In 2009, I became extremely concerned with the concept of Unique Identity for various reasons. Connected with many like minded highly educated people who were all concerned.
On 18th May 2010, I started this Blog to capture anything and everything I came across on the topic. This blog with its million hits is a testament to my concerns about loss of privacy and fear of the ID being misused and possible Criminal activities it could lead to.
In 2017 the Supreme Court of India gave its verdict after one of the longest hearings on any issue. I did my bit and appealed to the Supreme Court Judges too through an On Line Petition.
In 2019 the Aadhaar Legislation has been revised and passed by the two houses of the Parliament of India making it Legal. I am no Legal Eagle so my Opinion carries no weight except with people opposed to the very concept.
In 2019, this Blog now just captures on a Daily Basis list of Articles Published on anything to do with Aadhaar as obtained from Daily Google Searches and nothing more. Cannot burn the midnight candle any longer.
"In Matters of Conscience, the Law of Majority has no place"- Mahatma Gandhi
Ram Krishnaswamy
Sydney, Australia.

Aadhaar

The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. It’s use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010 , I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one ? Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win.-Mahatma Gandhi

In matters of conscience, the law of the majority has no place.Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not a guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty -Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.”-A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholar Usha Ramanathan describes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence.

Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant.Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Saba April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty”and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the # BreakAadhaarChainscampaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uidand@rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Friday, December 29, 2017

12561 - A Healthy Dose of Privacy - EPW


Dhvani Mehta (dhvani.mehta@vidhilegalpolicy.in) is at the Vidhi Centre for Legal Policy,New Delhi.

The Supreme Court’s privacy judgment has important implications for the right to health, especially the protection of health information. The standards that laws will have to meet to impose restrictions on such protection are examined. In this context, the HIV/AIDS Act, 2017, the implications of a data protection law for health, and the unconstitutionality of mandatorily requiring Aadhaar to obtain treatment for HIV/AIDS and tuberculosis are discussed. 

The author is grateful to Shankar Narayanan for his inputs.

The almost academic nature of the Supreme Court’s judgment on the right to privacy in K Puttaswamy v Union of India (2017a) means that its practical implications will continue to be dissected until they fill several volumes. One of the most important impacts of the judgment is on health, and this article discusses its implications for the scope of the right and the extent to which it is to be balanced with other interests. Justice R F Nariman’s opinion highlights at least three aspects of the right to privacy, each of which has particular significance for health: privacy relatable to the physical body; informational privacy, vesting individual control over the dissemination of personal information; and the privacy of choice, granting individual autonomy over personal choices (K Puttaswamy v Union of India 2017c: para 81).

At various places, the judgment offers examples of the link between issues concerning health and the three aspects of privacy mentioned above. Justice J Chelameswar provides an example of bodily privacy by recognising that the refusal of life-prolonging medical treatment falls within the “zone of the right to privacy” (K Puttaswamy v Union of India 2017d: para 38). Justice D Y Chandrachud states that a reasonable expectation of privacy attaches to medical information (K Puttaswamy v Union of India 2017b: para 177), while personal reproductive choices, which have obvious implications for health, are also recognised to be at the core of the idea of privacy (K Puttaswamy v Union of India 2017b: part 3, para 3F).

The nature of the question before the Court did not, perhaps, allow it to flesh out the health-related aspects of privacy in greater detail. Nor did the Court have the opportunity to set out, exhaustively, the different kinds of public interest that might constitute reasonable restrictions on privacy in the context of health. The most specific pronouncement of this kind is made only in relation to health information: The unauthorised disclosure by a hospital of medical records submitted by individual patients would constitute an invasion of privacy.

However, it would be open to the state
to assert a legitimate interest in analysing data borne from hospital records to understand and deal with a public health epidemic … to obviate a serious impact on the population. (K Puttaswamy v Union of India 2017b: para 182)

The other context in which the judgment discusses health and privacy is in the process of describing the evolution of the privacy doctrine in India (K Puttaswamy v Union of India 2017b: para 57, 58). Justice Chandrachud discusses the Supreme Court’s decision in Mr X v Hospital Z (1998), where a person’s HIV+ status was disclosed to his fiancée and her family. In that case, the Court, while holding that the right to privacy formed an integral component of the right to life under Article 21 of the Constitution, justified the disclosure and held that the right could be restricted for the protection of health (of his partner), among other interests (K Puttaswamy v Union of India 2017b: para 28).

