By Supratim Chakraborty, Associate Partner
& Arindam Bhattacharjee, Associate, Khaitan & Co
We are living in a time when there is heightened attention on privacy and data protection. In this advanced digital age, several countries around the globe, including India, have realized that their laws have lagged far behind technological developments. There is hardly any regulatory control over data collection or processing from a privacy and data protection perspective. The result is that “consent” has been made the “king” by businesses. Under the garb of omnibus and vaguely worded consents, data subjects are made to compromise their data, which at times is extremely sensitive in nature.
With the right to privacy now recognised as a fundamental right, and several instances of breach and misuse of medical data becoming “breaking news” in the media, the Ministry of Health and Family Welfare (MoHFW) has decided to roll out a draft legislation called the Digital Information Security in Healthcare Act (DISHA). MoHFW proposes to constitute a nodal body called the “National Digital Health Authority” to promote and adopt electronic health (e-health) standards, enforce privacy and security safeguards for e-health data and regulate the storage and exchange of e-health records.
WHAT IS NEW FOR THE DATA SUBJECTS
Enhanced protection of digital health data
DISHA aims to protect the storage, use and transfer of digital health data and provides for e-health data privacy, confidentiality, security and standardization. The legislation ensures protection of the digital health data of a data owner at every step, including at the time of generation, collection, storage and transmission of such e-health data.
Akin to what was highlighted in the white paper on the proposed data protection framework for India drafted by the committee of experts headed by former Supreme Court Justice B N Srikrishna (White Paper), DISHA accords great importance to the “informed consent” of individuals and emphasizes obtaining explicit consent before transfer and use of digital health data.
Right of refusal
DISHA further mandates that even if individuals refuse to consent to generation, collection, storage, transmission and disclosure of their electronic health data, they will be entitled to receive health services.
Restriction on commercial usage of digital health data
DISHA prohibits commercial usage of digital health data under any circumstance and defines the term “commercial purpose” widely to give enormous control to individuals over their health data. However, a limited exception has been created for insurance companies, which are allowed to access such data only for the purpose of processing insurance claims after obtaining due approval from the data owners.
Data breach notification
Another noteworthy provision incorporated in the draft legislation relates to the obligation of clinical establishments and health information exchanges to provide notice of a breach of digital health data to the individual concerned within 3 working days.
Right to withdraw consent
DISHA gives an individual the right to withdraw consent for the storage and transmission of his digital health data at any point of time.
Right of rectification
Individuals have been given the right to get their health data rectified within 3 working days of making an application for such rectification.
Significant penalties for non-compliance
Significant penalties, damages and provisions for imprisonment (some of which can extend up to 5 years) have been prescribed for offences such as failure to furnish information or returns, failure to observe rules and directions, illegally obtaining the digital health information of another person, and data theft.
DISHA – A MOVE IN THE RIGHT DIRECTION?
Indian laws in relation to data privacy and protection are quite patchy today, even in a critical sphere such as healthcare. Apart from legislation like the Information Technology Act 2000 (and the rules framed thereunder) and certain sectoral guidelines, no focussed regulatory protection has been afforded to medical health data. This lack of legislative protection has become all the more apparent with the recent instances of medical data leaks. DISHA provides hope of ensuring the safety, privacy and protection of health-related digital information. It adopts global principles of privacy and data protection like data minimisation and rectification rights, and puts an obligation on the bodies collecting health data to inform individuals about the purpose of collection of the data. This is especially significant in a country like India where the literacy rate is low and data owners are rarely aware of their rights. It is also worth noting that DISHA makes no distinction between government and private bodies, thus making its scope uniform as far as applicability is concerned.
We hope that effective implementation of the provisions of DISHA will help in securing the significant amount of digital health data that gets generated every day. Of course, the draft of DISHA requires a re-look at several parts, and it also requires tightening of the overall construct. It appears from the construct of the legislation that important portions of the law would also be rolled out through further rules. Once such modifications are effectuated and the rules are promulgated, it will be interesting to see how the legislation changes the privacy landscape in the sphere of digital health data.