Data protection and management

Definition of ‘health data’

What constitutes ‘health data’? Is there a definition of ‘anonymised’ health data?

As per the National Digital Health Mission, health data can be classified into the following categories:

• personal health data – data related to an individual containing detailed information of various health conditions and treatments. It includes any data with personally identifiable information of various stakeholders, such as healthcare professionals; and

• non-personal health data – includes aggregated health data, such as the number of dengue cases, and anonymised health data from which all personally identifiable information has been removed. This also includes information about health facilities, drugs and so on that does not involve personally identifiable information.


Further, ‘health data’ under section 3(21) of the Personal Data Protection Bill 2019 (PDP) is the ‘data related to the state of physical or mental health of the data principal and includes records regarding the past, present or future state of the health of such data principal, data collected in the course of registration for, or provision of health services, data associating the data principal to the provision of specific health services’. Further, under section 3(36) of PDP 2019, ‘sensitive personal data’ means personal data that may reveal, be related to or constitute health data, among others. However, the Bill is still under debate in parliament and is yet to be enacted. Furthermore, under section 3(e) of the Digital Information Security in Healthcare Act (DISHA), digital health data is defined as ‘an electronic record of health-related information about an individual’.

The present law is silent on anonymised data. However, section 3(2) of PDP 2019 defines ‘anonymisation’ in relation to personal data as ‘such irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, which meets the standard of irreversibility specified by the Authority’. Further, the draft Health Data Management Policy, released by the government in August 2020, defines ‘anonymisation’ in relation to personal data, which ‘means such irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified through any means reasonably likely to be used to identify such data principal’. Further, as per the policy, sensitive personal data includes physical, physiological and mental health data and would include information relating to various health conditions and treatments of the data principal, such as electronic health records (EHR), electronic medical records and personal health records.

Data protection law

What legal protection is afforded to health data in your jurisdiction? Is the level of protection greater than that afforded to other personal data?

India does not have in force any specific data protection law like the USA’s Health Insurance Portability and Accountability Act to develop regulations protecting the privacy and security of certain health information.

There are two draft legislations in this regard:

  • the PDP; and
  • DISHA by the Health Ministry, which specifically governs the sharing of healthcare data.


Further, the government has also released a draft Health Data Management Policy, which aims to protect citizens’ health data.

Currently, a patient’s personal information, which includes health information, is treated as sensitive personal data or information (SPDI) under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, and is accorded higher protection than personal data. In this regard, it is imperative to note that in a recent judgment in April 2020 by the Kerala High Court, the court observed that there is a need ‘to ensure that there is no “data epidemic” after the covid-19 epidemic is controlled’.

Rule 3 of the Rules defines ‘SPDI’ as personal information that consists of information relating to:

  • password;

  • financial information such as bank account, credit or debit card or other payment instrument details;

  • physical, physiological and mental health conditions;

  • sexual orientation;

  • medical records and history;

  • biometric information;

  • any detail relating to the above clauses as provided to body corporate for providing service; and

  • any of the information received under the above clauses by a body corporate for processing, stored or processed under lawful contract or otherwise, provided that any information that is freely available or accessible in the public domain or furnished under the Right to Information Act 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.


Data privacy issues when dealing with SPDI can arise and service providers need to ensure that the requirements of a body corporate are complied with as per the SPDI Rules. When a body corporate collects, stores, transfers or processes SPDI, certain requirements under the Rules are mandated to be met regarding the collection, storing and transferring of SPDI. Consent, through letter, fax or email, is mandatory for the collection of SPDI. Further, the patient must be informed about the fact that SPDI is being collected, what it will be used for, the recipients of the data, and whether it will be transferred to any third parties, along with the contact details of the agency collecting the information. Further, the service provider is required to have a privacy policy in place. Service providers must ensure proper planning and systems are in place for data security and management. If SPDI is planned to be disclosed to a third party, prior permission of the owner of the SPDI is to be obtained. In cases where SPDI is being transferred, the body corporate transferring SPDI must ensure that the receiver of SPDI has adequate security practices in place in addition to obtaining the consent of the provider of the information for the transfer. Further, SPDI cannot be published. The Rules also mandate the implementation of reasonable security practices and procedures in order to keep SPDI secure and for the appointment of a grievance officer, whose contact details are to be published on the website. Apart from these, there are also other requirements such as allowing users to remove or amend their SPDI. However, body corporates that are collecting, storing, processing or transferring information out of a contractual obligation are not required to observe some of the requirements of the Rules, such as obtaining consent from the owner of SPDI for collecting or disclosing SPDI. The other requirements, though, must still be observed.

Anonymised health data

Is anonymised health data subject to specific regulations or guidelines?

There is no specific regulation or guideline presently for anonymised health data. However, DISHA contains some requirements in relation to anonymised health data, such as the bar on commercial use.

Enforcement

How are the data protection laws in your jurisdiction enforced in relation to health data? Have there been any notable regulatory or private enforcement actions in relation to digital healthcare technologies?

India does not have dedicated data protection laws; however, certain provisions of the Information Technology Act 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 deal with the protection of personal information and sensitive personal data, which includes health data. Offences under the IT Act entail both imprisonment and fines. Further, any negligent disclosure of personal information may result in a claim for compensation. However, if the disclosure is coupled with criminal intent, it may result in imprisonment for a term of up to three years, a fine of up to 500,000 rupees, or both.

Very recently, the Kerala High Court, in its interim order in Balu Gopalakrishnan v State of Kerala (Kerala High Court, WP (C) Temp No. 84 (2020), 24 April 2020), issued measures for protecting the data of covid-positive patients in the state of Kerala. These include a duty on the state government to anonymise the data before sharing it with a third party, in this case a US company. In future, all data relayed to the third party must be relayed with the express consent of the individual. Further, once the data has been processed as per the contract, the third party must return it to the state government. Lastly, the US company was injuncted from disclosing to any third party that it was in possession of any data relating to covid-19 patients, and was prohibited from commercially exploiting the name and logo of the state of Kerala.

Cybersecurity

What cybersecurity laws and best practices are relevant for digital health offerings?

The IT Act 2000, Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 and Information Technology (Intermediaries Guidelines) Rules 2011 are the relevant cybersecurity laws for digital health offerings. As per the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, any entity possessing SPDI is required to comply with the international standard IS/ISO/IEC 27001 on ‘Information Technology – Security Techniques – Information Security Management System – Requirements’ or such other comparable standards as per their documented information security programme and information security policies as approved and notified by the central government.

Best practices and practical tips

What best practices and practical tips would you recommend to effectively manage the ownership, use and sharing of users’ raw and anonymised data, as well as the output of digital health solutions?

Some methods to effectively manage health data are: employing encryption for stored data; using strong passwords; ensuring that data is shared only with the relevant people within the organisation; timely review of firewall settings; securing all devices that can access an individual’s personal data; and performing due diligence when sharing information with third-party vendors. The Ministry of Health and Family Welfare (MoHFW) also notified the Electronic Health Record (EHR) Standards 2016 with the objective of introducing a uniform standards-based system for the creation and maintenance of EHRs and their adoption by healthcare providers in their IT systems. A few of the recommended standards are ISO/TS 22220:2011 Health Informatics – Identification of Subjects of Health Care, for storing the basic identity of patients; ISO 13940 Health Informatics – System of Concepts to Support Continuity of Care; Digital Imaging and Communications in Medicine (DICOM) PS3.0-2015 for image, waveform, audio and video files; and ISO/IEC 14496 – Coding of Audio-Visual Objects, as the format for audio or video capture.

Law stated date

Correct on

Give the date on which the above content is accurate.

18 November 2020.