Cover Policy Brief Safeguarding Patient Rights

Safeguarding patient rights within a digital ecosystem through a feminist framework — A policy brief

A report by
Radhika Radhakrishnan
in Data


Data protection policy frameworks in India, such as the National Digital Health Mission ecosystem, are incentivising the datafication of health by considering health data to be a commodity. However, in the age of big data, when health data is viewed as a disembodied resource, access to people’s health data becomes a form of power, giving those with such access the unparalleled and unprecedented power to influence the governance of people’s bodies and lives. This policy brief recognises the interconnections between our bodies and data from within a feminist framework, and through this alternative framework, proposes recommendations to safeguard patient rights from threats arising from the datafication of health. This policy brief was first published by the Data Governance Network.

Download Report


Historically, medical legislation and codes of ethics have been developed to ensure that patient rights remain safeguarded in the face of the datafication of health. However, in the age of big data, such regulation is falling short because of the rise in how much and what kinds of data is generated and consumed within the domain, blurring the boundaries of what constitutes health data and how it should be regulated. The quantitative explosion in the health data collected today is leading to an unprecedented shift in the qualitative experience of healthcare. Further, this data may be used by private actors to serve business interests over the patient’s best interests, with significant consequences for people and their rights.

Policy frameworks in India, such as that of the National Digital Health Mission (NDHM) launched in 2020 to create a national digital health ecosystem, are driving this datafication of health. They do so by conceptualising health data as a disembodied resource and an enabler for economic progress. Within these policy frameworks, data is predominantly understood as a resource available for human extraction, and existing independently from the bodies producing it. However, such disembodiment of data opens it up to possibilities of human exploitation and manipulation (Couldry & Mejias, 2019). To account for this harm, feminist scholars argue that data and bodies are intimately interconnected, calling for a deeper understanding of data as embodied (Kovacs & Ranganathan, 2019; Kovacs & Jain, 2020; Radhakrishnan, 2020; Van der Ploeg, 2012). Applying this understanding to health data, this policy brief engages with regulation around the datafication of health from feminist perspectives.

Main arguments

● The relationship of health data with a patient’s body at each stage of the data life cycle is blurred in policies such as the NDHM, and therefore undergoes disembodiment through: digitalisation when data is generated and collected; duplication of data when it is stored in a decentralised digital ecosystem; anonymisation and aggregation when data is processed; the use of proxies and portability when data is shared with different stakeholders; and dynamic interlinkages with other datasets when this shared data is analysed.

● In the age of big data, wider means of data collection are fueled and are increasingly accessible to stakeholders outside of traditional clinical boundaries. Three major shifts are observed within healthcare when data is viewed as a disembodied resource: 1. what data can be collected to determine a person’s health; 2. who can access this data about health; and 3. what they can know and do through such access to this data. As a result of these shifts, access to people’s health data becomes a form of power, giving those with such access the unparalleled power to influence the governance of people’s bodies and lives.

● Most importantly, the disembodiment of health data undermines patients’ right to healthcare in the age of big data, in particular their rights regarding consent, choice, privacy, control, clinical care, and accountability. The violations of these rights come into picture only when we analytically put bodies back into policy frameworks and question not only how data may be harmed, but how bodies may be harmed through their data, and how this harm threatens patients’ right to healthcare.

Policy recommendations

A feminist framework grounded in the notion of embodiment and bodily integrity is needed to reconceptualise how we fundamentally understand the nature of health data and the rights pertaining to it. Under this framework, I propose three levels of changes to empower patients to affirm their rights.

I. Regulatory and Legal Changes

  1. Enactment of a reworked Personal Data Protection (PDP) Bill, 2019: The PDP Bill, which provides a data protection framework for the country, has not yet been enacted, and in its current form, legitimises the data-as-resource framework (Internet Democracy Project, 2019). In such a scenario, private stakeholders are able to collect health data without oversight, as seen in collaborations between private health insurance companies and technology companies producing fitness trackers to offer discounts on insurance premiums to policyholders who attain a specific health score (Subramanian, 2018). Legislation is urgently needed that takes into account the challenges with the datafication of health in the age of big data.

