Recap of Part 1
The pandemic has catalysed an unprecedented degree of interest in healthtech, in terms of products and services being offered, patient/consumer adoption and investor appetite. Yet, predictably, legislation has failed to keep up with the breakneck pace of growth in this young industry. For now, the healthtech ecosystem is governed by a patchwork of legacy and new legislation, including the Telemedicine Practice Guidelines of India, 2020, the Consumer Protection Act, 2019, the Consumer Protection (E-Commerce) Rules, 2020[1], the Drugs and Cosmetics Act, 1940[2] and the Drugs Rules, 1945[3].
Part 2 will examine the current and proposed data protection legal regimes that healthtech companies need to be aware of.
Introduction
Part of the reason for this rush is that India has not caught up with other jurisdictions when it comes to taking data protection seriously. There is still no law in India that deals specifically with the protection of healthcare data, but the smart money knows that one will arrive sooner or later. The time of peak data, therefore, is now.
The United States has its Health Insurance Portability and Accountability Act, 1996 (hereinafter “HIPAA”), which establishes the legal framework for privacy and protection of health information and gives patients substantial control over their protected health information. The closest thing India has to HIPAA is a draft Bill, called the Digital Information Security in Healthcare Act, 2018 (DISHA), which shows no sign of becoming law anytime soon.
And what of the beleaguered Personal Data Protection (PDP) Bill, 2019? On 22-11-2021, after nearly two years of deliberations, the Joint Committee of Parliament on the PDP Bill finalised and adopted its report on the Bill, which will now be presented in the winter session of Parliament along with the PDP Bill for discussion. However, the PDP Bill has been dogged by controversy for as long as it has been in the works, and for the time being it remains some way from becoming law.
What then, is the law?
The Existing Data Protection Framework
- The Information Technology Act, 2000[4] (hereinafter “the IT Act”)
All healthtech companies must comply with India’s primary technology legislation, the IT Act. Although the IT Act is an overarching statute for all digital businesses, the provision most relevant to most healthtech companies is likely the “safe harbour” for intermediaries in Section 79. An intermediary is defined in the IT Act, with respect to any particular electronic record, as any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record, and the definition expressly includes network service providers, internet service providers and online marketplaces. It therefore captures most businesses that operate online. Section 79 exempts an intermediary from liability for third-party information, data or communication links made available or hosted by it, provided the intermediary confines itself to the functions described in Section 79(2), observes the due diligence prescribed by the Central Government (now the Intermediary Rules, below) and, on receiving actual knowledge that content is being used to commit an unlawful act, expeditiously removes or disables access to it. Two further provisions of the IT Act bear directly on data security. Section 43A makes a body corporate that is negligent in implementing and maintaining reasonable security practices and procedures while handling sensitive personal data liable to pay compensation to the person affected, and is the parent provision under which the SPDI Rules (below) were framed. Section 72A criminalises the disclosure, without consent and with intent to cause or knowledge that it is likely to cause wrongful loss or wrongful gain, of personal information obtained while providing services under a lawful contract.
- The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021[5] (hereinafter “the Intermediary Rules”)
The Intermediary Rules provide for a list of due diligence obligations that each intermediary needs to comply with. This includes:
(a) publishing on its website or mobile app or both, the rules and regulations, user agreement or privacy policy for access or usage of its service, and periodically (and at least once a year) informing users of any changes thereto;
(b) implementing restrictions on the nature of information that can be uploaded to the service, e.g. illegal or false or misleading information;
(c) providing information under its control or possession, or assistance to a lawfully authorised government agency within 72 hours of receipt of an order, for purposes specified in the Intermediary Rules;
(d) setting up a grievance redressal mechanism and appointing a grievance officer, and publishing their details on the website/app/both; and
(e) taking all reasonable measures to secure its computer resources and the information contained in them, following the reasonable security practices and procedures prescribed in the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules (see below).
