The National Health Policy, 2017[1] (“Policy”) envisaged the creation of a digital health technology ecosystem, aiming to leverage the potential of digital health data. The advantages of such digitalization and the potential of technology can hardly be overlooked, yet the proposals in this policy essentially involve large-scale creation, collection and sharing of health data. An increasing focus is on the complete lack of privacy or security protection for health data under laws in India.
Two significant steps forward have thus been the release of the draft Digital Information Security in Healthcare Act (“DISHA”)[2] in March, 2018, and the draft of the Personal Data Protection Bill, 2018 (“PDP Bill”)[3], in July, 2018. While both take a consent-based approach to data protection and create a trust-based relationship between an individual and the entity taking his data, there is a stark difference in the position of an individual under each. DISHA imposes significant restrictions on the use of health data and places an individual squarely in control of his data, while the PDP Bill takes a more relaxed approach. Some key provisions of these laws and their collective impact on the use and governance of health data are looked at in this article.
Creating a digital health technology ecosystem
An early step of the government towards creating a digital health technology ecosystem was the mandate for all clinical establishments to maintain electronic health records under the Clinical Establishments (Central Government) Rules, 2012[4]. The ‘National Health Information Architecture’ proposed by the Policy took this preliminary digitalization many steps further. An integrated health information system, the use of Aadhaar, creation of registries for enhanced public health/ big data analytics, creation of a health information exchange platform and a national health information network, use of National Optical Fibre Network, use of smartphones/tablets for capturing real time data, and so on, were all key strategies of the Policy.
The aim of this movement towards such an ecosystem was, on the one hand, to include ensuring a continuity of care across various levels of healthcare services, and on the other, to recognize and utilize the integral role of technology (eHealth, mHealth, Cloud, Internet of things, wearables, etc.) in healthcare delivery. A National Digital Health Authority was also proposed here. This was soon followed by the National Health Stack proposed by Niti Aayog[5] in July, 2018.
Existing privacy laws for health data in India
Existing privacy laws in India are simply not designed to deal with the scale of data creation and sharing being proposed. Under Section 43A[6] of the Information Technology Act, 2000 (“IT Act”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 framed under the IT Act, which govern data protection in India, the fundamental requirement is for body corporates to have suitable security measures in place. A failure to safeguard data for the lack of such measures will require a body corporate to award compensation to the individual affected. As a data protection ‘law’, this is hardly adequate.
An additional issue is that the application of Section 43A is restricted to body corporates, thus restricting the application to hospitals, clinical establishments, etc. that are body corporates, while excluding those that are not. Section 43A defines a body corporate to mean a company[7], while the Clinical Establishments (Registration and Regulation Act, 2010) does not require clinical establishments to be incorporated[8]. The result is that while a large number of hospitals are companies (for example, the All India Institute of Medical Sciences is a body corporate under Section 3 of the All India Institute of Medical Sciences, Act, 1956), there may also be establishments that are not incorporated, and thus not ‘body corporates’ under Section 43A.
In addition to Section 43A, there are also several individual provisions on privacy and confidentiality, to be found under various medical laws. An example is the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002[9], which imposes a secrecy obligation on physicians in relation to any patient data entrusted to them, including personal or domestic information. Entries in “Admission Registers”[10] for abortions are not permitted to be disclosed[11], while third party administrators for insurance companies, in addition to confidentiality obligations are required to maintain records for at least 3 years[12].
Such provisions thus, impose obligations like consent, confidentiality, restrictions on disclosures and retention periods only for the specific areas that the laws deal with. These scattered obligations, along with Section 43A, are thus the sole law on protection of health data at present. As can be seen, such provisions cannot secure and safeguard health data in the digital ecosystem proposed to be created. A comprehensive law, imposing obligations for the protection of health data as a whole like collection, purpose or storage limitations, consent requirements, and so on, is missing.
DISHA and the PDP Bill: Different approaches to data governance
Both DISHA and the PDP Bill, create such a comprehensive data protection system, and will both be a significant step forwards towards the holistic protection of health data. Each adopts a different approach, with DISHA clearly offering stronger protection to an individual vis-à-vis his data. In fact, DISHA clearly specifies the purposes and processing that health data can be put to, and disallows processing under any other grounds, including consent. If a purpose or processing is specified under DISHA, then additionally, there is a requirement of either the individual’s consent or a law requiring such use. These have been discussed in more detail later in this article.