  2. Revision of what counts as health data: Given the expansion of what counts as health data in the status quo, a consensus must be established to decide what kinds of data can be used to determine a person’s health and well-being, and the risks of doing so. For instance, proxy data and data pertaining to non-clinical predictors of health need to be regulated keeping in mind that they are often used to predict a person’s health but may not be accurate.

  3. Imposition of a duty of care upon corporations: Tools that collect health data to make health-related decisions, such as wearable fitness trackers, must be regulated similar to how medical devices are regulated. A duty of care’ should be established for corporations towards individuals whose health data they collect and process.

  4. Regulation of anonymised and de-identified health data: Anonymisation and de-identification don’t provide sufficient privacy protection since trends identified through such datasets can be used to target individuals by predicting patterns of behaviour. Access to anonymised and de-identified health data must be strictly controlled by pre-determining a set of stakeholders who would be permitted to access such data and the purposes for which they can do so.

  5. Cybersecurity protections: There is a lack of cybersecurity protocols on the ground to protect data collected while enrolling citizens for a NDHM Health ID. Clear guidelines need to be devised to ensure that this data is protected, including provisions such as protocols for generating strong passwords during Health ID registrations for those with low digital literacy.

  6. Consent for data collection: An individual’s family members are being enrolled to participate in the NDHM ecosystem by generating their Health IDs without their consent. This partly enables insurers to use the health data of family members to make statistical extrapolations and set premiums for an individual in accordance with data collected about their family. Consent must always be obtained directly from able adults, and exceptions can be made to this only in the case of minors or persons with mental disabilities who may not be able to consent themselves.

  7. Accountability: Consensus needs to be established on questions of who would be held responsible in case of an error in a data-driven decision, malfunction of a digital health tool, or the use of inaccurate data in the health system; how liability of stakeholders would be determined; and what the process for recourse would be. Higher accountability needs to be placed upon stakeholders collecting and processing health data, given the understanding that this impacts people’s lives and bodies.

II. System-level and Structural Changes

  1. Alternative identification for enrolment of Health ID: Though Health IDs can be created using a mobile phone number or Aadhaar, Aadhaar details are likely to get linked to the Health ID. The registration system has also been designed to incentivise the use of Aadhaar which is troubling because Aadhaar is an exclusionary form of digital identification (Khera, 2017). Other valid digital identity proofs such as a person’s driving license or passport number, which are not necessarily linked to Aadhaar, must be introduced for the registration of a Health ID, and system-level nudges’ making enrolment through Aadhaar preferred must be removed.

  2. De-duplication of the Health ID: A recurring challenge that health workers noted was the duplication of Health IDs wherein a single individual could make multiple Health IDs without their knowledge, thus fragmenting their health data across various systems. De-duplication must be implemented to provide a longitudinal view of a patient’s health history in one place for their ease of access.

  3. Electronic Medical Records (EMR): EMR systems should be piloted in some parts of the country, studying their impact upon the practices of clinical care and embodied experiences of health professionals and patients in low-income contexts, and making necessary adjustments in practice before rolling them out nation-wide.

  4. Transparency: Under the NDHM, decisions made about an individual’s health are likely to be opaque and proprietary, such as what data points have been used by an insurance company to determine an individual’s premium. Transparency must be introduced in decision-making drawing on health data so that individuals understand what they are signing up for and can challenge decisions to get recourse when needed.

III. Ground-Level Changes

  1. Internet access and digital literacy: Lack of Internet access and digital literacy are barriers to registrations for Health IDs. Digital infrastructure and digital literacy need to be strengthened for proposed benefits of the NDHM to reach communities who are already underserved in the delivery of health services.

