The LexGaze Weekly - DECIPHER

How does The Personal Data Protection Bill, 2019 impact the Healthcare Sector?

Shambhavi Shekhar

Issue 4 | July 11, 2020

After an entire year of soliciting suggestions and comments on the Draft Bill of 2018 proposed by the B. N. Srikrishna Committee, a revised Bill (“PDPB”) was cleared in December 2019. Although the Bill retains the broad contours proposed in the Draft, closer scrutiny reveals loopholes. In June 2019, while participating in a discussion around the PDPB vis-à-vis the healthcare sector, President of the Telemedicine Society of India, Dr. Sunil Shroff remarked, “This Bill in a generic format is good. When you go down into the sensitive areas there is a lack of clarity”.

  1. One primary concern, which revolves around having healthcare-specific legislation in place, arises from the lack of homogeneity across the sector. Healthcare services are provided not only by large hospitals but also by small private clinics and laboratories, which cater to a big chunk of the Indian population. This scope has been further diversified by online portals such as ‘1mg’. S. 28 casts an onus on data fiduciaries; however, the state of affairs at numerous small clinics would render the enforcement of the provision difficult.

  2. Second, the definition of “health data” under S. 3(21) ought to be more coherent in terms of specifying the categories of health services to which the definition applies.

  3. Third, a lot of importance has been accorded to the “consent” of the data principal (to whom the personal data actually belongs), but a few issues need to be addressed. The PDPB lacks provisions dealing with the consent of terminally ill patients or of patients who are not suited to give informed consent. A cue should be taken from the Mental Health Care Act, 2017 as regards the appointment of a ‘nominated representative’ for all intents and purposes. Further, since health data falls within the ambit of ‘sensitive personal data’, additional measures are to be taken to obtain explicit consent. Personal data can be processed without obtaining consent in case of a medical emergency or functions of the State when it relates to providing services to the data principal, employment matters, amongst others. It is pertinent to note at this juncture that the ambit of ‘medical emergency’ has not been defined. Moreover, S. 34 allows the transfer of critical personal data outside India in cases of health or emergency services. Considering that a medical emergency may include instances of patients incapable of consenting, a more cautious framework is required as regards consent, because its absence can spark privacy-related concerns. As cautioned by the Kerala High Court in April 2020, while disposing of a bunch of Writ Petitions concerning the sharing of confidential data of people with Sprinklr, a New York-based company dealing in analytics, in order to efficiently track Covid-19, it must be ensured that a situation of ‘data epidemic’ does not arise after controlling Covid-19. An injunction was granted prohibiting Sprinklr from breaching confidentiality clauses, sharing collated data, and even advertising that it was in possession of such data.

Moving further, the principal has the right of data portability, in a structured manner, once the processing is over (S. 19). In order to give effect to this provision, it is important to mandate a uniform storage standard and make available the necessary software infrastructure for the same. The next issue pertains to the Data Protection Authority of India. It should include a cell which caters to grievances concerning misuse of health data, as such data is extremely sensitive in nature, e.g., HIV records. The last issue concerns the multiple exemptions granted to the government and its agencies for collating and processing personal data for quite a few purposes. All these issues require serious consideration, for the data principal and the healthcare sector in general, to ensure maximum enforcement of data protection provisions.