- The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011[6] (hereinafter “the SPDI Rules”)
Healthtech companies primarily collect and process health data. Rule 3 of the SPDI Rules classifies physical, physiological and mental health condition, medical records and history, and biometric information as sensitive personal data or information, so most of what a healthtech product handles is caught. The compliance requirements most relevant to these companies are in Rules 4, 5 and 8 (the SPDI Rules are subordinate legislation made under Section 43A of the IT Act, so their provisions are rules rather than sections).
Rule 4 deals with the privacy policy. A body corporate that collects, receives, possesses, stores, deals with or handles personal information must publish on its website a privacy policy that is easily accessible to the providers of that information. The policy must make clear the type of personal or sensitive personal data or information being collected, the purpose of collection and usage, and any disclosure of the information, and must set out the reasonable security practices and procedures adopted under Rule 8.
Rule 5 deals with collection, consent, notice, purpose limitation and retention. Rule 5(1) requires the prior consent in writing (by letter, fax or e-mail) of the provider of the information before sensitive personal data is collected. Rule 5(2) permits collection only for a lawful purpose connected with a function or activity of the body corporate, and only where the collection is necessary for that purpose; this is the closest the current regime comes to a data minimisation principle. Rule 5(3) requires the body corporate to take reasonable steps to ensure that the person concerned knows (a) that the information is being collected; (b) the purpose for which it is being collected; (c) the intended recipients of the information; and (d) the name and address of (i) the agency that is collecting the information and (ii) the agency that will retain it. Rule 5(4) bars retention of sensitive personal data for longer than is required for the purposes for which it may lawfully be used, or than is otherwise required by law; retention periods therefore need to be defined and actually enforced. Rule 5(6) requires that the information be used only for the purpose for which it was collected. This purpose limitation is an important and often ignored safeguard. Rule 5(7) gives the provider the option not to provide the information, and to withdraw consent at any time, in which case the body corporate may decline to provide the goods or services for which the information was sought.
Rule 8 sets out what counts as reasonable security practices and procedures. A body corporate is treated as compliant if it has implemented security practices and standards and has a comprehensive documented information security programme and policies, with managerial, technical, operational and physical security control measures commensurate with the information assets being protected. The international standard IS/ISO/IEC 27001 on “Information Technology — Security Techniques — Information Security Management System — Requirements” is named as one such standard. An industry association or other entity may instead follow its own code of best practices, but only once that code has been approved and notified by the Central Government. Whichever standard or code is adopted must be audited by an independent auditor approved by the Central Government at least once a year, or whenever the body corporate undertakes a significant upgrade of its processes and computer resources, and in the event of a security breach the body corporate must be able to demonstrate that it had implemented the controls in its documented programme.
- Telecom Commercial Communications Customer Preference Regulations, 2018
These regulations prohibit any sender, including a telemedicine platform, from sending unsolicited commercial communication over SMS or voice to subscribers who have not opted in. There is no similar bar on transactional messages (for example appointment confirmations or one-time passwords), so the practical task for a platform is to keep its marketing and transactional message flows separate.
Proposed Legislation
- Digital Information Security in Healthcare Act (hereinafter, the “DISHA”)
The DISHA has been in circulation for a long time but has not been passed as an Act. This framework, when implemented, will impose significant compliance requirements on healthtech companies. Section 3(e) of the proposed Bill defines digital health data as an electronic record of health-related information about an individual, including: (i) information concerning the physical or mental health of the individual; (ii) information concerning any health service provided to the individual; (iii) information concerning the donation by the individual of any body part or any bodily substance; (iv) information derived from the testing or examination of a body part or bodily substance of the individual; (v) information that is collected in the course of providing health services to the individual; or (vi) information relating to details of the clinical establishment accessed by the individual. This Bill is especially relevant for businesses aggregating patient records and for e-pharmacies collecting digital prescriptions from patients.
DISHA prohibits commercialisation or commercial use of digital health data. Further, DISHA clearly enumerates the purposes that health data can be collected and processed for and bars the use of health data for any other purpose. The enumerated purposes relate to delivery of patient-centered medical care, providing information to help guide medical decisions at the time and place of treatment, improve coordination of care information among different clinical establishments through a secure infrastructure, and to improve public health responses through review and research. In fact, even with explicit consent, health data cannot be used for disallowed purposes. In relation to the permitted purposes, for which use is allowed, explicit consent or a legislation requiring such use must exist.
