COVID-19 vaccine beneficiaries were assigned unique health IDs without their consent

A woman shows a registration message on her mobile phone to an official as people wait in line during a vaccination drive against the coronavirus at a government health centre in Noida on 3 August 2021. Altaf Qadri / AP Photo
01 October, 2021

In early May 2021, 29-year-old Sweta Sundar went with three members of her family to a government school in south Delhi to get their first doses of the Covishield vaccine. The staff at the vaccination centre insisted that they verify their identities by submitting their Aadhaar details, even though, according to government issued guidelines, beneficiaries can provide six other types of government identification. “At the time, I just did as I was told,” Sundar said. “I didn’t think too much about it.” When Sundar returned home, she saw that she had been issued a Unique Health ID or UHID with the number printed on her vaccination certificate above her beneficiary reference number. Sundar was not sure what this identification number was. The three members of her family who had also been vaccinated after providing their Aadhaar information had been issued health ID numbers too. “They had not told us anything about a health ID or that they were issuing us one,” Sundar told me. “There was no conversation around it, let alone a consent seeking process. How could I give consent when I didn’t even know what the health ID was?” 

 

The UHID that Sundar and her family found on their vaccination certificates is a unique identification code generated under the National Digital Health Mission or NDHM. The government launched the mission in August 2020 with the stated aim of leveraging technology for better health outcomes. The National Health Authority, the governmental body responsible for implementing various central health schemes including the NDHM, describes the mission on its website as one that “aims to develop the backbone necessary to support the integrated digital health infrastructure of the country.” The UHID is supposed to link each beneficiary of the NDHM to several other components of a digital health ecosystem by digitising personal health records, providing access to healthcare services including online pharmacies and telemedicine providers. The UHID is supposed to allow beneficiaries to access all their health records such as lab reports, prescriptions and discharge summaries and all other personal health data. Despite the NHA’s assurances of safeguarding sensitive health data shared under the NDHM, there are concerns about how such data can be used when India still lacks a data protection law. The government has also claimed that opting in by creating a UHID, and opting out by requesting a deletion of all personal data from the NDHM, is completely voluntary. However, several people like Sundar had already been allotted UHIDs without their consent. 

On 27 September, Prime Minister Narendra Modi announced the nationwide launch of the NDHM, now called the Ayushman Bharat Digital Mission, in a video conference. Before this, the NDHM had been implemented only as a pilot across six union territories—Chandigarh, Ladakh, Dadra and Nagar Haveli and Daman and Diu, Puducherry, Andaman and Nicobar Islands and Lakshadweep. The Caravan reported in September 2020 on how the Chandigarh administration was compelling healthcare workers to register for UHIDs and in December 2020 on aggressive push for registration among other residents. 

From the time the pilot NDHM was started in August 2020 to the end of September 2021 when the mission was launched nationwide, people residing outside the union territories were not supposed to be able to generate health IDs on the NDHM website. However, The Caravan spoke to six people across India living outside the union territories who were issued UHIDs before the national launch and while going through verification for COVID-19 vaccinations. All six  people had used their Aadhaar cards as a proof of their identity before September. Two of the six said that their vaccination centres had insisted on Aadhaar as identification proof, one person said that he did not know he could provide other documents as proof, and three people submitted their Aadhaar details voluntarily. 

An engineer from Bengaluru, who did not want to be identified, told me that he registered both himself and his partner online for a vaccination slot in May using their permanent account numbers or PAN. However, when his partner went to get his first dose of the Covishield vaccine at a private hospital, the staff did not accept his PAN card as a valid form of identification. “The staff made my partner wait for hours, because he didn’t want to give his Aadhaar details. We are both aware that Aadhaar details are sensitive information and we would rather not share,” the engineer said. “But in the end, he gave his details because he just wanted to get it done with and he was automatically given a health ID as well. The staff had not said anything about it!”

In its 2018 judgment on the validity of the Aadhaar Act, the Supreme Court remarked that no person can be denied the benefits of a public welfare scheme in the event that they are unable to produce their Aadhaar card or number. In December 2020, just before the launch of the COVID-19 vaccination programme, the government issued guidelines stating that Aadhaar details were not mandatory to get the vaccine. Meanwhile, the National Health Authority also states on its website that Aadhaar details are not necessary for creating UHIDs. People living in union territories who wish to create health IDs can simply use their phone numbers to register. Yet, several people who provided Aadhaar as identity proof, voluntarily or otherwise, on the CoWIN platform were registered with the NDHM with UHIDs. 

CoWIN is the online platform that allows beneficiaries to register and schedule COVID-19 vaccination slots. It also allows healthcare workers to fill in the details of beneficiaries and authenticate their identities at vaccination centres. Healthcare workers who have been on vaccination duty explained to me how people who submitted their Aadhaar details were registered for UHIDs on CoWIN. “In the portal, we first choose whether the beneficiary is using Aadhaar or some other photo ID for verification,” a doctor who is the nodal officer in charge of COVID-19 vaccination at a private hospital in south Delhi, told me. “If they give Aadhaar details, we go to another window which says that the beneficiary has consented to register for a health ID. Most staff members just automatically tick on that box without asking for the beneficiary’s consent.” The doctor, who asked for anonymity, told me that there was no discussion between the staff members and people who came to get vaccinated about the health ID. Staff members often themselves remain uninformed as to what the Health ID is. “When they tick that box, it technically says that consent was given, so the government or any of us healthcare workers would technically never get into trouble for this. But on the ground, there is no process to take consent,” the doctor said. 