In the Puttaswamy judgment, the Court does not make any observation on the correctness of this decision so far as the balance struck between health and privacy. The Court also cites a judgment of the South African Constitutional Court that dealt with the disclosure of the HIV+ status of three women. But, the judges use it primarily to demonstrate the links between privacy, equality, and dignity, rather than as an example of the balancing of privacy with other interests.

For this balance, we must turn to Justice Chandrachud’s opinion, which lays down a threefold standard that must be met by restrictions on any aspect of the right to privacy: first, the restriction must be laid down by law; second, the restriction must be in pursuit of a legitimate state aim (including the preservation of public health); and third, it must be proportional to the object and the needs sought to be fulfilled by the restricting law (K Puttaswamy v Union of India 2017b: para 180).

However, it is unfortunate that the Court confined itself only to judicial examples while discussing the evolution of privacy in India and the manner in which it is to be balanced with other interests. Legislative protection of the right to privacy has, in some cases, gone far beyond the protection afforded by the courts. A good example of this is the Human Immunodeficiency Virus and Acquired Immune Deficiency Syndrome (Prevention and Control) Act, 2017 (the HIV/AIDS Act).

HIV/AIDS Act
The HIV/AIDS Act contains comprehensive provisions on the protection of confidential health information. Section 8 of the act imposes a general prohibition on the disclosure of a person’s HIV status, permitting it only in the limited circumstance of a order of a court that deems it “necessary in the interest of justice for the determination of issues in the matter before it.” When information about HIV status has been imparted in confidence through a relationship of a fiduciary nature, such information shall not be disclosed without the informed consent of the concerned person. Informed consent may be waived, again, only in limited circumstances. These will include disclosure in the case of a judicial order; for the care and treatment of HIV+ persons; in cases where the information is shared between two healthcare providers for the purpose of treatment; where only statistical information (that could not reasonably be expected to lead to identification) is disclosed; and to officers of the central or state governments for the purposes of monitoring and evaluation.

Unlike the judgment in Mr X v Hospital Z (1998), there are strict conditions laid down for the disclosure of the HIV status of a person to their partner in the HIV/AIDS Act (Section 9). Every healthcare establishment that keeps records of HIV-related information is also under an obligation to adopt data protection measures to ensure the confidentiality of the information (Section 11). Section 39 prescribes a penalty for breach of confidentiality, which may extend to a fine of `1 lakh, although this is confined to the disclosure of information obtained during the course of court proceedings.

The act also protects bodily and decisional aspects of privacy by stating that no person shall be compelled to undergo an HIV test or be subjected to medical interventions, treatment, or research, except with the informed consent of such a person, and in accordance with specified guidelines (Section 5). Informed consent may be waived by a court for the use of a human body or any part thereof in medical research and therapy, for epidemiological purposes, and for screening purposes in a licensed blood bank (Section 6).

These provisions demonstrate that legislation, rather than judicial determination, is more suited to providing a context-specific and nuanced balancing of rights and interests. Each encroachment on privacy imposed by the HIV/AIDS Act is the least restrictive it can be, narrowly tailored to achieve legitimate state interests in the administration of justice and the protection of health of others, encompassing both individual and public health interests.

The value of the Puttaswamy judgment lies in the fact that it will ensure that the HIV/AIDS Act does not remain the exception. The judgment imposes a positive obligation on the state to, first, ensure that all existing restrictions on privacy are contained only in the form of law, and, second, to update or amend existing laws to make sure that they strike a reasonable balance between privacy and other interests.

Review of Health Legislation
There are nearly 100 central laws that have a direct or indirect bearing on health, ranging from the Epidemic Diseases Act, 1897 to the Transplantation of Human Organs and Tissues Act, 1994 and the Protection of Children from Sexual Offences Act, 2012 (POCSO Act). The Ministry of Health and Family Welfare (MoHFW), in consultation with the Ministry of Law and Justice, must undertake a thorough review of these laws to determine whether they meet the standards laid down in the Puttaswamy judgment. For instance, Section 19 of the POCSO Act requires all persons, including medical practitioners who suspect that an offence has been committed under the act, to report it to the Special Juvenile Police Unit or the local police. Although there is obviously a legitimate state interest in the prevention of crime against children, there are concerns about protection of privacy involved in compulsory reporting (Chandra 2017). The act may need additional safeguards to allow the doctor to provide treatment while keeping the patient’s identity confidential.
Varying standards apply to health-related information collected under different legislations. For instance, the Information Technology Act, 2000 and the rules framed under it will apply to confidential prescription information held by online or e-pharmacies (Drugs Consultative Committee 2016), while the protection of information collected during clinical trials is governed by the Guidelines for Clinical Trials on Pharmaceutical Products in India (Good Clinical Practice Guidelines). The Transplantation of Human Organs and Tissues Rules, 2014 itself contains different standards, neither of which provides much detail. Rule 28(f)states that tissue banks applying to be registered must use a unique donor identification number for each donor and restrict access to donor records. They do not specify who may access the records or the conditions under which such access is to be restricted. Rule 32(11), in relation to organ donation and tissue registries, merely states that “measures shall be taken to ensure security of all collected information” without any indication of the different factors that such measures ought to take into account.

