The UID, or Aadhaar, started as an ID meant to distinguish Indian citizens in border areas from illegal migrants and thereby serve a national security purpose.
Subsequently it became a project to provide a control mechanism that reduces pilferage of Government subsidies before they reach the intended citizens.
When the system began, the only privacy concern about Aadhaar was the collection of “biometrics” and their possible misuse. The arguments covered both the technical issues of false rejections and false acceptances and the use of unreliable vendors who could steal the biometric data, either at the time of enrolment or while it was in storage.
The Government brushed aside the objections and went ahead with linking Aadhaar to an individual's banking information, which extended the privacy concerns to financial information.
Presently the KYC system in banking depends entirely on the Aadhaar number being supplied as a “photocopy of the Aadhaar document”, which exposes every parameter attached to the ID (except the biometrics) on a piece of paper. Similar paper copies are held by gas dealers, mobile companies, schools and many others who may have little understanding of what “privacy” means, let alone of the legal concept of “privacy protection”.
To this risk of biometric and financial information being combined and spread about in an insecure manner, we are now adding healthcare information, since the UID is set to become the “Universal ID” associated with patient information under the proposed HDPSA (Health Care Privacy and Data Security Act).
Though the details of the proposed Act are not yet available, the document on the “Electronic Health Standards of India” which the Government of India (Department of Health and Family Welfare) released for public comment in 2013 contained detailed guidelines on what the Government intends to do.
That earlier circular gets a new life with the recent public announcement that a “Draft Health Care Privacy and Data Security Act” is now under the Government's consideration. We should logically presume that many of the suggestions made in the earlier circular will be adopted in the new Act as and when it becomes a reality. After all, the circular was founded on a time-tested framework, the one adopted in the US under HIPAA in 1996, which remains in force to date.
According to the circular, the standardization of healthcare information collection, storage, transmission and processing will adopt unique IDs for every patient, every medical practitioner, every hospital and every pharmacy, along with standard medical codes for diseases, procedures, health encounters and so on.
In this context the circular speaks of the “UHID”, the Unique Health Identifier that acts as the patient identifier, and proposes that the UID be used as the UHID in all EMR systems.
This would mean that Aadhaar details will be present in every hospital record of a patient, and through the Aadhaar number those records become linkable to the same person's bank details and the associated biometric data.
In principle there is nothing wrong with adopting a nationally unique ID that ties a person to both health and financial data. However, a single identifier shared across sectors means that a breach at any one holder can be joined to the records of the others, so it raises the question of how information security is handled by every entity that has access to any one of these fundamental parameters.
The information security community, which deals with sensitive personal information in electronic form, as well as the physical security community in healthcare organizations, where the same information sits on paper, will now need to devise strategies to upgrade their security arrangements.
“Hospitals”, a term that here includes neighborhood clinics and other healthcare entities such as pharmacies, need to start learning the principles of privacy.