At this time, India does not have specific legislation enacted primarily for data protection. The Personal Data Protection Bill 2019 (PDP Bill - Dec, 2019) has been proposed by the Ministry of Information and Technology and is under review by the Joint Parliamentary Committee.
Disclaimer: The information in this blog is for information purposes only. For legal advice please contact appropriate lawyers.
What is applicable in India?
Information Technology Act, 2000 (“the IT Act”) and its corresponding Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“the IT Rules”). Article 21 of the Indian Constitution guarantees the Right to Privacy as a fundamental right to all citizens.
The Bill proposes to make it mandatory for organizations that store or process health data to notify their users of a personal or health data breach. Organizations that fail to ensure information protection may be liable for a fine and/or imprisonment of up to five years.
Digital Information Security in Healthcare Act ('DISHA')
With the objective of improving healthcare information, the Indian government will be exploring implementation of DISHA. This includes setting up a National Electronic Health Authority ('NeHA') at the central level and State Electronic Health Authorities ('SeHA') in the states, which will be responsible for enforcement of regulations governing protection and security of digital health data as well as the standard for electronic health data exchange and storage.
Scope of coverage
“Geo location and personal information, obtained by both Indian and foreign entities will be protected.”
All clinical establishments including diagnostic centers and even individual clinics will be required to prescribe stricter privacy and confidentiality rules and the owner of the data must be informed of any breach of the privacy or confidentiality of their digital health data immediately.
Right to be forgotten
The Bill proposes the legislative inclusion of the right to be forgotten. Individuals will have more control of their data and would be able to limit, delete, delink, or correct any information about them which is misleading, embarrassing, and irrelevant. It authorizes users to withdraw previously provided consents.