[Column]: The Becoming Health Data Legal Regime in India

Bar & Bench, September 22, 2018

Shruti Vats

Introduction

Digitalization has built, and continues to build, a parallel virtual world; what is only now catching up is its regulation. As rightly remarked in the Srikrishna Committee’s Report on data privacy, freedom and fairness are the cornerstone of our constitutional framework, the raison d’être of our struggle for independence.

Today, the formula of freedom and fairness remains the same, but the equation of the struggle for independence has changed: the struggle is now between the data principal (the owner of the data) and data fiduciaries (the entities with whom the data is shared), and the independence sought takes the form of a free and fair digital economy.

With the submission of the draft Personal Data Protection Bill, 2018 (hereinafter referred to as the “Bill”) to the Ministry of Electronics and Information Technology on 27th July 2018, the time has come to up the ante in legislating for the most susceptible category of data, i.e. health data.

Scattered across a number of locations (hospitals, nursing homes, clinics, dispensaries, etc.), information of this nature can result in substantial harm, inconvenience and unfairness when handled negligently or simply without any concern for its confidentiality. Besides this, the transformative potential of the digital economy in the area of medical research has been specifically noted in the report.

Interestingly, as a precursor to the said report and Bill, the Ministry of Health and Family Welfare (e-Health Section) had, on 21st March 2018, placed the draft Digital Information Security in Healthcare Act, abbreviated as DISHA, in the public domain soliciting comments, earmarking it for the protection of digital health data in India. Further action was reportedly stalled in anticipation of the Srikrishna Committee’s Report on data privacy. With as many as 112 sections and 2 schedules, the Bill is undoubtedly a more extended and detailed piece of legislation for health data than DISHA, which has 55 sections and 1 schedule.

Applicability

DISHA was drafted with the aim of regulating and standardizing the processes related to the collection, storage, transmission and use of digital health data, as undertaken by clinical establishments or ‘other entities’ (further defined in the draft). To ensure the reliability, privacy, confidentiality and security of such data, the draft also provides for the establishment of National and State eHealth Authorities (NeHA and SeHA) and of Health Information Exchanges.

The Bill, on the other hand, applies to the processing of personal data (not anonymised) by the State, an Indian citizen or company, or any person or body of persons incorporated or created under Indian law. The three ‘P’s (processing, personal data and person) are important for understanding the new Bill.

Processing of data refers to a set of operations performed on personal data; the Bill provides a long, inclusive list of such operations, including collection, recording, structuring, retrieval and disclosure, among others.

Personal data is data that helps in directly or indirectly identifying a natural person through any trait, attribute or other feature, or a combination of such factors.

Person has been given a wide definition which, along with the category of an individual, inter alia also includes a residuary category covering every artificial juridical person not specifically provided for in the definition.

Thus, the Bill applies to all who deal in personal data (not anonymised), subject to certain exemptions under Chapter IX. The Bill also provides for the establishment of a Data Protection Authority of India. The Authority is required to act as per the provisions of the Bill and in consultation with any other regulator or authority established under another law of Parliament or a State legislature, in this case NeHA and SeHA, which would be established under DISHA. A similar duty of collaborating with existing institutions has been placed on NeHA.

Naturally, the Bill also applies to entities like clinical establishments and others dealing in digital health data. The contents of the draft of DISHA are largely covered within the almost plenary legislation prepared by the Committee. This article seeks to throw light on the additional obligations under the Bill for e-pharmacies and other clinical establishments that are already covered by DISHA.

Health data as under the legislations

The definitions of ‘Digital Health Data’ under DISHA and of ‘Health data’ under the Bill are of similar scope and include information about physical or mental health (past, present or future under the Bill), the details of clinical establishments, and specific health services availed by a person (referred to as the ‘data principal’ under the Bill and the ‘owner’ under DISHA).

DISHA, additionally, lists the details of any body-organ or bodily substance donations as part of ‘digital health data’, as such details might not form part of health services provided to or availed by a person but might still be confidential.

