200 px

200 px (Photo credit: Wikipedia)

A few months ago Nandan Nilekani had published an editorial in the National Medical Journal of India extolling the virtues of the Aadhar project for health. His article is available at Editorial-II.pdf

Anant Bhan  and Sunita Bandewar have responded to this article questioning some of the claims in the editorial.The resposne hasbeen published in the latest NMJI and is  below
The UIDAI project: why some of the optimism might be nir-aadhar

The article by Nandan Nilekani in the NMJI 2011 May-June issue[1] provides an interesting laundry list of advantages which an Aadhar number could provide to those registered through the Unique Identification Authority of India (UIDAI). Nonetheless, it is surprising to see no equivalent of a limitations section. The article fails to present a holistic and full picture of the landscape- in absence of any reference to expected challenges, the potential for duplication of existing mechanisms; and
threats the Aadhar project poses, particularly to privacy of personal information of individuals, and data security– and mention of any proposed measures the UIDAI is taking to address these.  Even a cursory uninformed examination of the claims in the article will lead the reader to believe that while the intention is laudable, the process and means can definitely be causes of concern. As readers, we had several questions related to the approach to, implementation of as well as legislative
adequacy of the UIDAI initiative and their implications for its success. .

 
Why two sets of identification data?

It is unclear as to why two sets of identification data – demographic and bio-informatics – are required for securing an Aadhar number. Also, the operational aspects and possible misuse could be causes of concern. Currently individuals face many problems in fulfilling the expectations of producing proof of residence, birth date etc. for securing other key government identification documents (such as voting card, passport and ration card) and it is unspecified how similar tribulations would be minimized for those seeking an Aadhar number?

Would securing an Aadhar number truly remain voluntary? 

While some benefits of having an Aadhar number are pointed out like immunization tracking for children, the system also worrying suggests a clear link between basic health provisioning (such as immunization) and the need for official proof of being an Indian resident (to be certified through the possession of an Aadhar number). If this is indeed the case, it would mean that providers especially in the public healthcare system might not be able to provide any kind of health services to vulnerable populations like ‘illegal’ immigrants in the country. It should not be the duty or responsibility of a healthcare provider to sit in judgment on a patient’s legal status of entitlement of health services. A patient presenting at a healthcare facility without an Aadhar number might be suspected of being a non-citizen- and stigmatized- and not provided any health services, or even worse, pursued by the state machinery. Linking Aadhar to essential public health services like immunization could mean that undocumented immigrants, among other vulnerable groups, would shun health programs and hence put themselves and others in the community at risk of vaccine-preventable and other communicable conditions.

Although, it is currently voluntary to opt to secure an Aadhar number, the emphasis on its use in health care context in the way Nilekani advocates in the article might run the risk of Aadhar number becoming almost inevitable and “mandatory” for better, swifter and smoother access to health care in due course of time. Aadhar has already become compulsory for LPG provision by government oil companies as part of a pilot project in Mysore[2]. Similar concerns have been expressed by others, too[3].

Wouldn’t the proposal of use of Aadhar for immunization tracking be duplication of efforts? 

The government has already launched a separate system for maternal and child health tracking,including immunization[4] through the National Rural Health Mission Health Management Information System  (http://nrhm-mis.nic.in/mchtracking.htm     http://nrhm-mcts.nic.in/) and it’s not clear why UIDAI should aim to replicate the same through Aadhar. We believe there might be other instances where such replication of efforts might be probable- this is both a waste of resources and increases the chances of threats to data security.

Is the health system sufficiently equipped to use Aadhar number? 

Assuming the Aadhar number could finally be used in the health care context as Nilekani delineates, is our health system equipped with the required e-platform across the nation; and are there adequately trained human resources to run such a sophisticated system  available, or being recruited, at every level within the health system?  It appears that the use of the Aadhar number as envisioned would warrant inter-ministerial and inter-sectoral coordination and resource investment for its meaningful realization. It is not clear as to how this is being planned and executed.

 
Would the system to protect privacy and data protection be truly foolproof? 

The issue of privacy of personal information (especially health) and associated challenges are not mentioned in the article. It is also not clear as how data safety will be ensured. In response to one of the questions in the parliament regarding mechanisms to protect data from unauthorised use in UIDAI, it was said that the data would be encrypted at source along with measures such as limiting physical use, and putting standard security infrastructure[5].

We wonder if that would be sufficient given the current trends of data theft from the supposedly safe and well protected sectors, such as banking and information technology which use similar mechanisms. As instances of theft and misuse of information becomes commonplace, as evidenced by increasing credit card fraud and frequent hacking of government websites[6],any framework for information collection which does not have robust safeguards  should be grounds for concern. As well, India does not have any coherent policy or law governing data encryption [7],[8], [9].

