The regulation, protection, disclosure, and transfer of personal data in India is not governed by a robust, broad-gauge, and comprehensive law. The recently retracted Personal Data Protection Bill, 2019, was expected to change the law of the land in this respect; however, what awaits the data protection policy of India is a long haul.
The current legal framework pertaining to data privacy and protection is addressed by the Information Technology Act, 2000 (‘IT Act’), as amended by the Information Technology (Amendment) Act, 2008, read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. However, the IT Act fails to address concerns of data privacy specifically and focuses mainly on information security. Additionally, it does not provide any overarching rules for the protection, transfer, and disclosure of personal data, including data concerning health. In this respect, the proposed Digital Information Security in Healthcare Act 2018 (‘DISHA’) provides security, standardisation, privacy, and confidentiality standards for electronic health data. DISHA is considered to be the Indian counterpart of the U.S. law on the matter, the Health Insurance Portability and Accountability Act, 1996 (‘HIPAA’), and of the EU’s protection of health data under the General Data Protection Regulation (‘GDPR’). Even though DISHA appears promising enough, its deployment and enforcement have not yet been tested.
This article assesses whether DISHA sufficiently addresses concerns relating to the protection of data concerning health in India, and draws parallels with the GDPR to arrive at some facets that India can adopt. First, the definitions of data concerning health under the current Indian laws and under the GDPR are assessed. The article then deals with the processing of data and the obtaining of consent from the data subject, with a view to making the regulatory framework more robust.
Defining Data Concerning Health
The GDPR treats ‘data concerning health’ as personal data falling under the special categories of data, that is, data which requires stringent and special protection because of its sensitive nature (Article 9(1)). Apart from data concerning health, the special categories also include biometric data, genetic data, and data related to the sex life and sexual orientation of the data subject. The GDPR defines data concerning health in the broadest sense possible: it covers personal data related to the physical or mental health of a natural person, including the provision of healthcare services, which reveals information about that person’s health status (Article 4(15)), and it extends to information revealing a person’s past, current, and future physical or mental health. Therefore, an apt construction of the GDPR definition of data concerning health would be: any collected personal data, as soon as it is used to gain information regarding the health status of the data subject.
Furthermore, a closer examination of the GDPR’s recitals reveals that health-related data is not only derived from medical sources but may also have independent origins. The term applies to all information on a person’s health, regardless of the type of source (medical or non-medical). A further consequence of this expansive interpretation is that data which is not health data per se falls under the definition as soon as it is used to identify ‘disease risk’ (this may include information about genetic disposition, alcohol consumption, drug use, blood pressure levels, obesity levels, etc.). Hence, under the EU regulation what matters is whether the data is used to gain information about the health of an individual; whether the data itself is directly related to health is inconsequential.
DISHA, on the face of it, only attempts to regulate digital health data (DHD) (Section 3(1)(e)), as opposed to data concerning health, which under the GDPR includes a wide range of data independent of its source and nature. DHD is defined to include electronic records of health-related information concerning the individual, derived from testing or relating to the clinical establishment accessed. Associated personally identifiable information (PII) (Section 3(1)(k)) is also regulated under DISHA. PII is defined as any information that can uniquely identify an individual. Schedule 1 of the Bill contains a list of PII, which includes name, address, financial information, medical records, information regarding physical, physiological and mental condition, sexual orientation, etc. Additionally, DISHA draws a distinction between DHD and sensitive health-related information, which is separately defined as information that, if lost, disclosed or compromised, could result in substantial harm to one’s physical or mental health condition, etc. (Section 3(1)(o)). The distinction drawn between these categories of data is vague and can invite confusion. Moreover, the Bill does not give health data a broad scope, and hence limits it to data obtained digitally, along with associated PII. By contrast, the GDPR places such data under a special category and accords it heightened protection. Ideally, a data protection law that attempts to protect health data should have a broad scope, covering not only data directly related to the health of the individual but also data indicating prospective health risks.