Further, an individual retains the autonomy throughout the process and can withdraw their consent at any time in the DISHA framework. For instance, if an individual consents to the collection of their health data, they can withdraw their consent for utilisation or processing of that data. This is made easier by the requirement of explicit consent at each stage. DISHA also ensures that no patient is refused care for withdrawing or refusing to share their data. This is an extremely important right for individuals to be able to realise their informational privacy and autonomy.
Entities other than clinical establishments, such as the State, private health insurance companies, pharmaceutical companies, e-pharmacies, health and fitness apps and makers of implantable or wearable medical devices, are also governed by the DISHA. For such entities, the only permissible purposes for which health data can be collected, processed or stored are to advance the delivery of patient-centred medical care, to provide information to guide medical decisions, and to improve coordination of care and information among hospitals and laboratories. The additional ground available to clinical establishments, collection for public health purposes, is therefore not available to other entities.
In Section 30, the Bill clarifies that no health data shall be collected for the purpose of conversion to digital health data. This is one provision that may come in direct conflict with the businesses of digital health information management systems. The Bill proposes that entities collecting and processing health data shall be “custodians” of that data, implying a fiduciary relationship. This duty is also reiterated in Section 35(2). Finally, it also incorporates criminal penalties for breach of obligations in collecting, processing, and storing health data.
- Personal Data Protection Bill, 2019 (hereinafter “the PDP Bill”)
The PDP Bill, first released by the Government in draft form in 2018 and introduced in Parliament in 2019, has been in the works for nearly three years. On 22-11-2021, after nearly two years of deliberations, the Joint Committee of Parliament on the Personal Data Protection Bill, 2019 adopted its report on the Bill. The report will now be presented in the winter session of Parliament along with the PDP Bill for discussion.
The PDP Bill aims to provide a general data protection framework for personal as well as sensitive personal data. Some of the important safeguards for data principals in the PDP Bill are contained in Chapters 2, 6 and 7 of the Bill. These include the prohibition on processing personal data except for a specific, clear and lawful purpose (Section 4), purpose limitation (Section 5), data minimisation (Section 6), restrictions on retention periods (Section 9), and the nature of consent required (Section 11). Chapter 6 deals with security safeguards (Section 24), the obligation to report personal data breaches to the Data Protection Authority (Section 25), data protection impact assessments (Section 27) and grievance redressal by the data fiduciary (Section 32). Finally, Chapter 7 deals exclusively with sensitive and critical personal data and is therefore especially important in a healthtech context. It includes a strict data localisation mandate (Section 33) and a limited set of enumerated conditions for transfer of sensitive personal data outside India (Section 34).
PDP Bill and GDPR Compared
The Personal Data Protection (PDP) Bill incorporates many aspects of the European Union’s General Data Protection Regulation (GDPR). The GDPR has become the industry standard for personal data protection and regulation. It tackles a wide range of current and potential data-related challenges, and it is largely regarded as the working standard for data protection. It has also served as a model for other countries attempting to develop their own data protection legislation.
The aspects of the GDPR which are incorporated into the PDP Bill include notice and prior consent requirements for the use of individual data, constraints on the reasons for which organisations can process data, and restrictions to guarantee that only data required for providing a service to the individual in question is collected. While the PDP Bill has visibly adopted GDPR in many main areas, there are a few key aspects where they differ from one another.
To begin with, the PDP Bill’s definition of sensitive personal data is far broader than the GDPR’s, and it also includes provisions allowing government access to non-personal data stored by any data processor or data fiduciary for particular objectives related to improving government service delivery and policymaking, which are not included in the GDPR.