The advantage of the PDP Bill on the other hand lies in the fact that despite its drawbacks, it is a more complete data protection law. When read together, the PDP Bill does serve to fulfil certain lacunae in DISHA. It, for instance, can supplement DISHA with provisions such as more detailed notice requirements, the right to data portability, audit requirements in the form of a Data Protection Impact Assessment, and provisions on the cross-border transfer of data. Penalties under the PDP Bill are also significantly larger, with the former’s penalties going up to Rs. 15 crores or 4% of annual global turnover[13], while the latter prescribes a maximum penalty of Rs. 5 lakhs (Rs. 1 Crore is specified for only one offence under DISHA)[14].
Consent and consent-related rights
Data governance under DISHA takes an entirely consent-based approach, giving the individual significant rights and putting him squarely as the owner of his data. Under DISHA, an individual has been given an actual say in what happens with his data[15]. Firstly, he has been given explicit rights to give or refuse consent at every stage of processing- generation, collection, storage, transmission, access and disclosure. He also has the right to withdraw consent for storage and transmission of his data. Two very significant consent-related rights in addition to these are the need for explicit, prior permission for every use of his data in an identifiable form[16], and the right not to be refused health care if he refuses consent at any stage[17].
The consent related rights under DISHA thus place an individual in a very strong position. This can be compared to his position under the PDP Bill, which also creates a largely consent based regime. The PDP Bill lists various grounds of processing, of which the primary ground available to a company for processing personal data is consent, and for sensitive data like health data, it is explicit consent[18]. This is unlike the General Data Protection Regulation 2016/679 of the European Union (“GDPR”), under which a company has several grounds such as legitimate interests and performance of contract. The other grounds under the PDP Bill can be seen as exemptions to consent-based processing. For sensitive data these include processing by the State, processing under a law and processing for emergencies[19].
So far, the PDP Bill and DISHA take a similar approach to sensitive data, in terms of the need for consent and the exceptions drawn. The differences then are firstly, with the non-consent based processing under the PDP Bill. Under DISHA, non-consent based processing under a law is only allowed for using, accessing or disclosing data for the limited purposes specified under DISHA, such as to advance the delivery of patient care or to improve public health activities[20]. The purposes under the PDP Bill for non-consent based processing under a law are unspecified and thus much broader. A similar difference can be seen for non-consent based processing by the state, which is discussed in the next section.
The second difference is that under DISHA, consent is required repeatedly and at every stage, such as the need for explicit prior permission before every use of his data in an identifiable form[21]. A third difference is with the withdrawal of consent. Under the PDP Bill, withdrawal of consent has no effect for non-consent based processing, such as processing by the state. Under DISHA, a person’s right to consent and withdraw consent remains even in relation to non-consent based processing. For instance, even if the State can access his data under a law for a specified purpose, he can withdraw his consent for storage of his data[22]. His prior approval would still be required for a use of his data in an identifiable form. Similarly, DISHA allows him to withdraw his consent at various stages- generation, collection, storage, transmission or use[23]. The PDP Bill, further, allows an individual to restrict or prevent disclosure of data, but it does not grant a right of erasure[24]. In other words, unlike under DISHA, an individual cannot withdraw his consent for the storage of his data and require it to be deleted under the PDP Bill.
Governmental access of the data
In relation to State access of data as well, there is a significant difference in the approach between the PDP Bill and DISHA. Under the former, data can be processed without consent for any function of the Parliament or the function of the State under any law[25]. Under DISHA, access to health data is restricted to permitting governmental departments to seek access from the National Electronic Health Authority established under the Act for the following purposes[26]:
- For public health activities or to deal with public health threats
- To facilitate health and clinical research.
- To promote detection, prevention and management of chronic diseases.
- To carry out public health research and analysis, and
- To undertake academic research.
Apart from this, DISHA permits access for an investigation via a court order[27]. State processing of data is additionally permitted under DISHA as processing by any other ‘entity’, which is discussed below.
Processing of data by ‘entities’ other than clinical establishments
There are a number of provisions for processing by all other ‘entities’[28] apart from clinical establishments and health information exchanges, which will apply to the processing of health data in any other form such as, for example, the State or an intermediary or service provider (say a pharmacy) in use by a clinical establishment.
Such other ‘entities’ are highly restricted under DISHA, and are only permitted to generate, collect and store health data for the following purposes only[29]:
- To advance the delivery of patient centered medical care,
- To provide information to guide medical decisions, or
- To improve coordination of care and information among hospitals, laboratories, etc.
Apart from this, health data cannot be generated, collected, stored, accessed or disclosed for a purpose not listed under the DISHA[30]. Even use for a purpose listed under DISHA will additionally require either consent or a legal requirement.
