How does The Personal Data Protection Bill, 2019 impact the Healthcare Sector?
Issue 4 | July 11, 2020
After an entire year of soliciting suggestions and comments on the Draft Bill of 2018 proposed by the B. N. Srikrishna Committee, a revised Bill (“PDPB”) was cleared in December 2019. Although the Bill retains the broad contours proposed in the Draft, closer scrutiny reveals the presence of loopholes. In June 2019, while participating in a discussion around the PDPB vis-à-vis the healthcare sector, President of the Telemedicine Society of India, Dr. Sunil Shroff remarked, “This Bill in a generic format is good. When you go down into the sensitive areas there is a lack of clarity”.
One primary concern, and a reason for having healthcare-specific legislation in place, is the lack of homogeneity across the sector. Healthcare services are provided not only by large hospitals but also by small private clinics and laboratories, which cater to a big chunk of the Indian population. This scope has been further diversified by online portals such as ‘1mg’. S. 28 casts an onus on data fiduciaries; however, the state of affairs at numerous small clinics would render enforcement of the provision difficult.
Second, the definition of “health data” under S. 3(21) ought to be more coherent in specifying the categories of health services to which the definition applies.
Third, a lot of importance has been accorded to the “consent” of the data principal (to whom the personal data actually belongs), but a few issues need to be addressed. The PDPB lacks provisions dealing with the consent of terminally ill patients or of patients who are not suited to give informed consent. A cue should be taken from the Mental Health Care Act, 2017 as regards the appointment of a ‘nominated representative’ for all intents and purposes. Further, since health data falls within the ambit of ‘sensitive personal data’, additional measures are to be taken to obtain explicit consent. Personal data can be processed without obtaining consent in case of a medical emergency, or for functions of the State when they relate to providing services to the data principal, employment matters, amongst others. It is pertinent to note at this juncture that the ambit of ‘medical emergency’ has not been defined. Moreover, S. 34 allows the transfer of critical personal data outside India in cases of health or emergency services. Considering that a medical emergency may include instances of patients incapable of consenting, a more cautious framework is required as regards consent, because its absence can spark privacy-related concerns. In April 2020, the Kerala High Court disposed of a bunch of Writ Petitions concerning the sharing of confidential data of people with Sprinklr, a New York-based company dealing in analytics, in order to efficiently track Covid-19. As the Court cautioned, it must be ensured that a situation of ‘data epidemic’ does not arise after controlling Covid-19. An injunction was granted prohibiting Sprinklr from breaching confidentiality clauses, sharing collated data, and even advertising that it was in possession of such data.
Moving further, the data principal has the right to data portability, in a structured manner, once the processing is over (S. 19). In order to give effect to this provision, it is important to mandate a uniform storage standard and to make available the necessary software infrastructure for the same. The next issue pertains to the Data Protection Authority of India. It should include a cell which caters to grievances concerning misuse of health data, as such data is extremely sensitive in nature, e.g., HIV records. The last issue concerns the multiple exemptions granted to the government and its agencies for collating and processing personal data for quite a few purposes. All these issues require serious consideration, for the data principal and the healthcare sector in general, to ensure maximum enforcement of data protection provisions.