Health laws require a review to minimise such differences and to evolve common principles that will govern the collection, storage, and disclosure of health information. The expert committee on data protection mentioned earlier will do some of this work, but the MoHFW must also play an active role in adapting these principles to the context in which they will operate, and framing detailed rules to put these principles into operation. A sense of the work that will be required is evident from the overview of the existing standards on electronic health records.

Electronic Health Records
An Electronic Health Record (EHR) is a “collection of various medical records that get generated during any clinical encounter or event” (National Health Portal 2015). The purpose of collecting such records is to improve evidence-based care, allow quicker diagnosis, and avoid multiple clinical investigations. Currently, EHR standards are largely confined to prescribing the software and hardware requirements for the capture, storage, and exchange of health information.1 These standards are explicitly held not to apply to “wider implementation scenarios of an administrative, legal, or regulatory nature,” although the document setting out these standards also provides its own definitions of data privacy and security (National Health Portal 2015).

The first requirement of the Puttaswamy judgment is that any restriction on the right to privacy may only be imposed by a law. The EHR standards, which currently exist only in the form of a circular issued by the MoHFW, do not meet this requirement, and will have to be revised based on the data protection framework that is likely to be enacted on the recommendations of the expert committee. The standards will now have to be extended explicitly to administrative, legal, and regulatory scenarios, and the definitions of data privacy and security will have to be harmonised with the more general data protection principles that will be developed. These standards should additionally be harmonised with those prescribed for the maintenance of records under Section 12(1)(iii), read with Section 52(2)(f) of the Clinical Establishments (Registration and Regulation) Act, 2010.2

As important as the protection of individual health records is, the Court in the Puttaswamy case explicitly recognises the value of such data for the protection of the larger public health interest. The need for this and the conditions under which such data may be used require some discussion.

Privacy and Public Health Interests
There is a vital role that big data can play in solving some of India’s more acute public health problems. Outbreaks of infectious diseases can be predicted with the use of “collated data sources” (Kang 2016). However, accurate data collection in India is very difficult, especially given the lack of available information in rural areas (Merten 2013). To remedy this, states like Karnataka are making cancer reporting mandatory and creating cancer registries that can provide an
accurate picture of the disease burden in the state (Ghosh 2015). While a legitimate state interest in registries created by such mandatory reporting is clearly made out, what are the safeguards that can be implemented to ensure that the confidentiality of individual patient’s information is preserved to the extent possible?

In 2017, the Indian Council of Medical Research issued the National Ethical Guidelines for Biomedical and Health Research Involving Human Participants. Section 8 of the guidelines deals comprehensively with public health research. This includes the manner in which data may be collected and used, and the instances in which informed consent for the use of such data may be waived.3

However, these guidelines may not be sufficient for the conduct of such research, given that the Puttaswamy judgment clearly requires any restrictions on the right to privacy to be imposed through a law. A bill to regulate biomedical research has now been in the offing for nearly four years (Dhar 2013). The Puttaswamy judgment might provide the right impetus to give it the shape of law.

Mandatory Use of Aadhaar
A discussion on health and privacy would not be complete without considering the implications of the mandatory submission of the unique identifier, Aadhaar, to obtain treatment for HIV/AIDS at anti-retroviral therapy (ARTs) centres or cash benefits under the Revised National Tuberculosis Control Programme. When the linking of the Aadhaar number was introduced as a pilot programme by the National AIDS Control Organisation, the move was initially welcomed as a way to track patients who might drop out of their treatment regime (Chatterjee 2014). However, the compulsory submission of Aadhaar details (introduced by the Madhya Pradesh State AIDS Control Society) is alleged to have made patients avoid government hospitals and ARTs centres for fear of disclosure of their identity (Tomar 2017).

