Currently, the data protection law in India is facing many issues due to the absence of proper legislative framework. The theft and sale of stolen data is happening across vast continents, where physical boundaries pose no restriction in today’s technologically advanced era. India, being the largest host of outsourced data processing in the world, could become the hotbed of cyber crimes; mainly owing to the lack of appropriate legislation. (1)
To facilitate promotion/adoption of e-Health standards along with entailing privacy and security measures for electronic health data, regulation of storage, and exchange of electronic health records (EHRs); the Ministry of Health and Family Welfare, Govt. of India, is planning to enforce a ‘Digital Information Security in Healthcare Act’ (DISHA). The purpose of this act is to ensure electronic health data privacy, confidentiality, security and standardization, and to provide for establishment of ‘National Digital Health Authority’, Health Information Exchanges, and related matters. (2)
The Centre has presented the draft of DISHA to ensure protection of health data that makes any breach punishable by up to five years imprisonment and a fine of Rs 5-lakh. This draft further states that any health data including physical, physiological and mental health condition, sexual orientation, medical records and history and biometric information are the property of the person who it pertains to. (2) This law will form the foundation for creating digital health records in India, as it will enable the digital sharing of personal health records with hospitals and clinics, and between hospitals and clinics. Reports also suggest that the National Health Policy approves the conception of a National Health Information Network, for sharing of Aadhaar linked Electronic Health Records. (3)
What DISHA is all about? (2,3)
As per the draft, the owners have the right to privacy, confidentiality, and security of their digital health data and the right to give or refuse consent for generation and collection of such data. Additionally, the owner of the data shall hold the rights to – i) give/refuse/withdraw consent for using this data, ii) data collection, iii) transparency, iv) rectification, v) sharing, vi) not to be refused health service if they refuse to give the consent for data use, and vii) protection.
The required health data can be obtained by consent from the owner, thus informing him on the purpose of collection, identity of the recipients to whom the health data may be transmitted or disclosed, identity of the recipients who may have access to the data on a “need to know” basis. Also, proxy consent may be taken from a nominated representative, relative, care giver or such other person in case if an individual is incapacitated or incompetent to provide consent.
All digital health data will be held by the clinical establishment or health information exchange on behalf of National Electronic Health Authority. The Act also lists down factors affecting data transmission as to who can transmit, how they can transmit and monitoring of data transmission. The Act further lists down the guidelines on accessing this data, with regards to who can access, how they can access, and purpose of data access by various entities. Moreover, the act also puts forth the implications of any breaches of digital data and the resulting penalties. A serious breach of this data is said to have occurred when the breach is intentional or repeated or its security not ensured as per the standards in the Act or if it is used for commercial gains.(4)
Patient data protection laws in other countries!
As India gears up to launch such data protection law, it may be enlightening to look at what other countries have enacted. In this context, the United States, China and the European Union have all taken drastically different directions. As stated earlier, data privacy involves getting consent from individuals before collecting their information, being transparent about why and how the information will be used, and deleting the information when it is no longer needed or when consent is withdrawn. Data protection involves taking adequate steps to protect data from accidental or malevolent leak. (5)
The US is generally considered to have strong data privacy and protection laws (except one case in early 2017), although entangled in regulations and federal and state laws. Disclosure of health data is highly regulated at the federal level. Also, breach notification laws were pioneered in the US. The threat of legal action lawsuits compels companies to take measures to protect data and privacy. China also has multiple laws and regulations for data protection; wherein individual protections, such as requiring consent, protection of sensitive information, and limitation on use of data are provided. The latest Cybersecurity Law that rolled out on May 1, 2017 forbids people in China from using information networks to violate the privacy of others, using illegal methods to obtain personal data, and using their positions to acquire, leak, sell or share the same. In the European Union (EU), a new General Data Protection Regulation (GDPR) will be enforced starting 25th May 2018, which is expected to have a significant impact beyond the EU, because it applies to any organization that collects or processes data in the EU or from residents of the EU.5 After EU, Japan has also introduced a separate central legislation as the Act on the Protection of Personal Information (APPI) with an aim of data protection. The Act took partial effect in 2016 and has been enforceable from 30th May, 2017. Alike the EU regulation, consent of a data subject forms the essence of this legislation and has been stated as mandatory in case of transmitting data to a third party or for any use beyond communication purposes. (6)
Amidst issues of data revelations and disclosure of personal information, India is in need of a formal legislation to uphold individual informational privacy and data protection. Internet and privacy rights supporters have demanded for such a law since long time, and the government has finally started taking steps towards this. DISHA is a result of these countless debates over data privacy issues and also, the need of the hour, i.e. protection of patient health data. India, as a country, lags behind the world leaders when it comes to data protection. Therefore, we feel, DISHA (which is inviting public comments till 21st April) will lay the groundwork for many health exchanges while ensuring privacy and confidentiality of patient data. All we have to do now is wait and watch!
- Khan MN. Does India have a Data Protection Law? Legal Service India.
- Government of India- Ministry of Health and Family Welfare (eHealth Section). Comments on Draft Digital Information Security in Health Care Act.(DISHA).. March 21st, 2018.
- Pahwa N. Summary: Digital Information Security in Healthcare Act (DISHA) to enable electronic health records. March 29th, 2018.
- Ghosh A. In draft digital health security law, 5-year jail term, Rs 5 lakh fine for data breach. March 27th, 2018.
- Kambampati S. What India’s data protection committee can learn from US, EU and China. October 3rd, 2017.
- Awasthi S. Data privacy: Where is India when it comes to legislation? August 24th, 2017.