On November 18, 2022, the Ministry of Electronics and Information Technology (MeitY) released the draft of the Digital Personal Data Protection Bill, 2022 (DPDP Bill 2022), inviting suggestions and comments from relevant stakeholders. In its fourth iteration since 2017, the DPDP Bill 2022 attempts a better ‘comprehensive legal framework’. Previous versions of the proposed general data protection legislation drew heavily upon the European Union’s General Data Protection Regulation (GDPR) and were dense, voluminous documents. The present Bill draws inspiration from Singapore’s Personal Data Protection Act, 2012, and is a condensed and concise document. The new bill is considerably simpler than the previous one: it runs to only 24 pages as compared to 70, and contains 30 guidelines as compared to 90 in the previous draft bill.
Let’s first understand the status of privacy in the Indian context. Part III of the Indian Constitution guarantees many fundamental rights, such as the Right to Life and Personal Liberty, the Right to Equality, and Freedom of Speech and Expression. Fundamental rights provide a high degree of protection from encroachment, but a fundamental right to privacy was not guaranteed under the Constitution of India until 2017. Before 2017, in cases such as M. P. Sharma v. Satish Chandra and Kharak Singh v. State of Uttar Pradesh, privacy was not recognized as a fundamental right. In Justice K. S. Puttaswamy v. Union of India, a nine-judge Bench unanimously reaffirmed the right to privacy as a fundamental right under the Constitution of India. As per the instruction of the Supreme Court of India, an expert committee headed by Justice B. N. Srikrishna was constituted to examine various issues related to data protection in India. The Committee submitted its report and a draft Personal Data Protection Bill, 2018 to the Ministry of Electronics and Information Technology.
Provisions related to Protected Health Information (PHI) are governed by the Information Technology Act, 2000, together with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Patient data, including health information, is treated as sensitive personal data or information, and the IT Act offers some degree of protection for the collection, disclosure, and transfer of such data. Long before the DPDP Bill 2022, the Government had also introduced the Digital Information Security in Healthcare Act (DISHA), India’s counterpart of the Health Insurance Portability and Accountability Act (HIPAA), aimed at providing healthcare data privacy, security, confidentiality, and standardization, and at establishing the National Electronic Health Authority (NeHA) and Health Information Exchanges. While the purpose of this act is to encourage the pan-India adoption of e-health standards, DISHA has not yet come into force.
The Digital Personal Data Protection Bill 2022 operates on a triad: Data Principal, Data Fiduciary, and Grievance Resolver. Unlike the GDPR, the bill boldly defines “harm”, “loss”, and “public interest” in short lists. For the first time in India’s legislative history, the bill uses “her” and “she” for an individual irrespective of gender, a welcome populist and inclusive move. The Bill mandates obtaining consent for processing only after providing notice in clear and plain language, “describing” the type of personal data sought to be collected and giving an ‘itemized’ list of the purposes of the processing. The DPDP Bill 2022 allows the transfer of personal data outside India to countries notified by the Indian government.
The provisions for penalties in the DPDP Bill 2022 fall far short of other data protection legislation around the world, such as the GDPR or similar laws in China. Under the proposed bill, Healthcare Organizations are subject to penalties of up to ₹500 crores for non-compliance. Beyond that, the bill includes a laundry list of penalties: up to ₹250 crores for failing to take adequate precautions against data breaches; ₹200 crores for failing to notify a breach or to comply with provisions relating to children; ₹10 crores for violating data localization norms; and ₹150 crores when a significant Healthcare Organization fails to carry out its additional obligations under the proposed law. A key ingredient of laws in other countries is the power to impose penalties either up to a prescribed amount for an offense or as a percentage of total worldwide turnover, whichever is higher.
A data principal is under an obligation not to register a false or frivolous complaint with a data fiduciary or the Board, not to furnish any false particulars, and not to suppress any material information. The DPDP Bill 2022 has introduced a penalty of up to ₹10,000/- (Rupees Ten Thousand) on the data principal for failure to comply with these proposed obligations.
The proposed DPDP Bill 2022 introduces the concept of ‘Deemed Consent’, under which the data principal is deemed to have given consent for the processing of their personal data. Personal Data may be processed on this basis in the case of medical emergencies involving a threat to life or an immediate threat to the health of the Data Principal. In the context of such processing, a parallel may be drawn with India’s draft Health Data Management Policy released by the NDHM in April 2022, which also envisages provisions relating to the processing of Personal Data in medical emergencies. Notably, the NDHM contemplates the appointment of a nominee to provide valid consent on behalf of the Data Principal in case the Data Principal becomes seriously ill or mentally incapacitated, or is facing a threat to life or a severe threat to health and is unable to give valid consent. Unlike the DPDP Bill 2022, the NDHM does not propose Deemed Consent in the absence of a nominee, but rather shifts the right to give valid consent on behalf of the Data Principal to an adult member of the Data Principal’s family.
Despite the recommendation in the JPC Report, the DPDP Bill 2022 has kept the ‘Non-Personal Data’ of individuals, such as information collected by the Government, NGOs, and other private sector entities, outside its ambit. The use of phrases such as ‘as it may consider necessary’ and ‘as may be prescribed’ can lead to administrative ambiguities. The autonomy of the Data Protection Board, which is entrusted with overseeing the protection of individuals’ personal data and ensuring compliance with the provisions of the law, is not reassuring. Further, the Government and its instrumentalities can retain personal data for an indefinite period, irrespective of whether the purpose for which the data was processed has been fulfilled.
By 2030 India is projected to be the world’s third-largest economy and will have one of the world’s largest digital personal data footprints, both in motion and at rest. The essential nature of the DPDP Bill 2022 is highlighted by our strengthening role in the global order. With the G20 Presidency and multiple Free Trade and Regional Trade Agreements in place, we will have to find solutions for Data Free Flow with Trust and cross-border data flows.