  2. People-centric awareness drives, not data collection drives: Medical Officers, health workers, and patients have limited knowledge of the Health ID. People cannot meaningfully exercise any control over their data if they aren’t aware of their participation in the digital health ecosystem. The state should initiate people-centric awareness drives and provide training for all stakeholders involved in the ecosystem.

  3. Voluntary participation and meaningful choice: The NDHM stipulates voluntary participation of individuals, but in practice participation is often being mandated. For people to have a meaningful choice in their participation, they must have the option to access healthcare through any provider without participating in the NDHM.

  4. Non-exclusion: Though the NDHM states that it will follow the principle of non-exclusion, there is evidence that people are being denied access to medication without a Health ID. Strict guidelines should be devised regarding non-exclusion and these should be displayed in prominent locations in all health facilities so people are informed of their rights. Cases where there is evidence of a denial of health services must be strictly and independently investigated and institutions found violating this principle must be held liable.

This policy brief is based on research carried out for the paper: Radhakrishnan, Radhika. (2021). Health Data as Wealth: Understanding Patient Rights in India within a Digital Ecosystem through a Feminist Approach. Mumbai, Data Governance Network.


Couldry, Nick, & Mejias, Ulises A. (2019). Data colonialism: Rethinking big data’s relation to the contemporary subject. Television & New Media, 20(4), 336 – 349.

Internet Democracy Project. (2019). Personal Data Protection Bill 2019: Submission to the Joint Parliamentary Committee.

Khera, Reetika. (2017). Impact of Aadhaar on Welfare Programmes. Economic & Political Weekly. Vol. 52, Issue No. 50, 16 Dec, 2017. https://​www​.epw​.in/​j​o​u​r​n​a​l​/​2017​/​50​/​s​p​e​c​i​a​l​-​a​r​t​i​c​l​e​s​/​i​m​p​a​c​t​-​a​a​d​h​a​a​r​-​w​e​l​f​a​r​e​-​p​r​o​g​r​a​m​m​e​s​.html

Kovacs, Anja, & Jain, Tripti. (2020) Informed Consent — Said Who? A Feminist Perspective on Principles of Consent in the Age of Embodied Data. Mumbai, Data Governance Network. https://​datagov​er​nance​.org/​f​i​l​e​s​/​r​e​s​e​a​r​c​h​/​1606371436.pdf

Kovacs, Anja, & Ranganathan, Nayantara. (2019). Data sovereignty, of whom? Limits and suitability of sovereignty frameworks for data in India. Mumbai, Data Governance Network. https://​datagov​er​nance​.org/​f​i​l​e​s​/​r​e​s​e​a​r​c​h​/​IDP_-Data_​sovereignty-_Paper_3.pdf

Radhakrishnan, Radhika. (2020). I took Allah’s name and stepped out”: Bodies, Data and Embodied Experiences of Surveillance and Control during COVID-19 in India. Mumbai, Data Governance Network. https://​datagov​er​nance​.org/​f​i​l​e​s​/​r​e​s​e​a​r​c​h​/​1606371784.pdf

Subramanian, A. (2018, February 14). Max Bupa launches GoActive’ : A digitally enabled Everyday Use’ Health Insurance Plan. GOQII Blog. https://​goqii​.com/​b​l​o​g​/​m​a​x​-​b​u​p​a​-​l​a​u​n​c​h​e​s​-​g​o​a​c​t​i​v​e​-​a​-​d​i​g​i​t​a​l​l​y​-​e​n​a​b​l​e​d​-​e​v​e​r​y​d​a​y​-​u​s​e​-​h​e​a​l​t​h​-​i​n​s​u​r​a​n​c​e​-​plan/

Van der Ploeg, I. (2012). The body as data in the age of information. Kirstie Ball, Kevin & David Lyon (Eds.), Routledge Handbook of Surveillance Studies, 176 – 183.