
In September 2021, the Indian government launched the Ayushman Bharat Digital Mission (“ABDM”) to digitise the entire health ecosystem of India. The ABDM outlines the foundational elements and strategic roadmap designed to facilitate universal health coverage in an effective, accessible, inclusive, secure, and timely manner. The National Health Authority (“NHA”) is the apex body established for implementation of the ABDM and functions under the aegis of the Ministry of Health and Family Welfare (“MoHFW”). As of December 2023, more than 50 lakh individuals have enrolled in the ABDM to manage their health records digitally, and 50 crore individuals have signed up for ABDM-specific unique identifiers. Other participants in the ABDM include 2.6 lakh verified doctors and nurses, and 2.26 lakh hospitals, clinics, labs, pharmacies, etc. Over 56,000 hospitals across the country use ABDM-enabled solutions.
The ABDM sets out policies, strategy documents, and circulars to regulate personal data processing within the ABDM, including the Health Data Management Policy (“Policy”). An attempt to actualise the ABDM’s principle of “security and privacy by design”, the Policy aims to safeguard digital personal data within the ambit of the ABDM and cultivate a privacy-oriented culture.
This note provides an overview of the data protection and cybersecurity obligations that ABDM participants must comply with and offers practical recommendations on compliance.
1.1. Applicability
The Policy regulates the processing of “personal data”. It imposes enhanced compliance obligations for the processing of “sensitive personal data”, a subset of personal data, which is defined under Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 issued under the Information Technology Act, 2000 (“SPDI Rules”). Sensitive personal data includes details relating to an individual’s physical, physiological, and mental health conditions, and their medical records and history.
A major portion of the recent discourse on emerging technologies has concerned the advent of generative artificial intelligence (“Generative AI”). The integration of Generative AI into daily tasks has been a fast but permanent process. Various businesses around the world have begun integrating Generative AI into their workflows and customer services to offer increasingly creative solutions within their existing services.
Generative AI is generally considered to be an offshoot of language training models, which have been around for a long time now. Language training models have seen continuous business use, from automated search results on search engines such as Google to word suggestions on Microsoft Word. Language training models generally use two types of learning: supervised learning and unsupervised learning. In supervised learning, the system is trained on a dataset in which each input is paired with a matching labelled outcome. By modifying its variables depending on the difference between its projections and the real labels, the algorithm develops the ability to convert inputs to outputs. As a result, the model may generalise and make accurate projections on previously unknown data. Unsupervised learning, by contrast, entails tasks in which the algorithm investigates the intrinsic structure of unlabelled data without specific output direction. It frequently comprises tasks such as clustering or minimising dimensionality, with the goal of discovering trends, correlations, or descriptions in data without predetermined target categories.
The Digital Personal Data Protection Act, 2023 (“DPDPA”), India’s yet-to-be-implemented new data protection law, may offer Generative AI trainers respite. While the DPDPA expands its scope of application to all categories of personal data and not just SPDI, the DPDPA also contains an important exemption. The applicability of the entire DPDPA is precluded when dealing with personal data which has been made public by the individual themselves. However, further guidance is expected from the government and the incoming Data Protection Board of India to lay down various standards under the DPDPA, including standards on what would be considered as data that has been “made public” by individuals. This may include guidance on whether posting on social media accounts, communication platforms, or other forms of internet-based interaction would be included within the scope of “public data”.
This website is owned and operated by Spice Route Legal, and is exclusively meant to be a source of information on the firm, its practice areas, and its members.