Health Data Regulation in India


To say that Personal Data (PD) of an individual in India has been ‘regulated by adequate legal protections’ is a stretch. The Information Technology Act, 2000 (IT Act), and its Rules, inter alia protect digital PD in India, but have been found to be lacking on multiple counts. To name a few, these include, the application of the IT Act and Rules to private entities and not government bodies; the definition of PI and SPDI (personal information and sensitive personal data or information) not covering electronic communications, browsing, chatbots et al., especially with the ability of such sources of ‘information creation’ to create inferred/ observed data on individuals; the narrow interpretation given to consent of an individual. On the technical side the required compliance for an organization is compliance with the internationally accepted standards laid out in ISO/IEC 27001. These standards, while they do cover the regulation of personal information, have a primary focus on the instituting an appropriate level of information security practices that a business needs to protect its assets such as IP, employee details, financial information, third-party/client data et al. Again, these do not apply to govt. bodies. The govt. through its various schemes and programs directed at the populace, maintain a healthy amount of personal data and in theory and practice should have access to large databases created for the same, and as a consequence should be subject equally to any personal data protection law.

A new dimension to protect PD, is in the works through the institution of the Personal Data Protection Bill, 2019, (PDP Bill) though when it will come in to effect and more importantly how much time will be afforded for covered entities to comply with its requirements, is anyone’s guess (the EU GDPR had a compliance time of 06 months after its notification).

Health data is a subset of PD and S (sensitive) PD under the Bill. Even with the (now somewhat less-muted) anticipation of the notification of the PDP Bill, we already have in the works the regulation of health data by and under the National Digital Health Mission (NDHM). The NHA, India will be responsible for regulating the NDHM. The NDHM comes with its own health data policy (the Health Data Management Policy or HDMP), along with other guidelines. The subject of this piece is to ascertain the rights of individuals (referred to as Data Principals or DPs) under a reading of the PDP Bill and the HDMP, when they come into force. As an aside, I would like to point out that the NDHM is already in its phase 1 rollout stage in Union Territories, and while its exact implementation status is unclear, as part of phase 1, HIPs, HIUs and other digital health ecosystem participants are expected to generate Health IDs and create and push information onto PHRs (personal health records of patients). Doctors and health facilities are also required to register themselves on respective health registries, as well as provide information that forms part of a PHR. Thus, the new regime under which personal health data is created has already kicked off.

Deloitte’s recent report citing its own ‘data ethics consumer research’ suggests that across industries, 21% of Europeans (the largest sample size of consumers per sectors which such customers receive services from) are very willing (the highest measure of willingness) to share their personal data with and for procuring, medical services. While this is not juxtaposed for India, we have the second highest internet penetration in the world, and for health services to be effective, PD will need to be processed. For a public-private model of health like ours to thrive, one of the pillars to strengthen the same is the need to disseminate more and better- quality information (care), which in turn will need access to better, more actionable PD.

An important aspect related to PD, and indeed the rights of DPs over their PD, both under the PDP Bill and HDMP is the purpose for which data is collected. Under the PDP, PD can only be processed for the purposes it needs to be processed, for which consent is to be clearly established. Health data, on a reading of the PDP Bill and HDMP is a subset of SPD, and requires a higher standard of conformity for acquiring consent. This is similar to the GDPR where, for health data, the purpose for providing health services is equal to the ‘obvious purpose’ requirement of processing, which is linked to the actual ‘service’ that healthcare service provider provides. It is expected that India would follow the same principle, especially within a digital health ecosystem we aspire to create.

The first right under the anticipated frameworks is the right to confirmation and access. This right allows the DP to obtain confirmation of processing and processed activities on its PD, including a summary of processing activities and a copy of the same as well, which includes the purpose, nature, category of the PD, from and as provided to a Data Fiduciary (DF; which does include any healthcare service provider). This right also requires DF’s to disclose other parties with whom the PD has been shared. This right under the PDP Bill does not cover the right to access third party information, i.e., about others. This isn’t referred to under the HDMP as well, however, under the EU GDPR, exemptions are practically available for this. There is a carve-out known as the ‘health data test’ which is met if a health record contains the information, and if a third-party individual is a health professional who compiles the health record, contributes to the record and/or was involved in the DP’s diagnosis, care or treatment. Thus, third party information, that meets the health data test, should be allowed to be accessed by a DP enforcing this right. Under the digital architecture of the NDHM, each building block of the system needs to be interoperable with each other, meaning that information and data should be able to be seamlessly shared between all healthcare service participants, including public and private entities. The NDHM is pushing the adoption of the FHIR (Fast Healthcare Interoperability Resources) R4 standards to facilitate exchange of healthcare information, which is suitable for use in a wide variety of contexts – mobile phone apps, cloud communications, EHR-based data sharing, server communication in large institutional healthcare providers, and much more. This FHIR standard is built on various ‘resources’, which can be thought of as digital forms that reflect different types of clinical and administrative information that can be captured and shared. The FHIR specification defines a generic ‘form template’ for each type of clinical information – so one for allergies, one for prescriptions, one for referrals, etc. It is therefore required by the tech architecture of the NDHM itself that such data is made available.

