The Healthcare sector in our country has been developing at a rapid pace. Even before this ongoing pandemic, we have been working on various aspects to make healthcare facilities better and achieved great success compared to the last decade. New health technologies such as wearable tech, telemedicine, genomics, virtual reality (VR), robotics, and artificial intelligence (AI) are changing the landscape of the Indian healthcare system. Like many other markets, India too is at the cusp of a ‘digital health’ revolution. Digital health technology is a pivotal pillar in delivering value-based care across the healthcare continuum in India. Adaptive intelligent solutions can help lower the barriers between hospitals and patients, improving access to care and enhancing overall patient satisfaction. People used to wear analog watches but now we hardly see any wrist with that type of watch. Nowadays, everyone using either smartwatches or fit bands which track their physical activity, calories count/burnt and other health-related aspects. People have installed apps according to their health conditions and updated personal health-related details to access the apps. In a way, developing technology and more comfort in doing everything online, fascinates the user and they are forced to shift from the physical world into virtual/digital one completely. But who keeps check on these apps or portals as far as data of the users are concerned. Telemedicine, tech devices and all these apps create fear in the mind of patients about their information being leaked or used inappropriately or discussed with any third party. Most of these mobile phone apps share the data of the consumer with a third party or social media platforms like Facebook. Once data enters that cloud, the customer will start receiving advertisements related to their health insurance, their health conditions, sexual orientation, mental health, or whatever the conditions for they have used the mobile app. These advertisements even suggest products one can buy and one should avoid, basically everything they can sell related to that particular information they will advertise the same. YouTube does the same thing by recommending videos related to the particular condition. In such conditions, how one can protect their data as well as seek medical professional help without any threat to their privacy. What all remedies does one have when their data related to health is shared without their proper consent?
After the landmark decision of the Apex Court in Justice K.S Puttaswamy (Retd.) v. Union of India1 where the right to privacy was declared as a fundamental right derived under Article 21 of the Constitution of India, efforts were made to frame a data protection act in India. In this step, PDP Bill, 2019 was tabled in the Parliament.
The Government of India introduced the draft Digital Information Security in Healthcare Act 2018 (“DISHA”) for the protection of digital health data of citizens, which combined with the Personal Data Protection Bill, 2019 gives a promising future for the data protection regime in India. However, the collection of Digital Health Data by the healthcare industry remains a matter of concern, due to the weakness of antiquated laws that govern this arena. Currently, the data protection regime is governed by Information Technology Act, 2000 read with the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011, which provides for a body corporate to follow ‘adept data’ protection measures and, in case of any breach, pay compensation to the affected person.
Types of Health Data
As per the National Digital Health Mission, health data can be classified into the following categories:
• Personal health data – data related to an individual containing detailed information of various health conditions and treatments. It includes any data with personally identifiable information of various stakeholders, such as healthcare professionals; and
• Non-personal health data – includes aggregated health data such as the number of dengue cases and anonymized health data where all personally identifiable information has been removed. This will also include information about health facilities, drugs and so on that do not involve personally identifiable information.
Relevant provisions of Legislations related to Data Protection:
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011
Privacy Rules regulate:
Collecting, receiving, possessing, storing, dealing, handling, retaining, using, transferring, and disclosing sensitive personal data or information (SPDI) (Sections 5 to 7, Privacy Rules). • Security practices and procedures for handling SPDI (Section 8, Privacy Rules).
Data subjects' rights to review and update SPDI and withdraw consent for SPDI processing (Sections 5(6) and 5(7), Privacy Rules).
Privacy Rules Exempt any information that is:
Freely available or accessible in the public domain.
Furnished under the Right to Information Act 2005 or any other enforceable law.
The Indian government has clarified that the Privacy Rules apply only to the body corporates that collect information from natural persons. Organizations that provide services relating to collecting, storing, or handling SPDI pursuant to a contractual relationship, such as outsourcing organizations, are exempt from complying with the personal data collection and disclosure obligations set out under Privacy Rules 5 and 6 (Clarification on Privacy Rules, Press Note dated August 24, 2011).
Section 43A of the IT Act 2000 as amended by the Information Technology (Amendment) Act 2008 and Privacy Rules 2011 apply to sensitive personal data or information (SPDI). The Privacy Rules define SPDI to mean personal information which consists of information relating to a person's:
Passwords • Financial information, including information relating to bank accounts, credit cards, debit cards, and other payment card information
Physical, physiological, or mental health • Sexual orientation • Medical records and history.
Biometric information. SPDI also includes any details relating to the above categories even if the person provides the data to a body corporate to provide a service or for processing under a lawful contract. (Rule 3, Privacy Rules.)
Personal Data Protection Bill, 2019
PDP Bill was tabled in the Parliament to provide for the protection of the privacy of individuals relating to their personal data, specify the flow and usage of personal data, create a relationship of trust between persons and entities processing the personal data. Definition clause of the bill clearly distinguishes between Health Data, Personal Data, Sensitive Personal Data under clause 21, 28 and 36 respectively.
