people aware of their rights. For example, when I got my domestic help registered for the vaccine, she said she didn’t have an Aadhaar, so how will she get vaccinated? And I showed her the ten different documents you can use to get vaccinated. But they don’t say this in the health communications. She was surprised.

I think fundamentally, it’s a very different relation to the state for the poor. It is one where the state has obviously failed them in a variety of ways, but obviously, compared to the private sector, it is still seen as some sort of refuge. But given the sort of the aggressive bureaucratism – I will use that specific word – that persists in service delivery from PDS to ASHA (Accredited Social Health Activist) workers. There is a sort of understanding that the state is in a position of authority, and it’s best not to argue — jhagda mat karo ja ke, kagaz banva lo.

But to make people aware that even staking claim to the conversation is necessary. So if you are in a hospital, to ask is it necessary to fill this form? Is there an alternative? If I don’t give you my data will you deny me treatment? I think it’s important to make people confident enough to ask these questions.

If you work with labour, to ask migrant labourers if they have a Migrant Labour Card? Do you know what the state owes you? Just making the claim, I think, is a significant step.

So, what are the dangers of linking AADHAAR to UHID?

So many, but we’ll flag the prime ones. Your health data can now be linked to your Aadhaar and hence your PAN, etc. We are not aware of the security measures they have built in, but what is protecting your data from exploitation by the private sector and/or governments? There are some exemptions for data-sharing with insurers, which is another sort of issue that we flagged. The easiest example to explain the dangers of health data in this manner, is that if you have this sort of open, data-sharing-across-sectors sort of regime, insurers could collect this data, and then once they get that data, they will obviously raise your premiums way higher.

The second is the issue of surveillance. Aadhaar is an extremely centralised database, right?

So, for example, I live in Gurgaon, and here the Haryana government has started this family plan where they will keep track of every family through a family ID card that will also be linked to an Aadhaar. Which is linked to the Vahan database, where they can see what vehicle I drive. Of course, your electricity, mobile, all utilities, are linked to Aadhaar. Now, combine this with your health and medical history, and bank accounts, that is a staggering set of data points available to anyone in authority, on any citizen.​

Now, that is a threat at an abstract level, sure, but on a more concrete level, let’s talk about ASHAs. If, for example, let’s take ASHA workers: one of the most organised groups in this country.

In Haryana, we heard that citing privacy concerns, more than 22,000 ASHA workers have decided to shun a mobile app introduced by the National Health Mission, which is for tracking and updating their daily targets.

I spoke to the Gurgaon ASHA workers who handed their phones back to the National Health Mission as a gesture of protest against this app. And their point was that why should we tell the government where we are at all times? There was a question of basic dignity, because what they also wanted to do is track when we go to the washroom, and how long we spend in there. Now, why does the government need to know that, in general, they ask?

Now, your mobile is already linked to your Aadhaar, then you have employee tracking apps, so you will know if I am at a protest or a union leader’s house, so all we are asking is, why are you collecting all this data on ordinary citizens? So, Aadhaar is a very good enabler for any other surveillance system to come in.

Is employee tracking emerging elsewhere in the public sector?

In Chandigarh, sanitation workers have been protesting forceful wearing of GPS watches that tracked their movements. The GPS watches have been given by the Municipal Commissioner [at the cost of Rs. 2.24 crore a year] “to record attendance of field staff”.

GPS watches when there are no protection suits for sanitation workers?

Yes, I guess, the returns are not high enough on that investment.

Have you all worked on how Aarogya Setu app was used during the pandemic and what issues that may have brought up?

Yes, we have. Aarogya Setu’s main issue is that it didn’t work for the purpose it was set up for. Which is contact tracing during Covid-19. There were numerous malfunctions: cases where people would go to high Covid-density areas and the app would say its green [safe].

But besides these technical issues, the main problem was what it was being used for.

We keep going back to this example: when political prisoners are being released, they are asked to download Aarogya Setu. Why? Even Supreme Court noted that this app is doubling as a tool for surveillance. About 300 million people have downloaded this app on their phone. That means the government can effectively track about one-sixth of the country.

You know, on one hand we are all pushing for digital, even in social sectors, so all populations have access, and on the other we are constantly saying it’s dangerous. How do we find a way to ensure that digital interventions go hand-in-hand with public good?

We get this even on social media, and I want to expressly say we are, in fact, very much for digital technology! I think digital technology has been one of the most revolutionary forces in the history of mankind. It has brought access and services at an unparalleled scale, so no one’s against that, but it’s about the context in which it’s deployed and the cost we pay for it. Like let’s say for search. Is your Google search free? No. You are paying because they harvest your data. Now, in spite of the fact that Google’s PageRank algorithm actually came from DARPA (Defence Advanced Research Projects Agency), a government sort of grant, it has been allowed to exploit people in such a way.

So, the issue is not the technology, it's about the way its deployed.

Fundamentally, the service that Google provides has no intrinsic need to collect data from us. But even if I give you my data, there is no technical impediment to saying that, okay, we’ll silo it, we ourselves won’t be able to use it, only our algorithm can use it, we will have a grievance redressal mechanism, because things can obviously also go wrong.

I think is the same thing with this. Even if you take health data, there are ways to ensure technically that it’s not exploited, it’s not used. And what we’re seeing is that this particular deployment of data, of technology, is what’s at fault here. It’s what this particular idea that okay, even in the midst of pandemic, the private sector needs have to be catered to.

Ideologically, I’m firmly pro-public sector. And actually, we want more technology! We want more people in tech. But like we are seeing in agriculture, which is undergoing huge tech investment, is the technology going to benefit the farmers or agri businesses and big corporates?

So what I mean is, of course we want more tech, we want more Internet, we are for Internet freedom, but it also has to happen in a way that benefits the public and not in a way that detracts from their well-being and quality of life.

The Third Eye is being written and developed by a team of educators, documentary filmmakers, storytellers; people with extensive experience of gathering narratives, oral histories and developing contextual pedagogies for the rural and the marginalised.
Share on facebook
Share on twitter
Share on whatsapp
Share on email
Share on print

Suggested read

Share on facebook
Share on twitter
Share on whatsapp
Share on email
Share on print
Skip to content