India’s wake-up call on health data privacy

Data and the cracks

If trust issues are holding people back from using health apps, Anja Kovacs would not be surprised. As the founding partner of Feminist Futures who is actively espousing for an embodied approach to data, Kovacs reminds that these are the very moments of crisis when people start to look at data in the way they should always have.

“This situation is a good example of the link between an individual’s body and data – especially when decisions taken on the basis of data have real consequences for that individual,” she said.

To Raghavendra Prasad T S, the leading man behind Project StepOne, a volunteer-driven telehealth initiative, the situation could be more pronounced in India, which lacks the strong data protection regulations of the US. “Users should apply discretion on the real value they are getting out of the data they share,” he said.

The lack of awareness around data privacy is contributing to the problem. Prasad noted that the healthcare tech space in India is still in its infancy, with most laws around data applied at a contractual level.

But the silver lining, as Prasad contended, is that a large chunk of India’s health tech industry is self-regulated.

“Most business models of apps are not structured around data sharing, and I have seen very few instances of that. Health tech is very small and nascent in India compared to mainstream tech like ridesharing, food and delivery apps,” he said.

Incidentally, Mozilla, which issues labels on products that consumers should think twice about before buying, found that as many as 28 out of 32 mental health and prayer apps were slapped with privacy warning labels, indicating strong concerns over user data management. 

The reasons are not hard to dig. Almost all the apps reviewed were capturing users’ personal data, with some harvesting additional data for third-party platforms. Insurance companies also get to collect extra data on the people they insure while data brokers continue to enrich their databases with even more sensitive data.

Strangely, when it comes to protecting people’s privacy and security, mental health and prayer apps are worse than any other product category that Mozilla researchers have reviewed over the past six years.

“We are just one disgruntled employee away from a lot of data getting out there in the world,” warned Jayanth Ganapathy, director of Plum, an employee health insurance platform.

Ganapathy, who has earlier led the telemedicine, health screening and diagnostics business units at Practo, Connect & Heal, Qikwell and MedTrail, said app developers are not doing enough to address data privacy.

“The scenario is serious because we have so many apps now in India, with at least eight to 10 mental health apps alone. We need better standards and organisations need to regulate themselves with a sharp eye and rigour. Although information security standards like ISO 270001 are there, it’s not that difficult to get certified.”

Gen Z users more savvy

Concerns around data privacy are hard to deny especially in some segments as observed by Anshul Kamath, founder at Evolve, a mental health and personal growth app that was awarded by Google as best personal growth app last year.

Kamath noted the growing awareness of data rights, especially among Gen Z users who have actively reached out to Evolve on data privacy matters.

“We also believe that irrespective of data laws like SOC2 [Service Organisation Control 2] and GDPR [General Data Protection Regulation], it’s our responsibility as a company to create a safe space for our users in the truest sense, so for us, privacy is and will continue to be a high priority. We also see positive policy shifts from both Google and Apple where they are ensuring all app developers start to respect user privacy and data more,” he added.

Ganapathy noted that the real danger lurks in the dashboards and analytics reports that an operations team member can get easily. “If they are not easy to download, especially bulk data, then that’s a good step to start with.”

Dixit Sood, founder of Ayurshakha.com, an aggregator of herbal, organic and ayurvedic products, said while the habit of sharing data is common, that’s not how his venture looks at monetisation. “We are a small player, but we do not sell data to third parties.”

Evolve’s Kamath echoes that approach and takes pride in protecting data privacy. “A lot of our users spend time on our app being vulnerable and honest with themselves and introspecting on their life and areas of stress.

“Users own their data and can delete their accounts at any time, and we do not share any data with third-parties. We don’t have any ads on our app, and we also ensure that any third-party integrations are compliant when it comes to data privacy,” he said.

Such efforts would matter a lot as India’s healthcare market is set to grow. According to the India Brand Equity Foundation, the healthcare market in India would hit $372bn by 2022 while the e-health market would reach about US$10.6bn by 2025.

Add to that, the size of India’s medical tourism market, which was valued at $2.89bn in 2020, is set to grow to $13.42bn by 2026. This has led to calls for the industry to get proactive on health data privacy before the problem becomes too big to grasp.

“Like in every crisis, something good will come out of it too,” Kovacs said.