Health Data Privacy — The Emerging Need 

Privacy is Prime

Right to privacy is one of the most important and fundamental facets of life all over the world. Even in India, it is encompassed under Article 21 of the Indian Constitution. The Indian judicial system, time and again, has recognised the right to privacy i.e. right to maintain confidentiality and privacy in matters related to body, personal life, etc.

In K.S. Puttaswamy v. Union of India[1], the Court observed that:

right to privacy is a part of the right to “life” and “personal liberty” enshrined under Article 21 of the Constitution. Once the facts in a given case constitute a right to privacy, Article 21 is attracted. The said right cannot be curtained “except according to procedure established by law”.

Health Data — What Does it Imply?

By and large, all agree that any individual’s personal data must be legally protected. The expression “personal data” has been defined in the Personal Data Protection Bill, 2019 (hereinafter referred to as “PDPB 2019”) under Section 3(28). Further, under Section 3(36) of PDPB 2019, the data is further categorised into “sensitive personal data” which includes financial data, health data, official identifier, genetic data, sex life, transgender status, etc.

Till date, there is no Indian legislation that has been implemented specifically protecting “personal data” which includes data about or relating to a natural person who is directly or indirectly identifiable.

The definition of “health data” as provided in PDPB 2019 and the definition of “digital health data” as provided in Digital Information Security in Healthcare Act which is at Bill stage (hereinafter referred to as “Disha”) are quite similar.

“Health data” under PDPB 2019 is defined as:

the data related to the state of physical or mental health of the data principal and includes records regarding the past, present or future state of the health of such data principal, data collected in the course of registration for, or provision of health services, data associating the data principal to the provision of specific health services.[2]

The definition of “digital health data” under Disha has some additional aspects in relation to the foregoing definition of “health data” which includes donation details of the individual pertaining to any body part or bodily substance, test results of body or body substance, details of the clinic whose services are availed by the individual. The other aspect is that the definition only covers health data in digital format.[3]

Key Pointers

(1) Disha specifically deals with electronic data of health-related information, whereas PDPB 2019 deals with personal data of any type which also includes health data (in electronic form or otherwise).

(2) The PDBP 2019 is a comprehensive data privacy law which deals with the flow, usage, security protections, remedies of breach associated with personal data across industries, whereas Disha is a sectoral legislation pertaining industry dealing with health data.

(3) Disha primarily applies to clinical establishments[4] which include: hospital, maternity home, nursing home, dispensary, clinic, pathological labs, diagnostic centres, irrespective of the entity nature i.e. company or proprietorship or partnership or government entity or run by a single doctor, etc. and health information exchanges and others established under it.

(4) It is not clear as to the necessity of Disha when we are supposed to enact PDPB 2019. The basic idea is to a have a sector-specific privacy legislation as health data breach is more severe as it causes social discrimination which has economic ramifications as well, adverse profiling, violence and embarrassment to the affected individuals. Apart from this, there is a need to plug the gaps leading to data breaches mainly caused by hacking/IT incidents, unauthorised access/disclosures, theft, improper disposal specific to health information.

(5) As per a global study conducted in 2019, it has been found that nearly 15% of the data breach happen to take place in healthcare organisations.[5] Other global surveys too reflect exponential losses due to health data breach.

Creation of Specific Statutory Bodies Exclusive to Implement Health Data Privacy

In order to ensure confidentiality of “sensitive personal data” specifically referring to health data, the Government is contemplating on passing Disha apart from the recently introduced PDPB 2019 which is the amended version of 2018 Bill. Both the Bills are complementary yet a bit distinct from each other.

PDPB 2019 has a wider scope as compared to Disha which covers all sorts of data including financial data, biometric, religious belongingness, etc. On the other hand, Disha specifically focuses on regulation of the processes related to collection, storing, transmission and use of digital health data; and to ensure reliability, data privacy, confidentiality and security of digital health data.[6]

Disha, in order to ensure confidentiality and privacy of digital health data, seeks to establish National electronic Health Authority of India (NeHA), State electronic Health Authorities (SeHA), the National Executive Committee, State Executive Committees to assist the NeHA and SeHA, health information exchanges which will be managed by Chief Health Information Executive (CHIE), the data controlling authority of the exchange, to regulate and form new standards and protocols for the purpose of proper transmission & collection of digital health data, among other functions for discharge under Disha.

