An India Today investigation showed that data harvesting to manipulate voters is perhaps even more brazen in India than in the case of UK-based Cambridge Analytica. Meanwhile, every app being downloaded onto mobile devices today is collecting user data constantly. And despite the comprehensive White Paper brought out by the Justice Srikrishna committee on a data protection framework for India, the draft for a comprehensive law that can protect the data and privacy of Indian citizens is still not ready.
But while the draft for the overarching data protection and privacy law is taking time, the Ministry of Health and Welfare has prepared a clear and relatively short Digital Information Security in Healthcare Act (DISHA) draft at the end of March and invited comments. Unlike the Srikrishna committee white paper, this one takes a far more cut and dried view of protection of health records and data of individuals.
The purpose of DISHA is to regulate the generation, collection, storage, analysis, transmission and ownership of patient health data and personally identifiable information. It calls for the creation of a central regulator called National Electronic Health Authority, and of state regulators called State Electronic Health Authorities. It also calls for the setting up of Health Information Exchanges by the government.
The great thing about DISHA is that it is very clear both about who owns the data (the patient does) and about what it can be used for and who it can be shared with. It explicitly states that a patient's data can only be used for treating him - and that too with his consent (in the case of a minor, the legal guardian can give proxy consent, but once the minor reaches majority, he owns the data, can access and correct it or can even withdraw it).
More importantly, even the entities that can collect digital health data (DHD) like clinics or diagnostic centers have specific obligations under the draft Act. And DHD has to be stored or transmitted only on a need-to-know basis. DHD can be collected, stored and analysed only for these purposes:
(a) To advance the delivery of patient centered medical care;
(b) To provide appropriate information to help guide medical decisions at the time and place of treatment;
(c) To improve the coordination of care and information among hospitals, laboratories, medical professionals, and other entities through an effective infrastructure for the secure and authorised exchange of digital health data;
(d) To improve public health activities and facilitate the early identification and rapid response to public health threats and emergencies, including bioterror events and infectious disease outbreaks;
(e) To facilitate health and clinical research and health care quality;
(f) To promote early detection, prevention, and management of chronic diseases;
(g) To carry out public health research, review and analysis, and policy formulation;
(h) To undertake academic research and other related purposes.
Even in these, personally identifiable data can be used only for the first three points. For all others, only de-identified and aggregated DHD can be used.
The Act provides for strict punishment in case the data is not securely kept or if it is misused in any way. It also makes it mandatory for the collection to happen only after taking a patient's approval.
The major problem with the Act is that it does not take into account the proliferation of fitness and other wearable devices that are also collecting health data and transmitting it. Nor does it take into account the hundreds of personal health and fitness apps that are being launched every day. The Act in its present form cannot regulate them.
Still, in every other respect, DISHA is very clear-cut and can serve as the model for even the overall data protection regulations and Privacy Act as long as it also takes into account other devices that collect digital health data.