“…there are so many different types of data types in this one data set that if a patient wants to share this data with someone, even inside the hospital ecosystem, whether it’d be a doctor, whether it’d be a nurse, whether it’d be a physiotherapist, whether it’d be an accountant at the reception, it’s very different data sharing that is required for each of the actors and for how long also totally depends on the kind of actor there is and if there is some sort of clarity on that in terms of, okay for a particular category or a set of data, this is the type of data that can be shared, this is the type of data that a user can decide to share or not share…” said Rajeev Sharma, Vice President of Tata 1 Mg, when talking about what kind of guidelines for notice provisions can help the healthcare sector.
Sharma spoke during MediaNama’s flagship event ‘PrivacyNama’ alongisde other speakers such as Abha Tiwari , Legal Head and Data Protection Officer at Renault, Richa Mukherjee, Director of Public Policy and Corporate Affairs at PayU, B. G. Mahesh, Co-Founder of DigiSahamati Foundation, and moderator Sreenidhi Srinivasan, Partner at Ikigai Law to discuss the next steps following the passing of the Digital Personal Data Protection Act, 2023 (DPDP).
The full conversation can be seen here:
This discussion was organised with support from Meta, PhonePe, Google, and Salesforce and in partnership with CUTS, and the Centre for Communication Governance.
Data and its processing must be categorised: Sharma said that there should be guidelines that call for a categorisation of data, its processing and the duration of such activities, especially for the healthcare sector.
In healthcare, entities obtain different types of data from a single user. However, the sharing of these individual data types depends on whether the user is dealing with a doctor,nurse, physiotherapist, the accountant at the reception, etc.
“It’s very different data sharing that is required for each of the actors and for how long also totally depends on the kind of actor there is and if there is some sort of clarity… [like] for a particular category or a set of data, this is the type of data that can be shared, this is the type of data that a user can decide to share or not share and there are enough means for [the user] to do it. I think that will really help,” said Sharma.
He added that the above example is specific to a “very low frequency throughout industry where a person would probably go to an outpatient department twice or thrice annually or go to an inpatient department once in 2-5 years. As such he suggested that there can be further definitions for different types of data usage, different types of actors.
Clarity on data usage helps patients take decisions: He also stressed the need for clarity on the period of retention for various data types and the purpose for using the data since that also helps the user decide how long they want to share the data or withdraw permission for the usage of certain data.
This is important considering in the healthcare sector, patients already have a lot of data before going to a hospital. Then more data is generated and stored in electronic medical record systems with the patient’s chief complaint, history of chief complaint, patient family history, patient’s past history, prescription information, age, name and even, to a certain extent, credit card information.
A case study to highlight the importance of defining and policy-making for various datasets
In another session, Valborg Steingrimsdottir, representing the Data Protection Authority of Iceland, talked about the country’s own Act on scientific research based on health data and how the department has to monitor specific aspects of these researches based on the same. At the same time, other public entities monitor other aspects of these researches, which often leads to conflict. For example, there was a conflict between a private entity storing genetic information and the public hospital doing research on COVID-19 patients.
“We had three major decisions where we came to the conclusion that there was a breach of both the Data Protection Act, as well as this Act on the scientific research. And we found that was a bit difficult for our cooperation with the other surveillance authorities, because we were not in complete agreement on how to interpret these Acts. But this is something that we take very seriously, because especially these researches, when you collide these health data and the genetic data, this can have a great consequence for people,” said Steingrimsdottir.
- Google Encourages Entry Of AI Into Healthcare: Here’s All You Need To Know
- Business Leaders At IAMAI Digital Health Summit Discuss The Use Cases Of AI In The Healthcare Industry
- Amazon Launches AWS HealthScribe, Generative AI Service To Assist Healthcare Practitioners
- “India Needs A Risk-Based Approach For Data Breach Notification”: Varun Bahl, NASSCOM #PrivacyNama2023
STAY ON TOP OF TECH NEWS: Our daily newsletter with the top story of the day from MediaNama, delivered to your inbox before 9 AM. Click here to sign up today!