Collection of Data: All data collected in CARE is done so after obtaining valid consent from the Data Principle (patient or guardian or nominee of the patient). Such consent is obtained through Data fiduciaries (users in CARE). The data fiduciaries shall follow the rules below to ensure that the consent obtained from Data Principles is valid and in compliance with Clause 8 and Clause 9.2 of the Health Data Management Policy.

1. The processing of all personal data will be in a fair and reasonable manner, ensuring the privacy of the data principal

2. Only such data essential to serve the purpose of providing quality health care to the patient is collected at any point in time in CARE.

3. Such data collected shall only to share with other systems and entities outside of CARE through the Consent framework set up by ABDM.

4. No data shall be shared between entities through CARE without obtaining consent from the data principal.

5. Data principles may choose to withhold or not share any particular data. There shall be no coercion to collect personal details from the data principles.

Accountability towards protecting personal health Data: CARE has safeguards against data breaches including firewall protection, data management protocols, and other measures followed as standard practice. CARE is also audited for data security by independent auditors from time to time.

Transparency: All necessary steps shall be taken to implement practices, procedures, policies, and systems in a manner proportional to the scale, scope, and sensitivity of the personal data collected, in order to ensure compliance with the privacy principles and the laws applicable from time to time.

The choice to opt out: The data principle may opt out of having their health data linked to their ABHA IDs by informing the Data fiduciary of such a decision to revoke consent. The data fiduciary shall immediately unlink the data of such patient from the identified ABHA No. The data principle, in such cases, shall not be made to justify the choice.

Access: Data principle may at any point demand access to their own health records, which shall be readily made available by the Data Fiduciary.

Grievance Redressal: eGovernments Foundation that maintains CARE is committed to protecting the privacy and rights of data principles as stipulated under ABDM Data Privacy Policy. For the same reason, a data protection Officer is designated to redress all grievances relating to privacy. Details of the Data Protection Officer are as below: Name: Aparna Sathianathan Phone Number: +91 9745150779 Email ID: aparna.sathianathan@egov.org.in Any grievance by Data principles regarding data privacy may be emailed and such grievance shall be addressed within 7 working days. A record of such grievances shall be maintained.

Equity: No data principle shall be restricted to exercise their rights under the ABDM Data Privacy Policy based on factors such as language, disability status, technological knowledge, etc.