Under the Bill, health data has been classified as ‘Sensitive Personal Data’ and, by virtue of such classification, is subject to explicit consent (which must be informed, clear and specific) and to enhanced penalty and punishment. While the Bill lays down provisions for the processing of data for reasonable purposes and for purposes related to employment, these grounds have been deliberately omitted in the case of sensitive personal data, which includes health data. Such omission is in line with the complete bar on the use of health data for commercial purposes under DISHA.

A possible source of conflict arises from the fact that DISHA further delineates health data into ‘Sensitive health-related information’. If separate standards in terms of purposes of data collection, codes of practice, penalties and punishments are provided within that legislation, practical difficulties in implementation can result, which might effectively render the classification under DISHA ineffective.

Common features of the draft legislations

Electronic data - The most important thing to note is that DISHA applies only to electronic records of health-related information about an individual, while the Bill applies even to the manual processing of personal data. Therefore, while those who process health data manually may not be subject to DISHA, they will be subject to the mandate of the Bill, if enacted.

Application of drafts to anonymised data - While the Bill has no application to anonymised data, DISHA takes account of even anonymised digital health data. The other side of the coin, however, is the non-application of DISHA to health data that is not digitalized. Such data would be governed by the new Bill, subject to the exemption under which manual processing by small entities is exempted from certain provisions.

Purposes for processing - Both legislations provide that data must be processed only on a ‘need to know basis’, i.e. for purposes that are clear, specific and lawful. The purposes for which data can be processed have been listed in both drafts. Under the Bill, data must also be processed in a fair and reasonable manner. Both drafts provide for the obligation that only as much processing of data must be undertaken as is necessary for the purpose.

Rights and duties - Both legislations intend to bring about data privacy, security and confidentiality through the enforcement of the rights of owners of digital data and the duties/obligations of processors of data. While the Bill lays down a two-sided structure of both rights and duties, DISHA is comparatively thin on the duties to be exacted from processors of data. Rights common to both drafts are:

1. Right to privacy, confidentiality and security of data
2. Right to give, withdraw or refuse consent
3. Right to access the data
4. Right to know the processors of data having access to their data, or those who may have access
5. Right to rectify data
6. Right to require permission before each transmission of data
7. Right not to be refused services when consent is refused in related matters

Notice before processing the data - Both drafts make it mandatory for processors of data to serve a notice on the data owner specifying details like the purpose of collection, the rights of the owner and the identity of the recipients who may have access to the data.

Categorisation in relation to sensitive data - The Bill provides extensively for the category of ‘sensitive personal data’, including a heightened requirement of explicit consent from the data owner. DISHA, on the other hand, though it provides for a distinction of sensitive data (on different grounds), fails to deliver separate provisions for its specific governance.

Standards for privacy, confidentiality and security of data - Both drafts focus on embedding the requirements of privacy, confidentiality and security of data in the functioning of processors of data. The Bill accordingly provides for transparency and accountability measures (‘privacy by design’, transparency provisions, etc.), while DISHA gives NeHA the power to formulate operational guidelines, standards, protocols and data security measures for all stages of processing.

Record-keeping - Both drafts require processors to keep a record of all activities undertaken in relation to the data. The Bill requires the data fiduciary to maintain accurate and up-to-date records of important operations in the data lifecycle, including the periodic reviews and assessments undertaken as per its provisions, while the draft of DISHA requires processors to keep registers of authorized transactions.

Cross-border transfers - Cross-border transfer of data under DISHA is to be governed by a protocol to be laid down by NeHA. Under the Bill, certain restrictions have been clearly provided for cross-border transfers of sensitive personal data. Additionally, the Bill empowers the Central Government to categorise certain data as critical (to be processed only in a server or data centre located in India) and also to prescribe certain transfers as permissible.

