Security & Privacy by Design - 'The Guiding Principle' of Health Data Management Policy by ABDM

Every byte of data has a story to tell. The question is whether the story is being narrated accurately and securely. Usually, we focus sharply on the trends around data with a goal of revenue acceleration but commonly forget about the vulnerabilities caused due to bad data management.?Data possesses immense power, but immense power comes with increased responsibility. In today’s world collecting, analyzing and build prediction models is simply not enough. Keep in mind that we are in a generation where the requirements for data security have perhaps surpassed the need for data correctness. Hence the need for Privacy By Design is greater than ever.

“Privacy by Design” and “Privacy by Default” have been frequently-discussed topics related to data protection. The first thoughts of “Privacy by Design” were expressed in the 1970s and were incorporated in the 1990s into the RL 95/46/EC data protection directive.?Privacy by design is an approach to systems engineering that seeks to ensure protection for the privacy of individuals by integrating considerations of privacy issues from the very beginning of the development of products, services, business practices, and physical infrastructures.?The adoption of security and privacy principles is a crucial step in building a secure, audit-ready program.

Privacy by Design is based on following 7 principles:

1. Proactive not Reactive; Preventative not Remedial - Privacy by Design comes before-the-fact, not after.
2. Privacy as the Default Setting - it is built into the system, by default.
3. Privacy by Design is embedded into the design and architecture of IT systems and business practices
4. Privacy by Design seeks to accommodate all legitimate interests and objectives in a positive-sum “win-win” manner not Zero-Sum
5. End-to-End Security — Full Life-cycle?Protection
6. Visibility and Transparency — Privacy by Design seeks to assure all stakeholders that whatever the business practice or technology involved, it is in fact, operating according to the stated promises and objectives,
7. Respect for User Privacy — Keep it User-Centric

Privacy by Design in Health Data Management Policy by ABDM

Consider data protection requirements as part of the design and implementation of systems, services, products and business practices. The federated design of the National Digital Health Ecosystem ensures that no personal data other than what is required at a minimum to create and maintain Health IDs, Facility IDs or Health Professional IDs shall be stored centrally. Electronic medical records shall be stored at the health facility where such records are created, or at such other entities as may be specified by Policy. Electronic health records shall be maintained by entities specified by Policy, as a collection of links to the related medical records. ABDM shall issue appropriate technological and operational guidelines providing for the establishment and maintenance of the federated architecture, for ensuring the security and privacy of the personal data of data principals, and for maintenance of electronic medical records and electronic health records.

Prepare a privacy policy containing the following information:

(a) clear and easily accessible statements of its practices and policies;??

(b) type of personal or sensitive personal data collected;?

(c) the purpose of collection and usage of such personal or sensitive personal data;??

(d) whether personal or sensitive personal data is being shared with other data fiduciaries or data processors;??

(e) reasonable security practices and procedures used by the data fiduciary to safeguard the personal or sensitive personal data that is being processed.?

The privacy policy referred shall be published on the website of the data fiduciary. In addition, the data fiduciary shall also make available a privacy by design policy on its website containing the following information:

(a) the managerial, organisational, business practices and technical systems designed to anticipate, identify and avoid harm to the data principal;?

(b) the obligations of data fiduciaries;?

(c) the technology used in the processing of personal data, in accordance with commercially accepted or certified standards;?

(d) the protection of privacy throughout processing from the point of collection to deletion of personal data;?

(e) the processing of personal data in a transparent manner; and?

(f) the fact that the interest of the data principal is accounted for at every stage of processing of personal data.?

The privacy policy issued and the principles of privacy by design followed by the data fiduciaries should be in consonance with this Policy and applicable law.