By Nikhil Pahwa and Aditi Agrawal

The risks are too great, the use cases are too unclear, and a broad Personal Data Protection Bill, 2019, does not adequately take into account the concerns of the healthcare sector. Doctors speaking at MediaNama’s discussion on the impact of the PDP Bill on the healthcare sector held on June 19, 2020, felt that there needs to be a different, sectoral approach to protect healthcare data. This discussion was supported by Microsoft, Google, TMT Law Practice and the Telemedicine Society of India. A wish list from our participants:

A sector-specific bill for healthcare: Dr Sunil Shroff, President (TN), Telemedicine Society of India, felt that, as far as data protection is concerned, the healthcare sector at this time needs a bill that is just for healthcare. The heterogeneity of the healthcare sector can only be addressed through separate legislation. For instance, Dr Varun Gupta, Vice President of Medical Affairs and Public Policy at 1mg, said that there are companies that are not hospitals or clinics, but partner with multiple players in the ecosystem; any legislation needs to look at those allied roles.

Graded compliance requirements for different players in the ecosystem: Different players in the ecosystem, such as a large hospital, a standalone diabetes clinic, and an aggregation platform like 1mg, have varying abilities to meet all the requirements of the Bill. For instance, maintaining medical records is very difficult for a small clinic. Ensuring the right to data portability for patients/data principals will imply the need for a medical records system, which will add to the cost of healthcare.

Option for nominated representation for consent: Dr. Shroff pointed out that when a person is incapacitated, there needs to be nominated representation for processing of data. He cited the Mental Health Act, 2017, which has an entire chapter on nominated representation, from an immediate family member, a friend, or the director of an organisation.

Provisions post death: Dr. Shroff also pointed out that provisions are needed to govern data after a person dies, with people given the right to determine what happens to their data once they die. “What happens to your personal data, because once you die all your personal rights go away?” He suggested that users be given an option to provide an “advance directive”, to decide whether their data is deleted or transferred after their death. Yahoo, he said, is one digital business he has noticed prompting users about such decisions.

Definition of personal data: The definition of inferred data as personal data creates complications, and further clarity limiting the scope of usage of such data needs to be provided, Dr Shubnum Singh, Advisor, CII National Healthcare Council, and Consultant Emeritus, Max Healthcare Institute Ltd, said. Gupta said that if additional clarity about limiting the scope of inferred data cannot be provided, then inferred data should not be included within the definition of personal data.

Medical emergency must be defined: The Bill allows fiduciaries to process personal data without consent for medical emergencies, and provision of medical treatment and health services during a pandemic, or any other threat to public health. Similarly, critical personal data may also be transferred out of the country only if it is for a medical emergency. “Thus, it’s very important to delineate the contours of medical emergency,” Abhishek Malhotra, Managing Partner of TMT Law Practice, said. Since medical emergency may include a patient who is incapacitated or is unconscious, it becomes all the more important to define it, Shroff said. The Mental Health Act can provide guidance for that.

Reconsider the standard of irreversibility set as the definition of anonymised data: Singh pointed towards the sensitive nature of health data, especially mental health and HIV related data, and the stigmatisation associated with it. “We have had episodes earlier on, and even till today, for people with tuberculosis.” She also highlighted issues related to data in e-prescriptions, and said that more discussions are needed to understand the risks. On the other hand, Gupta said that anonymised data and non-personal data should not be a part of the Bill at all.

Portability standards: Portability standards need to be defined because in healthcare, different codes exist for storage of medical data, across hospitals, pharmacies, diagnostic labs, etc. Without standardisation, there would be chaos.

Multiple instances of consent for extremely sensitive personal data: Shweta Mohandas of the Centre for Internet and Society said that while consent fatigue is a concern, there’s a case for renewal of consent for extremely sensitive personal data, especially if there is a change in business model, mergers and acquisitions, etc.

Consent in vernacular: Malhotra said that regulations framed under the Bill should have a requirement to transmit that consent in vernacular, “so that the informed consent is truly informed”. Udbhav Tiwari of Mozilla added that when it comes to healthcare, the threshold for consent will be a very different threshold from traditional standards of informed consent, even if data is being collected via mobile devices.

Explicit consent must be required in digital health scenarios: The fact that patients themselves seek consultation is sufficient to imply consent during in-person consults. However, explicit consent should be required in digital health or teleconsultation scenarios, even if it is as simple as an opt-in consent, Malhotra said. This should be done regardless of paucity of time, especially since it would be difficult to control misuse. Besides, there is a distinction between consent given for the consultation and consent for processing of the data collected during the consultation.

Consent for follow-up consultations should not be mandatory in all cases: Healthcare scenarios often involve longitudinal, long-term treatment for chronic illnesses and hence involve follow-up consultations. For instance, epilepsy patients are usually on medication, but see their doctor from time to time. Consent for such follow-up consultations should not be mandatory in such cases, Gupta suggested.

Standardisation is necessary to ensure data portability: Data across hospitals, diagnostic laboratories, and pharmacies is not stored in a standard format, thus restricting the ability of patients to port their data across providers. Some institutions follow no standards; some follow ICD-10 for reporting, but follow SNOMED CT for specific incidences. Thus, standards need to be brought in, and then implemented, all the doctors concurred.

Exemptions for government need to be limited: The Bill grants exemptions to the government at large, which could end up creating exemptions, for example, for government hospitals and government health-care projects. According to Tiwari, this suggests that “the government will be able to apply differential standards of privacy to its own health care policies because the bill allows it to do so, because it is, at the end of the day, the government is providing you that service. So, to make sure that the government exemption which exists for a variety of reasons doesn’t leak or like leak into health care related concerns I think is going to be quite important.”

A dedicated healthcare office at the DPA: “A minimum I would imagine”, Tiwari said, “like the ICO in the United Kingdom, they have a dedicated healthcare office within the data protection authority where they look into sort of medical concerns and like generally health care related issues in a sort of dedicated manner within the data protection office.”

Consider only civil liability, no criminal offences: Gupta recommended that the Bill should only impose civil liabilities without venturing into the terrain of criminal offences. The Bill currently criminalises re-identification of de-identified data.

Contour the innovation sandbox better: Gupta said that the details of the innovation sandbox, including its definitions and the compliance requirements associated with it, have to be defined better. “At least innovation has been acknowledged, but it needs to go to the next level,” he said.

Sandbox should not lead to government monopoly: In the absence of specific criteria for inclusion in the innovation sandbox, we must be wary of government monopolies being created within the sandbox. The Bill needs to play a balancing act between private and public interest, something that will shape up only once the regulations are framed, Vatsal Gaur, Associate Partner at HSA Advocates, said.