The NeHA and SeHA shall have powers of the civil court under Section 26 of Disha with respect to summoning, examination of witness, inter alia. So, Disha realises the need to have specific bodies to have jurisdictions pertaining this nature of disputes as the current courts are already overburdened with numerous cases.

However, Disha provides for certain matters to be dealt at Sessions Court under Section 43(2) which are as follows:

(a) Data theft.

(b) Fraudulent or dishonest obtaining of health information of another person, which such person is not entitled to obtain.

(c) Where there is serious breach of digital health data under Disha.

Different Layers of Breach and Associated Penalty

Another feature which can be observed is that Disha categorises the penalties for “breach” under Section 37 and “serious breach of digital health information” under Section 38 based on the criminal intent i.e. prescribing penal consequences for intentional, fraudulent or negligent breach of data by the collector. A serious breach under Section 38 would result in punishment with imprisonment from three years up to five years or fine of rupees five lakhs, provided the fine amount may be provided as compensation either in full or partial to the victim of such breach at the discretion of court. A “breach” on the other hand shall result in paying of damages by way of compensation to the owner of such digital health data.

No Commercial Use

Disha puts an express bar on commercial uses of the digital health data. It expressly bars the disclosure to insurance companies, employers, human resource consultants and pharmaceutical companies. This obligation has been imposed on clinical establishments and health information exchanges.

The nature of digital health data is not a concern here, whether the data is identifiable or even anonymous, the prohibition applies.

Health Data Interoperability

One of the anomalies that has been addressed in Disha is the transmission or transfer of data from one clinical establishment to another i.e. the interoperability of health data, in colloquial term, it may be referred to as portability of health data. A patient’s health data when transferred to other clinical establishments not only prevents repetition, but also saves time and money. This provision as enabled by Disha will encourage reuse of digital health data and may result in health practitioners doing away prescribing same tests repetitively, one of the reasons of which is lack of access to patient’s medical history.

Disha also seeks to establish a central regulatory authority to ensure seamless flow of sensitive health data. It provides that Government shall ensure that health information exchanges transmit the data with the consent of data principal i.e. a patient is to be treated as the sole owner of the digital data and no other party including any clinical establishment or any entity has the right to store the information without written consent from the data owner.

Disha provides for security measures to ensure confidentiality of digital health data in the form of the following enabling provisos:

(1) The NeHA shall lay down protocol for transmission of digital health data to and receiving it from other countries under Section 22(1)(e) as well as lay down standards for physical, administration, technical measures keeping in mind privacy and confidentiality for transmission of digital health data.

(2) A clinical establishment shall transfer the data to health information exchange in an encrypted form.

Consent in General under PDPB 2019 with Some Exceptions Versus Stricter Consent Principle in Disha

The similarity of Disha and PDPB 2019 is that both the Bills have adopted same approach to regulate and restrict the health data which is sensitive data of a data principal via the consent-based approach. The point of difference that can be observed between the Bills is that Disha adopts more stringent rules, it requires consent of the data principal at every stage (i.e. from the stage of generation, collection, storage, processing, transmission, access and disclosure). It mandates the data- holder to take consent for any further processing or retaining the data. Disha imposes primary focus on the consent of data principal. It bestows various rights on the owner of data under Section 28 which includes some of the following:

(a) Right to privacy, confidentiality, and security of the digital health data collected or stored.

(b) Right to refuse or grant consent for use, generation or storage of data for specific purposes and to withdraw the consent granted.

(c) It provides right to the owner to know entities or establishments accessing the data.

(d) The right to prevent any transmission or disclosure of any sensitive health-related data that is likely to cause damage or distress to the owner.

(e) Owner has the right to ensure that health data is shared with family members in cases of medical emergency, etc.

(f) The right not to be refused health service, if the data principal refuses consent of generation, collection, storage, transmission and disclosure of their health data.

Section 29(3) of Disha expressly prohibits the use of data for any other purpose, except for which consent has been given. The other cases i.e. for public health-related purposes where digital health data can be used are:

(a) To facilitate health and clinical research.

(b) To promote detection, prevention and management of chronic diseases.

(c) To carry out public health research and analysis.

(d) To undertake academic research.