In the contemporary context of globalised terrorism, it would also be challenging for the UIDAI to comply with the promise of confidentiality towards data collected if faced with mounting pressures from investigation and intelligence agencies, whether domestic or foreign, to share bioinformatics information of individuals suspected to be associated with terrorism and violence.  Although a
somewhat different context, the recent episode of a vaccination campaign launched by the US intelligence agency CIA aimed specifically at collecting DNA samples from the Osama Bin Laden household in Abbottabad in Pakistan[10] is representative of reasons for our concerns on this front of the potential of misuse of a public health program collecting identifiable data.

The initial Aadhar registration system being implemented also provides reason for worry. As the enrolment process has been sub-contracted via tenders to private firms, there is seemingly no guarantee of how information and data security will be maintained. Moreover, ensuring data protection from interested parties such as insurance companies who could choose to deny health insurance coverage to individuals based on their health profiles is paramount. Unless stringent safeguards are built in, the Aadhar number could be a serious and risky intrusion into our privacy.

Furthermore, it is ambiguous as to how harmonization and reconciliation across various legal apparatuses, such as, the National Identification Authority of India Bill and the proposed Right to Privacy Bill[11] would be achieved with regards to protecting personal information gathered under the Aadhar project.

Against this backdrop,we believe the editorial by Nilekani raises more questions than provides answers, and hence it is apt to question the claims of the article.

Finally, we also find it disconcerting that though the author declares his affiliation with the UIDAI, there is no conflict of interest statement in the article. Nilekani as head of the initiative is expected to have a positive bias towards the program. We believe it would have been good practice for a conflict of interest statement to have been appended with the article.

Anant Bhan, Pune, Maharashtra
[email protected]

Sunita V S  Bandewar, Pune, Maharashtra
[email protected]

REFERENCES

________________________________

[1]Nilekani N. Building a foundation for better health: The role of the Aadhaar number. Natl Med J India.2011 May-Jun;24(3):133-5.

[2]Milton L. Aadhaar number to be must for LPG services. The Times of India. 2011 Aug 8 [cited 2011 Aug 18]. Available: http://timesofindia.indiatimes.com/city/mysore/Aadhaar-number-to-be-must-for-LPG-services/articleshow/9533385.cms

[3]Ramanathan U. A private right or a public affair? Tehelka Magazine. 2011 Jul 9 [cited 2011 Aug 18]; Vol 8, issue 27. Available:  http://www.tehelka.com/story_main50.asp?filename=Ne090711PROSCONS.asp

[4]Government Health. Now, a tracking system for immunisation in India. 2011 August 3 [cited 2011 August 18]. Available:
http://www.igovernment.in/site/now-tracking-system-immunisation-india

[5]  Unique Identification Authority of India. Government of India Planning Commission, Rajya Sabha Questions. Question no 393(Answered on 2011 Feb 24) [cited 2011 Aug 20].  Available:http://uidai.gov.in/index.php?option=com_content&view=article&id=171&Itemid=150#rs

[6]Kurup D. ‘State actor’ linked to major cyber intrusions in India, world. The Hindu Bangalore edition. 2011 Aug 4 [cited 2011 Aug 18]. Available: http://www.thehindu.com/news/article2319894.ece

[7]Data Security Council of India.Recommendations for Encryption Policy Regulation u/s 84A of the Information
Technology (Amendment) Act, 2008.  Prepared by DSCI/NASSCOM with inputs from the industry.  2009 Jul 13 [cited 2011 Aug 16]. Available:http://www.dsci.in/sites/default/files/encryption_policy_dsci_final_submission_to_dit.pdf

[8]Dalal, P.Encryption policy of India needed.  2011 Jun 19 [cited 2011 Aug 5]. Available: http://ictps.blogspot.com/2011/06/encryption-policy-of-india-is-needed.html

[9]Waris S. Government asleep over encryption regulations. 2009 Aug 20 [cited 2011 Aug 21], Available: http://www.legallyindia.com/20090820138/Legal-opinions/government-asleep-over-encryption-regulations

[10]Reardon S. Pakistan. Decrying CIA vaccination sham, health workers brace for backlash. Science.2011 Jul 22;333(6041):395.

[11]Venkatesan J. Bill on ‘right to privacy’ in monsoon session: Moily. The Hindu, 2011 June 7 [cited 2011 Aug 17]. Available: http://www.thehindu.com/news/national/article2082643.ece