Thus, processing by any entity, including the government, is not recognized or allowed for any other purposes apart from those listed here, including if there is a legal requirement. This throws into question, for instance, the proposed governmental storage of DNA data, under the DNA Technology (Use and Application) Regulation Bill, 2018[31], since DNA data will amount to ‘digital health data’ as defined under DISHA[32].
Processing of health data by smartphones, wearable devices, etc.
A reading of DISHA, and in particular of these provisions on processing by other ‘entities’, indicates that it is a law that is designed primarily to apply to processing of health data by clinical establishments and health information exchanges. The same provisions on processing by other ‘entities’, however, will need to be interpreted to apply to processing of health data by smartphone health apps, wearable devices and the like as well. The uses that the data is put to by such apps and wearable devices can include large scale research, data analytics, sale for marketing, disclosure to other third parties, and so on. None of these uses, however, are permitted under DISHA, unless they are found to fit with the three categories listed above. The PDP Bill, on the other hand, is fundamentally designed to permit processing of this nature. The only requirement is of express consent[33].
Private and commercial use of health data
Processing of health data by smartphone apps and the like is thus not permissible, even if consent is in place. DISHA, moreover, goes on to place an express bar on all commercial uses of health data, whether in an identifiable or anonymized form[34]. In fact, DISHA expressly bars access, use and disclosure to insurance companies, employers, human resource consultants and pharmaceutical companies, and allows the Central government to prescribe more such entities. A limited exception for insurance companies is to seek consent for accessing data for the specific purpose of processing insurance claims[35]. The use of such data for marketing of any sort, another fundamentally commercial activity, will also not be possible.
Outsourcing- sharing/ receiving of anonymized data
Another sector where medical data is often processed is in the outsourcing sector, where anonymized or pseudonymized medical and health data of individuals from around the world is received by medical process outsourcing companies in India. The PDP Bill expressly does not apply to the processing of anonymized data[36], but DISHA contains some requirements in relation to anonymized health data as well, such as the bar on commercial use[37].
DISHA, however, does not expressly deal with such processing of data by outsourcing companies, since it generally deals with data received directly from an individual. The protections of DISHA, however, are not restricted to Indian citizens and data with Indian clinical establishments or entities. Thus, the same provisions for use by other entities as discussed previously will apply to the extent possible. Such data, further, will be governed by the laws of other countries, such as the GDPR for the EU, or the Health Insurance Portability and Accountability Act, 1996 for the US.
Bringing DISHA and the PDP Bill in conformity
The PDP Bill and DISHA take a very different approach to protecting health data, not only in terms of the position of the individual, but also in terms of the terms, their definitions, the fundamental concepts, and the uses envisaged under each. A difference can also be seen between DISHA and other medical laws, say the Clinical Establishments Act, 2010. Both the PDP Bill and DISHA need further work, and there is also a need to bring the two in conformity with each other. Both the state and private companies are likely to prefer the PDP Bill, given the leeway it offers. However it is important that the PDP Bill be aligned in the same direction as DISHA to offer stronger protection to the people.
In the absence of this, there is a possibility of interpreting the two laws in a way which can weaken the protection offered by DISHA. Both the PDP Bill[38] and DISHA[39] have clauses which allow their provisions to override the provisions of any other conflicting law. The general rule when two laws deal with a similar subject-matter is that a harmonious construction must be adopted, which requires the reading of the law as whole. Another important rule is generalia specialibus non derogant, under which the general law, here, the PDP Bill, must give way to the special law, here, DISHA.
An attempt to resolve the conflicting provisions of the PDP Bill and DISHA may lead to different interpretations, one of which could be to narrow the scope of DISHA to apply to processing in relation to clinical establishments, health information exchanges and related entities specifically, and to the digital health data created and processed in relation to their activities, as opposed to all health data. Further, based on such an interpretation, other uses such as the use of health data by smartphone apps and the like may be interpreted to be governed under the PDP Bill and not DISHA. Similarly, such an interpretation may allow state access to health data (apart from the specific data with clinical establishments and the like) under the PDP Bill, beyond the restrictive access permitted under DISHA. An example of such an access would be access to data in a state created DNA databank. An interpretation of this sort will narrow the scope of the special law, allowing a harmonious construction of both the laws, while simultaneously weakening the protection of DISHA. Given the movement towards a digital ecosystem in India, protecting an individual and his data must be of the utmost priority.