As per PDP Bill, 2019, you need consent for the processing of digital data, and since health data has been defined as sensitive personal data [Section 3(36)], the requirement is explicit consent, at only one stage which is before using such data by any entity (Section 11)
Further, under Section 12, also explains when personal data can be processed without the consent of the owner:
- To respond to any medical emergency involving a threat to the life or a severe threat to the health of the data principal or any other individual.
- To undertake any measure to provide medical treatment or health services to any individual during an epidemic, outbreak of disease or any other threat to public health.
Data not being sensitive personal data can be processed for purposes related to employment (S.13) or any other reasonable purpose (S.14).
Digital Information Security in Healthcare Act, 2018
DISHA has been drafted by the Ministry of Family and Health welfare for the protection of Digital Health Data(DHD). Various terms like Anonymization, Digital Health Data, Clinical Establishment, Personally Identifiable Information, Data Security, Sensitive Health Related Information have been mentioned under S.3(a), (e), (i), (k), (n) (o) respectively. Further, the Act also explains all the rights available to the owner of the digital health data under section 28. The user has been given the power to control the flow of his/her data at every stage of data collection, processing, storage, transmission, etc. Moreover, the user has been given the power to refuse the consent for data collection at any stage he/she wants. Note that all these steps need to be taken after explicit and prior permission from the user, for every use of data in an identifiable form.
Section 29(2) of DISHA, M-Health service providers like applications or wearable devices which collect DHD of its customer fall under the ambit of ‘other entity’ (since they aren’t clinical establishment or health information exchange). As a result, they will be governed under DISHA, and have to comply with the strict requirement of obtaining consent at every stage of data collection.
Commercialization of health data
The M-health industry functions on various business models, but one of the key components of them is targeted advertisements. This is important for those service providers who are fully automated online and offer various services completely free for increasing their customer base and send them targeted advertisements based on user data. Consider the example of Mobisoft which through its apps/wearable devices can collect sophisticated data like Body Mass Index, and on basis of such data prepares specific content tailored for a specific individual which often comes with recommendations or advertisements for any product or company.
DISHA has limited the use of DHD by ‘other entity’ to only limited purposes (mentioned in Section 28(2) of the Act) and completely prohibited the commercialization of DHD (Section 29(5), DISHA). Since the term ‘commercial’ hasn’t been defined in the Act, we need to take look in the context of legal precedents. In Laxmi Engineering Works v. P.S.G. Industrial Institute2, the Court held that commercial means related to commerce, which means “connected with, or engaged in commerce; mercantile; having profit as the main aim”.
The ‘freemium model apps’ provide services and features free of cost, which means there is no commercial transaction per se. However, the use of data to send a tailored advertisement to the user for revenue can be interpreted under the ambit of the term ‘commercial’, but unless the scope of the term is defined, it will be difficult to ascertain what ‘commercialization’ of DHD means. Hence the scope of the term ‘commercial’ needs to be defined to erase any confusion. If there is a complete ban on the commercialization of health data, without defining its scope then it will affect M-health service providers who use either ‘freemium’ or ‘subscription-based model, as the use of DHD for tailored advertisement/recommendation for a specific user would amount to ‘commercial’ use of DHD.
Further section 29(5) of DISHA has even prohibited the use and access of DHD in ‘anonymized’ (Section 3(1)(a), DISHA) form for any commercial purpose. The use of DHD in the anonymized form helps in creating data points, which helps in curating to the user’s need and developing the product in tune with the current trends in the market. This will also hamper research, development, and innovation in the M-health sector.
Which law will prevail PDP or DISHA?
In PDP Bill, 2019, health data being sensitive personal data needs the express consent of the individual for the data to be processed, but in DISHA any use of DHD for commercial purposes has been prohibited. The problem lies as to the applicability of the law, i.e., which law will apply in this scenario, as both the PDP Bill and DISHA have overriding clauses (Section 96 and Section 52, respectively). Thus, if any conflicting provisions of any other law exist, then that conflicting provision wouldn’t be applicable. Following the maxim, Generalia specialibus non derogant meaning thereby that special law will prevail over general law whenever there is a conflict between provisions of the particular laws.
In such a case the support can be taken from General Manager, Telecom v. M. Krishna3, where it was observed that in case of conflict between two sets of laws, the special law, which in this case is DISHA, will override general law, which in this case is PDP Bill 2019.
The applicability of DISHA can be limited to clinical establishments or health information exchanges only, considering the nature of DHD they handle, and apps/wearable devices providing M health services can be governed under PDP Bill 2019, which will not only reduce friction between two sets of laws but will also promote the development of M-health.
So, in the case of any app/wearable device that collects DHD, if it is to be governed under PDP Bill, 2019, the requirement of consent is at only one stage, i.e., before the processing of data by the collecting entity. However, if DISHA is to be applied then it has to obtain consent at each stage of data collection from processing to that of transmission and storage. Hence, if DISHA is to be applied in such a case, it will lengthen the process, limiting the use of such data as per the strict compliance requirements of DISHA which has been discussed above.