



Initially, it’s unclear whether the unique 14-digit health identifier, like the Aadhaar ID, is meant to be a confidential number. If this is the case, then due to the publication of the ID on the vaccination certificates, the confidentiality of the ID is already compromised. The requirement for vaccination certificates in various public places such as airports, hotels, restaurants means that the ID is available for those who do not have a business to store it. In addition, in June 2021, the National Digital Health Mission published the Health Data Management Policy (HDMP), which considers confidentiality by design, accountability and transparency as guiding principles for entities processing health data. sensitive health of citizens.

However, much like the issue of informed consent of citizens, a closer examination of the Policy reveals several gaps and flaws in the conception of citizen privacy. Internet Freedom Foundation (IFF) stresses that HDMP allows for wide possibilities for data processing as well as the storage and processing of data for longer periods than a business should be allowed.

These threaten to violate ABDM’s privacy principles regarding limitation of purpose, collection, use and storage. According to the IFF, the data management policy does not contemplate a strong accountability mechanism to enforce confidentiality. For example, in the event of a security breach, only notification to the NDHM was mandated, while notification to the user was not made mandatory! Meanwhile, the carte blanche given to process and use anonymized personal data as non-personal data ignores several security risks, IFF says.