Issues needing to be ironed out: For an entity that is facing a demand for the exercising of this right from a DP, this will be akin to a SAR (Subject Access Request). It is common for nominal fees to be charged from a DP for any SAR, however, this should not be exorbitant and priced in a way so as to be construed to be a barrier to a DP to enforce this right, and the Srikrishna Committee Report alludes to the same. When the PDP Bill/HDMP comes into force, it will be interesting to see the price possibly set for such a right. A SAR, under the GDPR needs to be responded to within 30 days, and currently Indian entities are advised by information security professionals to comply with the same, especially when it comes to selling their products/services in European and US markets. The necessity of the enforcement of this right can be highlighted in a number of ways, however an interesting example is the handling of this right in the US, by the Department of Health and Human Services (HHS), through its Office of Civil Rights (OCR), where for certain covered entities, the number of days of responding to this right has been shortened from 30 days to 15 days. Moreover, there have been a number of monetary settlements that have taken place under the aegis of the OCR, which is strictly enforcing this right. Since assessing its first right of access rule settlement in late 2019, OCR has collected more than a dozen separate settlements – ranging in amount from $3,500 to $70,000 – from healthcare providers nationwide.

The second right is the right of correction and erasure, under which a DP can request and expect correction of any incorrect data, or provide complete information regarding any incorrect data. The right of correction specifically should not be charged and the Srikrishna Committee Report suggests the same, building on the philosophy that it is incumbent on the DF to maintain correct, accurate and updated records at all times.

Issues needing to be ironed out: The right to erasure of PD is interesting as, while the PDP Bill does provide this right for data/info that is no longer necessary for purposes for which it was processed, it does not provide the contours for what ‘necessary purposes’ are. Necessary purposes in this context is separate from ‘purpose’ as mentioned above, in the sense that it can’t be equated to ‘services’ alone. Erasing data is equated to the ‘right to be forgotten’ under the GDPR, but this terminology is not accorded the same ambit under the ‘right to be forgotten’ under the PDP Bill, which is discussed below. The right to be forgotten and right to erasure under the Indian context are separate rights and should be understood as the same. There is no mention behind what ‘erasure’ amounts to under the Srikrishna Committee Report either. Under EU law, if the request for ‘erasure’ (i.e. the right to be forgotten), as understood there (and separate from the right to be forgotten under the PDP Bill), is manifestly unfounded or excessive, this right can be rejected by data fiduciaries. Public interest, scientific research, public health et al. are other exemptions from the a right of erasure request. Under the FHIR R4 interoperability standards, as modified for the EU GDPR, there is a limit in-built into the algorithm/codes, of each resource that makes up the standard, that does not permit the enjoyment of this right when there is another legal requirement such as for archiving medical documentation. In the way it has been understood as under EU law, this right to erasure means that all data including from back-up servers has to be purged, and by the very nature of how integrated and interoperable health records are practically going to be maintained as, a full exercise of this right may anyways be impossible to ensure. Finally, the right to erasure does not find any mention in the HDMP either.

The third right under the PDP Bill, and indeed one of the rights under the NDHM, is the right to data portability. This right allows a DP to switch healthcare providers, get a second opinion, require information to be transferred et al. When processing is carried out using automated means the DP has the right to receive the data, as well as have the same transferred to another DF. The kind of data that falls within the ambit of the exercise of this right includes the data provided to the DF, data output generated in providing services and data forming part of the DP’s profile. Issues needing to be ironed out: Now under the GDPR, data portability applies to two kinds of data that can be actively provided; data provided by the PD and observed data (which includes search history, traffic data, location, heartbeat tracked by wearables et al.). ‘Inferred’ or ‘derived’ data is not subject to this right. For example, the outcome of an assessment regarding the health of a user, is not in itself considered as data provided by an individual, and while this ‘outcome of assessment’ could/would be a case of inference or derivation (creating data) drawn from the use of services by an individual, such data would not be considered as observed data. The current position seems to be that a DF may exclude inferred and derived data which includes personal data created by a service provider (for example, algorithmic results), from the purview of this right. It’s possible that a health app that creates personal data by suggesting to a person an appropriate dosage for taking a medicine, would be doing so through a personalisation or recommendation process (using an algorithm), and this suggestion would be inferred / derived personal data, that would itself not be subject to the right of portability. It will be interesting to see how this plays out within the NDHM framework, as there is reference to personal data ‘which forms part of any profile’, as PD which would be subject to the Indian DP right to data portability. There is no generic reference to ‘profile’ under the HDMP and could instead be understood from the definition of ‘profiling’ under the PDP Bill, which is a form of processing that analyses or predicts aspects of behaviour, interests or attributes of a DP.