A constitution bench of the Supreme Court will soon hear petitions that have challenged the mandatory use of the Aadhaar under several such schemes (Indian Express 2017). In the absence of any evidence to demonstrate that patients fraudulently obtain HIV/AIDS treatment (and it is very hard to see why they would) or cash assistance for tuberculosis, it is unlikely that the mandatory use of the Aadhaar under these two schemes will withstand constitutional scrutiny. It is difficult to point to any legitimate state interest. The compulsory submission of this information is entirely disproportionate to the aim of stemming the “dissipation of social welfare benefits” (K Puttaswamy v Union of India 2017b: para T[I][5]). Instead, by depriving persons of their right to obtain medical treatment, it violates the right to health guaranteed by Article 21 of the Constitution.

Conclusions
The Puttaswamy judgment also has implications for laws like the Medical Termination of Pregnancy Act, 1971 and the Surrogacy (Regulation) Bill, 2016, where the bodily integrity and decisional autonomy aspects of privacy are involved. However, a discussion of these issues is beyond the scope of this article. On the whole, the judiciary will continue to play an important role over the coming months in ensuring that the principles articulated in the Puttaswamy judgment are given meaningful content in practical challenges to executive encroachment, particularly in the form of the Aadhaar. In the meantime, civil society must continue bringing pressure to bear on Parliament to ensure that a healthy dose of privacy is injected into our legislative framework.

Notes
1 ISO standards have been prescribed for an Electronic Health Record Architecture, while different international standards are recommended for imaging, scanned or captured records, and data exchange.
2 One of the requirements for the registration of establishments under this act is that they fulfil the prescribed provisions for the maintenance of records.
3 These guidelines lay down that informed consent may be waived in cases of research conducted on routinely collected data under national programmes, where people concerned have been informed at the time of collection that data may be used for other purposes; where obtaining consent is impractical and research is to be conducted on stored anonymous data.

References
Chandra, Aparna (2017): Panel Discussion on Privacy and Reproductive Rights hosted by the Vidhi Centre for Legal Policy, India International Centre, New Delhi, 13 October.
Chatterjee, Pritha (2014): “Plan to Link Benefits for HIV Patients to Aadhaar No,” Indian Express,
24 November, viewed on 31 October 2017, http://indianexpress.com/article/cities/delhi/plan-to-link-benefits-for-....
Dhar, Aarti (2013): “Bill to Make Biomedical, Health Research Ethical,” Hindu, 19 September, viewed on 31October 2017, http://www.thehindu.com/todays-paper/tp-national/bill-to-make-biomedical....
Drugs Consultative Committee (2016): “Report of Subcommittee Constituted by the Drugs Consultative Committee to Examine the Issue of Regulating the Sale of Drugs over Internet under the Drugs and Cosmetics Rules, 1945,” 30 September, viewed on 30 October 2017, http://www.cdsco.nic.in/writereaddata/Sub-Committee%20Report%20on%20e-ph....
Ghosh, Padmaparna (2015): “Karnataka Takes the First Step towards Reducing Cancer Rates—By Mapping the Epidemic,” Scroll.in, 9 October, viewed on 30 October 2017, https://scroll.in/article/754178/karnataka-takes-the-first-step-towards-....
Indian Express (2017): “Aadhaar Case: Supreme Court to Set up Five-judge Constitution Bench to Hear Pleas,” 30 October, viewed on 31 October 2017, http://indianexpress.com/article/india/aadhaar-case-supreme-court-to-set....
K Puttaswamy v Union of India (2017a): SCALE,
SC, 10, p 1.
— (2017b): SCALE, SC, 10, p 1 (plurality opinion).
— (2017c): SCALE, SC, 10, p 1 (Nariman, J, concurring).
— (2017d): SCALE, SC, 10, p 1 (Chemaleswar, J, concurring).
Kang, Gagandeep (2016): “Mapping Disease with Big Data,” Hindu, 25 December, viewed on
30 October 2017, http://www.thehindu.com/sci-tech/health/Mapping-disease-with-big-data/ar....
Merten, Martina (2013): “The Problem with Data Collection in India,” Pultizer Center, 25 October, viewed on 30 October 2017, https://pulitzercenter.org/reporting/problem-data-collection-india.
Mr X v Hospital Z (1998): SCC, SC, 8, p 296.
National Health Portal (2015): “Electronic Health Records Standards,” 3 June, viewed on 30 October 2017, https://www.nhp.gov.in/executive-summary_mtl.
Tomar, Shruti (2017): “Linking Benefits for AIDS Patients to Aadhaar Triggers Privacy Concerns,” Hindustan Times, 3 April, viewed on 31 October 2017, http://www.hindustantimes.com/bhopal/linking-benefits-for-aids-patients-....

Updated On : 27th Dec, 2017