DIGITAL PERSONAL DATA PROTECTION ACT (DPDPA), 2023: IMPACT ON AND CHALLENGES TO HEALTH DATA PROCESSING

On August 11, 2023, India enacted the Digital Personal Data Protection Act, 2023 (“DPDPA”). The DPDPA imposes various obligations on entities that process personal data so that such processing is lawful, fair, and transparent.

With the evolving digital landscape, data privacy laws have a significant impact on the healthcare sector. Such developments make it essential for the healthcare industry to adopt practices that support a safer, patient-focused healthcare environment by building patient trust, securing data, and enabling responsible data exchange. In that context, this note examines the impact of the DPDPA on health data processing by businesses and the challenges they may face once the DPDPA is brought into force.

PROTECTED CATEGORIES OF DATA

The DPDPA is intended to regulate the processing of “personal data”. Under the legislation, personal data is any data about an individual who is identifiable by, or in relation to, such data. The DPDPA does not carve out a separate category of “sensitive” personal data, and health data is therefore treated like any other personal data under it.

Accordingly, businesses will not attract higher compliance obligations under the DPDPA merely because they collect and process health data. Today, the heightened obligations for health data processors flow from other laws, in particular the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 issued under the Information Technology Act, 2000, which classify health data as sensitive personal data or information.

GROUNDS FOR PROCESSING

Personal data may only be processed for a lawful purpose, either with the “consent” of the data principal or for certain “legitimate uses” prescribed under the DPDPA. Where consent is the basis of processing, the consent must be free, specific, informed, unconditional, and an unambiguous indication of the data principal’s wishes given through a clear affirmative action. Additionally, every request for consent must be accompanied by a notice describing the personal data sought to be collected, the purpose of processing it, the manner in which data principals may exercise their rights under the DPDPA, and the manner in which they may make complaints to the Data Protection Board of India (the “Board”, the authority proposed to be entrusted with the implementation and enforcement of the DPDPA).

Alternatively, the DPDPA provides that data fiduciaries may process personal data for certain legitimate uses, which include:

  • When the data principal has voluntarily provided their personal data to the data fiduciary for a specified purpose, and has not indicated that they do not consent to its use for that purpose.
  • For responding to medical emergencies.
  • In relation to providing medical treatment and health services during an epidemic, disease outbreak, or when there is a threat to public health.
  • In relation to providing any individual with assistance, or services or taking any measures to ensure their safety during any disaster or breakdown of public order.

We expect that businesses in the healthcare, pharmaceuticals, and life sciences space will largely be able to rely on the legitimate-use grounds for their business purposes. To illustrate, where a patient provides their personal data to a hospital in the course of seeking medical services, the hospital may treat that data as voluntarily provided for a specified purpose and rely on that ground rather than seeking separate consent. Similarly, hospitals providing medical assistance during emergencies, disasters, epidemics, or a breakdown of public order may rely on the corresponding grounds.

DATA PROCESSING OBLIGATIONS

The DPDPA imposes certain obligations on data fiduciaries, such as:

(a) Ensuring that its data processors comply with the law

(b) Implementing security measures to protect personal data

(c) Notifying affected data principals as well as the Board in the event of personal data breaches

(d) Establishing effective mechanisms for grievance redressal and enabling data principals to exercise their rights

(e) Erasing personal data as soon as the purpose for which it was collected is no longer being served, or when consent is withdrawn, unless retention is necessary for compliance with any law

Businesses in the health space will have to comply with each of these obligations.

INTERACTION WITH SECTORAL LAWS

As regards its consistency with other laws, the DPDPA provides that in the event of a conflict between the DPDPA and any other law, the provisions of the DPDPA will prevail to the extent of the conflict. The only exception appears to be conflicts concerning transfers of personal data outside India.

Under the DPDPA, transfers of personal data to countries outside India will be permitted except to countries placed on a “negative list” that the government intends to notify. However, the DPDPA expressly preserves any other law in force in India that provides a higher degree of protection for, or restriction on, the transfer of personal data by a data fiduciary outside India. Where such a law applies, its stricter requirement will prevail over the DPDPA.

The draft version of the revised Health Data Management Policy, applicable to entities in the Ayushman Bharat Digital Ecosystem, imposes a strict data localisation mandate and proposes that personal data must not be stored beyond the geographical boundaries of India. If this draft policy is brought into force, its localisation requirement will prevail over the DPDPA in respect of cross-border data transfers.

PRACTICAL GUIDANCE FOR BUSINESSES

Businesses in the health space can begin their DPDPA compliance by undertaking the following steps:

  • A data mapping exercise to identify the personal data collected and processed by the organisation.
  • Identifying sectoral data protection and cybersecurity obligations that may conflict with the DPDPA.
  • Characterising the organisation’s role (data fiduciary or data processor) for each processing activity. Characterisation as a data processor under the DPDPA notably reduces the compliance obligations that apply.
  • Identifying the appropriate legal basis (consent or a legitimate use) for processing each category of personal data.
  • Identifying cross-border data flows and preparing server maps.
  • Engaging data protection law firms to provide expert guidance and assistance in achieving compliance with healthcare law.

By following these steps, businesses in the healthcare sector can proactively address data privacy and protection concerns, minimise risks, and demonstrate a commitment to securing personal data in accordance with the DPDPA.

If you have any queries or would like to know more about the DPDPA, 2023, reach out to Spice Route Legal, recognised as the best data protection law firm in India. Email: contact@spiceroutelegal.com.