Provided in the foregoing situations such data should be in de-identified or anonymised i.e. the natural person cannot be identified from such form of data. So, in other words, no consent shall be required in the above four instances as well as when it is a statutory or legal requirement as provided under Disha. The exact instances of statutory or legal requirement are neither expressly nor in finite terms mentioned in the current version and is thus dependant on any form of orders, court decisions or other laws. Disha is supposed to prevail over any other law pertaining digital health data, but there is ambiguity in this regard which is discussed later.

Section 31 of Disha provides that the absolute ownership of the data digitalised is the individual whose data has been digitised, the entities or clinical establishments shall use the data in trust for the owner.

Under PDPB 2019, the approach is a bit relaxed and simpler. The data principal’s consent to use of data is required, but at the same time it has provisions where personal data can be used without consent of the other party i.e. data can be used in cases of medical emergencies, for providing benefits to data principal which is from the State, for compliance with court order, controlling law and order situation, for any licence grant by the State.[7]

The other ground to proceed devoid of consent is on account of “reasonable purposes”[8] which include:

(a) prevention and detection of any unlawful activity;

(b) whistleblowing;

(c) mergers and acquisitions;

(d) network and information security;

(e) credit scoring;

(f) recovery of debts;

(g) processing of publicly available personal data; and

(h) the operation of search engines.

Thus, the instances of non-consent-based dealing with personal data which may comprise health data is more under PDPB 2019 in comparison to Disha.

Which One Prevails PDPB 2019 or Disha? The Possible Lacuna to be Addressed Before its too Late!

Both PDPB 2019 and Disha have overriding provisions which basically outline that the respective laws prevail over any other law wherever inconsistent. Section 52 of Disha and Section 96 of PDPB are the respective provisions. This results in a drawback of possible misconstrued interpretation in cases where a litigant or a party might take the benefit of relaxation in consent terms inter alia as allowed under PDPB 2019 over Disha which has stricter consent terms and has enhanced privacy obligations.

This difficulty should be removed either through amendment or in the form of more elaborative rules connected with the respective Bills when legislated, so that a party does not take advantage of this lacuna quite easily.

However, it appears that the Government’s two wings Ministry of Health and Family Welfare (MoHFW) and Ministry of Electronics and Information Technology (MeitY) are in discussion whether to subsume the protective provisions of digital health data within PDPB 2019 or its amendments to avoid duplicity of efforts.[9]

It may be submitted that a sector-specific legislation is always advisable bringing in the dynamics of a particular sector which it carries. On the other hand, a general law would not be able to accomplish it. Also, that PDPB shall have to be overhauled with the dynamics prevailing in healthcare industry to make its applicability significant.

Another good point is that under Section 55(5) of Disha, it has an enabling provision wherein the Government undertakes to do comprehensive review of all laws relating to health within 1 year of Disha going live so that those are compatible with Disha.

So, there seem to be two alternative approaches working together – one on subsuming Disha into PDPB from the perspective of protecting digital health data; and second on making consistent provisions or removing inconsistent ones to the best extent in compatible with Disha to avoid conflicts among multiple laws.

India, despite being the world’s biggest democracy, has failed to implement the fundamentals of data privacy so far. Time and again, Indian Government has missed to maintain confidentiality of database collected in the form of Aadhaar, etc. There have been several instances of data breaches in the recent past. In the recent report of Compritech’s Global Survey, India has been ranked as third worst for data privacy[10]. The survey ranks the countries on the basis of data enforcement, biometrics, etc.

The degrading position in terms of Global Surveillance Index necessitates the need to implement PDPB 2019 along with other sector-specific legislations like Disha which is delayed, year after year. Akin to India’s rise in “Ease of Doing Business” rankings, we do hope to see the rise of India in data privacy rankings as well.

---

* Bhumesh Verma is Managing Partner at Corp Comm Legal and can be contacted at bhumesh.verma@corpcommlegal.in.

Sayantan Dey, Legal & Compliance Professional and can be contacted at deysayantan59@gmail.com 

Shruti Jaju, 4th year student, Rajiv Gandhi National University of Law, Patiala.

[1] (2017) 10 SCC 1

[2] S. 3(21)of PDPB 2019

[3] S. 3(1)(e) of the DISHA.

[4] S. 3(1)(i) of the DISHA.