Processing Data and Obtaining Consent
Article 6 of the GDPR states that personal data can be processed where the data subject has given consent, or where processing is necessary for the performance of a contract. Processing is also permitted when required to comply with a legal obligation, or when necessary to protect the vital interests of the data subject or any other natural person. Beyond these grounds, processing is only allowed for the pursuit of legitimate interests by the controller or a third party. However, the special categories of personal data (Article 9), which include genetic data, biometric data and data concerning health, require the ‘explicit consent’ of the data subject, and their processing should be justified by reasons of public interest. Legal interpretation and judicial clarifications have revealed that explicit consent, as opposed to unambiguous consent, requires a robust, affirmative expression of the data subject’s agreement, obtained clearly and expressly.
DISHA, in Chapter IV, clarifies that the owner shall have the right to privacy, security and confidentiality of their DHD, which may be collected and stored by a clinical establishment or entity (Section 28). The owner shall also have the right to refuse consent altogether. The Bill further provides that data can only be used for such purposes as the owner has consented to, and for nothing beyond the provisions of the Bill. Although DISHA requires that consent be obtained at each stage of data processing, that is, from collection to storage and transmission, it still falls short of vigorous protection. The GDPR differs from DISHA in this respect and yields a greater level of protection, since it requires ‘explicit consent’. DISHA is silent on the matter, and one can only expect that the consent obtained under this Bill is informed at best. Compliance with an explicit-consent requirement would, however, also demand stringent security solutions and protocols. Since DISHA caters to digitally obtained data, it is important to note that such data is vulnerable to security failures and breaches; hence, the requirement to place consent, primarily informed and explicit in nature, on a higher pedestal is essential.
A closer look at the DISHA Bill also reveals that protection is provided only against clinical establishments and entities, which are defined under Section 3(1)(f) and include any individual, company, government department, firm, corporation, etc. The GDPR, on the other hand, provides protection against any controller or third party. The limited protection rendered in the DISHA Bill is not all-encompassing and excludes a range of third-party controllers, such as mobile health (M-health) service apps and wearables, from its ambit. This exclusion is particularly dangerous, since M-health service providers often collect sensitive data such as blood sugar levels, Body Mass Index (BMI), etc., which is then used to serve targeted advertisements for a specific company or product. The only protection that DISHA grants in this regard is Section 29(5), which forbids the use of and access to anonymised data for any commercial purpose. Additionally, Article 17 of the GDPR incorporates the essential ‘Right to be Forgotten’ or ‘Right to Erasure’, which dovetails with the right of access guaranteed under Article 15 of the GDPR. This right ensures that the data subject has the autonomy to request the take-down and deletion of their personal data where, for instance, the data is no longer necessary for the purpose of its storage or consent has been withdrawn. Such a right exists only under specific circumstances and cannot be exercised as an absolute right. Regardless, the 2014 judgement of the EU Court of Justice sufficiently outlines the importance of such a right for the data subject and ensures its comprehensive subsumption in the EU regulations. The present Indian regulations do not cater to the Right to be Forgotten or Erasure; it is only considered to be a part of the Right to Privacy.
While the DISHA Bill awaits enactment and implementation, it is encouraging to observe that such an initiative in the direction of privacy and data protection has been taken to match the global standards of robust data protection. However, the interplay of DISHA with the expected data protection Bill, which is likely to be more comprehensive and contemporary, awaits scrutiny. The DISHA Bill, on its own, falters in defining health data in a broad sense and in offering protection against a large pool of parties. The legislation also needs to be more stringent in terms of obtaining consent, in order to ensure that there are no leakages. While the current law with regard to the protection of health or personal data is insufficient to meet global standards, DISHA brings out special provisions with uncompromising compliance responsibilities and penalties. A more promising legislation for health data protection can be shaped if the provisions of the GDPR are selectively incorporated in the DISHA Bill or the upcoming data protection Bill. An expansive definition of data concerning health, together with a clear understanding of explicit consent and the procedure for obtaining it, are substantial suggestions that can be assimilated. Moreover, the expected data protection Bill must necessarily include provisions giving effect to the Right to be Forgotten, in order for the interplay of the DISHA Bill and the said expected law to be more successful.
The Author is a student at the Army Institute of Law, Mohali.