On August 11, 2023, India enacted the Digital Personal Data Protection Act, 2023 (“DPDPA”) into law. The DPDPA imposes various obligations on personal data processing entities to ensure that the process is lawful, fair, and transparent.
With the evolving digital landscape, data privacy laws have a significant impact on the healthcare sector. Such developments make it essential for the healthcare industry to adopt best practices to support a safer and patient-focused healthcare environment by boosting patient trust, ensuring data security, and facilitating responsible data exchange. In that context, this note closely examines the impact of the DPDPA on health data processing by businesses and the challenges they may face once the DPDPA is implemented.
The DPDPA is intended to regulate the processing of “personal data”. According to the legislation, personal data is any data about an individual who is identifiable by or in relation to such data.
However, businesses will not attract higher compliance obligations under the DPDPA merely because they collect and process health data. Currently, the laws applicable in India with regard to health data processing already subject health data processors to higher compliance obligations. These laws include the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, issued under the Information Technology Act, 2000.
Personal data may only be processed for a lawful purpose with the “consent” of the data principal, or for certain “legitimate uses” prescribed under the DPDPA. Where consent is the basis of processing, the consent sought must be free, specific, informed, unconditional, and an unambiguous indication of the data principal’s wishes signified through a clear affirmative action. Additionally, every request for consent must be accompanied by a notice describing the personal data sought to be collected, the purpose of processing such personal data, the manner in which data principals may exercise their rights under the DPDPA, and the manner in which they may make complaints to the Data Protection Board of India or the “Board” (the authority proposed to be entrusted with the implementation and enforcement of the DPDPA).
On the other hand, the DPDPA provides that data fiduciaries may process personal data for certain legitimate uses, which include:
We expect that businesses in the healthcare, pharmaceuticals, and life sciences space will largely be able to rely on the grounds of legitimate uses for their business purposes. To illustrate, a hospital may treat an individual’s provision of their data as “voluntary” when that individual seeks medical services. Similarly, hospitals providing medical assistance during emergencies, disasters, epidemics, or the breakdown of public order may also rely on this ground.
The DPDPA imposes certain obligations on data fiduciaries, such as:
(a) Ensuring that its data processors comply with the law
(b) Implementing security measures to protect personal data
(c) Notifying affected data principals as well as the Board in the event of personal data breaches
(d) Establishing effective mechanisms for grievance redressal and enabling data principals to exercise their rights
(e) Erasing personal data as soon as the purpose for which it was collected has been satisfied.
Businesses in the health space will have to comply with these obligations.
In terms of its consistency with other laws, the DPDPA provides that in the event of a conflict between the DPDPA and other laws, the provisions of the DPDPA will prevail to the extent of such conflict. However, laws concerning personal data transfers outside of India appear to be the only exception.
Under the DPDPA, transfers of personal data to countries outside India will be permitted except to countries on the “negative list”, which the government intends to notify. Nevertheless, where another law imposes on the data fiduciary a higher degree of protection or restriction on the transfer of personal data outside India, that other law shall prevail over the DPDPA.
The draft version of the revised Health Data Management Policy, applicable to entities in the Ayushman Bharat Digital Ecosystem, imposes a strict data localisation mandate and proposes that personal data must not be stored beyond the geographical boundaries of India. If this draft policy is enacted, it will prevail over the DPDPA in terms of cross-border data transfers.
Businesses in the health space can kickstart their compliance with the DPDPA by undertaking the following steps:
By following these steps, businesses in the healthcare sector can proactively address data privacy and protection concerns, minimise risks, and demonstrate a commitment to securing personal data in accordance with the DPDPA.
If you have any queries or would like to know more about the DPDPA, 2023, reach out to Spice Route Legal, recognised as the best data protection law firm in India. Email id: contact@spiceroutelegal.com.