Personal Data Protection in India
The healthcare sector is in the middle of a massive digital reform intended to overcome inefficiencies, improve the utilization of resources, and enhance the delivery of quality service to patients. The rapid adoption of technology brings its own challenges – one of them being the huge volume of data generated every single day – data that needs to be protected as a priority. The availability of vast amounts of sensitive patient information is what has made the healthcare industry a primary target of cyberattacks and data breaches. In 2020, India reported a 37% increase in cyberattacks on healthcare organizations in November and December. With increasing healthcare digitalization, cyberattacks of various kinds, such as ransomware, DDoS attacks, and phishing emails, have also grown in number and complexity.
Understanding health data
According to National Digital Health Mission (NDHM), health data is classified into two broad segments:
- Personal health data – data related to an individual. This contains detailed information on various health conditions and treatments, as well as personally identifiable information of multiple stakeholders, including healthcare professionals.
- Non-personal health data – includes aggregate health data and anonymized health data where all personally identifiable information has been removed.
The Ministry of Health and Family Welfare issued draft legislation, namely the Digital Information Security in Healthcare Act (DISH Act), to regulate all digital health data generation, collection, storage, access, transmission, and use.
Personal Data Protection Bill, 2019 (PDPB)
Notably, India does not have any national regulatory authority focusing on the protection of personal data. To remedy the situation, the government of India and a Joint Parliamentary Committee proposed the draft PDP Bill on December 12, 2019, which addresses the issue of data protection. This bill will be India’s first law on personal data protection and will repeal Section 43A of the IT Act.
The bill defines ‘health data’ under section 3(21) as the ‘data related to the state of physical or mental health of the data principal and includes records regarding the past, present or future state of the health of such data principal, data collected in the course of registration for, or provision of health services, data associating the data principal to the provision of specific health services’.
The proposed PDP Bill applies extraterritorially to non-Indian organizations if specific nexus requirements are met and suggests the formation of a Data Protection Authority of India that will be in charge of preventing misuse of personal data, protecting the interests of data principals, and ensuring compliance with the new law.
The PDP Bill takes inspiration from GDPR to establish a comprehensive data protection regime in India. The current draft of the PDP Bill:
- Introduces a central data protection regulator
- Broadens the rights given to individuals
- Specifies compliance requirements for all personal data
- Institutes data localization requirements for certain types of sensitive data
PDP bill vs. existing data protection regimes
With a tighter grip on localization, the PDPB goes a step beyond the rules mandated by GDPR and the United States’ Clarifying Lawful Overseas Use of Data (CLOUD) Act. Although there is no timeline for its implementation, the PDP will be rolled out in a phased manner.
- Localization of data – The PDP Bill is more restrictive and mandates the localization of sensitive personal data and critical personal data. The bill also imposes restrictions on the cross-border transfer of critical and sensitive personal data.
- Extra-territoriality principle – The bill applies the extra-territoriality principle to the processing of any personal data by organizations outside India. The principle applies if personal data is processed in connection with any business or activity that involves offering goods or services to consumers in India, or profiling data principals within India.
- Local presence required – The draft policies require organizations that are not established in India but offer goods or services to consumers in India to have a company incorporated in India and to appoint an Indian resident as a nodal point of contact to ensure compliance with applicable laws. This move is intended to ensure regulatory and enforcement control over foreign entities that trade in India.
In today’s highly regulated data environment, healthcare companies in India must build an effective compliance strategy. They need better visibility of their data – what they hold, where it lives, and who can access it – before they can meaningfully work toward compliance with data protection regulation. By adopting a layered approach to data security that covers people, processes, and technology, organizations across industries in the country can embrace the new PDP Bill, and the bill should be viewed as a competitive advantage rather than a burden. While the regulation focuses on data protection and security, healthcare organizations can implement the following measures to manage health data effectively:
- Deploying encryption to store data
- Mandating the use of strong passwords
- Data sharing with only relevant people to avoid misuse
- Periodic review of firewall settings
- Securing all devices that have access to the personal data of an individual
- Due diligence before sharing information with third-party vendors
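As an added illustration of two of the controls in the list above (sharing data only with the people who need it, and enforcing a strong password policy) together with the personal versus non-personal split described in the "Understanding health data" section, the following Python script is not part of the original post or of any GAVS offering. It uses only the standard library, so it does not cover encryption at rest. The patient record, the recipient roles, the identifier field list and the common-password deny list are all constructed for the example; the keyed pseudonym step goes slightly beyond the page, which only describes identifiers being removed, and is labelled as such in the code.

```python
import hashlib
import hmac
import re

# Constructed sample record (not real patient data): one personal health
# record as a hospital information system might hold it.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Asha Verma",
    "phone": "+91-9800000000",
    "address": "12 MG Road, Bengaluru",
    "dob": "1985-04-02",
    "diagnosis": "Type 2 diabetes",
    "treatment": "Metformin 500 mg",
    "treating_doctor": "Dr. R. Iyer",
}

# Fields that directly identify a person. The NDHM definition counts
# identifiers of healthcare professionals as personal data too, so the
# treating doctor's name belongs in this set (constructed list).
DIRECT_IDENTIFIERS = frozenset(
    {"patient_id", "name", "phone", "address", "dob", "treating_doctor"}
)

# Which fields each kind of recipient actually needs (hypothetical roles).
RECIPIENT_VIEWS = {
    "clinician": {"patient_id", "name", "dob", "diagnosis", "treatment", "treating_doctor"},
    "billing": {"patient_id", "name", "treatment"},
    "research": {"diagnosis", "treatment"},
}


def minimise_for_recipient(record, recipient):
    """Return only the fields the recipient role is allowed to see.

    An unknown role gets nothing rather than everything (fail closed).
    """
    allowed = RECIPIENT_VIEWS.get(recipient, set())
    return {k: v for k, v in record.items() if k in allowed}


def anonymise_record(record, pseudonym_key=None):
    """Strip direct identifiers to produce a non-personal record.

    If pseudonym_key (bytes, stored separately from the data) is given, the
    patient_id is replaced by an HMAC-SHA256 pseudonym so that records can be
    linked within a dataset without exposing the real ID. This keyed step is
    an addition beyond the page's description of simply removing identifiers.
    Without the key no linkable identifier survives at all.
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if pseudonym_key is not None and "patient_id" in record:
        digest = hmac.new(pseudonym_key, record["patient_id"].encode("utf-8"),
                          hashlib.sha256).hexdigest()
        out["pseudonym"] = digest[:16]
    return out


def contains_identifiers(record):
    """True if any direct identifier field is still present."""
    return any(k in DIRECT_IDENTIFIERS for k in record)


# Constructed deny list; a real deployment would load a large breached-password list.
COMMON_PASSWORDS = {"password", "password123", "welcome1", "qwerty123", "admin123"}


def check_password_policy(password, min_length=12):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than 3 character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is on the common-password deny list")
    return problems


if __name__ == "__main__":
    print(minimise_for_recipient(SAMPLE_RECORD, "billing"))
    print(anonymise_record(SAMPLE_RECORD, pseudonym_key=b"constructed-demo-key"))
    print(check_password_policy("password123"))
```

The two data functions reflect the distinction the NDHM draws: `minimise_for_recipient` still produces personal data (a billing clerk sees the patient's name) and so remains under the bill's obligations, whereas `anonymise_record` produces a non-personal record suitable for aggregate use. Keeping the pseudonym key outside the dataset is what stops the pseudonymized output from being trivially re-linked.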
GAVS offers data privacy services and solutions designed to protect the organization’s information through the full data lifecycle, from acquisition to disposal. Our service offerings help organizations adhere to data privacy best practices and regulatory compliance in a constantly evolving threat environment and regulatory landscape. You can find more information on GAVS’ offerings at Cyber Security Services & Data Privacy Services.