Distinguishing features of the draft legislations

DISHA, 2018

- Ownership - The draft clearly provides that ownership of the data continues to vest in the person to whom it relates, and that the data processor only holds the information in trust. Additionally, the draft states that processors of data hold such health data on behalf of NeHA, and it is thus to be handled accordingly.

- Provisions in case of death of data owner - The draft contains provisions empowering the legal representatives and heirs in the event of the death of the person whose data was subject to the draft. Additionally, the draft lays down that the data of a deceased person can only be used in anonymised form.

- Rights of minors - Under the draft, a minor’s legal guardian or representative can, in her best interest, give proxy consent in relation to her data. The draft also gives the minor the right, on attaining majority, to withdraw or modify such consent for further processing.

- Enforcement - The draft distinguishes between ordinary breaches and serious breaches of data. While complaints of an ordinary breach of data may be made to the State Adjudicating Authority, from which appeals lie to the Central Adjudicating Authority, a serious breach of data is an offence of which the court may take cognizance.

Personal Data Protection Bill, 2018

- Incidental purposes - Data must be processed only for purposes that are clear, specific and lawful. The purposes for which data can be processed have been listed in the Bill. In addition to these, the Bill also lends legality to the incidental purposes that processors of data may be required to undertake.

- Detailed notice to data owner - The new Bill, in addition to basic details (rights, purposes and contact details), lays down further categories to be provided in the notice to the data owner, such as the categories of personal data being processed, the basis for such processing, cross-border transfer details, the period for which the information will be retained, grievance redressal mechanisms, ratings on the basis of data trust score, etc. On request from the owner, the processor must provide a brief summary, in easy and comprehensible language, laying down important details about his/her data.

- Additional major rights and duties - While the draft clearly provides that it is the duty of the processor of data to process data in a fair and reasonable manner, certain other rights have also been conspicuously introduced: the right to confirmation, the right to be forgotten and the right to file a complaint with the adjudication wing established by the Authority.

- Data storage limitation - The data so collected must not be kept beyond the time period indicated in the notice. The data processor must thereafter delete the data.

- Burden of proof - The draft places the burden of proof, both as to the fulfilment of obligations under the draft and as to the fact that consent has been given by the owner, upon the data processor.

- Classifications - The draft makes further classifications in terms of guardian data fiduciaries (processors of data who process large volumes of children’s data or operate commercial website services directed at children), significant data fiduciaries (based on volume of data, turnover, etc.) and critical data (for the purpose of invalidating transfer of data outside India).

- Data portability and rectification procedure - The draft makes provision for moving data from one data processor to another with the consent of the owner. In case any changes are to be made to the data supplied, the draft provides for such amendments not only in the records of the processor of data but also in the records of any other entity with which the data might have been shared.

- Review, data assessments and data audits - The draft raises the standard of responsibility for significant processors of data by requiring them to perform periodic reviews, impact assessments and data audits.

- Enforcement - The Bill provides for the appointment of an Adjudicating Officer who can impose a penalty for violation of the provisions of the Act. Appeals against the order of the Adjudicating Officer lie to the Appellate Authority. A further appeal may be made to the Supreme Court of India.

Conclusion

Though the subject matter of the two legislations overlaps, the imminent need for a special law regulating health data cannot be denied. As discussed, health data, being highly personal in nature, is more susceptible to breaches and thus requires a health-data-centric legislation such as DISHA.

DISHA has been a novel step in the direction of health data protection in the Indian scenario, but this novelty lacks royalty in its present form: the royalty of being plenary and commensurately effective in line with its purpose. The answer lies neither in scrapping DISHA nor in the conceited belief in the effectiveness, over health data, of the Personal Data Protection Bill, 2018, which is yet to become law.

The need of the hour is to bring the Act onto the same pedestal as the new personal data protection Bill, so as to ensure clear application and smooth co-ordination between the two legislations, and to further couch health data in a legislation measuring up to the imminent threat posed by the unbridled and transformative potential of the digital economy.

Shruti is a 2018 law graduate and an ADR enthusiast. She is currently practising at an AOR's office.