Not all people who went for vaccination and submitted Aadhaar information were assigned UHIDs. The nodal officer at the private hospital said that this was because healthcare staff needed to manually check the box confirming a beneficiary’s consent in CoWIN to generate the number. Some vaccination centres, such as the one where this nodal officer works, received specific instructions to check the consent box. "Initially our healthcare workers were trained by immunisation officers on how to authenticate and register beneficiaries on CoWIN,” the doctor said. “Staff members were told to check in the box which says that the beneficiary has consented to give their Aadhaar details for health ID generation. Now the healthcare workers are learning how to do this on the job, learning from the people who were on duty before them." 

The nodal officer also told me that CoWIN has been set up in a way to incentivise using an Aadhaar card over other photo identification for verification. “If they use Aadhaar cards, we just have to enter the Aadhaar card number,” the doctor said. “But if it is some other ID, then we have to take the picture of the beneficiary along with a picture of their photo ID and upload them to the CoWIN portal. It is a much more arduous process.” Navneet Sindhu, a doctor at a private hospital in Delhi who spent a month on vaccination duty, told me that his hospital accepted only Aadhaar cards from for the vaccination verification process. The hospital’s administrative staff told Sindhu and his colleagues to accept only Aadhaar. “It is just the instructions we have. We always insist that beneficiaries bring Aadhaar. There is no other photo ID card to use,” he said. “Even beneficiaries themselves prefer to provide their Aadhaar details and as far as I know healthcare staff are doing the same at most other vaccination centres as well.” 

The nodal officer for vaccination at the south Delhi hospital told me that in the initial period of the vaccination drive between January and February, staff members were given explicit orders to create health IDs for all healthcare workers getting vaccinated. The doctor said that in early January, he and other vaccination nodal officers from other private hospitals met the district magistrate for South East Delhi. The doctor said the district magistrate told the group to register as many vaccine beneficiaries as possible with UHIDs. “The order had come from [South East] Delhi’s district magistrate and there was a target number of health IDs that we had to produce. So, for that, we always insisted that healthcare workers bring their Aadhaar card,” the doctor said. The doctor added there was no longer an explicit mandate to allot UHIDs, but most staff members did it anyway. “It has become an unsaid thing, if someone provides Aadhaar details we tick on the box for generating a health ID for them,” the doctor said. The Caravan emailed Vishwendra, the district magistrate for South East Delhi who goes by one name, asking about the meeting and the specific instructions given to nodal officers for vaccination but did not get a response.  

“This is a complete farce,” Raman Jit Singh Chima, Asia policy director and senior counsel at Access Now, a non-profit organisation which defends the digital rights of people around the world, said. “How can they create health IDs and not even inform people about them?” In August 2020, the National Health Authority formulated a Health Data Management Policy for the NDHM. This policy aimed to create guidelines for managing consent for citizens who are enrolled with the NDHM. The draft policy was open for consultation till December 2020, after which it was finalised and approved by the union government. According to this policy, consent given by a beneficiary—referred to as the “data principal” in the document—will be considered valid only if the data principal is informed and provided with a privacy notice. This privacy notice should contain detailed information on consent management and the rights of the data principal with regards to sharing their private health data.

Chima was concerned that the government had begun registering people for digital health IDs without any data protection law in place. “There is no oversight and there are no legal provisions in place to safeguard citizen’s data and privacy rights here,” he said. “Nor is there any autonomous body in place to address any potential complaints.” The Personal Data Protection Bill, which aimed at protecting privacy and data rights of citizens, was submitted to the parliament in December 2019, but is yet to be ratified as a law.

Chima said that the Health Data Management Policy document was not enough to ensure that citizens’ data rights are protected. In a submission to Rajesh Bhushan, the union health secretary, in September 2020, Access Now said that though the document would provide a general direction to the government on managing consent, the “rights of users must be provided in robust law with adequate avenues of redressal.” The submission also highlighted that the NHA, which will be responsible for managing consent and protecting sensitive health data of beneficiaries, “has been constituted under an executive order and its own legal status in running this proposed scheme and managing the collection, use, and regulation of health data of residents from states across the breadth of the country is potentially circumspect with regards to the provisions of the Constitution of India.”

Lawyers and data rights activists are raising questions as to why the government is in a rush to create health IDs and link citizens to the NDHM ecosystem, especially considering the dire circumstances of the pandemic. Srinivas Kodali, an independent researcher working on data, governance and the internet, said that the hurry was motivated by private interests rather than public ones. “Truly if the scheme is beneficial for citizens, then the government can take its time to explain its provisions to beneficiaries, and would not have to coerce citizens into creating health IDs or take their consent through unethical means,” he said. Kodali told me that health data had become a crucial resource for the information technology industry in India. “Building a digital health system will allow them to share this data with private companies and to insurers, who can benefit from such large databases,” he said. 

Concerns that data will be shared with private entities arise from the fact that the NHA has on many occasions mentioned “interoperability” of health-related data under the NDHM. Interoperability is the ability of different devices, software and information systems to use data for different purposes. The NHA has claimed that interoperability will help UHID holders to access different services for better healthcare. In its new consultation paper on a Unified Health Interface, the NHA states, “The current NDHM building blocks have been built with the primary goal of ensuring the seamless interoperability of health-related data. Stakeholders in the ecosystem may use the NDHM APIs to access, share and verify health records, healthcare professionals and healthcare facilities.” Access Now submitted comments on the UHI consultation, in which it remarked that “in the absence of a rights-affirming framework which puts user interests at the center of the system, interoperability is a recipe for disaster”. 

The instances of UHIDs being generated for people getting their vaccines without their knowledge and consent once again raises questions of data privacy even as the government pushes ahead with its digital health mission. “It is completely immoral and unethical that the government is using the cover of the pandemic and an essential commodity like vaccines to push their own agenda,” Chima said. 

This reporting was supported by a grant from the Thakur Family Foundation. Thakur Family Foundation has not exercised any editorial control over the contents of this reportage.