The PDP Bill continues to have several significant shortcomings. First, in the event of a personal data breach, GDPR requires the data controller to notify the supervisory authority within 72 hours of becoming aware of it (Article 33; see also Recital 85), and to notify affected data subjects without undue delay where the breach is likely to result in a high risk to them (Article 34). Under the PDP Bill, the data fiduciary must notify the Data Protection Authority (Section 25(1)), but the time limit is left to be specified by regulation, and data principals are notified only if the Authority directs it (Section 25(5)). Secondly, under the GDPR a controller may use only processors that provide sufficient guarantees of compliance, and adherence to an approved code of conduct is one way a processor demonstrates this (Article 28; Recital 81). Under the PDP Bill the bar is lower: a data fiduciary may engage a data processor merely through a valid contract (Section 31(1)). Thirdly, the GDPR provides clear and strong safeguards where automated decision-making may cause harm. The PDP Bill requires a data protection impact assessment for large-scale profiling but, with the exception of children, gives individuals no right to object to automated profiling. The GDPR goes further, giving data subjects the right to object at any time to processing for direct marketing purposes, including profiling to the extent it is related to such marketing (Article 21(2)), and requiring that this right be brought to the data subject’s attention clearly and separately from other information (Article 21(4)). Lastly, the GDPR is enforced through administrative fines and civil remedies, whereas the PDP Bill also includes criminal penalties, including the possibility of imprisonment, for certain contraventions.
However, the PDP Bill, if enacted, will provide India with a broad, cross-sectoral privacy and data protection mechanism. At the same time, it would also pose several challenges to healthtech companies in India.
Conclusion: Increased Compliance for Healthtech Ahead?
Data collected by companies in the healthcare space is usually more sensitive than other data because it is uniquely linked to an individual and cannot be changed once exposed. Of the two data protection bills waiting in the wings, the PDP Bill probably has a greater chance of passing into law than DISHA. Compliance with the PDP Bill will therefore become increasingly important as Indian healthcare players, such as hospitals and clinics (both private and public), dental practices, pharmacies, nursing homes, diagnostic laboratories, medical device manufacturers and health insurance providers, all manage a wide range of personal data. Individuals who provide personal data (“data principals” under the PDP Bill) have certain rights, such as the right to correction and erasure and the right to be forgotten. As a result, healthtech companies must put in place the technology, policies and procedures that allow the people who engage with their systems to exercise all of these rights.
Equally, healthtech organisations would be required to adopt privacy by design, a concept of built-in privacy that spans the entire business, its technology and its systems. Such a system would not only secure personal data but would also help individuals exercise their rights under the Bill. Currently, businesses rely on international standards such as those published by the International Organization for Standardization (ISO).
Furthermore, in order to address the growing threat of cyberattacks, healthtech companies would be obliged to conduct periodic risk assessments, data protection impact assessments and regular audits, and to run training programmes for employees and third parties who handle their data.
Healthtech companies would also be expected to classify data in order to better understand data assets, the level of security required, where to find them, and which data assets are worth safeguarding. They must also be aware of how and where their patient data is generated and stored, since this becomes increasingly important when data breaches must be notified. Photos, IP addresses, social media posts, cookies, individual likenesses, fingerprints, and other data may be classified as more sensitive than they are now as India’s privacy law advances.
All healthcare providers will be required by law to keep records for as long as they are needed to perform the service for which they were obtained. The PDP Bill establishes a framework for how personal data can be acquired, used, and deleted in certain circumstances. These measures would need to be closely monitored to ensure adherence to the Bill and also protect the rights of the patients in this regard.
In terms of data security, the healthtech industry is currently relatively vulnerable to ransomware, phishing, malicious spam, extortion, blackmail and simple misappropriation of the valuable personal data it holds, precisely because of the nature of that data.
If and when the PDP Bill becomes law, healthtech companies that deal with personal data will be required to have state of the art data protection infrastructure. This criterion becomes even more important as the healthcare business becomes more reliant on data and analytics to provide faster and more efficient services. Improving data security and privacy will go a long way toward restoring confidence among employees and patients, especially in a field that deals with people’s emotional and physical health.
† Shantanu Mukherjee, Founder, Ronin Legal.
*The Author wants to thank Varunavi Bangia (NUJS) and Shweta Shenoy (Christ College of Law) for their research on the piece.