The right to portability is also limited under the GDPR by intellectual property and trade secrets, or any other form of confidential and proprietary information protection. If an algorithm has the potential to disclose sensitive information about a business in the healthcare space to a competitor/other party to whom the data has to be transferred to, a DF may refuse the exercise of this right by a DP. A final limit on the right to data portability is the technical feasibility limit. If a DF is able to prove that it’s not technically feasible to transfer PD, then they are allowed to reject the request. This is also recognised under the Srikrishna Committee Report. For this limit to apply, technical inability should limit the DF’s in a way that it should not create an obligation for the DF to adopt or maintain processing systems which are technically incompatible. However, PD is to be transferred between DF’s in a structured, commonly used and machine readable format. This flows from the principle of interoperability, a principle of the NDHM. The aim of data portability is to produce interoperable systems, and not compatible systems. Effectively, with the adoption of the digital health framework, this limit should not be an issue.

The fourth and final right is the right to be forgotten. As mentioned above, the right to erasure under the PDP Bill is akin to the right to be forgotten under GDPR. However, the right to be forgotten under the PDP Bill is more like the right to restrict processing under the GDPR as the principles and characteristics of both are similar. Under this right a DP has the right to prevent continued disclosure of PD by a DF, if such disclosure has served its purpose, or where the consent to disclose is withdrawn, or the disclosure is contrary to any of the provisions of the PDP Bill. Principally this right has more to do with the right to freedom of expression. The Srikrishna Committee Report suggests a balancing test to determine whether this right should be allowed to be exercised wherein it is to be determined whether the interest in discontinuing the disclosure outweighs the interest in continuing with it. A right to be forgotten request does not entail a direction from the DP to delete the data. The steps that a DF would be required to take would be temporary measures (such as moving the data to other systems, making the data unavailable to users, or temporarily removing published data from the website) and the restrictions would ideally lift once the reason for restricting processing is not present. The HDMP phrases this right as the right to restrict or object to disclosure. If this right is enforced, then not only would a DF have to take temporary steps to restrict access to such PD, they would also have to ensure that other DF’s do the same. There is no reference to this requirement under any proposed Indian law regulating personal health data as of now. There may be nominal charge payment for the exercise of this right, to be paid by a DP.

The third and fourth rights are an extension from the first right, i.e. the right to access data, and require a DF to take steps to stop processing data, and not deleting it permanently. As we can see from the above, as such the right to be forgotten is a misnomer in the Indian context. In any case, for health data and records there are sector specific regulations to be followed. The Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations, 2002 state that every physician is to maintain the medical records pertaining to his/her indoor patients for a period of three years from the date of commencement of the treatment. Thus even if this data is to be transferred to another DF, a registered medical practitioner is still required to keep a copy of this data, which practically would mean that the healthcare institute itself would have access to the data. There is no specific mention of this under the HDMP or other digital health ecosystem guidelines, however, the requirement to keep such records stems from a requirement of medical practice, and not data protection regulation. Even under GDPR, there are two circumstances under which the right to erasure will not apply to special category data (which includes health related data): i) if the processing is necessary for public health purposes in the public interest (ex: protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices); or ii) if the processing is necessary for the purposes of preventative or occupational medicine, for medical diagnosis, for the provision of health or social care, or for the management of health or social care systems or services. This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (ex: a health professional).

Procedural issues that remain to be clarified: Since neither the PDP Bill has been notified, and the HDMP as part of NDHM is in phase 1 of its roll-out, there are certain issues that will need to be addressed if we truly want to enable the exercise of the health data rights. These are: a) the time-lines within which DF’s need to reply to DP rights; b) the cost on a DP to enforce their rights and the necessary regulatory logic for the same; c) the form in which a DP can enforce such rights. As of now, globally SARs are exercised using electronic means, and while this is fine as an option for enforcement of this right and should be kept in India (as under the HDMP), the consent manager framework must be leveraged for the same. A consent manager is an entity/individual that interacts with the DP and obtains consent from the DP, for any intended access to PD or SPD. This would be important for a country like India, where once can expect that the enforcement of digital rights will not be a mandate that is pushed or debated, except in the higher echelons of civil society. Do watch this space for more information on consent managers and their role so far.