The Indian healthcare sector is expected to grow into a USD 50 billion industry by 2025, driven by digital innovation in areas such as remote healthcare, medtech and artificial intelligence. However, the cyberattacks on AIIMS Delhi, a premier Indian healthcare institution, demonstrate the need for robust data privacy laws that protect health data while still encouraging innovation. This is the first of a two-part series on Indian health data protection laws and looks at the laws currently in force.
No single Indian law specifically regulates health data processing. The relevant laws include the Information Technology Act, 2000, and the rules and directions issued under it, notably the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the rules), and the cybersecurity directions issued by the Indian Computer Emergency Response Team (CERT-In), India's cybersecurity regulator. The rules do not differentiate between controllers and processors and apply to all body corporates, a term that covers companies, firms, sole proprietorships and other associations of individuals engaged in commercial or professional activities. Most healthcare providers, including hospitals, clinics and independent practitioners, are body corporates and must comply with the rules. The rules impose additional obligations on the processing of "sensitive personal data or information" (SPDI), which includes data on the health conditions of individuals and their medical records.
The sole ground for collecting SPDI under the rules is consent. The rules also impose obligations of transparency, purpose limitation and data minimisation, and they give individuals rights of access, correction, consent withdrawal and grievance redressal.
Laws governing clinical establishments (hospitals, clinics, nursing homes, dispensaries and other healthcare facilities) impose only limited data protection obligations on them. The Charter of Patient Rights and Responsibilities issued under the Clinical Establishments (Registration and Regulation) Act, 2010 (a central model law issued for adoption by states and union territories) gives individuals rights to confidentiality and privacy. Patients may access their medical records and must consent to their digitisation.
This website is owned and operated by Spice Route Legal, and is exclusively meant to be a source of information on the firm, its practice areas, and its members.