This article has been authored by Asheeta Regidi with inputs from Nehaa Chaudhari. Regidi is an independent consultant in technology laws and a GDPR compliance specialist (CIPP/E/A). Chaudhari is Public Policy Lead, Ikigai Law.
[1] National Health Policy, 2017, issued by the MoHFW, available at http://cdsco.nic.in/writereaddata/national-health-policy.pdf
[2] MoHFW Notification: Placing the draft of “Digital Information Security in Healthcare, act (DISHA)” in public domain for comments/views-reg, Ministry of Health and Family Welfare, dated March 21st, 2018, Notification No. F.No.Z-18015/23/2017-eGov, available at https://www.nhp.gov.in/NHPfiles/R_4179_1521627488625_0.pdf
[3] Available at https://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf
[4] Rule 9(iv) of the Clinical Establishments (Central Government) Rules, 2012: Other conditions for registration and continuation of clinical establishments, available at http://clinicalestablishments.gov.in/WriteReadData/386.pdf
[5] Available at http://niti.gov.in/writereaddata/files/document_publication/NHS-Strategy-and-Approach-Document-for-consultation.pdf
[6] Section 43A, IT Act, 2000: Compensation for failure to protect data, available at https://indiankanoon.org/doc/76191164/
[7]Explanation, Ibid.
[8] Section 2(c), Clinical Establishments (Registration and Regulation Act, 2010): Definitions, Clinical Establishments
[9] Available at https://www.mciindia.org/documents/rulesAndRegulations/Ethics%20Regulations-2002.pdf
[10] Rule 2(b), The Medical Termination of Pregnancy Regulations, 2003: Definitions, “Admission Register”, available at https://indiacode.nic.in/ViewFileUploaded?path=AC_CEN_12_13_00006_197134_1517807320428/regulationindividualfile/&file=MTP+Regulations.pdf
[11] Rule 5, Ibid.: Maintenance of Admission Register, and Rule 6, Ibid.: Admission Register not to be open to inspection,
[12] Rule 22, Insurance Regulatory and Development Authority (Third Party Administrators- Health Services) Regulations, 2001: Maintenance of Confidentiality of Information, available at https://www.irdai.gov.in/ADMINCMS/cms/frmGeneral_Layout.aspx?page=PageNo25&flag=1
[13] Chapter XI, PDP Bill, 2018: Penalties and Remedies
[14] Chapter V, DISHA, 2018: Offences and Penalties
[15] Section 28, DISHA, 2018: The rights of the owner of digital health data
[16] Section 28(8)(b), DISHA, 2018: The rights of owner of digital health data
[17] Section 28(8)(f), DISHA, 2018: The rights of owner of digital health data
[18] Section 18, PDP Bill, 2018: Processing of sensitive personal data based on explicit consent.
[19] Chapter IV, PDP Bill, 2018: Grounds for processing of sensitive personal data
[20] Section 29, DISHA, 2018: Purposes of collection, storage, transmission and use of digital health data
[21] Section 28(8)(b), DISHA, 2018: The rights of owner of digital health data
[22] Section 28(3), DISHA, 2018: The rights of the owner of digital health data
[23] Section 28, DISHA, 2018: The rights of owner of digital health data
[24] Section 27, PDP Bill, 2018: Right to be forgotten
[25] Section 13, PDP Bill, 2018: Processing of personal data for functions of the State.
[26] Section 34(3), DISHA, 2018: Access to digital health data
[27] Section 34(4), DISHA, 2018: Access to digital health data
[28] Section 3(1)(f), DISHA, 2018: Definitions, Entity
[29] Section 29(2), DISHA, 2018: Purposes of collection, storage, transmission and use of digital health data
[30] Section 29(3), DISHA: Purposes of collection, storage, transmission and use of digital health data
[31] Available at https://www.prsindia.org/sites/default/files/bill_files/DNA%20Technology%20Bill%2C%202018%20as%20passed%20by%20LS.pdf
[32] Section 3(1)(e), DISHA: Definitions, ‘Digital Health Data’
[33] Section 18, PDP Bill, 2018: Processing of sensitive personal data based on explicit consent
[34] Section 29(5), DISHA: Purposes of collection, storage, transmission and use of digital health data
[35] Ibid.: Proviso
[36] Section 2(3), PDP Bill, 2018: Application of the Act to processing of personal data
[37] Section 29(5), DISHA: Purposes of collection, storage, transmission and use of digital health data
[38] Section 110, PDP Bill, 2018: Overriding Effect of this Act
[39] Section 52, DISHA, 2018: Act to supersede any other law
