Healthcare & Digital Personal Data Protection Act
- Jaanvi Sharma
- Aug 22, 2024
Updated: Sep 14, 2024

The Digital Personal Data Protection Act of 2023 (DPDP Act) represents a significant milestone in Indian legislation, dedicated to safeguarding the privacy and security of personal data within the nation. This act carries profound implications for the healthcare sector, an industry entrusted with sensitive and confidential patient information. Below, we outline key facets of the act that directly impact the healthcare field:
Data Categorization and Compliance: Under the DPDP Act, healthcare organizations are mandated to categorize patient data based on its significance, distinguishing between 'sensitive personal data' and 'critical personal data.' Each category is subject to its own specific regulations. For instance, sensitive personal data can be transferred outside India only upon explicit consent from the data principal, subject to conditions stipulated by the Data Protection Board of India (DPBI).
Sensitive Personal Data Definition: The act defines sensitive personal data as information that pertains to an individual's health, biometric and genetic data, sexual orientation, religious or political beliefs, or financial details. The processing of such data requires explicit consent from the data principal and must serve a specific purpose.
Critical Personal Data Concept: The DPDP Act introduces the notion of critical personal data, which is data that the central government may designate as critical on an ongoing basis. Processing such data is restricted to India and necessitates prior approval from the central government for any international transfers.
Patient Data Rights: Healthcare providers and entities are obliged, under the act, to protect the rights and interests of patients as data principals. This entails granting them access to their personal information, enabling corrections or erasures, and addressing their complaints and grievances.
Data Principal Rights: The act endows data principals with several rights, including the right to access, correct, erase, port, or restrict their personal data, and to object to its processing. Data fiduciaries are obligated to establish mechanisms for data principals to exercise these rights promptly.
Data Fiduciary Duties: Healthcare providers and entities must comply with data fiduciary duties, such as obtaining patient consent for data processing, providing comprehensive information about the purpose and nature of data processing, and ensuring data security and quality.
Security Safeguards: Data fiduciaries must implement appropriate security measures to safeguard personal data from unauthorized access, use, disclosure, modification, or destruction. These safeguards may include encryption, pseudonymization, anonymization, or other techniques prescribed by the DPA.
Obligations and Reporting: The DPDP Act imposes obligations on data fiduciaries, including obtaining consent, providing notice, maintaining transparency, ensuring data quality, conducting data protection impact assessments, reporting data breaches, and adhering to cross-border data transfer restrictions.
Data Protection Authority (DPA): The act establishes a Data Protection Authority (DPA) responsible for overseeing and enforcing its provisions. The DPA possesses the authority to issue codes of practice, conduct audits, impose penalties, and adjudicate complaints pertaining to data protection violations.
The Digital Personal Data Protection Act is poised to create a more robust and accountable framework for personal data processing in India. It will bolster patient trust and confidence by granting them greater control and protection over their personal health-related information.